erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Compare commits

base: erwin:8068c145808068097b29d2f5c02af04572f2b14b
Branches Tags
erwin:main
..
compare: erwin:b657f2d0badb1a018f0b73cf3b2be9c81e75003e
Branches Tags
erwin:main

No commits in common. "8068c145808068097b29d2f5c02af04572f2b14b" and "b657f2d0badb1a018f0b73cf3b2be9c81e75003e" have entirely different histories.
8068c14580 ... b657f2d0ba

9 changed files with 351 additions and 8 deletions
Show stats Expand all files Collapse all files

6
incus-conf/container.yaml
View file

@ -1,6 +0,0 @@
profiles:
- default
- nixos
- autostart
- net-bridged
limits.memory: "2GiB"

9
machines/default.nix
View file

@ -88,6 +88,15 @@ inputs: {
tags = [ "container" ]; tags = [ "container" ];
}; };
}; };
neo = {
config = import ./neo/configuration.nix inputs;
deploy = {
# host = "10.0.0.213";
host = "neo.barn-beaver.ts.net";
targetUser = "erwin";
# tags = [ "container" ];
};
};
nix-cache = { nix-cache = {
config = import ./nix-cache/configuration.nix inputs; config = import ./nix-cache/configuration.nix inputs;
deploy = { deploy = {

17
machines/heimdall/caddy/default.nix
View file

@ -41,7 +41,22 @@
"boskma.frl" = { "boskma.frl" = {
extraConfig = '' extraConfig = ''
error "Nothing to see here." 404 header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server":"matrix.boskma.frl:443"}`
respond /.well-known/matrix/client `{"m.homeserver": {"base_url":"https://matrix.boskma.frl"},"m.identity_server":{"base_url":"https://vector.im"},"org.matrix.msc3575.proxy":{"url":"https://syncv3.boskma.frl"}}`
'';
};
"matrix.boskma.frl" = {
extraConfig = ''
reverse_proxy neo.barn-beaver.ts.net:8008
'';
};
"syncv3.boskma.frl" = {
extraConfig = ''
reverse_proxy neo.barn-beaver.ts.net:8009
''; '';
}; };
}; };

83
machines/neo/configuration.nix Normal file
View file

@ -0,0 +1,83 @@
{ self, ... }:
{ modulesPath, lib, ... }:
{
imports = [
(modulesPath + "/virtualisation/lxc-container.nix")
../../users/root
../../users/erwin
./dendrite
./matrix-sliding-sync
./postgresql
];
eboskma = {
users.erwin = {
enable = true;
server = true;
};
nix-common = {
enable = true;
remote-builders = true;
};
tailscale.enable = true;
};
boot = {
isContainer = true;
};
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = lib.mkIf (self ? rev) self.rev;
networking = {
hostName = "neo";
useDHCP = false;
useHostResolvConf = false;
networkmanager.enable = false;
useNetworkd = true;
nftables.enable = true;
firewall.trustedInterfaces = [ "tailscale0" ];
};
systemd.network = {
enable = true;
wait-online.anyInterface = true;
networks = {
"40-eth0" = {
matchConfig = {
Name = "eth0";
};
networkConfig = {
Address = "10.0.0.213/24";
Gateway = "10.0.0.1";
DNS = "10.0.0.206";
DHCP = "no";
};
};
};
};
security = {
sudo-rs = {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
};
sudo.enable = false;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
dendrite-env = { };
dendrite-private-key = { };
matrix-sliding-sync-env = { };
};
system.stateVersion = "24.05";
}

147
machines/neo/dendrite/default.nix Normal file
View file

@ -0,0 +1,147 @@
{
pkgs,
lib,
config,
...
}:
let
settingsFormat = pkgs.formats.yaml { };
configurationYaml = settingsFormat.generate "dendrite.yaml" settings;
workingDir = "/var/lib/dendrite";
environmentFile = config.sops.secrets.dendrite-env.path;
httpPort = 8008;
settings = {
version = 2;
global = {
server_name = "boskma.frl";
private_key = "$CREDENTIALS_DIRECTORY/private_key";
database = {
connection_string = "postgresql:///dendrite?host=/run/postgresql";
max_open_conns = 90;
max_idle_conns = 5;
conn_max_lifetime = -1;
};
trusted_third_party_id_servers = [
"matrix.org"
"vector.im"
];
disable_federation = false;
presence = {
inbound = true;
outbound = true;
};
server_notices = {
enabled = true;
local_part = "_server";
display_part = "Tidingen";
room_name = "Tidingen";
};
metrics = {
enabled = true;
basic_auth = {
username = "metrics";
password = "metrics";
};
};
};
client_api = {
registration_shared_secret = "$REGISTRATION_SECRET";
};
federation_api = {
key_perspectives = [
{
server_name = "matrix.org";
keys = [
{
key_id = "ed25519:auto";
public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
}
{
key_id = "ed25519:a_RXGa";
public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
}
];
}
];
};
sync_api = {
real_ip_header = "X-Forwarded-For";
};
mscs = {
mscs = [
"msc2444"
"msc2753"
"msc2836"
];
};
media_api = {
base_path = "${workingDir}/media_store";
max_file_size_bytes = 25 * 1024 * 1024;
thumbnail_sizes = [
{
height = 32;
method = "crop";
width = 32;
}
{
height = 96;
method = "crop";
width = 96;
}
{
height = 480;
method = "scale";
width = 640;
}
];
};
logging = [
{
type = "std";
level = "info";
}
];
};
in
{
systemd.services.dendrite = {
description = "Dendrite Matrix homeserver";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "dendrite";
WorkingDirectory = workingDir;
RuntimeDirectory = "dendrite";
RuntimeDirectoryMode = "0700";
LimitNOFILE = 65535;
EnvironmentFile = environmentFile;
LoadCredential = [ "private_key:${config.sops.secrets.dendrite-private-key.path}" ];
ExecStartPre = [
''
${pkgs.envsubst}/bin/envsubst \
-i ${configurationYaml} \
-o /run/dendrite/dendrite.yaml
''
];
ExecStart = lib.strings.concatStringsSep " " ([
"${pkgs.dendrite}/bin/dendrite"
"--config /run/dendrite/dendrite.yaml"
"--http-bind-address :${builtins.toString httpPort}"
]);
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
};
};
}

15
machines/neo/matrix-sliding-sync/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, ... }:
{
services.matrix-sliding-sync = {
enable = true;
createDatabase = true;
environmentFile = config.sops.secrets.matrix-sliding-sync-env.path;
settings = {
SYNCV3_SERVER = "http://127.0.0.1:8008";
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
};
}

39
machines/neo/postgresql/default.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, ... }:
{
services = {
postgresql = {
enable = true;
# version is tied to stateVersion
# manual update required
# MIGRATION REQUIRED WHEN UPDATING
package = pkgs.postgresql_15;
ensureDatabases = [
"dendrite"
"matrix-sliding-sync"
];
ensureUsers = [
{
name = "dendrite";
ensureDBOwnership = true;
}
{
name = "matrix-sliding-sync";
ensureDBOwnership = true;
}
];
};
postgresqlBackup = {
enable = true;
backupAll = true;
# borg will do compression and deduplication
compression = "none";
startAt = "*-*-* 02:00:00";
};
};
}

41
machines/neo/secrets.yaml Normal file
View file

@ -0,0 +1,41 @@
dendrite-private-key: ENC[AES256_GCM,data:gA2xpUfmXUGaT5bPxBZTNTH2w+6Ovmzp3zUClV8+zlpo4Fyf15rd8nd0AJ70HhteYEFK+unlULWYrJtzrm+gAMQ/TAHbE4+y4aCOrr/pryDc+GXZ59maEXKif9PYvpI6b5l1S3SQIZDP3YNrh2LwkVn39CJceGZ0xfBqj2QFZYvWnT5rIzUSomc=,iv:ifiF9DzOibbtaXkERcP/A3Ty6EjNKoJ3XlOF4YCsJQ4=,tag:VDsMfuwGkJOSM3Y9nhGURA==,type:str]
dendrite-env: ENC[AES256_GCM,data:iETLbUzHKla+8zmftTM/asiDT2F6LUxRjFtKiWTMpl+p0nb7rMdpxTO9Wi4C23a0SZz4gcpvywpjd55ASpBGsNfTcnZ0ITKrtS5QkCcL2VR6S/3HaAH91cT7x/LwvszyeQdFmVUnWsauq/vd+Qp+RU0TcaiBsFHw3FrCfxeilvUtUAnbXmWj3g/YVQ6sZ8C8MoDinbE=,iv:HZK6AQcrb1LNW2YIBZQkJGsvIjULePhHex01DsiB26M=,tag:iMFi5lMMNZ8MGH3EWaG1Eg==,type:str]
matrix-sliding-sync-env: ENC[AES256_GCM,data:2K5d58v+hbIGto2PFnDLD05NL9cvp+vOIpyUInnZpU7MxfHo3rZtY5OJeDCjysLBChe7kIwoh9FR44IRq9xzWuc44B2eo7ByPTzgk4RWOA==,iv:NDSYRO5oLkimwhomCCP4vV9Hq8UchdNnpTkH/3ntBmA=,tag:W+iPqpEfWG8Aehasy8PN1Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZ3ByVUIyTjhUdURYMnZE
eDlQeEg0VE8weHhhd1BibllqTE1RVXRaZjJBCjZqZ1Y4dVcydGZ4alhoc0lLQWdr
KzNtTkEvajdxbmpaKzl5cERxQnFjL00KLS0tIFk2MHMvUjBDTGNBZzJJdXJpWkRp
Y25MQXp4WXBNYkZXM0grVkNYM0lKWFUKUaK3hDN7WbDiu9EgfJ5wmArjmM8PRtbY
TVIAp0htw+efC7PbCbaa0SaDltAR0Q19lIROUfccoLLpUCyk5mQvjg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhWkZpd3ZvWWM3ZjRkbnc4
NGRiZi9rMDJoaGRENjRDWHUwZllibEQ5aDBJCllFeE9XbTNlMnFSZTZBY1FVSmph
Z2cxTzdGSEdlQ0UzeWpzUENjM1Fpd2MKLS0tIGUvVUpjZTFqa2RvY2U3TlBXaXNB
VkdHS1FSdmlXKzdNRmltZDdmUWVZc0kK0TQeKRVafkIY2v0OBnxIQr48v9ilOEld
PpqwtEtH1HcSFwxhaFymUQpqg5Uvh5eXoPB/bnxOnOPlDYB+/HZQ0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1s95yw988he30l6wegfwquh4nh03jst2tvyu4ykng4g88h7s3a3rs5zh5fp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbCt0NDAvT0pCVmxpOUNh
TXpIanhKK01jN3FuaUdDeWJHZkFRdXBjMUhJCmNqWVNkN1owWnFOakJ6NWovQVZw
dnB5Vm4zMWpvZkZkODJqS2hxRVRaaDQKLS0tIERlMkozL2xBWVp4NWRlZnpiVVk5
cnZiZ1YvTlBWUVdoSjNqYkVXaGZHTlEKe7w9qbDkzfxoW4CVxH2hmO9JFuCYCcgp
bguCZbLQpyjiS6LjpX5AqXQH9tRqWNnqhq8QTbB9v4VIw5rz7S9Hpw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-24T12:22:54Z"
mac: ENC[AES256_GCM,data:kyB5rwsn6gVutITtzmBwPFHY0x42SbsZMy98JF0wVGBfjDrfmwmxAeFOJ9KmvR0rUaEr7RPMOFCwT5w/zUUsColF7Dy5uoOSpV7JxPi6suVGUmz5BkGaPB5HvIQhtb/75owUx+9Fvjq4Vmnh8UX9vk/0Gj/ay0p3BFiypJegyuI=,iv:5mJC3xoeTyw6jv7+hSTyUUz9luffSuN6TrKPohTT95M=,tag:iq8aBa9dTjmC7z7DrcP3JQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

2
users/erwin/home.nix
View file

@ -102,7 +102,7 @@ in
enable = true; enable = true;
name = "Erwin Boskma"; name = "Erwin Boskma";
email = "erwin@datarift.nl"; email = "erwin@datarift.nl";
signingKey = "${homeCfg.home.homeDirectory}/.ssh/id_ed25519"; signingKey = "${homeCfg.home.homeDirectory}/.ssh/id_ed25519_sk_personal.pub";
signingBackend = "ssh"; signingBackend = "ssh";
}; };
mpd.enable = true; mpd.enable = true;