From 1e901b985cecb3fb2c96df8b5b7be5e08a5d3723 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Thu, 24 Feb 2022 22:20:21 +0100 Subject: surtr: ... --- hosts/surtr/matrix.nix | 125 --------------------------------- hosts/surtr/matrix/default.nix | 132 +++++++++++++++++++++++++++++++++++ hosts/surtr/matrix/registration.yaml | 26 +++++++ 3 files changed, 158 insertions(+), 125 deletions(-) delete mode 100644 hosts/surtr/matrix.nix create mode 100644 hosts/surtr/matrix/default.nix create mode 100644 hosts/surtr/matrix/registration.yaml (limited to 'hosts/surtr')
diff --git a/hosts/surtr/matrix.nix b/hosts/surtr/matrix.nix
deleted file mode 100644
index b6e6d29d..00000000
--- a/hosts/surtr/matrix.nix
+++ /dev/null
@@ -1,125 +0,0 @@
-{ config, pkgs, ... }:
-{
- config = {
- services.matrix-synapse = {
- enable = true;
- enable_metrics = true;
-
- enable_registration = false;
- allow_guest_access = false;
-
- server_name = "synapse.li";
-
- listeners = [
- { bind_address = "localhost";
- port = 8008;
- resources = [
- { names = [ "client" ];
- compress = true;
- }
- { names = [ "federation" ];
- compress = false;
- }
- ];
- tls = false;
- type = "http";
- x_forwarded = true;
- }
- ];
-
- tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
- tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
- tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
- };
-
- systemd.services.matrix-synapse = {
- serviceConfig = {
- LoadCredential = [
- "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
- "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
- ];
- };
- };
-
- services.nginx = {
- recommendedProxySettings = true;
-
- upstreams."matrix-synapse" = {
- servers = {
- "127.0.0.1:8008" = {};
- };
- };
-
- virtualHosts."synapse.li" = {
- forceSSL = true;
- sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
- sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
- sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
- listen = [
- { addr = "0.0.0.0"; port = 443; ssl = true; }
- { addr = "[::0]"; port = 443; ssl = true; }
- { addr = "0.0.0.0"; port = 8448; ssl = true; }
- { addr = "[::0]"; port = 8448; ssl = true; }
- ];
- locations = let
- synapse = {
- proxyPass = "http://matrix-synapse";
- extraConfig = ''
- add_header Strict-Transport-Security "max-age=63072000" always;
- '';
- };
- in {
- "/_matrix" = synapse;
- "/_synapse/client" = synapse;
- "/".return = "301 https://element.synapse.li$request_uri";
- };
- };
-
- virtualHosts."element.synapse.li" = {
- forceSSL = true;
- sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
- sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
- sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
-
- root = pkgs.element-web.override {
- conf = {
- default_server_config."m.homeserver" = {
- "base_url" = "https://synapse.li";
- "server_name" = "synapse.li";
- };
- };
- };
- };
- };
-
- security.acme.domains = {
- "element.synapse.li" = {
- zone = "synapse.li";
- certCfg = {
- postRun = ''
- ${pkgs.systemd}/bin/systemctl try-restart nginx.service
- '';
- };
- };
- "synapse.li".certCfg = {
- postRun = ''
- ${pkgs.systemd}/bin/systemctl try-restart nginx.service
- '';
- };
- };
-
- systemd.services.nginx = {
- serviceConfig = {
- LoadCredential = [
- "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
- "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
- "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
-
- "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
- "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
- "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
- ];
- };
- };
- };
-}
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
new file mode 100644
index 00000000..aad9bc90
--- /dev/null
+++ b/hosts/surtr/matrix/default.nix
@@ -0,0 +1,132 @@
+{ config, pkgs, ... }:
+{
+ config = {
+ services.matrix-synapse = {
+ enable = true;
+ enable_metrics = true;
+
+ enable_registration = false;
+ allow_guest_access = false;
+
+ server_name = "synapse.li";
+
+ listeners = [
+ { bind_address = "localhost";
+ port = 8008;
+ resources = [
+ { names = [ "client" ];
+ compress = true;
+ }
+ { names = [ "federation" ];
+ compress = false;
+ }
+ ];
+ tls = false;
+ type = "http";
+ x_forwarded = true;
+ }
+ ];
+
+ tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+ tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+ tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+
+ extraConfigFiles = ["/run/credentials/matrix-synapse/registration.yaml"];
+ };
+ sops.secrets."matrix-synapse-registration.yaml" = {
+ format = "binary";
+ sopsFile = ./registration.yaml;
+ };
+
+ systemd.services.matrix-synapse = {
+ serviceConfig = {
+ LoadCredential = [
+ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+ "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+ "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+ ];
+ };
+ };
+
+ services.nginx = {
+ recommendedProxySettings = true;
+
+ upstreams."matrix-synapse" = {
+ servers = {
+ "127.0.0.1:8008" = {};
+ };
+ };
+
+ virtualHosts."synapse.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+ listen = [
+ { addr = "0.0.0.0"; port = 443; ssl = true; }
+ { addr = "[::0]"; port = 443; ssl = true; }
+ { addr = "0.0.0.0"; port = 8448; ssl = true; }
+ { addr = "[::0]"; port = 8448; ssl = true; }
+ ];
+ locations = let
+ synapse = {
+ proxyPass = "http://matrix-synapse";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+ };
+ in {
+ "/_matrix" = synapse;
+ "/_synapse/client" = synapse;
+ "/".return = "301 https://element.synapse.li$request_uri";
+ };
+ };
+
+ virtualHosts."element.synapse.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
+
+ root = pkgs.element-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "https://synapse.li";
+ "server_name" = "synapse.li";
+ };
+ };
+ };
+ };
+ };
+
+ security.acme.domains = {
+ "element.synapse.li" = {
+ zone = "synapse.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+ "synapse.li".certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ LoadCredential = [
+ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+ "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+ "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+
+ "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
+ "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
+ "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/surtr/matrix/registration.yaml b/hosts/surtr/matrix/registration.yaml
new file mode 100644
index 00000000..44b9ca89
--- /dev/null
+++ b/hosts/surtr/matrix/registration.yaml
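Review bot: The new `extraConfigFiles = ["/run/credentials/matrix-synapse/registration.yaml"];` points at a directory that most likely does not exist: systemd exposes `LoadCredential=` files under `/run/credentials/<unit name>/`, i.e. `/run/credentials/matrix-synapse.service/`, which is exactly the `nginx.service` form the nginx vhosts in this same file use. The pre-existing `tls_certificate_path`/`tls_private_key_path` entries have the same shape, but with `tls = false` on the only listener they are presumably never opened, whereas a missing extra config file will fail synapse at startup, so this one matters. I would change it to `extraConfigFiles = [ "/run/credentials/matrix-synapse.service/registration.yaml" ];` and correct the two tls paths to the same prefix while here. Separately, `LoadCredential=` copies the secret once at service start, so a re-encrypted `registration.yaml` only takes effect after a restart; consider adding `restartUnits = [ "matrix-synapse.service" ];` to the sops secret so a rebuild with a rotated secret restarts synapse.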
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:RrFw7leN405vBuzzDi8HMMsZ68gGRNuEJ7tuPjgIsGbcI1eYQwaV1+81J3TUMFhqsgpsF3OuPEVcTEBAAaSSPJbPMiUo2dbS1AzZ,iv:+sfQ9yW+rbSDQiRlaPF5plMxwgKI6qa9o/FzLVeVHV0=,tag:Y1dnxQgFDUeRoELbSCiQBg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-24T21:20:09Z",
+ "mac": "ENC[AES256_GCM,data:llCJ+LjuyaPhslNPzdARtBt67R7EcllGER9u/w8NEPd1kC2RyGGsUiO2y+LywO1SY4OO0JG5M3FAIYuXEefKofzeDMCzFlmDjPRdjts9N6e6ObGyVSppOCcRIn7J1lyy+Ml+qbxuV0VrP0DN6OxLGO/dOcvtsYjftPKxcUiplNQ=,iv:ZtBLC4Tl++1yNGK07/4GL+Qzq+Hy25gfRNRxJTvL53U=,tag:V6NyCT/1ZN0qNd1tc+NRQg==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-24T21:18:14Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAd77XebsH3fPMPEHxFn2zEVKiHBKkhSsCLESuR2PPRksw\nw8zx2eJsnnW7GnjTF7LH/OPYyDEHgSu73ZFcsUebjESupZKbeu/EL/fkNaVdHfFk\n0l4BC8BYAXh22mgnHYV2ZJp0WAfv2WL0nhemY2uQ8Zs2Zdf9866/j57xvj6RQEXP\nbInXWALV1wdXhnBGlYILdEo7U9RPHRVsbqdiRq7KZVi2gNAn93lBk5qcHsQTgIkz\n=4bf7\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-24T21:18:14Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAi4YnLeLo0H8uz6DbU8knoDxsgxqFcwp1M7kQp4GllFsw\nNjwT3AdoMxCYOOqFF9dNzcEieI4hqwfeN3pxe8hw5TG7EvlUbiY3x7udzoO0+9Tm\n0l4BdV1+kQsB1tldnVo+II7EvP9HWWtNowmZzZgmVRxHt/wTL2VrB3gS7EZFssoV\nDtHpqD7cQ6Pbe+R1bzg1TDmNRamzvMUKYIaJ8tuUgA2HmZI4SiaNBPLX4XML5Zbz\n=9njW\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
-- cgit v1.2.3