feat: wsl: some things

2026-03-15 10:59:19 +00:00
parent b9730784ba
commit f23720e151
12 changed files with 190 additions and 63 deletions


@@ -10,7 +10,6 @@
...
}: let
xrayPort = 10086;
matrixDomain = "accord.tube";
in {
# TODO:
# white list
@@ -21,22 +20,18 @@ in {
imports = [
self.nixosModules.hectic
inputs.sops-nix.nixosModules.sops
#./voice-tune.nix
#./matrix.nix
#./element-rtc.nix
#./element.nix
];
#currentServer = {
# matrix = {
# secretsFile = config.sops.secrets."matrix/secrets".path;
# turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
# postgresql = {
# port = 5432;
# initialEnvFile = config.sops.secrets."init-postgresql".path;
# };
# matrixDomain = "accord.tube";
#hectic.services.matrix = {
# enable = true;
# secretsFile = config.sops.secrets."matrix/secrets".path;
# turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
# publicIp = "188.137.254.58";
# postgresql = {
# port = 5432;
# initialEnvFile = config.sops.secrets."init-postgresql".path;
# };
# matrixDomain = "accord.tube";
#};
services.xray = {
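Review bot: The replacement for the old `currentServer` settings is kept as a commented-out `hectic.services.matrix` stanza (with the host's public IP and sops secret paths) plus three commented `#./matrix.nix`-style imports, sitting directly above the live `services.xray` block; since the matrix modules are deleted in this same commit and remain in history, I would drop the dead stanza and imports rather than leave them to drift. One thing the deletion removes that this file may still rely on: `security.acme.acceptTerms = true` and the default ACME email were declared in the removed matrix module, so if any remaining nginx vhost on this host still sets `enableACME`, those now need to be declared here (the file continues past the hunk, so I cannot confirm either way). The `# TODO: # white list` left above the xray block is now the only open item for the service that stays; I'd make it actionable: `# TODO: restrict xray clients to an explicit allow-list on the xrayPort listener`.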


@@ -1,98 +0,0 @@
{ pkgs, lib, config, ... }: let
cfg = config.currentServer.matrix;
in {
config = let
keyFile = "/run/livekit.key";
in {
services.livekit = {
enable = true;
openFirewall = true;
settings.room.auto_create = false;
inherit keyFile;
};
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://${cfg.matrixDomain}/livekit/sfu";
inherit keyFile;
};
systemd.services.livekit-key = {
before = [ "lk-jwt-service.service" "livekit.service" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ livekit coreutils gawk ];
script = ''
echo "Key missing, generating key"
echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}"
'';
serviceConfig.Type = "oneshot";
unitConfig.ConditionPathExists = "!${keyFile}";
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS =
cfg.matrixDomain;
services.nginx = {
enable = true;
virtualHosts.${cfg.matrixDomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
locations."=/.well-known/matrix/client" = {
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
return = ''200 '{
"m.homeserver": {
"base_url": "https://${cfg.matrixDomain}"
},
"m.identity_server": {
"base_url": "https://vector.im"
},
"org.matrix.msc3575.proxy": {
"url": "https://${cfg.matrixDomain}"
},
"org.matrix.msc4143.rtc_foci": [
{
"type": "livekit",
"livekit_service_url": "https://${cfg.matrixDomain}/livekit/jwt"
}
]
}' '';
};
locations."^~ /livekit/jwt/" = {
priority = 400;
proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
};
locations."^~ /livekit/sfu/" = {
priority = 400;
proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
proxy_set_header Accept-Encoding gzip;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [
8080
7880
7881
];
};
};
}


@@ -1,22 +0,0 @@
{ config, lib, pkgs, ... }: let
cfg = config.currentServer.matrix;
in {
config = {
services.nginx.virtualHosts."element.${cfg.matrixDomain}" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config = {
"m.homeserver".base_url = "https://${cfg.matrixDomain}";
"m.identity_server".base_url = "https://vector.im";
};
default_theme = "dark";
show_labs_settings = true;
};
};
};
};
}


@@ -1,159 +0,0 @@
{ pkgs, lib, config, ... }: let
cfg = config.currentServer.matrix;
in {
options = {
currentServer.matrix = {
secretsFile = lib.mkOption {
type = lib.types.path;
description = ''
path to env file with matrix secrets
content:
registration_shared_secret:
macroon_secret_key
form_secret
'';
};
postgresql = {
port = lib.mkOption {
type = lib.types.port;
default = 5432;
description = ''
postgres port
'';
};
initialEnvFile = lib.mkOption {
type = lib.types.path;
description = ''
path to env file with postgresql initial secrets
content:
POSTGRESQL_PASSWORD=
'';
};
};
matrixDomain = lib.mkOption {
type = lib.types.str;
description = ''
domain to matrix
'';
};
};
};
config = {
services.matrix-synapse = {
enable = true;
settings = {
server_name = cfg.matrixDomain;
public_baseurl = "https://${cfg.matrixDomain}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
resources = [
{
names = [
"client"
# Ability speak between different matrix servers and get
# global id, requires .well-known
"federation"
];
compress = false;
}
];
}
];
enable_registration = true;
enable_registration_without_verification = true;
extraConfigFiles = [
cfg.secretsFile
];
};
};
environment.systemPackages = [
pkgs.matrix-synapse
];
services.postgresql = {
enable = true;
package = pkgs.postgresql_17;
initdbArgs = [
"--locale=C"
"--encoding=UTF8"
];
enableTCPIP = true;
port = cfg.postgresql.port;
authentication = builtins.concatStringsSep "\n" [
"local all all trust"
"host sameuser all 127.0.0.1/32 scram-sha-256"
"host sameuser all ::1/128 scram-sha-256"
"host all all ::1/128 scram-sha-256"
"host all all 0.0.0.0/0 scram-sha-256"
"host replication postgres 127.0.0.1/32 scram-sha-256"
"host replication postgres ::1/128 scram-sha-256"
];
settings = {
wal_level = "replica";
max_wal_senders = 10;
};
ensureUsers = [
{
name = "matrix-synapse";
ensureClauses.login = true;
ensureDBOwnership = true;
}
];
ensureDatabases = [
"matrix-synapse"
];
initialScript = pkgs.writeText "init-sql-script" ''
-- setup password from env/sops
DO $$#!${pkgs.dash}/bin/dash
set -e
. ${cfg.postgresql.initialEnvFile}
psql -Atc "ALTER USER postgres WITH PASSWORD '$POSTGRESQL_PASSWORD'";
$$ LANGUAGE plsh;
CREATE ROLE myuser LOGIN PASSWORD 'matrix-synapse';
'';
};
services.nginx = {
enable = true;
virtualHosts.${cfg.matrixDomain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
locations."=/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'";
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "hectic.yukkop.it@gmail.com";
enableDebugLogs = true;
};
};
};
}


@@ -1,52 +0,0 @@
{ lib, config, ... }: let
cfg = config.currentServer.matrix;
shared_secret = "secret";
in {
options = {
currentServer.matrix = {
turnSecretFile = lib.mkOption {
type = lib.types.path;
description = ''
path to env file with matrix secrets
just raw secret
'';
};
};
};
config = {
services.coturn = rec {
enable = true;
realm = cfg.matrixDomain;
use-auth-secret = true;
static-auth-secret-file = cfg.turnSecretFile;
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
listening-ips = ["188.137.254.58"];
no-tcp-relay = true;
relay-ips = ["188.137.254.58"];
listening-port = 3478;
tls-listening-port = 5349;
no-cli = true;
extraConfig = ''
verbose
'';
};
networking.firewall = {
allowedUDPPorts = [ 3478 5349 ];
allowedTCPPorts = [ 3478 5349 ];
allowedUDPPortRanges = [
{ from = 49152; to = 65535; }
];
};
services.matrix-synapse.settings = {
turn_uris = [
"turn:${cfg.matrixDomain}:3478?transport=udp"
"turn:${cfg.matrixDomain}:3478?transport=tcp"
];
};
};
}