diff --git a/.sops.yaml b/.sops.yaml index 8730ae2..a8414a8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,6 +5,7 @@ keys: - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t - &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs + - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn creation_rules: - path_regex: secrets/services/dns-knot.yaml key_groups: @@ -72,3 +73,9 @@ creation_rules: - *emily age: - *crime + - path_regex: secrets/restic/zh3485s3.yaml + key_groups: + - pgp: + - *emily + age: + - *emilia diff --git a/config/hosts/emilia/configuration.nix b/config/hosts/emilia/configuration.nix index cad1e2c..846aab0 100644 --- a/config/hosts/emilia/configuration.nix +++ b/config/hosts/emilia/configuration.nix @@ -17,6 +17,21 @@ kyouma.machine-type.physical = true; kyouma.nginx.defaultForbidden = "uptime.kyouma.net"; + kyouma.restic = { + enable = true; + remoteUser = "zh3485s3"; + timerConfig = { + OnCalendar = "hourly"; + Persistent = true; + }; + }; + + kyouma.matrix = { + enable = true; + serverName = "woof.rip"; + hostname = "matrix.woof.rip"; + }; + networking.hostName = "emilia"; systemd.network.networks."98-eth-default" = { @@ -33,5 +48,4 @@ { Gateway = "fe80::1"; } ]; }; - } diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix new file mode 100644 index 0000000..a771d0f --- /dev/null +++ b/modules/matrix/default.nix 
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, ... }: let
+ cfg = config.kyouma.matrix;
+ unix_socket_path = "/run/conduwuit/conduwuit.sock";
+in {
+ options.kyouma.matrix = {
+ enable = lib.mkEnableOption "enable matrix server";
+ serverName = lib.mkOption {
+ description = "Name used as a suffix for user and room ids";
+ type = lib.types.nonEmptyStr;
+ default = null;
+ };
+ hostname = lib.mkOption {
+ description = "Domain name that will be used to connect to the server";
+ type = lib.types.nonEmptyStr;
+ default = null;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ services.conduwuit = {
+ enable = true;
+ settings = {
+ global = {
+ inherit unix_socket_path;
+ unix_socket_perms = 666;
+ server_name = cfg.serverName;
+ database_backup_path = "/var/lib/conduwuit/db-backup";
+ database_backups_to_keep = 1;
+ new_user_displayname_suffix = "";
+ ip_lookup_strategy = 4;
+ max_request_size = 256 * 1024 * 1024;
+ federation_timeout = 15 * 60;
+ allow_registration = true;
+ registration_token = "woofwoof";
+ allow_public_room_directory_over_federation = true;
+ allow_public_room_directory_without_auth = false;
+ allow_local_presence = true;
+ allow_incoming_presence = true;
+ allow_outgoing_presence = true;
+ typing_federation_timeout_s = 240;
+ typing_client_timeout_max_s = 240;
+ forbidden_usernames = [ "admin" "administrator" ];
+ well_known = {
+ client = "https://${cfg.hostname}";
+ server = "${cfg.hostname}:443";
+ };
+ };
+ };
+ };
+ kyouma.nginx.virtualHosts = {
+ ${cfg.hostname}.locations."/" = {
+ proxyPass = "http://unix:${unix_socket_path}";
+ recommendedProxySettings = true;
+ };
+ ${cfg.serverName}.locations."~ ^/.well-known/matrix(/.*)$" = {
+ proxyPass = "http://unix:${unix_socket_path}";
+ recommendedProxySettings = true;
+ };
+ };
+ security.acme.certs.${cfg.hostname} = {};
+ kyouma.restic = {
+ paths = [
+ "/var/lib/conduwuit/media"
+ "/var/lib/conduwuit/db-backup"
+ ];
+# backupPrepareCommand = ''
+# ${lib.getExe pkgs.conduwuit} --execute "server backup"
+# 
'';
+ };
+ systemd.services.conduwuit.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
+ };
+}
diff --git a/secrets/restic/zh3485s3.yaml b/secrets/restic/zh3485s3.yaml
new file mode 100644
index 0000000..77ee7fa
--- /dev/null
+++ b/secrets/restic/zh3485s3.yaml
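Review bot: `registration_token = "woofwoof";` together with `allow_registration = true;` commits the registration secret to the repository and, since `services.conduwuit.settings` is presumably rendered into a config file in the world-readable Nix store, exposes it to every local user on the host; this repo already manages secrets with sops (the new secrets/restic file in this same commit), so the token belongs in a sops-provisioned file instead, e.g. `registration_token_file = config.sops.secrets."<secret-name>".path;` (conduwuit's `registration_token_file` setting, if the packaged version supports it) plus a matching `sops.secrets` entry, with the literal `registration_token` line removed. `default = null;` on both `lib.types.nonEmptyStr` options means an enabled module that forgot `hostname` or `serverName` fails with a type-check error on `null` rather than a clear missing-option error; dropping the `default` lines gives the module system's "used but not defined" message. `unix_socket_perms = 666;` combined with `RuntimeDirectoryMode = "0755"` lets any local process talk to the Matrix API on the socket directly, bypassing nginx; `660` with the nginx user in conduwuit's group would be tighter, if the service's user/group layout allows it. Because `backupPrepareCommand` is commented out, the `/var/lib/conduwuit/db-backup` path in `kyouma.restic.paths` is only as fresh as the last manually triggered `server backup`, which deserves a TODO comment next to the disabled lines so the gap is not forgotten.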
@@ -0,0 +1,35 @@
+restic:
+ zh3485s3:
+ password: ENC[AES256_GCM,data:s9AawDoH+OfAcahdpzUQ0/J3STf2dyOnt5aFs6FrZ/wkA9YZv3vg/SRex+6jDRA7,iv:vQQZSubZd2XKu9n/qr2rO0VIeobhn72XZ65kOlX/TeM=,tag:KwMtfslw93Y60wCfZEHxEA==,type:str]
+ id_ed25519: ENC[AES256_GCM,data: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,iv:Wf56t+KfFA+T93HqC8yusHK03tOLHlBi4eXBY8AprM4=,tag:co80y+TA9XUNc1mjWliarg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OEJHMlFuQm8xeXNhTG5w
+ dCtiU1hwY2lSaVMzME9Wcm5SNkRGM3J5NWhRClhScW5abmVEckFSeTUxd212WnVm
+ NnhqRlRHVUFtVkdFYUUvaWs5UW1kNW8KLS0tIFFiSis0cUR2dTV5S1hSdkpjbGdv
+ VUtqWjMzUm1oVDlCL2V1cXpYbVd4Ym8KfcPUwWdz7aFBjAiIoIbp8F6n4k5vGK3E
+ yxvKDr+Le+vBpljGCD1tWkg8aPvKxHFgyu6nAToXorTI40NZx8bPUA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-19T14:49:46Z"
+ mac: ENC[AES256_GCM,data:5TO2OmjVMGCfSc64DcAyYMmW2sUA+pUCCoe1K/X2yxa0KL6ycYLF5JS+RJRLG62grdnqH6AGHgg9C2GqruJp/+307YsbKEZ+yA/U3GUxSpge1YKQ3JUbRzNsCcGMZ5rz8a1bt+EWPV6QFV+ouuKoEwYrOHlq5L3hepUmcju+nzc=,iv:IKCe7Rbtm4r7A71FmCv50HBqwixJ7t3xvZjdT6vJPc4=,tag:9J5bNEFNB0at+HhiJl5dYQ==,type:str]
+ pgp:
+ - created_at: "2025-01-19T14:48:06Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdA++VY5bgWKEBjlP3NSMaVY3iTUtY9oYc+JWRhTb4I0R8w
+ qGuNlDh6SEX4QQPgopg1/ttNvVOWPKYbmeJuUoJIDkT4GEnteAXCkiC+jp3qkE4v
+ 0lwBo15+lfZGs/zXM4A2Q42DHoQvA172tOfpl8lvM+c0pugo6sA5R4kHe4rFDNF1
+ T4/T9fshPu2xXSJn68vNJ/9R0yxzziDSR5U9qPmzjQ/uRkGO7D8ecMC0MTHpQg==
+ =+6BE
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1