Update conduit, flake lock, and fix all build errors

Lillian Violet 2024-03-14 13:50:43 +01:00
parent 5dfaf78aae
commit 5a363e9491
7 changed files with 455 additions and 238 deletions


@ -1,5 +1,28 @@
{
"nodes": {
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1707922053,
"narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=",
"owner": "zhaofengli",
"repo": "attic",
"rev": "6eabc3f02fae3683bffab483e614bebfcd476b21",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "main",
"repo": "attic",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
@ -16,7 +39,77 @@
"type": "gitlab"
}
},
"conduit": {
"inputs": {
"attic": "attic",
"crane": "crane_2",
"fenix": "fenix",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nix-filter": "nix-filter",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1710090208,
"narHash": "sha256-1W7yDW+kqCr/9SygZwygBayE8HwLnzJq48fMAOZQLAY=",
"owner": "girlbossceo",
"repo": "conduwuit",
"rev": "e888a0a745ac979abe6a687ff24b8c5e7b7b79ed",
"type": "github"
},
"original": {
"owner": "girlbossceo",
"repo": "conduwuit",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"conduit",
"attic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1702918879,
"narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"inputs": {
"nixpkgs": [
"conduit",
"nixpkgs"
]
},
"locked": {
"lastModified": 1707685877,
"narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=",
"owner": "ipetkov",
"repo": "crane",
"rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e",
"type": "github"
}
},
"crane_3": {
"inputs": {
"nixpkgs": [
"lanzaboote",
@ -44,11 +137,11 @@
]
},
"locked": {
"lastModified": 1710332572,
"narHash": "sha256-7JYT5Qya6QuM2szCrdVcNghoz7ar+ClzaqKJ4cfJaKQ=",
"lastModified": 1710379155,
"narHash": "sha256-zdHEsOOnfBTO1ymL6gd9etR+iNS6HowbJM4Llqxy+Uc=",
"owner": "nix-community",
"repo": "disko",
"rev": "59e50d4ecbac78701c2f9950ff2b886ac66741ce",
"rev": "cc69c2340b59e290982ec7e6238471d470c839d0",
"type": "github"
},
"original": {
@ -60,7 +153,7 @@
"extest": {
"inputs": {
"extest": "extest_2",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1706332837,
@ -92,7 +185,45 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"conduit",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1709619709,
"narHash": "sha256-l6EPVJfwfelWST7qWQeP6t/TDK3HHv5uUB1b2vw4mOQ=",
"owner": "nix-community",
"repo": "fenix",
"rev": "c8943ea9e98d41325ff57d4ec14736d330b321b2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -108,7 +239,23 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1668681692,
@ -146,9 +293,42 @@
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
@ -163,9 +343,9 @@
"type": "github"
}
},
"flake-utils_2": {
"flake-utils_4": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1709126324,
@ -210,11 +390,11 @@
]
},
"locked": {
"lastModified": 1710349883,
"narHash": "sha256-bjbdS2mC76xNJwt1d/uZa+JdHR8CCyYbF4Ey/NgOJus=",
"lastModified": 1710401383,
"narHash": "sha256-jskq7uDpKXrRoY4hDpNqykmSSKHUXYlo7ZFc/se7fus=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f0db7d418e781354d8a3c50e611e3b1cd413087",
"rev": "1ab3cec3a1bbb065b2d52b913d1431366028d5b5",
"type": "github"
},
"original": {
@ -227,14 +407,14 @@
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1710025765,
"narHash": "sha256-CnNH3E1xB/xfif+KotTfvSGLLqOZ0OvUcUrDsFMwN6Q=",
"lastModified": 1710404304,
"narHash": "sha256-tYsUAsZgt9TT7d+r1KRYHWyBRWedJ39SXNBVSCQVsGQ=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "2e8c168044e86ee1344c18bde5caeffe205292f2",
"rev": "ffa51458aec4d53aac85b6dee1ee2ec29f4e953f",
"type": "github"
},
"original": {
@ -245,11 +425,11 @@
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"crane": "crane_3",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
@ -287,6 +467,21 @@
"type": "github"
}
},
"nix-filter": {
"locked": {
"lastModified": 1705332318,
"narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@ -311,11 +506,11 @@
},
"nixlib": {
"locked": {
"lastModified": 1709426687,
"narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=",
"lastModified": 1710031547,
"narHash": "sha256-pkUg3hOKuGWMGF9WEMPPN/G4pqqdbNGJQ54yhyQYDVY=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c",
"rev": "630ebdc047ca96d8126e16bb664c7730dc52f6e6",
"type": "github"
},
"original": {
@ -332,11 +527,11 @@
]
},
"locked": {
"lastModified": 1710164763,
"narHash": "sha256-6p7yebSjzrL8qK4Q0gx2RnsxaudGUQcgkSxFG/J265Y=",
"lastModified": 1710398463,
"narHash": "sha256-fQlYanU84E8uwBpcoTCcLCwU8cqn0eQ7nwTcrWfSngc=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "1d9c8cd24eba7942955f92fdcefba5a6a7543bc6",
"rev": "efd4e38532b5abfaa5c9fc95c5a913157dc20ccb",
"type": "github"
},
"original": {
@ -363,11 +558,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1710313540,
"narHash": "sha256-HtTTpGe0azsEJVaT9RvbGFGB4idUneraLiUTxFb3ABM=",
"lastModified": 1702539185,
"narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4008381882569ab4773f2ba0d7b7bbde8f665672",
"rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447",
"type": "github"
},
"original": {
@ -408,6 +603,22 @@
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1702780907,
"narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1704874635,
"narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
@ -423,7 +634,7 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1710033658,
"narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
@ -456,6 +667,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1710377395,
"narHash": "sha256-KMubsUWtVr7L55pXMBibBDBdmk3xrjbBPduc0E8z28c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "db001797591bf76f7b8d4c4ed3b49233391e0c97",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1708984720,
"narHash": "sha256-gJctErLbXx4QZBBbGp78PxtOOzsDaQ+yw1ylNQBuSUY=",
@ -471,7 +698,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1710078301,
"narHash": "sha256-BQ3v+XPPz5dLiw2AqUEga++yfKRhqJANUqzqNL518pk=",
@ -487,7 +714,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1710272261,
"narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",
@ -503,7 +730,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
@ -518,7 +745,7 @@
"type": "indirect"
}
},
"nixpkgs_6": {
"nixpkgs_7": {
"locked": {
"lastModified": 1709968316,
"narHash": "sha256-4rZEtEDT6jcgRaqxsatBeds7x1PoEiEjb6QNGb4mNrk=",
@ -598,7 +825,7 @@
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1708018599,
@ -616,16 +843,17 @@
},
"root": {
"inputs": {
"conduit": "conduit",
"disko": "disko",
"extest": "extest",
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_3",
"home-manager": "home-manager",
"jovian": "jovian",
"lanzaboote": "lanzaboote",
"linger": "linger",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"nixpkgs-unstable": "nixpkgs-unstable",
"pihole": "pihole",
"plasma-manager": "plasma-manager",
@ -633,6 +861,23 @@
"sops-nix": "sops-nix"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1709571018,
"narHash": "sha256-ISFrxHxE0J5g7lDAscbK88hwaT5uewvWoma9TlFmRzM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "9f14343f9ee24f53f17492c5f9b653427e2ad15e",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
@ -661,8 +906,8 @@
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_5",
"flake-compat": "flake-compat_4",
"nixpkgs": "nixpkgs_6",
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils"
@ -684,15 +929,15 @@
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_6",
"nixpkgs-stable": "nixpkgs-stable_2"
"nixpkgs": "nixpkgs_7",
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1710195194,
"narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
"lastModified": 1710417151,
"narHash": "sha256-3aDzAo0+jURqop+XL8EwVMmS3zkslGiPT2JXWOe9W+4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
"rev": "804157eb75a4312df25a9a144d3807c40ade72b6",
"type": "github"
},
"original": {
@ -731,6 +976,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,


@ -17,6 +17,12 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# Conduit fork without all the fuss and drama
conduit = {
url = "github:girlbossceo/conduwuit";
inputs.nixpkgs.follows = "nixpkgs";
};
# Secret management with sops
sops-nix.url = "github:Mic92/sops-nix";
@ -79,6 +85,7 @@
pihole,
lanzaboote,
nixos-hardware,
conduit,
...
} @ inputs: let
inherit (self) outputs;
@ -123,29 +130,12 @@
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{
home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager];
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
}
];
};
};
# ISO for EDI, can be built using nix build .#EDIISO
EDIISO = nixos-generators.nixosGenerate {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
./nixos/hosts/EDI/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{
home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager];
}
];
format = "iso";
};
nixosConfigurations = {
GLaDOS = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
@ -158,7 +148,7 @@
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{
home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager];
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
}
];
};
@ -186,9 +176,14 @@
# > Our main nixos configuration file <
./nixos/hosts/shodan/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
{
home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager];
}
];
};
};
nixosConfigurations = {
wheatley = nixpkgs.lib.nixosSystem {
system = "armv7l-linux";
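Review bot: The new `conduit` input declared at `url = "github:girlbossceo/conduwuit";` carries no ref or rev, so only flake.lock pins it (rev e888a0a… in this commit's lock) and any later `nix flake update` will silently adopt whatever the fork's default branch holds, together with the `fenix` and nightly `rust-analyzer-src` toolchain inputs the lock shows it pulls in. For a homeserver that the new module exposes on 443/8448, it is worth pinning the input to a reviewed tag or commit, e.g. `url = "github:girlbossceo/conduwuit/<tag-or-rev>";`, and bumping it deliberately after reading the upstream changes. The `inputs.nixpkgs.follows = "nixpkgs";` line is the right call, since it keeps conduwuit from dragging in a second nixpkgs closure. Note also that `conduit` is added to the destructured flake arguments on the `conduit,` line but is not referenced elsewhere in this file's hunks; if the module only consumes it through `inputs`, the explicit binding can be dropped.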


@ -1,4 +1,11 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
programs.plasma = {
enable = true;
shortcuts = {


@ -53,7 +53,7 @@
#Gaming:
prismlauncher
r2modman
yuzu-early-access
ryujinx
# Multimedia:
freetube


@ -116,7 +116,7 @@
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.desktopManager.plasma6.enable = true;
services.desktopManager.plasma6.enable = true;
programs.kdeconnect.enable = true;
services.xserver.displayManager.sddm.settings = {


@ -1,165 +0,0 @@
{
pkgs,
config,
lib,
flake-inputs,
...
}: let
inherit (lib.strings) concatMapStringsSep;
cfg = config.services.matrix-conduit;
domain = "matrix.gladtherescake.eu";
turn-realm = "turn.gladtherescake.eu";
in {
services.matrix-conduit = {
enable = true;
package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit;
settings.global = {
address = "127.0.0.1";
server_name = domain;
database_backend = "rocksdb";
turn_uris = let
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
in [
"turn:${address}?transport=udp"
"turn:${address}?transport=tcp"
"turns:${tls-address}?transport=udp"
"turns:${tls-address}?transport=tcp"
];
};
};
# Pass in the TURN secret via EnvironmentFile, not supported by
# upstream module currently.
#
# See also https://gitlab.com/famedly/conduit/-/issues/314
systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path;
services.coturn = {
enable = true;
no-cli = true;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."turn/secret".path;
realm = turn-realm;
relay-ips = [
"178.79.137.55"
];
# SSL config
#
# TODO(tlater): Switch to letsencrypt once google fix:
# https://github.com/vector-im/element-android/issues/1533
pkey = config.sops.secrets."turn/ssl-key".path;
cert = config.sops.secrets."turn/ssl-cert".path;
# Based on suggestions from
# https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
# and
# https://www.foxypossibilities.com/2018/05/19/setting-up-a-turn-sever-for-matrix-on-nixos/
no-tcp-relay = true;
secure-stun = true;
extraConfig = ''
# Deny various local IP ranges, see
# https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# *Allow* any IP addresses that we explicitly set as relay IPs
${concatMapStringsSep "\n" (ip: "allowed-peer-ip=${ip}") config.services.coturn.relay-ips}
# Various other security settings
no-tlsv1
no-tlsv1_1
# Monitoring
prometheus
'';
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::0]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::0]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::0]";
port = 8448;
ssl = true;
}
];
forceSSL = true;
extraConfig = ''
merge_slashes off;
access_log /var/log/nginx/${domain}/access.log upstream_time;
'';
locations = {
"/_matrix" = {
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
# Recommended by conduit
extraConfig = ''
proxy_buffering off;
'';
};
# Add Element X support
# TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085
"=/.well-known/matrix/client" = {
alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
});
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
};
};
};
}


@ -1,28 +1,148 @@
{
inputs,
outputs,
lib,
config,
pkgs,
inputs,
...
}: {
}: let
# You'll need to edit these values
# The hostname that will appear in your user and room IDs
server_name = "matrix.gladtherescake.eu";
# The hostname that Conduit actually runs on
#
# This can be the same as `server_name` if you want. This is only necessary
# when Conduit is running on a different machine than the one hosting your
# root domain. This configuration also assumes this is all running on a single
# machine, some tweaks will need to be made if this is not the case.
matrix_hostname = "${server_name}";
# An admin email for TLS certificate notifications
admin_email = "admin@${server_name}";
# These ones you can leave alone
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
"m.server": "${matrix_hostname}"
}
'';
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
"base_url": "https://${matrix_hostname}"
}
}
'';
in {
# Configure Conduit itself
services.matrix-conduit = {
enable = true;
# This causes NixOS to use the flake defined in this repository instead of
# the build of Conduit built into nixpkgs.
package = flake-inputs.conduit.packages.${pkgs.system}.default;
settings.global = {
allow_registration = true;
server_name = "matrix.gladtherescake.eu";
port = 6167;
inherit server_name;
};
};
# Configure automated TLS acquisition/renewal
security.acme = {
acceptTerms = true;
defaults = {
email = admin_email;
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"matrix.gladtherescake.eu" = {
"${matrix_hostname}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6167";
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_conduit";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
"${server_name}" = {
forceSSL = true;
enableACME = true;
locations."=/.well-known/matrix/server" = {
# Use the contents of the derivation built previously
alias = "${well_known_server}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
'';
};
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
# https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
add_header Access-Control-Allow-Origin "*";
'';
};
};
};
upstreams = {
"backend_conduit" = {
servers = {
"[::1]:${toString config.services.matrix-conduit.settings.global.port}" = {};
};
};
};