From 9a3af6b3260df92a218ac94f8f07585b6f36add5 Mon Sep 17 00:00:00 2001
From: garionion
Date: Mon, 14 Jun 2021 16:33:50 +0200
Subject: [PATCH] add luxon
---
 hosts/luxon/configuration.nix | 49 +++++++
 hosts/luxon/hardware-configuration.nix | 27 ++++
 hosts/luxon/matrix.nix | 172 +++++++++++++++++++++++++
 nixops/bulldog/deployment.nix | 1 +
 nixops/bulldog/deployment_ip.nix | 11 ++
 5 files changed, 260 insertions(+)
 create mode 100644 hosts/luxon/configuration.nix
 create mode 100644 hosts/luxon/hardware-configuration.nix
 create mode 100644 hosts/luxon/matrix.nix
diff --git a/hosts/luxon/configuration.nix b/hosts/luxon/configuration.nix
new file mode 100644
index 0000000..9ab7a52
--- /dev/null
+++ b/hosts/luxon/configuration.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../../common/common.nix
+ ../../common/netdata.nix
+ ./matrix.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "luxon";
+ networking.useDHCP = false;
+ networking.interfaces.ens18.useDHCP = true;
+ networking.interfaces.ens18.mtu = 1420;
+ networking.interfaces.ens18.ipv6.addresses = [{
+ address = "2a01:4f8:c010:61dc:200::500:23";
+ prefixLength = 72;
+ }];
+
+ networking.defaultGateway6 = {
+ address = "2a01:4f8:c010:61dc:200::1";
+ interface = "ens18";
+ };
+
+ clerie.monitoring = {
+ enable = true;
+ id = "204";
+ privKeyFile = "/run/keys/wg-luxon_priv";
+ pubkey = "QAcy1H4ze8fkTbhkoMx58S48FhitQmqPClUfFduj6Vw=";
+ };
+
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+ };
+ services.prometheus.exporters.postgres = {
+ enable = true;
+ port = 9101;
+ runAsLocalSuperUser = true;
+ openFirewall = true;
+ firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9101";
+ };
+}
\ No newline at end of file
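Review bot: `runAsLocalSuperUser = true;` in the `services.prometheus.exporters.postgres` block gives the metrics exporter superuser rights over every database on this host, which is more than collecting statistics needs. The `firewallFilter` restricting port 9101 to `wg-monitoring` bounds who can reach the exporter, but a bug or misconfiguration in it would still carry full database privileges; a dedicated monitoring role (PostgreSQL's `pg_monitor` exists for this) with the exporter pointed at that role is the least-privilege shape. If superuser mode is kept on purpose, a one-line comment such as `# superuser needed for per-database stats; only reachable via wg-monitoring` would tell the next reader why. The file also ends without a trailing newline, as the diff marker shows.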
diff --git a/hosts/luxon/hardware-configuration.nix b/hosts/luxon/hardware-configuration.nix
new file mode 100644
index 0000000..8032d37
--- /dev/null
+++ b/hosts/luxon/hardware-configuration.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/b24a0b24-ee5e-450c-930b-85ae5ac60275";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/DBBB-F848";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/2698b80a-3b18-4252-beb2-6b2c3b5e4e76"; }
+ ];
+
+}
\ No newline at end of file
diff --git a/hosts/luxon/matrix.nix b/hosts/luxon/matrix.nix
new file mode 100644
index 0000000..91e0afc
--- /dev/null
+++ b/hosts/luxon/matrix.nix
@@ -0,0 +1,172 @@
+{config, pkgs, lib, ...}: {
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "entr0py.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ # use 443 instead of the default 8448 port to unite
+ # the client-server and server-server port for simplicity
+ server = { "m.server" = "matrix.entr0py.de:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://matrix.entr0py.de"; };
+ "m.identity_server" = { "base_url" = "https://element.io"; };
+ };
+ # ACAO required to allow element-web on any URL to request this json file
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+
+ # Reverse proxy for Matrix client-server and server-server communication
+ "matrix.entr0py.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ # Or do a redirect instead of the 404, or whatever is appropriate for you.
+ # But do not put a Matrix Web client here! See the Element web section below.
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ # forward all Matrix API calls to the synapse Matrix homeserver
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008"; # without a trailing /
+ };
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ server_name = "entr0py.de";
+ enable_registration = true;
+ database_type = "psycopg2";
+ database_name = "matrix_synapse";
+ database_user = "matrix-synapse";
+ max_upload_size = "100M";
+ enable_metrics = true;
+ extraConfig = ''
+ admin_contact: "mailto:admin@entr0py.de"
+ '';
+ turn_uris = ["turn:turn.entr0py.de:3478?transport=udp" "turn:turn.entr0py.de:3478?transport=tcp"];
+ turn_user_lifetime = "1d";
+ turn_shared_secret = (builtins.readFile ../dyon/turn.secret);
+ app_service_config_files = [
+ "/var/lib/matrix-appservice-irc/registration.yml"
+ ];
+ listeners = [{
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [{
+ names = [ "client" "federation" ];
+ compress = false;
+ }];
+ }{
+ port = 9123;
+ bind_address = "[::]"; #does not work right now
+
+ type = "metrics";
+ tls = false;
+ resources = [{
+ names = [ "metric" ];
+ compress = false;
+ }];
+ }];
+ };
+
+
+ services.postgresql = {
+
+ ensureDatabases = [ "matrix_irc" ];
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ }
+ {
+ name = "matrix-appservice-irc";
+ ensurePermissions."DATABASE matrix_irc" = "ALL PRIVILEGES";
+ }
+ ];
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE DATABASE "matrix_synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.matrix-appservice-irc = {
+ enable = true;
+ registrationUrl = "http://localhost:8009";
+
+ # Everything from here is passed to the appservice
+ settings = {
+ homeserver.url = "https://matrix.entr0py.de"; # Or localhost
+ homeserver.domain = "entr0py.de";
+ database = {
+ engine = "postgres";
+ connectionString = "postgres:///matrix_irc?host=/run/postgresql";
+ };
+
+ ircService.ircHandler.mapIrcMentionsToMatrix = "on";
+
+ ircService.servers."irc.hackint.org" = {
+ name = "HackInt";
+ port = 6697;
+ ssl = true;
+ dynamicChannels = {
+ enabled = true;
+ createAlias = true;
+ aliasTemplate = "#hackint_$CHANNEL";
+ groupId = "+hackint:entr0py.de";
+
+ };
+ matrixClients = {
+ userTemplate = "@hackint_$NICK";
+ displayName = "$NICK (HackInt)";
+ };
+ ircClients = {
+ nickTemplate = "$DISPLAY[m]";
+ allowNickChanges = true;
+
+ lineLimit = 15;
+ idleTimeout = 0;
+ };
+
+ membershipLists = {
+ enabled = true;
+ global = {
+ ircToMatrix = {
+ initial = true;
+ incremental = true;
+ };
+ matrixToIrc = {
+ initial = true;
+ incremental = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/nixops/bulldog/deployment.nix b/nixops/bulldog/deployment.nix
index fae3aed..f0e2862 100644
--- a/nixops/bulldog/deployment.nix
+++ b/nixops/bulldog/deployment.nix
@@ -7,4 +7,5 @@
 dyon = import ../../hosts/dyon/configuration.nix;
 kaon = import ../../hosts/kaon/configuration.nix;
 nebula = import ../../hosts/nebula/configuration.nix;
+ luxon = import ../../hosts/luxon/configuration.nix;
 }
\ No newline at end of file
diff --git a/nixops/bulldog/deployment_ip.nix b/nixops/bulldog/deployment_ip.nix
index 39136d6..3b2c420 100644
--- a/nixops/bulldog/deployment_ip.nix
+++ b/nixops/bulldog/deployment_ip.nix
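Review bot: `enable_registration = true;` in the `services.matrix-synapse` block lets anyone who can reach matrix.entr0py.de create accounts, and nothing else in the hunk adds a captcha, email verification or a `registration_shared_secret`, so the homeserver is open to automated signup abuse from the first deploy. Unless public registration is intended, `enable_registration = false;` with accounts created out of band via `registration_shared_secret` is the safer default; if it is intended, `enable_registration_captcha` or rate limiting should go in alongside it. Separately, `turn_shared_secret = (builtins.readFile ../dyon/turn.secret);` reads the secret at evaluation time, so it is rendered into the generated homeserver.yaml in the world-readable Nix store and has to be committed to this repository next to `hosts/dyon`; deploying it as a file outside the store and referencing that through the module's `extraConfigFiles` (if available on the channel in use) keeps it out of both. The metrics listener's `bind_address = "[::]"` is most likely why the comment says it "does not work" (Synapse takes bare addresses such as `::`), and since 9123 is not in `allowedTCPPorts` it stays firewalled either way, which is the right outcome for a listener meant for `wg-monitoring`.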
@@ -4,23 +4,34 @@
 };
 geon = { config, pkgs, ... }:{
 deployment.targetHost = "geon.net.entr0py.de";
+ hasFastConnection = true;
 };
 pion = { config, pkgs, ... }:{
 deployment.targetHost = "pion.net.entr0py.de";
+ hasFastConnection = true;
 };
 scotty-router = { config, pkgs, ... }:{
 deployment.targetHost = "scotty-router";
+ hasFastConnection = true;
 };
 tailpipe = { config, pkgs, ... }:{
 deployment.targetHost = "tailpipe.net.entr0py.de";
+ hasFastConnection = true;
 };
 dyon = { config, pkgs, ... }:{
 deployment.targetHost = "dyon.net.entr0py.de";
+ hasFastConnection = true;
 };
 kaon = { config, pkgs, ... }:{
 deployment.targetHost = "kaon.net.entr0py.de";
+ hasFastConnection = true;
 };
 nebula = { config, pkgs, ... }:{
 deployment.targetHost = "nebula.net.entr0py.de";
+ hasFastConnection = true;
+ };
+ luxon = { config, pkgs, ... }:{
+ deployment.targetHost = "luxon.net.entr0py.de";
+ hasFastConnection = true;
 };
 }
\ No newline at end of file
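Review bot: `hasFastConnection = true;` is added at the top level of each machine module, next to `deployment.targetHost`, but NixOps declares that option as `deployment.hasFastConnection`; unless some module in this deployment declares a bare `hasFastConnection` option, NixOS module evaluation should reject every one of these lines, including the new `luxon` entry, with an undefined-option error. Each added line would become `deployment.hasFastConnection = true;`. The per-host attribute sets in this hunk are complete, so no lines outside it need to change.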