-rw-r--r--hosts/surtr/default.nix12
-rw-r--r--hosts/surtr/http.nix4
-rw-r--r--hosts/surtr/matrix.nix85
-rw-r--r--hosts/surtr/postgres.nix20
-rw-r--r--hosts/surtr/zfs.nix24
5 files changed, 138 insertions, 7 deletions
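--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
   imports = with flake.nixosModules.systemProfiles; [
     qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls ./http.nix ./bifrost
+    ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix.nix ./postgres.nix
   ];
 
   config = {
@@ -139,5 +139,15 @@
       automatic = true;
       options = "--delete-older-than 30d";
     };
+
+    security.dhparams = {
+      enable = true;
+      defaultBitSize = 4096;
+      params = {
+        nginx = {};
+        matrix-synapse = {};
+      };
+      stateful = true;
+    };
   };
 }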
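Review bot: `stateful = true` in the new `security.dhparams` block (new lines 143-151) means the 4096-bit parameters are generated on the host at activation time rather than at build time, so, as I understand the module, the first switch blocks for however long the generator needs and the nginx and matrix-synapse units that reference the `.path` values are ordered after it. If that first-activation delay matters, `stateful = false` moves generation into the build; otherwise a comment such as `# generated on first activation; 4096-bit can take minutes` on the `stateful` line would save the next reader a surprise.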
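--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -14,6 +14,7 @@
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
+      sslDhparam = config.security.dhparams.params.nginx.path;
       commonHttpConfig = ''
         ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
 
@@ -25,6 +26,8 @@
 
         access_log syslog:server=unix:/dev/log main;
         error_log syslog:server=unix:/dev/log info;
+
+        client_body_temp_path /run/nginx-client-bodies;
       '';
       additionalModules = with pkgs.nginxModules; [ dav pam ];
       virtualHosts = {
@@ -45,7 +48,6 @@
           dav_access user:rw;
           autoindex on;
 
-          client_body_temp_path /run/nginx-client-bodies;
           client_max_body_size 0;
           create_full_put_path on;
 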
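Review bot: Hoisting `client_body_temp_path /run/nginx-client-bodies;` out of the DAV virtual host into `commonHttpConfig` (new line 30) makes every virtual host, including the proxied Synapse endpoints added in matrix.nix, buffer request bodies under /run, which on NixOS is a tmpfs, so buffered uploads now consume RAM rather than disk for all sites. For the DAV host this was already the case together with its `client_max_body_size 0`; the other hosts are only bounded by nginx's default body limit unless they set their own. A comment on the new line, e.g. `# tmpfs-backed; keep per-host client_max_body_size bounded`, would make the trade-off explicit, and it is worth confirming that the directory is still created for the unit, since nothing in this diff changes how it is provisioned.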
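--- /dev/null
+++ b/hosts/surtr/matrix.nix
@@ -0,0 +1,85 @@
+{ config, ... }:
+{
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      enable_metrics = true;
+
+      enable_registration = false;
+      allow_guest_access = false;
+
+      server_name = "synapse.li";
+
+      listeners = [
+        { bind_address = "localhost";
+          port = 8008;
+          resources = [
+            { names = [ "client" ];
+              compress = true;
+            }
+            { names = [ "federation" ];
+              compress = false;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+
+      tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+      tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+    };
+
+    systemd.services.matrix-synapse = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+        ];
+      };
+    };
+
+    services.nginx = {
+      recommendedProxySettings = true;
+
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
+        };
+      };
+
+      virtualHosts."synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        listen = [
+          { addr = "0.0.0.0"; port = 443; ssl = true; }
+          { addr = "[::]"; port = 443; ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+          { addr = "[::]"; port = 8448; ssl = true; }
+        ];
+        locations = let
+          synapse = {
+            proxyPass = "http://matrix-synapse";
+            extraConfig = ''
+              add_header Strict-Transport-Security "max-age=63072000" always;
+            '';
+          };
+        in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
+      };
+    };
+
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}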
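Review bot: The only Synapse listener (lines 13-28) is plain HTTP on localhost with `tls = false`, so the `tls_certificate_path`, `tls_private_key_path` and `tls_dh_params_path` settings on lines 30-32 and the `LoadCredential` entries on lines 37-40 that hand the ACME private key to matrix-synapse.service look unused; if no TLS listener is planned, dropping them keeps the key confined to nginx, which already terminates TLS on 443 and 8448. Two smaller points in the same file: the upstream pins `127.0.0.1:8008` while Synapse binds `"localhost"`, so `bind_address = "127.0.0.1";` would remove any dependence on how that name resolves; and the `synapse.li` virtual host sets no `client_max_body_size`, so unless one is set at the http level elsewhere, nginx's default limit will reject media uploads larger than that with 413 before Synapse's own `max_upload_size` applies.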
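--- /dev/null
+++ b/hosts/surtr/postgres.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  config = {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      ensureDatabases = [
+        "matrix-synapse"
+      ];
+      ensureUsers = [
+        { name = "matrix-synapse";
+          ensurePermissions = {
+            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+    };
+  };
+}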
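Review bot: The `"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"` grant on line 14 runs in whichever database the module's `ensurePermissions` session is connected to — the maintenance database, as far as I recall, not `matrix-synapse` — so it likely does not grant what is intended, and since Synapse creates its own tables as the owning role the database-level grant on line 13 should already be enough; I would drop line 14 rather than leave a grant against the wrong schema. Separately, Synapse expects its database to use `C` collation with UTF8 encoding and, unless configured to allow an unsafe locale, refuses to start otherwise; `ensureDatabases` creates the database with the cluster defaults, so unless the cluster was initialised with a C locale a manual `CREATE DATABASE ... LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0` step may be needed. A comment on line 8 noting that requirement, e.g. `# Synapse requires C collation; ensureDatabases uses the cluster default`, would record it.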
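--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -35,11 +35,25 @@
         fsType = "zfs";
       };
 
-    "/srv" =
-      { device = "surtr/safe/srv";
-        fsType = "zfs";
-        options = [ "zfsutil" ];
-      };
+    # "/srv" =
+    #   { device = "surtr/safe/srv";
+    #     fsType = "zfs";
+    #     options = [ "zfsutil" ];
+    #   };
+  };
+
+  boot.postBootCommands = ''
+    echo "=== STARTING ZPOOL IMPORT ==="
+    ${pkgs.zfs}/bin/zpool import -a -N -d /dev
+    ${pkgs.zfs}/bin/zpool status
+    ${pkgs.zfs}/bin/zfs mount -a
+    echo "=== ZPOOL IMPORT COMPLETE ==="
+  '';
+
+  system.activationScripts = {
+    zfsMount.text = ''
+      ${pkgs.zfs}/bin/zfs mount -a
+    '';
   };
 
   services.zfssnap.enable = true;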
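Review bot: `zpool import -a -N -d /dev` on new line 47 imports every pool discoverable on any device, not just the host's own `surtr` pool, and the `zfs mount -a` that follows on line 49 then mounts whatever datasets those pools carry; any disk attached to the VM that holds a pool is therefore imported and mounted at boot without being named in the configuration. Scoping the import to the pool actually wanted, e.g. `${pkgs.zfs}/bin/zpool import -N -d /dev surtr`, or using the module's `boot.zfs.extraPools` option, keeps that behaviour explicit. With the `/srv` entry on lines 38-42 commented out there is also no mount unit for it any more, so systemd units that depend on /srv have no ordering against the mount; the commit message does not say why the fileSystems entry was replaced by the manual import, so a comment above line 38 stating the reason would help the next reader, and the second `zfs mount -a` under `system.activationScripts` (lines 53-56) runs on every switch, which is presumably intended but worth a one-line note.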