feat(nixos): bfs: +matrix, very unsave

This commit is contained in:
2025-12-05 16:30:34 +00:00
parent 9d914ed863
commit 49bf4c6d91
6 changed files with 197 additions and 9 deletions

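--- a/nixos/system/bfs/bfs.nix
+++ b/nixos/system/bfs/bfs.nix
@@ -0,0 +1,99 @@
+{
+inputs,
+flake,
+self,
+}: {
+lib,
+pkgs,
+modulesPath,
+config,
+...
+}: let
+xrayPort = 10086;
+matrixDomain = "accord.tube";
+in {
+# TODO:
+# white list
+# torent
+# rate limit
+# ping - game and speak
+imports = [
+self.nixosModules.hectic
+inputs.sops-nix.nixosModules.sops
+#./voice-tune.nix
+./matrix.nix
+];
+currentServer = {
+matrix = {
+postgresql = {
+port = 5432;
+initialEnvFile = config.sops.secrets."init-postgresql".path;
+};
+matrixDomain = "accord.tube";
+};
+};
+services.xray = {
+enable = true;
+settingsFile = config.sops.secrets."config".path;
+};
+users.users.root.openssh.authorizedKeys.keys = [
+''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOn1KflaIX1RU9YS/qLb0GInmndYxx2vTLZC9OA+eXZl''
+];
+boot.loader.grub.device = "/dev/vda";
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"xen_blkfront"
+] ++ (if pkgs.system != "aarch64-linux" then [ "vmw_pvscsi" ] else []);
+boot.initrd.kernelModules = ["nvme"];
+disko.devices = {
+disk.vda = {
+device = lib.mkDefault "/dev/vda";
+content = {
+type = "table";
+format = "msdos";
+partitions = [
+{
+name = "root";
+part-type = "primary";
+fs-type = "ext4";
+bootable = true;
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+}
+];
+};
+};
+};
+hectic = {
+archetype.base.enable = true;
+archetype.dev.enable = true;
+};
+sops = {
+gnupg.sshKeyPaths = [ ];
+age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+defaultSopsFile = ../../../sus/bfs.xray.yaml;
+secrets."config" = {};
+secrets."init-postgresql" = {};
+};
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [
+xrayPort
+80 443 # for acme
+];
+};
+}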
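Review bot: `xrayPort = 10086` is used only to open the firewall, while the port xray actually listens on is defined inside the sops-managed `settingsFile`, so the firewall rule and the real listener can silently drift apart; a comment on the binding such as `# must match the inbound port in the sops-managed xray config (secrets."config")` would record that coupling. The `matrixDomain` let binding is never referenced — `currentServer.matrix.matrixDomain` repeats the literal `"accord.tube"` — so either drop the binding or use it via `inherit matrixDomain;` inside `currentServer.matrix`. The commented-out `./voice-tune.nix` import suggests the coturn module elsewhere in this commit is not yet wired in; if that is intentional, a short TODO next to it would make that clearer than a bare comment.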


@@ -0,0 +1,20 @@
{
flake,
self,
inputs,
system,
...
}: let
# Use folder name as name of this system
name = builtins.baseNameOf ./.;
in self.lib.nixpkgs-lib.nixosSystem {
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
};
modules = [
{ networking.hostName = name; }
(import ./${name}.nix { inherit flake self inputs; })
];
}

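--- a/nixos/system/bfs/matrix.nix
+++ b/nixos/system/bfs/matrix.nix
@@ -0,0 +1,141 @@
+{ pkgs, lib, config, ... }: let
+cfg = config.currentServer.matrix;
+in {
+options = {
+currentServer.matrix = {
+postgresql = {
+port = lib.mkOption {
+type = lib.types.port;
+default = 5432;
+description = ''
+postgres port
+'';
+};
+initialEnvFile = lib.mkOption {
+type = lib.types.path;
+description = ''
+path to env file with postgresql initial secrets
+content:
+POSTGRESQL_PASSWORD=
+'';
+};
+};
+matrixDomain = lib.mkOption {
+type = lib.types.str;
+description = ''
+domain to matrix
+'';
+};
+};
+};
+config = {
+services.matrix-synapse = {
+enable = true;
+settings = {
+server_name = cfg.matrixDomain;
+public_baseurl = "https://${cfg.matrixDomain}";
+listeners = [
+{
+port = 8008;
+bind_addresses = [ "0.0.0.0" ];
+type = "http";
+tls = false;
+resources = [
+{
+names = [
+"client"
+# Ability speak between different matrix servers, requires .well-known
+#"federation"
+];
+compress = false;
+}
+];
+}
+];
+enable_registration = true;
+enable_registration_without_verification = true;
+registration_shared_secret = "secret1";
+macaroon_secret_key = "secret2";
+form_secret = "secret3";
+};
+};
+environment.systemPackages = [
+pkgs.matrix-synapse
+];
+services.postgresql = {
+enable = true;
+package = pkgs.postgresql_17;
+initdbArgs = [
+"--locale=C"
+"--encoding=UTF8"
+];
+enableTCPIP = true;
+port = cfg.postgresql.port;
+authentication = builtins.concatStringsSep "\n" [
+"local all all trust"
+"host sameuser all 127.0.0.1/32 scram-sha-256"
+"host sameuser all ::1/128 scram-sha-256"
+"host all all ::1/128 scram-sha-256"
+"host all all 0.0.0.0/0 scram-sha-256"
+"host replication postgres 127.0.0.1/32 scram-sha-256"
+"host replication postgres ::1/128 scram-sha-256"
+];
+settings = {
+wal_level = "replica";
+max_wal_senders = 10;
+};
+ensureUsers = [
+{
+name = "matrix-synapse";
+ensureClauses.login = true;
+ensureDBOwnership = true;
+}
+];
+ensureDatabases = [
+"matrix-synapse"
+];
+initialScript = pkgs.writeText "init-sql-script" ''
+-- setup password from env/sops
+DO $$#!${pkgs.dash}/bin/dash
+set -e
+. ${cfg.postgresql.initialEnvFile}
+psql -Atc "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_PASSWORD'";
+$$ LANGUAGE plsh;
+CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse';
+'';
+};
+services.nginx = {
+enable = true;
+virtualHosts.${cfg.matrixDomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:8008";
+};
+};
+};
+security.acme = {
+acceptTerms = true;
+defaults = {
+email = "hectic.yukkop.it@gmail.com";
+enableDebugLogs = true;
+};
+};
+};
+}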
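Review bot: `registration_shared_secret`, `macaroon_secret_key` and `form_secret` are literal strings inside `settings`, so they are rendered into the world-readable Nix store and committed to git, and the same applies to the password in `initialScript` (`CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse'`), even though the same file already routes the postgres superuser password through `cfg.postgresql.initialEnvFile`. Moving the three synapse values into a sops-managed YAML file referenced from `services.matrix-synapse.extraConfigFiles` keeps them out of the store, and `enable_registration_without_verification = true` on a server whose `public_baseurl` is public leaves account creation open to anyone while `bind_addresses = [ "0.0.0.0" ]` exposes the plain-HTTP listener on every interface although nginx only proxies from 127.0.0.1. The pg_hba rules `local all all trust` and `host all all 0.0.0.0/0 scram-sha-256` let any local account connect as any role without a password and offer password authentication to every network (only the firewall in bfs.nix, which does not list 5432, stands in the way), so narrowing them to the synapse role and loopback is cheap. The `DO $$#!…$$ LANGUAGE plsh` block also depends on the plsh extension being installed, which nothing in this hunk provides — a comment pointing to where that is set up would help the next reader.
```nix
services.matrix-synapse = {
  enable = true;
  settings = {
    # … unchanged: server_name, public_baseurl …
    listeners = [
      {
        port = 8008;
        # nginx proxies from loopback; do not expose the plain-HTTP listener
        bind_addresses = [ "127.0.0.1" ];
        # … unchanged: type, tls, resources …
      }
    ];
    # registration stays closed until a verification method is configured
    enable_registration = false;
  };
  # registration_shared_secret, macaroon_secret_key and form_secret live in a
  # sops-managed file so they never enter the Nix store
  extraConfigFiles = [ config.sops.secrets."<SYNAPSE_SECRETS_PLACEHOLDER>".path ];
};
```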


@@ -0,0 +1,33 @@
{ lib, config, ... }: let
cfg = config.currentServer.matrixDomain;
in {
options = {
currentServer.matrixDomain = lib.mkOption {
type = lib.types.str;
description = ''
domain
'';
};
};
config = {
services.coturn = {
enable = true;
realm = cfg.matrixDomain;
listening-port = 3478;
tls-listening-port = 5349;
no-cli = true;
};
networking.firewall.allowedUDPPorts = [ 3478 5349 ];
networking.firewall.allowedTCPPorts = [ 3478 5349 ];
services.matrix-synapse.settings = {
turn_uris = [
"turn:your.domain:3478?transport=udp"
"turns:your.domain:5349?transport=tcp"
];
turn_shared_secret = "secret";
};
};
}
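Review bot: `cfg` is bound to `config.currentServer.matrixDomain`, which the option block declares as `lib.types.str`, so `realm = cfg.matrixDomain;` selects an attribute from a string and will fail at evaluation time; it should read `realm = cfg;` (or bind `cfg = config.currentServer;` and keep the selector). The `turn_uris` entries still carry the placeholder host `your.domain` rather than the configured domain, and `turn_shared_secret = "secret"` is a fixed value in the Nix store that coturn is never told about — no `static-auth-secret` is set on the `services.coturn` side, so the two will not match even before the secret is moved out of the store (`services.coturn.static-auth-secret-file` plus a sops secret is the usual shape). This file also declares `currentServer.matrixDomain` while matrix.nix declares `currentServer.matrix.matrixDomain`, so the domain has to be set twice; and since bfs.nix imports only `./matrix.nix` with `./voice-tune.nix` commented out, this module appears not to be included yet, so the evaluation error would surface only once it is.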