hectic-lab/util.nix
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(nixos): bfs: +matrix, very unsave

Browse Source
This commit is contained in:
yukkop
2025-12-05 16:30:34 +00:00
parent 9d914ed863
commit 49bf4c6d91
6 changed files with 197 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
flake.nix
View File

@@ -74,7 +74,7 @@
devShells.${system} = import ./devshell { inherit flake self inputs pkgs system; }; devShells.${system} = import ./devshell { inherit flake self inputs pkgs system; };
legacyPackages.${system} = import ./legacy { inherit flake self inputs pkgs system; }; legacyPackages.${system} = import ./legacy { inherit flake self inputs pkgs system; };
nixosConfigurations = { nixosConfigurations = {
"xray|${system}" = import ./nixos/system/xray { inherit flake self inputs system; }; "bfs|${system}" = import ./nixos/system/bfs { inherit flake self inputs system; };
}; };
checks.${system} = import ./test { inherit flake self inputs pkgs system; }; checks.${system} = import ./test { inherit flake self inputs pkgs system; };
}) // { }) // {

25
nixos/system/xray/xray.nix → nixos/system/bfs/bfs.nix
View File

@@ -10,6 +10,7 @@
... ...
}: let }: let
xrayPort = 10086; xrayPort = 10086;
matrixDomain = "accord.tube";
in { in {
# TODO: # TODO:
# white list # white list
@@ -20,8 +21,20 @@ in {
imports = [ imports = [
self.nixosModules.hectic self.nixosModules.hectic
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
#./voice-tune.nix
./matrix.nix
]; ];
currentServer = {
matrix = {
postgresql = {
port = 5432;
initialEnvFile = config.sops.secrets."init-postgresql".path;
};
matrixDomain = "accord.tube";
};
};
services.xray = { services.xray = {
enable = true; enable = true;
settingsFile = config.sops.secrets."config".path; settingsFile = config.sops.secrets."config".path;
@@ -62,25 +75,25 @@ in {
}; };
}; };
hectic = { hectic = {
archetype.base.enable = true; archetype.base.enable = true;
archetype.dev.enable = true; archetype.dev.enable = true;
}; };
sops = { sops = {
gnupg.sshKeyPaths = [ ]; gnupg.sshKeyPaths = [ ];
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ../../../sus/bfs.xray.yaml; defaultSopsFile = ../../../sus/bfs.xray.yaml;
secrets."config" = {}; secrets."config" = {};
secrets."init-postgresql" = {};
}; };
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
xrayPort xrayPort
80 443 # for acme
]; ];
}; };
} }

0
nixos/system/xray/default.nix → nixos/system/bfs/default.nix
View File

141
nixos/system/bfs/matrix.nix Normal file
View File

@@ -0,0 +1,141 @@
{ pkgs, lib, config, ... }: let
cfg = config.currentServer.matrix;
in {
options = {
currentServer.matrix = {
postgresql = {
port = lib.mkOption {
type = lib.types.port;
default = 5432;
description = ''
postgres port
'';
};
initialEnvFile = lib.mkOption {
type = lib.types.path;
description = ''
path to env file with postgresql initial secrets
content:
POSTGRESQL_PASSWORD=
'';
};
};
matrixDomain = lib.mkOption {
type = lib.types.str;
description = ''
domain to matrix
'';
};
};
};
config = {
services.matrix-synapse = {
enable = true;
settings = {
server_name = cfg.matrixDomain;
public_baseurl = "https://${cfg.matrixDomain}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
resources = [
{
names = [
"client"
# Ability speak between different matrix servers, requires .well-known
#"federation"
];
compress = false;
}
];
}
];
enable_registration = true;
enable_registration_without_verification = true;
registration_shared_secret = "secret1";
macaroon_secret_key = "secret2";
form_secret = "secret3";
};
};
environment.systemPackages = [
pkgs.matrix-synapse
];
services.postgresql = {
enable = true;
package = pkgs.postgresql_17;
initdbArgs = [
"--locale=C"
"--encoding=UTF8"
];
enableTCPIP = true;
port = cfg.postgresql.port;
authentication = builtins.concatStringsSep "\n" [
"local all all trust"
"host sameuser all 127.0.0.1/32 scram-sha-256"
"host sameuser all ::1/128 scram-sha-256"
"host all all ::1/128 scram-sha-256"
"host all all 0.0.0.0/0 scram-sha-256"
"host replication postgres 127.0.0.1/32 scram-sha-256"
"host replication postgres ::1/128 scram-sha-256"
];
settings = {
wal_level = "replica";
max_wal_senders = 10;
};
ensureUsers = [
{
name = "matrix-synapse";
ensureClauses.login = true;
ensureDBOwnership = true;
}
];
ensureDatabases = [
"matrix-synapse"
];
initialScript = pkgs.writeText "init-sql-script" ''
-- setup password from env/sops
DO $$#!${pkgs.dash}/bin/dash
set -e
. ${cfg.postgresql.initialEnvFile}
psql -Atc "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_PASSWORD'";
$$ LANGUAGE plsh;
CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse';
'';
};
services.nginx = {
enable = true;
virtualHosts.${cfg.matrixDomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "hectic.yukkop.it@gmail.com";
enableDebugLogs = true;
};
};
};
}

33
nixos/system/bfs/voice-tune.nix Normal file
View File

@@ -0,0 +1,33 @@
{ lib, config, ... }: let
cfg = config.currentServer.matrixDomain;
in {
options = {
currentServer.matrixDomain = lib.mkOption {
type = lib.types.str;
description = ''
domain
'';
};
};
config = {
services.coturn = {
enable = true;
realm = cfg.matrixDomain;
listening-port = 3478;
tls-listening-port = 5349;
no-cli = true;
};
networking.firewall.allowedUDPPorts = [ 3478 5349 ];
networking.firewall.allowedTCPPorts = [ 3478 5349 ];
services.matrix-synapse.settings = {
turn_uris = [
"turn:your.domain:3478?transport=udp"
"turns:your.domain:5349?transport=tcp"
];
turn_shared_secret = "secret";
};
};
}

5
sus/bfs.xray.yaml
View File

@@ -1,4 +1,5 @@
config: ENC[AES256_GCM,data:IL0jhVCw2YcZW/LkOrKXYrVAzq6jC65gAzOhfD8P8DL8GKQUHY/GlzJBNw+Vnk+EO8vYdcwpjWou+lhyL9aG7HKqK4rVo8nhxVyCmcaoAPjz4gmHer0teAloI5xCtifbDzzE4VAvpxmZbMPg6d5kSV3elqIFzCBVSsM1KM7ku/0+NEm2VuJuZEsta5UqHDGAPPBqy1TkQXDtabyLfP4q4GimKBI4t7uusE0oMRB5WuSljTpW9eBd5pRrKBZZ+oFDn5Lx2GK4DpVX92VKtbEWewRpcU3/2KhSXSc+Nx+Vw0ULc1P1AMtl8v8SBbYLZZF9Ebsl2/XTRvEZO+HuZ4op2zTrLTElFBx4UKoq4tJGru6XeEKRECgIi7jPq0e1NmY+jyjTa8xyUCG2h//+jffMFCvOvN1xy/NYALnaf6dl+NfCYIlRYuPXEA==,iv:v8AKjCMUDcCBDkbp2AxQddTCPmIXpTkgecO5PPQ1Ljs=,tag:fbrMrlRc7tsTr6pppeHbuA==,type:str] config: ENC[AES256_GCM,data:IL0jhVCw2YcZW/LkOrKXYrVAzq6jC65gAzOhfD8P8DL8GKQUHY/GlzJBNw+Vnk+EO8vYdcwpjWou+lhyL9aG7HKqK4rVo8nhxVyCmcaoAPjz4gmHer0teAloI5xCtifbDzzE4VAvpxmZbMPg6d5kSV3elqIFzCBVSsM1KM7ku/0+NEm2VuJuZEsta5UqHDGAPPBqy1TkQXDtabyLfP4q4GimKBI4t7uusE0oMRB5WuSljTpW9eBd5pRrKBZZ+oFDn5Lx2GK4DpVX92VKtbEWewRpcU3/2KhSXSc+Nx+Vw0ULc1P1AMtl8v8SBbYLZZF9Ebsl2/XTRvEZO+HuZ4op2zTrLTElFBx4UKoq4tJGru6XeEKRECgIi7jPq0e1NmY+jyjTa8xyUCG2h//+jffMFCvOvN1xy/NYALnaf6dl+NfCYIlRYuPXEA==,iv:v8AKjCMUDcCBDkbp2AxQddTCPmIXpTkgecO5PPQ1Ljs=,tag:fbrMrlRc7tsTr6pppeHbuA==,type:str]
init-postgresql: ENC[AES256_GCM,data:4RGUfJLnYd0C0rGwa11DdreQFly1bcmAv728hv4QGzRRxcrka9GkOubPZFLZCZ8icoydotOckHK7caXK3Hg=,iv:T66gCmgEn94ydApfAs6eK/5FWlzXs3QmOYUQKbhllWI=,tag:9ZcOB/e0MGjjhXWbEpKGYg==,type:str]
sops: sops:
age: age:
- recipient: age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p - recipient: age1w4hw2ntxrtfqhht63s9lf7nhjxjmdcc927hndn5ygcqqj532qssq4m2m6p
@@ -28,7 +29,7 @@ sops:
dFh2anpQTTBpVDdCd3hIYmJLMmpVM0kKvuWuryBpHTpsn9eq6MosafVH0m2KTmql dFh2anpQTTBpVDdCd3hIYmJLMmpVM0kKvuWuryBpHTpsn9eq6MosafVH0m2KTmql
xzxUibPr2BmeR4QAB+pYLqTBH1+N9atGYdLe5qe7GqEmcjq8IfJnBw== xzxUibPr2BmeR4QAB+pYLqTBH1+N9atGYdLe5qe7GqEmcjq8IfJnBw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-05T00:29:42Z" lastmodified: "2025-12-05T15:21:27Z"
mac: ENC[AES256_GCM,data:7Aq8HPrJNohcjvIp6FZdNVtjXIg4tviJ7dLXO4NQo5H70l35el1+PusKX+tTjaSx4lVNlosDVQAhT44k8giKkiOivt0Uonn5c8MPSwVB+MOT6kLTwdDIG0mvW8vEl7EXVMNgI2gK1FPGpBEIgK5kJ0wmyM4fwVyfQfJMQqwZhk4=,iv:cpEA6krRGT3tAgT8PqF2wh9zYQ59Bpls3iYZpguRHjI=,tag:izeoirVSJ5phVDJ+xPuePA==,type:str] mac: ENC[AES256_GCM,data:7VvtCv2InOrlYO63IZatZWqDSCgxNILktNbGdg0RtAbyByXB+Ct2ab/Lb3N+uV33KUnBx8n9H8U4r2u6vPJT7yj+b/QcdyAmc21jqhe6IQmMQB6sLKLde82hz3NhdFLarFrFioiqkKYJQkmO1qPfNJXhFbdD8MA3ELCwqBGLNoE=,iv:13TDmpH7GB5nOjpXI42ccbPnO67cjEFTkq1hj2KL9AI=,tag:1hSIsbDOdp7T7kj+yB+2lw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2