diff --git a/flake.nix b/flake.nix
index 15d7023..c1fb4c7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -74,7 +74,7 @@
       devShells.${system} = import ./devshell { inherit flake self inputs pkgs system; };
       legacyPackages.${system} = import ./legacy { inherit flake self inputs pkgs system; };
       nixosConfigurations = {
-        "xray|${system}" = import ./nixos/system/xray { inherit flake self inputs system; };
+        "bfs|${system}" = import ./nixos/system/bfs { inherit flake self inputs system; };
       };
       checks.${system} = import ./test { inherit flake self inputs pkgs system; };
     }) // {
diff --git a/nixos/system/xray/xray.nix b/nixos/system/bfs/bfs.nix
similarity index 72%
rename from nixos/system/xray/xray.nix
rename to nixos/system/bfs/bfs.nix
index 2e39e9d..39a47b0 100644
--- a/nixos/system/xray/xray.nix
+++ b/nixos/system/bfs/bfs.nix
@@ -10,6 +10,7 @@
   ...
 }: let
   xrayPort = 10086;
+  matrixDomain = "accord.tube";
 in {
   # TODO:
   # white list
@@ -20,8 +21,20 @@ in {
   imports = [
     self.nixosModules.hectic
     inputs.sops-nix.nixosModules.sops
+    #./voice-tune.nix
+    ./matrix.nix
   ];
 
+  currentServer = {
+    matrix = {
+      postgresql = {
+        port = 5432;
+        initialEnvFile = config.sops.secrets."init-postgresql".path;
+      };
+      matrixDomain = "accord.tube";
+    };
+  };
+
   services.xray = {
     enable = true;
     settingsFile = config.sops.secrets."config".path;
@@ -62,25 +75,25 @@ in {
     };
   };
 
-
   hectic = {
     archetype.base.enable = true;
     archetype.dev.enable = true;
   };
 
   sops = {
-    gnupg.sshKeyPaths = [ ];
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    defaultSopsFile = ../../../sus/bfs.xray.yaml;
+    gnupg.sshKeyPaths = [ ];
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../../../sus/bfs.xray.yaml;
 
-    secrets."config" = {};
+    secrets."config" = {};
+    secrets."init-postgresql" = {};
   };
 
-
   networking.firewall = {
     enable = true;
     allowedTCPPorts = [
       xrayPort
+      80 443 # for acme
     ];
   };
 }
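Review bot: `matrixDomain = "accord.tube";` inside the new `currentServer.matrix` block repeats the literal that the `let matrixDomain = "accord.tube";` binding added in the previous hunk already holds, so that binding is unused and the two values can drift apart; `inherit matrixDomain;` in the attribute set would use it. The `#./voice-tune.nix` import is added commented out, so no TURN configuration is wired in yet — a short `# TODO: enable once voice-tune.nix is fixed` next to it would tell the next reader whether that is deliberate. The enclosing attribute set of bfs.nix continues outside this hunk.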
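Review bot: `secrets."init-postgresql" = {};` declares the secret with sops-nix's default owner and mode (root, 0400 unless overridden), yet matrix.nix sources that path from PostgreSQL's `initialScript`, which presumably runs inside the postgresql service as the `postgres` user, so the `. ${cfg.postgresql.initialEnvFile}` step would fail with permission denied; `secrets."init-postgresql" = { owner = "postgres"; };` (or an equivalent `group`/`mode`) is needed for the env file to be readable there. The `80 443 # for acme` addition is consistent with the nginx/ACME setup in matrix.nix, while port 5432 correctly stays closed even though the database enables TCP. The `-`/`+` pairs for `gnupg.sshKeyPaths`, `age.sshKeyPaths` and `defaultSopsFile` appear to be indentation-only changes.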
diff --git a/nixos/system/xray/default.nix b/nixos/system/bfs/default.nix
similarity index 100%
rename from nixos/system/xray/default.nix
rename to nixos/system/bfs/default.nix
diff --git a/nixos/system/bfs/matrix.nix b/nixos/system/bfs/matrix.nix
new file mode 100644
index 0000000..31b9513
--- /dev/null
+++ b/nixos/system/bfs/matrix.nix
@@ -0,0 +1,141 @@
+{ pkgs, lib, config, ... }: let
+  cfg = config.currentServer.matrix;
+in {
+  options = {
+    currentServer.matrix = {
+      postgresql = {
+        port = lib.mkOption {
+          type = lib.types.port;
+          default = 5432;
+          description = ''
+            postgres port
+          '';
+        };
+        initialEnvFile = lib.mkOption {
+          type = lib.types.path;
+          description = ''
+            path to env file with postgresql initial secrets
+
+            content:
+            POSTGRESQL_PASSWORD=
+          '';
+        };
+      };
+      matrixDomain = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          domain to matrix
+        '';
+      };
+
+    };
+  };
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = cfg.matrixDomain;
+        public_baseurl = "https://${cfg.matrixDomain}";
+        listeners = [
+          {
+            port = 8008;
+            bind_addresses = [ "0.0.0.0" ];
+            type = "http";
+            tls = false;
+            resources = [
+              {
+                names = [
+                  "client"
+                  # Ability speak between different matrix servers, requires .well-known
+                  #"federation"
+                ];
+                compress = false;
+              }
+            ];
+          }
+        ];
+
+        enable_registration = true;
+        enable_registration_without_verification = true;
+
+        registration_shared_secret = "secret1";
+        macaroon_secret_key = "secret2";
+        form_secret = "secret3";
+      };
+    };
+
+    environment.systemPackages = [
+      pkgs.matrix-synapse
+    ];
+
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_17;
+
+      initdbArgs = [
+        "--locale=C"
+        "--encoding=UTF8"
+      ];
+
+      enableTCPIP = true;
+      port = cfg.postgresql.port;
+      authentication = builtins.concatStringsSep "\n" [
+        "local all all trust"
+        "host sameuser all 127.0.0.1/32 scram-sha-256"
+        "host sameuser all ::1/128 scram-sha-256"
+        "host all all ::1/128 scram-sha-256"
+        "host all all 0.0.0.0/0 scram-sha-256"
+
+        "host replication postgres 127.0.0.1/32 scram-sha-256"
+        "host replication postgres ::1/128 scram-sha-256"
+      ];
+
+      settings = {
+        wal_level = "replica";
+        max_wal_senders = 10;
+      };
+
+      ensureUsers = [
+        {
+          name = "matrix-synapse";
+          ensureClauses.login = true;
+          ensureDBOwnership = true;
+        }
+      ];
+
+      ensureDatabases = [
+        "matrix-synapse"
+      ];
+
+      initialScript = pkgs.writeText "init-sql-script" ''
+        -- setup password from env/sops
+        DO $$#!${pkgs.dash}/bin/dash
+        set -e
+        . ${cfg.postgresql.initialEnvFile}
+        psql -Atc "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_PASSWORD'";
+        $$ LANGUAGE plsh;
+
+        CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse';
+      '';
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts.${cfg.matrixDomain} = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8008";
+        };
+      };
+    };
+
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "hectic.yukkop.it@gmail.com";
+        enableDebugLogs = true;
+      };
+    };
+  };
+}
diff --git a/nixos/system/bfs/voice-tune.nix b/nixos/system/bfs/voice-tune.nix
new file mode 100644
index 0000000..34eb739
--- /dev/null
+++ b/nixos/system/bfs/voice-tune.nix
@@ -0,0 +1,33 @@
+{ lib, config, ... }: let
+  cfg = config.currentServer.matrixDomain;
+in {
+  options = {
+    currentServer.matrixDomain = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        domain
+      '';
+    };
+  };
+  config = {
+    services.coturn = {
+      enable = true;
+      realm = cfg.matrixDomain;
+
+      listening-port = 3478;
+      tls-listening-port = 5349;
+      no-cli = true;
+    };
+
+    networking.firewall.allowedUDPPorts = [ 3478 5349 ];
+    networking.firewall.allowedTCPPorts = [ 3478 5349 ];
+
+    services.matrix-synapse.settings = {
+      turn_uris = [
+        "turn:your.domain:3478?transport=udp"
+        "turns:your.domain:5349?transport=tcp"
+      ];
+      turn_shared_secret = "secret";
+    };
+  };
+}
diff --git a/sus/bfs.xray.yaml b/sus/bfs.xray.yaml
index 7a25386..0926bc4 100644
--- a/sus/bfs.xray.yaml
+++ b/sus/bfs.xray.yaml
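Review bot: `registration_shared_secret = "secret1"`, `macaroon_secret_key = "secret2"` and `form_secret = "secret3"` are literal strings in the Synapse `settings`, so they end up in this repository and in the world-readable Nix store, even though the same module already routes the PostgreSQL credential through sops via `cfg.postgresql.initialEnvFile`; they belong in a sops-managed YAML fragment referenced from `services.matrix-synapse.extraConfigFiles`. The listener is bound to `0.0.0.0` although nginx proxies to `127.0.0.1:8008`; binding to loopback and setting `x_forwarded = true` keeps the plaintext listener off external interfaces and lets Synapse see real client addresses for its rate limiting. `enable_registration_without_verification = true` on a public `server_name` permits unattended sign-ups, which is a well-known abuse vector — confirm it is intended and consider removing it once the shared-secret registration works. In `services.postgresql.authentication`, `local all all trust` lets any local account connect as any role without a password, `host all all 0.0.0.0/0` is only harmless while bfs.nix's firewall keeps 5432 closed, and `CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse'` in `initialScript` looks like a leftover placeholder carrying yet another literal password (the `LANGUAGE plsh` block also presumes the plsh extension is installed, which nothing here provides). The secret-file and listener change is sketched below; the sops secret name is a placeholder to be declared in bfs.nix.
```nix
    services.matrix-synapse = {
      enable = true;
      # Secrets live in a sops-managed YAML fragment, not in the Nix store.
      extraConfigFiles = [ config.sops.secrets."<synapse-secrets>".path ];
      settings = {
        # … unchanged: server_name, public_baseurl …
        listeners = [
          {
            port = 8008;
            bind_addresses = [ "127.0.0.1" ];
            x_forwarded = true;
            # … unchanged: type, tls, resources …
          }
        ];
        enable_registration = true;
        # registration_shared_secret, macaroon_secret_key and form_secret
        # are supplied by the extraConfigFiles entry above.
      };
    };
```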
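Review bot: `realm = cfg.matrixDomain;` cannot evaluate once `./voice-tune.nix` is imported, because `cfg` is bound to `config.currentServer.matrixDomain`, which this same module declares as a `lib.types.str`, so `.matrixDomain` is attribute access on a string; either bind `cfg = config.currentServer;` or write `realm = cfg;`. `turn_shared_secret = "secret"` is another literal credential headed for the Nix store, and the `turn_uris` still carry the `your.domain` placeholder instead of the realm, so the entries should be built from the domain option. The coturn side sets no `static-auth-secret` (or `static-auth-secret-file`) and no `use-auth-secret`, so the TURN credentials Synapse issues from `turn_shared_secret` would presumably not be accepted, and the firewall lines open only 3478/5349 while coturn's relay UDP port range (`min-port`..`max-port`) also has to be reachable. The file is dead for now because bfs.nix keeps its import commented out, but these should be fixed before it is enabled.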
@@ -1,4 +1,5 @@
 config: ENC[AES256_GCM,data:IL0jhVCw2YcZW/LkOrKXYrVAzq6jC65gAzOhfD8P8DL8GKQUHY/GlzJBNw+Vnk+EO8vYdcwpjWou+lhyL9aG7HKqK4rVo8nhxVyCmcaoAPjz4gmHer0teAloI5xCtifbDzzE4VAvpxmZbMPg6d5kSV3elqIFzCBVSsM1KM7ku/0+NEm2VuJuZEsta5UqHDGAPPBqy1TkQXDtabyLfP4q4GimKBI4t7uusE0oMRB5WuSljTpW9eBd5pRrKBZZ+oFDn5Lx2GK4DpVX92VKtbEWewRpcU3/2KhSXSc+Nx+Vw0ULc1P1AMtl8v8SBbYLZZF9Ebsl2/XTRvEZO+HuZ4op2zTrLTElFBx4UKoq4tJGru6XeEKRECgIi7jPq0e1NmY+jyjTa8xyUCG2h//+jffMFCvOvN1xy/NYALnaf6dl+NfCYIlRYuPXEA==,iv:v8AKjCMUDcCBDkbp2AxQddTCPmIXpTkgecO5PPQ1Ljs=,tag:fbrMrlRc7tsTr6pppeHbuA==,type:str]
+init-postgresql: ENC[AES256_GCM,data:4RGUfJLnYd0C0rGwa11DdreQFly1bcmAv728hv4QGzRRxcrka9GkOubPZFLZCZ8icoydotOckHK7caXK3Hg=,iv:T66gCmgEn94ydApfAs6eK/5FWlzXs3QmOYUQKbhllWI=,tag:9ZcOB/e0MGjjhXWbEpKGYg==,type:str]
 sops:
     age:
         - recipient: age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
@@ -28,7 +29,7 @@ sops:
             dFh2anpQTTBpVDdCd3hIYmJLMmpVM0kKvuWuryBpHTpsn9eq6MosafVH0m2KTmql
             xzxUibPr2BmeR4QAB+pYLqTBH1+N9atGYdLe5qe7GqEmcjq8IfJnBw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-05T00:29:42Z"
-    mac: ENC[AES256_GCM,data:7Aq8HPrJNohcjvIp6FZdNVtjXIg4tviJ7dLXO4NQo5H70l35el1+PusKX+tTjaSx4lVNlosDVQAhT44k8giKkiOivt0Uonn5c8MPSwVB+MOT6kLTwdDIG0mvW8vEl7EXVMNgI2gK1FPGpBEIgK5kJ0wmyM4fwVyfQfJMQqwZhk4=,iv:cpEA6krRGT3tAgT8PqF2wh9zYQ59Bpls3iYZpguRHjI=,tag:izeoirVSJ5phVDJ+xPuePA==,type:str]
+    lastmodified: "2025-12-05T15:21:27Z"
+    mac: ENC[AES256_GCM,data:7VvtCv2InOrlYO63IZatZWqDSCgxNILktNbGdg0RtAbyByXB+Ct2ab/Lb3N+uV33KUnBx8n9H8U4r2u6vPJT7yj+b/QcdyAmc21jqhe6IQmMQB6sLKLde82hz3NhdFLarFrFioiqkKYJQkmO1qPfNJXhFbdD8MA3ELCwqBGLNoE=,iv:13TDmpH7GB5nOjpXI42ccbPnO67cjEFTkq1hj2KL9AI=,tag:1hSIsbDOdp7T7kj+yB+2lw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2