diff --git a/.sops.yaml b/.sops.yaml index 79cd3e7..29672f1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,6 +9,7 @@ keys: - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5 + - &neo age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5 - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v @@ -62,6 +63,12 @@ creation_rules: - *erwin - *erwin_horus - *minio + - path_regex: machines/neo/[^/]+\.yaml$ + key_groups: + - age: + - *erwin + - *erwin_horus + - *neo - path_regex: machines/nix-cache/[^/]+\.yaml$ key_groups: - age: diff --git a/machines/default.nix b/machines/default.nix index 337e329..afb5446 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -82,6 +82,15 @@ inputs: { tags = [ "container" ]; }; }; + neo = { + config = import ./neo/configuration.nix inputs; + deploy = { + host = "10.0.0.157"; + # host = "neo.barn-beaver.ts.net"; + targetUser = "erwin"; + tags = [ "container" ]; + }; + }; nix-cache = { config = import ./nix-cache/configuration.nix inputs; deploy = { diff --git a/machines/neo/configuration.nix b/machines/neo/configuration.nix new file mode 100644 index 0000000..3b44cd0 --- /dev/null +++ b/machines/neo/configuration.nix @@ -0,0 +1,83 @@ +{ self, ... }: +{ modulesPath, lib, ... }: +{ + imports = [ + (modulesPath + "/virtualisation/lxc-container.nix") + ../../users/root + ../../users/erwin + + ./dendrite + ./matrix-sliding-sync + ./postgresql + ]; + + eboskma = { + users.erwin = { + enable = true; + server = true; + }; + nix-common = { + enable = true; + remote-builders = true; + }; + tailscale.enable = true; + }; + + boot = { + isContainer = true; + }; + + time.timeZone = "Europe/Amsterdam"; + + system.configurationRevision = lib.mkIf (self ? rev) self.rev; + + networking = { + hostName = "neo"; + useDHCP = false; + useHostResolvConf = false; + networkmanager.enable = false; + useNetworkd = true; + nftables.enable = true; + + firewall.trustedInterfaces = [ "tailscale0" ]; + }; + + systemd.network = { + enable = true; + + wait-online.anyInterface = true; + + networks = { + "40-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + networkConfig = { + Address = "10.0.0.213/24"; + Gateway = "10.0.0.1"; + DNS = "10.0.0.206"; + DHCP = "no"; + }; + }; + }; + }; + + security = { + sudo-rs = { + enable = true; + execWheelOnly = true; + wheelNeedsPassword = false; + }; + sudo.enable = false; + }; + + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets = { + dendrite-env = { }; + dendrite-private-key = { }; + matrix-sliding-sync-env = { }; + }; + + system.stateVersion = "24.05"; +} diff --git a/machines/neo/dendrite/default.nix b/machines/neo/dendrite/default.nix new file mode 100644 index 0000000..ce080bd --- /dev/null +++ b/machines/neo/dendrite/default.nix @@ -0,0 +1,133 @@ +{ + pkgs, + lib, + config, + ... +}: +let + + settingsFormat = pkgs.formats.yaml { }; + configurationYaml = settingsFormat.generate "dendrite.yaml" settings; + workingDir = "/var/lib/dendrite"; + + environmentFile = config.sops.secrets.dendrite-env.path; + + httpPort = 8008; + + settings = { + global = { + server_name = "matrix.boskma.frl"; + private_key = config.sops.secrets.dendrite-private-key.path; + + database = { + connection_string = "postgresql://%2Frun%2Fpostgresql/dendrite"; + max_open_conns = 100; + max_idle_conns = 5; + conn_max_lifetime = -1; + }; + + trusted_third_party_id_servers = [ + "matrix.org" + "vector.im" + ]; + disable_federation = false; + presence = { + inbound = true; + outbound = true; + }; + + server_notices = { + enabled = true; + local_part = "_server"; + display_part = "Tidingen"; + room_name = "Tidingen"; + }; + + metrics = { + enabled = true; + basic_auth = { + username = "metrics"; + password = "metrics"; + }; + }; + }; + client_api = { + registration_shared_secret = "$REGISTRATION_SECRET"; + }; + federation_api = { + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; + }; + media_api = { + max_file_size_bytes = 25 * 1024 * 1024; + thumbnail_sizes = [ + { + height = 32; + method = "crop"; + width = 32; + } + { + height = 96; + method = "crop"; + width = 96; + } + { + height = 480; + method = "scale"; + width = 640; + } + ]; + }; + + logging = [ + { + type = "std"; + level = "info"; + } + ]; + }; +in +{ + systemd.services.dendrite = { + description = "Dendrite Matrix homeserver"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + DynamicUser = true; + StateDirectory = "dendrite"; + WorkingDirectory = workingDir; + RuntimeDirectory = "dendrite"; + RuntimeDirectoryMode = "0700"; + LimitNOFILE = 65535; + EnvironmentFile = environmentFile; + ExecStartPre = [ + '' + ${pkgs.envsubst}/bin/envsubst \ + -i ${configurationYaml} \ + -o /run/dendrite/dendrite.yaml + '' + ]; + ExecStart = lib.strings.concatStringsSep " " ([ + "${pkgs.dendrite}/bin/dendrite" + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address :${builtins.toString httpPort}" + ]); + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "on-failure"; + }; + }; +} diff --git a/machines/neo/matrix-sliding-sync/default.nix b/machines/neo/matrix-sliding-sync/default.nix new file mode 100644 index 0000000..c057b27 --- /dev/null +++ b/machines/neo/matrix-sliding-sync/default.nix @@ -0,0 +1,14 @@ +{ config, ... }: +{ + services.matrix-sliding-sync = { + enable = true; + + createDatabase = true; + + environmentFile = config.sops.secrets.matrix-sliding-sync-env.path; + + settings = { + SYNCV3_SERVER = "https://matrix.boskma.frl"; + }; + }; +} diff --git a/machines/neo/postgresql/default.nix b/machines/neo/postgresql/default.nix new file mode 100644 index 0000000..8e4c830 --- /dev/null +++ b/machines/neo/postgresql/default.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: +{ + services = { + postgresql = { + enable = true; + + # version is tied to stateVersion + # manual update required + # MIGRATION REQUIRED WHEN UPDATING + package = pkgs.postgresql_15; + + ensureDatabases = [ + "dendrite" + "matrix-sliding-sync" + ]; + }; + + postgresqlBackup = { + enable = true; + backupAll = true; + + # borg will do compression and deduplication + compression = "none"; + + startAt = "*-*-* 02:00:00"; + }; + }; +} diff --git a/machines/neo/secrets.yaml b/machines/neo/secrets.yaml new file mode 100644 index 0000000..96cf0e5 --- /dev/null +++ b/machines/neo/secrets.yaml @@ -0,0 +1,41 @@ +dendrite-private-key: ENC[AES256_GCM,data:gA2xpUfmXUGaT5bPxBZTNTH2w+6Ovmzp3zUClV8+zlpo4Fyf15rd8nd0AJ70HhteYEFK+unlULWYrJtzrm+gAMQ/TAHbE4+y4aCOrr/pryDc+GXZ59maEXKif9PYvpI6b5l1S3SQIZDP3YNrh2LwkVn39CJceGZ0xfBqj2QFZYvWnT5rIzUSomc=,iv:ifiF9DzOibbtaXkERcP/A3Ty6EjNKoJ3XlOF4YCsJQ4=,tag:VDsMfuwGkJOSM3Y9nhGURA==,type:str] +dendrite-env: ENC[AES256_GCM,data:iETLbUzHKla+8zmftTM/asiDT2F6LUxRjFtKiWTMpl+p0nb7rMdpxTO9Wi4C23a0SZz4gcpvywpjd55ASpBGsNfTcnZ0ITKrtS5QkCcL2VR6S/3HaAH91cT7x/LwvszyeQdFmVUnWsauq/vd+Qp+RU0TcaiBsFHw3FrCfxeilvUtUAnbXmWj3g/YVQ6sZ8C8MoDinbE=,iv:HZK6AQcrb1LNW2YIBZQkJGsvIjULePhHex01DsiB26M=,tag:iMFi5lMMNZ8MGH3EWaG1Eg==,type:str] +matrix-sliding-sync-env: ENC[AES256_GCM,data:2K5d58v+hbIGto2PFnDLD05NL9cvp+vOIpyUInnZpU7MxfHo3rZtY5OJeDCjysLBChe7kIwoh9FR44IRq9xzWuc44B2eo7ByPTzgk4RWOA==,iv:NDSYRO5oLkimwhomCCP4vV9Hq8UchdNnpTkH/3ntBmA=,tag:W+iPqpEfWG8Aehasy8PN1Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZ3ByVUIyTjhUdURYMnZE + eDlQeEg0VE8weHhhd1BibllqTE1RVXRaZjJBCjZqZ1Y4dVcydGZ4alhoc0lLQWdr + KzNtTkEvajdxbmpaKzl5cERxQnFjL00KLS0tIFk2MHMvUjBDTGNBZzJJdXJpWkRp + Y25MQXp4WXBNYkZXM0grVkNYM0lKWFUKUaK3hDN7WbDiu9EgfJ5wmArjmM8PRtbY + TVIAp0htw+efC7PbCbaa0SaDltAR0Q19lIROUfccoLLpUCyk5mQvjg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWkZpd3ZvWWM3ZjRkbnc4 + NGRiZi9rMDJoaGRENjRDWHUwZllibEQ5aDBJCllFeE9XbTNlMnFSZTZBY1FVSmph + Z2cxTzdGSEdlQ0UzeWpzUENjM1Fpd2MKLS0tIGUvVUpjZTFqa2RvY2U3TlBXaXNB + VkdHS1FSdmlXKzdNRmltZDdmUWVZc0kK0TQeKRVafkIY2v0OBnxIQr48v9ilOEld + PpqwtEtH1HcSFwxhaFymUQpqg5Uvh5eXoPB/bnxOnOPlDYB+/HZQ0w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbCt0NDAvT0pCVmxpOUNh + TXpIanhKK01jN3FuaUdDeWJHZkFRdXBjMUhJCmNqWVNkN1owWnFOakJ6NWovQVZw + dnB5Vm4zMWpvZkZkODJqS2hxRVRaaDQKLS0tIERlMkozL2xBWVp4NWRlZnpiVVk5 + cnZiZ1YvTlBWUVdoSjNqYkVXaGZHTlEKe7w9qbDkzfxoW4CVxH2hmO9JFuCYCcgp + bguCZbLQpyjiS6LjpX5AqXQH9tRqWNnqhq8QTbB9v4VIw5rz7S9Hpw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-24T12:22:54Z" + mac: ENC[AES256_GCM,data:kyB5rwsn6gVutITtzmBwPFHY0x42SbsZMy98JF0wVGBfjDrfmwmxAeFOJ9KmvR0rUaEr7RPMOFCwT5w/zUUsColF7Dy5uoOSpV7JxPi6suVGUmz5BkGaPB5HvIQhtb/75owUx+9Fvjq4Vmnh8UX9vk/0Gj/ay0p3BFiypJegyuI=,iv:5mJC3xoeTyw6jv7+hSTyUUz9luffSuN6TrKPohTT95M=,tag:iq8aBa9dTjmC7z7DrcP3JQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1