emilia: add conduwuit config

emily 2025-01-19 15:56:53 +01:00
parent d0fc7889b5
commit 40db129f3a
Signed by: emily
GPG key ID: F6F4C66207FCF995
4 changed files with 128 additions and 1 deletions


@ -5,6 +5,7 @@ keys:
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
- &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
- &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
creation_rules:
- path_regex: secrets/services/dns-knot.yaml
key_groups:
@ -72,3 +73,9 @@ creation_rules:
- *emily
age:
- *crime
- path_regex: secrets/restic/zh3485s3.yaml
key_groups:
- pgp:
- *emily
age:
- *emilia


@ -17,6 +17,21 @@
kyouma.machine-type.physical = true;
kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
kyouma.restic = {
enable = true;
remoteUser = "zh3485s3";
timerConfig = {
OnCalendar = "hourly";
Persistent = true;
};
};
kyouma.matrix = {
enable = true;
serverName = "woof.rip";
hostname = "matrix.woof.rip";
};
networking.hostName = "emilia";
systemd.network.networks."98-eth-default" = {
@ -33,5 +48,4 @@
{ Gateway = "fe80::1"; }
];
};
}


@ -0,0 +1,71 @@
{ config, lib, pkgs, ... }: let
cfg = config.kyouma.matrix;
unix_socket_path = "/run/conduwuit/conduwuit.sock";
in {
options.kyouma.matrix = {
enable = lib.mkEnableOption "enable matrix server";
serverName = lib.mkOption {
description = "Name used as a suffix for user and room ids";
type = lib.types.nonEmptyStr;
default = null;
};
hostname = lib.mkOption {
description = "Domain name that will be used to connect to the server";
type = lib.types.nonEmptyStr;
default = null;
};
};
config = lib.mkIf cfg.enable {
services.conduwuit = {
enable = true;
settings = {
global = {
inherit unix_socket_path;
unix_socket_perms = 666;
server_name = cfg.serverName;
database_backup_path = "/var/lib/conduwuit/db-backup";
database_backups_to_keep = 1;
new_user_displayname_suffix = "";
ip_lookup_strategy = 4;
max_request_size = 256 * 1024 * 1024;
federation_timeout = 15 * 60;
allow_registration = true;
registration_token = "woofwoof";
allow_public_room_directory_over_federation = true;
allow_public_room_directory_without_auth = false;
allow_local_presence = true;
allow_incoming_presence = true;
allow_outgoing_presence = true;
typing_federation_timeout_s = 240;
typing_client_timeout_max_s = 240;
forbidden_usernames = [ "admin" "administrator" ];
well_known = {
client = "https://${cfg.hostname}";
server = "${cfg.hostname}:443";
};
};
};
};
kyouma.nginx.virtualHosts = {
${cfg.hostname}.locations."/" = {
proxyPass = "http://unix:${unix_socket_path}";
recommendedProxySettings = true;
};
${cfg.serverName}.locations."~ ^/.well-known/matrix(/.*)$" = {
proxyPass = "http://unix:${unix_socket_path}";
recommendedProxySettings = true;
};
};
security.acme.certs.${cfg.hostname} = {};
kyouma.restic = {
paths = [
"/var/lib/conduwuit/media"
"/var/lib/conduwuit/db-backup"
];
# backupPrepareCommand = ''
# ${lib.getExe pkgs.conduwuit} --execute "server backup"
# '';
};
systemd.services.conduwuit.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
};
}
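Review bot: `registration_token = "woofwoof";` commits the registration secret in plaintext to the repository and, presumably via the generated conduwuit config, to the world-readable Nix store; with `allow_registration = true` this short, guessable string is the only gate on account creation. The repo already encrypts other secrets with sops, so a long random token could live in an encrypted file and be referenced with `registration_token_file = "<path to decrypted secret>";`, which conduwuit documents as taking precedence over the inline token. The current value should be treated as disclosed and rotated. Separately, `unix_socket_perms = 666` combined with `RuntimeDirectoryMode = lib.mkForce "0755"` appears to let any local account reach the homeserver socket directly rather than through nginx. Using `660` and adding the nginx user to the service's group would narrow that, assuming the module's user and group layout allows it.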


@ -0,0 +1,35 @@
restic:
zh3485s3:
password: ENC[AES256_GCM,data:s9AawDoH+OfAcahdpzUQ0/J3STf2dyOnt5aFs6FrZ/wkA9YZv3vg/SRex+6jDRA7,iv:vQQZSubZd2XKu9n/qr2rO0VIeobhn72XZ65kOlX/TeM=,tag:KwMtfslw93Y60wCfZEHxEA==,type:str]
id_ed25519: ENC[AES256_GCM,data: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,iv:Wf56t+KfFA+T93HqC8yusHK03tOLHlBi4eXBY8AprM4=,tag:co80y+TA9XUNc1mjWliarg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OEJHMlFuQm8xeXNhTG5w
dCtiU1hwY2lSaVMzME9Wcm5SNkRGM3J5NWhRClhScW5abmVEckFSeTUxd212WnVm
NnhqRlRHVUFtVkdFYUUvaWs5UW1kNW8KLS0tIFFiSis0cUR2dTV5S1hSdkpjbGdv
VUtqWjMzUm1oVDlCL2V1cXpYbVd4Ym8KfcPUwWdz7aFBjAiIoIbp8F6n4k5vGK3E
yxvKDr+Le+vBpljGCD1tWkg8aPvKxHFgyu6nAToXorTI40NZx8bPUA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-19T14:49:46Z"
mac: ENC[AES256_GCM,data:5TO2OmjVMGCfSc64DcAyYMmW2sUA+pUCCoe1K/X2yxa0KL6ycYLF5JS+RJRLG62grdnqH6AGHgg9C2GqruJp/+307YsbKEZ+yA/U3GUxSpge1YKQ3JUbRzNsCcGMZ5rz8a1bt+EWPV6QFV+ouuKoEwYrOHlq5L3hepUmcju+nzc=,iv:IKCe7Rbtm4r7A71FmCv50HBqwixJ7t3xvZjdT6vJPc4=,tag:9J5bNEFNB0at+HhiJl5dYQ==,type:str]
pgp:
- created_at: "2025-01-19T14:48:06Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdA++VY5bgWKEBjlP3NSMaVY3iTUtY9oYc+JWRhTb4I0R8w
qGuNlDh6SEX4QQPgopg1/ttNvVOWPKYbmeJuUoJIDkT4GEnteAXCkiC+jp3qkE4v
0lwBo15+lfZGs/zXM4A2Q42DHoQvA172tOfpl8lvM+c0pugo6sA5R4kHe4rFDNF1
T4/T9fshPu2xXSJn68vNJ/9R0yxzziDSR5U9qPmzjQ/uRkGO7D8ecMC0MTHpQg==
=+6BE
-----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted
version: 3.9.1