-rw-r--r-- | hosts/surtr/default.nix | 12 | ||||
-rw-r--r-- | hosts/surtr/http.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/matrix.nix | 85 | ||||
-rw-r--r-- | hosts/surtr/postgres.nix | 20 | ||||
-rw-r--r-- | hosts/surtr/zfs.nix | 24 |
5 files changed, 138 insertions, 7 deletions
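--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
   imports = with flake.nixosModules.systemProfiles; [
     qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls ./http.nix ./bifrost
+    ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix.nix ./postgres.nix
   ];
 
   config = {
@@ -139,5 +139,15 @@
       automatic = true;
       options = "--delete-older-than 30d";
     };
+
+    security.dhparams = {
+      enable = true;
+      defaultBitSize = 4096;
+      params = {
+        nginx = {};
+        matrix-synapse = {};
+      };
+      stateful = true;
+    };
   };
 }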
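Review bot: `stateful = true` together with `defaultBitSize = 4096` means both parameter sets are generated on the host at activation time rather than in the Nix build, and generating a 4096-bit safe-prime group can take a long time on a small VM (this host imports the qemu-guest profile), so the first switch that enables this will likely stall while the generator service runs. If that is intended, a comment such as `# stateful: generated once on the host, not at build time; the first activation is slow` would spare the next reader the surprise. The `matrix-synapse` entry is only useful if synapse itself terminates TLS; the matrix.nix hunk in this commit gives its only listener `tls = false`, so it is worth checking whether that entry is needed at all.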
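--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -14,6 +14,7 @@
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
+      sslDhparam = config.security.dhparams.params.nginx.path;
       commonHttpConfig = ''
         ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
 
@@ -25,6 +26,8 @@
 
         access_log syslog:server=unix:/dev/log main;
         error_log syslog:server=unix:/dev/log info;
+
+        client_body_temp_path /run/nginx-client-bodies;
       '';
       additionalModules = with pkgs.nginxModules; [ dav pam ];
       virtualHosts = {
@@ -45,7 +48,6 @@
           dav_access user:rw;
           autoindex on;
 
-          client_body_temp_path /run/nginx-client-bodies;
           client_max_body_size 0;
           create_full_put_path on;
 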
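Review bot: `sslDhparam` on new line 17 wires the 4096-bit group into every virtual host, but if the cipher list from `recommendedTlsSettings` prefers ECDHE suites (as recent nixpkgs defaults do, together with the `ssl_ecdh_curve` list two lines below) the finite-field group is only reached by clients that negotiate a DHE suite, and a 4096-bit DHE handshake is markedly slower than ECDHE; that trade-off deserves a one-line comment, e.g. `# DHE fallback only; ECDHE via ssl_ecdh_curve below is preferred`. Moving `client_body_temp_path` from the DAV location into `commonHttpConfig` is fine, but it now applies to every virtual host, so the ownership and size of `/run/nginx-client-bodies` now matter for all uploaded request bodies, not just DAV ones. The enclosing `services.nginx` block starts before the first hunk.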
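--- /dev/null
+++ b/hosts/surtr/matrix.nix
@@ -0,0 +1,85 @@
+{ config, ... }:
+{
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      enable_metrics = true;
+
+      enable_registration = false;
+      allow_guest_access = false;
+
+      server_name = "synapse.li";
+
+      listeners = [
+        { bind_address = "localhost";
+          port = 8008;
+          resources = [
+            { names = [ "client" ];
+              compress = true;
+            }
+            { names = [ "federation" ];
+              compress = false;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+
+      tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+      tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+    };
+
+    systemd.services.matrix-synapse = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+        ];
+      };
+    };
+
+    services.nginx = {
+      recommendedProxySettings = true;
+
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
+        };
+      };
+
+      virtualHosts."synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        listen = [
+          { addr = "0.0.0.0"; port = 443; ssl = true; }
+          { addr = "[::]"; port = 443; ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+          { addr = "[::]"; port = 8448; ssl = true; }
+        ];
+        locations = let
+          synapse = {
+            proxyPass = "http://matrix-synapse";
+            extraConfig = ''
+              add_header Strict-Transport-Security "max-age=63072000" always;
+            '';
+          };
+        in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
+      };
+    };
+
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}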
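Review bot: The only synapse listener (lines 13–28) has `tls = false`, yet lines 30–32 point synapse at the ACME certificate, private key and DH parameters and lines 35–42 copy the key into the `matrix-synapse` unit via `LoadCredential`; nginx already terminates TLS on 443 and 8448 and proxies to plain HTTP on 8008, so synapse holds a second copy of a private key it never uses. Dropping `tls_certificate_path`, `tls_private_key_path`, `tls_dh_params_path` and the synapse `LoadCredential` block keeps the key in the one process that needs it (and makes the `matrix-synapse` entry in `security.dhparams.params` in the default.nix hunk unnecessary); if the material is kept for a future TLS listener, say so in a comment. If it is kept, note that lines 30–31 use `/run/credentials/matrix-synapse/` while line 55 uses `/run/credentials/nginx.service/`; systemd places credentials under the full unit name, so the synapse path appears to be missing the `.service` suffix and would not resolve. Separately, `add_header Strict-Transport-Security` on line 68 is set only inside the two proxied locations, so responses for any other path on `synapse.li` (404s included) carry no HSTS header; moving it into the virtual host's `extraConfig` covers the whole host. Finally, the upstream targets `127.0.0.1:8008` while synapse binds to `localhost`; if `localhost` resolves to `::1` on this host the proxy would fail, so `bind_address = "127.0.0.1";` removes the ambiguity.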
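--- /dev/null
+++ b/hosts/surtr/postgres.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  config = {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      ensureDatabases = [
+        "matrix-synapse"
+      ];
+      ensureUsers = [
+        { name = "matrix-synapse";
+          ensurePermissions = {
+            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+    };
+  };
+}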
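Review bot: The grant `"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"` on line 14 is broader than the role needs and, as far as I can tell, the NixOS `ensureUsers` statements run against the default maintenance database rather than `matrix-synapse`, so it would give the synapse role every table in the `postgres` database's public schema while doing nothing for its own database; the `DATABASE` grant on line 13 is sufficient because synapse creates and owns its own tables. Synapse also expects its database to have been created with `LC_COLLATE` and `LC_CTYPE` set to `C`, which `ensureDatabases` does not control, and in my experience it refuses to start otherwise; unless the cluster's `initdbArgs` set a C locale (not visible here) that will bite on first start, so a comment along the lines of `# synapse requires C collation; the cluster must be initialised with a C locale` would be useful either way.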
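--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -35,11 +35,25 @@
         fsType = "zfs";
       };
 
-    "/srv" =
-      { device = "surtr/safe/srv";
-        fsType = "zfs";
-        options = [ "zfsutil" ];
-      };
+    # "/srv" =
+    #   { device = "surtr/safe/srv";
+    #     fsType = "zfs";
+    #     options = [ "zfsutil" ];
+    #   };
+    };
+
+    boot.postBootCommands = ''
+      echo "=== STARTING ZPOOL IMPORT ==="
+      ${pkgs.zfs}/bin/zpool import -a -N -d /dev
+      ${pkgs.zfs}/bin/zpool status
+      ${pkgs.zfs}/bin/zfs mount -a
+      echo "=== ZPOOL IMPORT COMPLETE ==="
+    '';
+
+    system.activationScripts = {
+      zfsMount.text = ''
+        ${pkgs.zfs}/bin/zfs mount -a
+      '';
     };
 
     services.zfssnap.enable = true;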
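Review bot: `zpool import -a -N -d /dev` on new line 47 imports every pool found on any device, not just this host's `surtr` pool (named on line 39), so a foreign or newly attached disk carrying a pool would be imported too; importing by name, `${pkgs.zfs}/bin/zpool import -N surtr`, limits the effect to the pool the host owns. Taking `/srv` out of `fileSystems` (lines 38–42) and relying on `zfs mount -a` in `postBootCommands` and again in an activation script also means systemd no longer knows about the mount, so units that keep data under `/srv` get no ordering guarantee and may start before it is mounted; if the `zfsutil` mount path was the problem, a comment saying why the declarative entry was abandoned would help, and the commented-out block could then be removed. The `echo "=== ... ==="` lines on 46 and 50 read as debugging leftovers. The enclosing `config` block starts before this hunk.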