diff --git a/flake.lock b/flake.lock index 5b66d47..97f202f 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1707922053, + "narHash": "sha256-wSZjK+rOXn+UQiP1NbdNn5/UW6UcBxjvlqr2wh++MbM=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "6eabc3f02fae3683bffab483e614bebfcd476b21", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -16,7 +39,77 @@ "type": "gitlab" } }, + "conduit": { + "inputs": { + "attic": "attic", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1710090208, + "narHash": "sha256-1W7yDW+kqCr/9SygZwygBayE8HwLnzJq48fMAOZQLAY=", + "owner": "girlbossceo", + "repo": "conduwuit", + "rev": "e888a0a745ac979abe6a687ff24b8c5e7b7b79ed", + "type": "github" + }, + "original": { + "owner": "girlbossceo", + "repo": "conduwuit", + "type": "github" + } + }, "crane": { + "inputs": { + "nixpkgs": [ + "conduit", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702918879, + "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707685877, + "narHash": "sha256-XoXRS+5whotelr1rHiZle5t5hDg9kpguS5yk8c8qzOc=", + "owner": "ipetkov", + "repo": "crane", + "rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "rev": "2c653e4478476a52c6aa3ac0495e4dea7449ea0e", + "type": "github" + } + }, + "crane_3": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -44,11 +137,11 @@ ] }, "locked": { - "lastModified": 1710332572, - "narHash": "sha256-7JYT5Qya6QuM2szCrdVcNghoz7ar+ClzaqKJ4cfJaKQ=", + "lastModified": 1710379155, + "narHash": "sha256-zdHEsOOnfBTO1ymL6gd9etR+iNS6HowbJM4Llqxy+Uc=", "owner": "nix-community", "repo": "disko", - "rev": "59e50d4ecbac78701c2f9950ff2b886ac66741ce", + "rev": "cc69c2340b59e290982ec7e6238471d470c839d0", "type": "github" }, "original": { @@ -60,7 +153,7 @@ "extest": { "inputs": { "extest": "extest_2", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1706332837, @@ -92,7 +185,45 @@ "type": "github" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1709619709, + "narHash": "sha256-l6EPVJfwfelWST7qWQeP6t/TDK3HHv5uUB1b2vw4mOQ=", + "owner": "nix-community", + "repo": "fenix", + "rev": "c8943ea9e98d41325ff57d4ec14736d330b321b2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, @@ -108,7 +239,23 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1668681692, @@ -146,9 +293,42 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems" }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, "locked": { "lastModified": 1710146030, "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", @@ -163,9 +343,9 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_4": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1709126324, @@ -210,11 +390,11 @@ ] }, "locked": { - "lastModified": 1710349883, - "narHash": "sha256-bjbdS2mC76xNJwt1d/uZa+JdHR8CCyYbF4Ey/NgOJus=", + "lastModified": 1710401383, + "narHash": "sha256-jskq7uDpKXrRoY4hDpNqykmSSKHUXYlo7ZFc/se7fus=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f0db7d418e781354d8a3c50e611e3b1cd413087", + "rev": "1ab3cec3a1bbb065b2d52b913d1431366028d5b5", "type": "github" }, "original": { @@ -227,14 +407,14 @@ "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1710025765, - "narHash": "sha256-CnNH3E1xB/xfif+KotTfvSGLLqOZ0OvUcUrDsFMwN6Q=", + "lastModified": 1710404304, + "narHash": "sha256-tYsUAsZgt9TT7d+r1KRYHWyBRWedJ39SXNBVSCQVsGQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "2e8c168044e86ee1344c18bde5caeffe205292f2", + "rev": "ffa51458aec4d53aac85b6dee1ee2ec29f4e953f", "type": "github" }, "original": { @@ -245,11 +425,11 @@ }, "lanzaboote": { "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", + "crane": "crane_3", + "flake-compat": "flake-compat_3", "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3", + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_4", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, @@ -287,6 +467,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1705332318, + "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3449dc925982ad46246cfc36469baf66e1b64f17", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -311,11 +506,11 @@ }, "nixlib": { "locked": { - "lastModified": 1709426687, - "narHash": "sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA=", + "lastModified": 1710031547, + "narHash": "sha256-pkUg3hOKuGWMGF9WEMPPN/G4pqqdbNGJQ54yhyQYDVY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c", + "rev": "630ebdc047ca96d8126e16bb664c7730dc52f6e6", "type": "github" }, "original": { @@ -332,11 +527,11 @@ ] }, "locked": { - "lastModified": 1710164763, - "narHash": "sha256-6p7yebSjzrL8qK4Q0gx2RnsxaudGUQcgkSxFG/J265Y=", + "lastModified": 1710398463, + "narHash": "sha256-fQlYanU84E8uwBpcoTCcLCwU8cqn0eQ7nwTcrWfSngc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "1d9c8cd24eba7942955f92fdcefba5a6a7543bc6", + "rev": "efd4e38532b5abfaa5c9fc95c5a913157dc20ccb", "type": "github" }, "original": { @@ -363,11 +558,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710313540, - "narHash": "sha256-HtTTpGe0azsEJVaT9RvbGFGB4idUneraLiUTxFb3ABM=", + "lastModified": 1702539185, + "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4008381882569ab4773f2ba0d7b7bbde8f665672", + "rev": "aa9d4729cbc99dabacb50e3994dcefb3ea0f7447", "type": "github" }, "original": { @@ -408,6 +603,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1702780907, + "narHash": "sha256-blbrBBXjjZt6OKTcYX1jpe9SRof2P9ZYWPzq22tzXAA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1e2e384c5b7c50dbf8e9c441a9e58d85f408b01f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1704874635, "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", @@ -423,7 +634,7 @@ "type": "github" } }, - "nixpkgs-stable_2": { + "nixpkgs-stable_3": { "locked": { "lastModified": 1710033658, "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=", @@ -456,6 +667,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1710377395, + "narHash": "sha256-KMubsUWtVr7L55pXMBibBDBdmk3xrjbBPduc0E8z28c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "db001797591bf76f7b8d4c4ed3b49233391e0c97", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1708984720, "narHash": "sha256-gJctErLbXx4QZBBbGp78PxtOOzsDaQ+yw1ylNQBuSUY=", @@ -471,7 +698,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1710078301, "narHash": "sha256-BQ3v+XPPz5dLiw2AqUEga++yfKRhqJANUqzqNL518pk=", @@ -487,7 +714,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1710272261, "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=", @@ -503,7 +730,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1705856552, "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", @@ -518,7 +745,7 @@ "type": "indirect" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1709968316, "narHash": "sha256-4rZEtEDT6jcgRaqxsatBeds7x1PoEiEjb6QNGb4mNrk=", @@ -598,7 +825,7 @@ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1708018599, @@ -616,16 +843,17 @@ }, "root": { "inputs": { + "conduit": "conduit", "disko": "disko", "extest": "extest", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_3", "home-manager": "home-manager", "jovian": "jovian", "lanzaboote": "lanzaboote", "linger": "linger", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "nixpkgs-unstable": "nixpkgs-unstable", "pihole": "pihole", "plasma-manager": "plasma-manager", @@ -633,6 +861,23 @@ "sops-nix": "sops-nix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1709571018, + "narHash": "sha256-ISFrxHxE0J5g7lDAscbK88hwaT5uewvWoma9TlFmRzM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "9f14343f9ee24f53f17492c5f9b653427e2ad15e", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { "flake-utils": [ @@ -661,8 +906,8 @@ "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_5", + "flake-compat": "flake-compat_4", + "nixpkgs": "nixpkgs_6", "nixpkgs-23_05": "nixpkgs-23_05", "nixpkgs-23_11": "nixpkgs-23_11", "utils": "utils" @@ -684,15 +929,15 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_6", - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs": "nixpkgs_7", + "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1710195194, - "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=", + "lastModified": 1710417151, + "narHash": "sha256-3aDzAo0+jURqop+XL8EwVMmS3zkslGiPT2JXWOe9W+4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880", + "rev": "804157eb75a4312df25a9a144d3807c40ade72b6", "type": "github" }, "original": { @@ -731,6 +976,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1605370193, diff --git a/flake.nix b/flake.nix index 8780eea..ca7f796 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # Conduit fork without all the fuss and drama + conduit = { + url = "github:girlbossceo/conduwuit"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # Secret management with sops sops-nix.url = "github:Mic92/sops-nix"; @@ -79,6 +85,7 @@ pihole, lanzaboote, nixos-hardware, + conduit, ... } @ inputs: let inherit (self) outputs; @@ -123,29 +130,12 @@ disko.nixosModules.disko home-manager.nixosModules.home-manager { - home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager]; + home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; } ]; }; }; - # ISO for EDI, can be built using nix build .#EDIISO - EDIISO = nixos-generators.nixosGenerate { - system = "x86_64-linux"; - specialArgs = {inherit inputs outputs;}; - modules = [ - ./nixos/hosts/EDI/configuration.nix - sops-nix.nixosModules.sops - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - { - home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager]; - } - ]; - format = "iso"; - }; - nixosConfigurations = { GLaDOS = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -158,7 +148,7 @@ disko.nixosModules.disko home-manager.nixosModules.home-manager { - home-manager.sharedModules = [plasma-manager.homeManagerModules.plasma-manager]; + home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; } ]; }; @@ -186,9 +176,14 @@ # > Our main nixos configuration file < ./nixos/hosts/shodan/configuration.nix sops-nix.nixosModules.sops + home-manager.nixosModules.home-manager + { + home-manager.sharedModules = [inputs.plasma-manager.homeManagerModules.plasma-manager]; + } ]; }; }; + nixosConfigurations = { wheatley = nixpkgs.lib.nixosSystem { system = "armv7l-linux"; diff --git a/home-manager/desktop/plasma-desktop/default.nix b/home-manager/desktop/plasma-desktop/default.nix index fa8a52d..48e77cf 100644 --- a/home-manager/desktop/plasma-desktop/default.nix +++ b/home-manager/desktop/plasma-desktop/default.nix @@ -1,4 +1,11 @@ { + inputs, + outputs, + lib, + config, + pkgs, + ... +}: { programs.plasma = { enable = true; shortcuts = { diff --git a/home-manager/hosts/shodan/lillian.nix b/home-manager/hosts/shodan/lillian.nix index f6195fb..1f1393d 100644 --- a/home-manager/hosts/shodan/lillian.nix +++ b/home-manager/hosts/shodan/lillian.nix @@ -53,7 +53,7 @@ #Gaming: prismlauncher r2modman - yuzu-early-access + ryujinx # Multimedia: freetube diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix index 4d6232d..7b8dcb3 100644 --- a/nixos/hosts/shodan/configuration.nix +++ b/nixos/hosts/shodan/configuration.nix @@ -116,7 +116,7 @@ services.xserver.enable = true; # Enable the KDE Plasma Desktop Environment. - services.xserver.desktopManager.plasma6.enable = true; + services.desktopManager.plasma6.enable = true; programs.kdeconnect.enable = true; services.xserver.displayManager.sddm.settings = { diff --git a/nixos/server/package-configs/conduit/copy.nix b/nixos/server/package-configs/conduit/copy.nix deleted file mode 100644 index 4c301ac..0000000 --- a/nixos/server/package-configs/conduit/copy.nix +++ /dev/null @@ -1,165 +0,0 @@ -{ - pkgs, - config, - lib, - flake-inputs, - ... -}: let - inherit (lib.strings) concatMapStringsSep; - - cfg = config.services.matrix-conduit; - domain = "matrix.gladtherescake.eu"; - turn-realm = "turn.gladtherescake.eu"; -in { - services.matrix-conduit = { - enable = true; - package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit; - settings.global = { - address = "127.0.0.1"; - server_name = domain; - database_backend = "rocksdb"; - - turn_uris = let - address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}"; - tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}"; - in [ - "turn:${address}?transport=udp" - "turn:${address}?transport=tcp" - "turns:${tls-address}?transport=udp" - "turns:${tls-address}?transport=tcp" - ]; - }; - }; - - # Pass in the TURN secret via EnvironmentFile, not supported by - # upstream module currently. - # - # See also https://gitlab.com/famedly/conduit/-/issues/314 - systemd.services.conduit.serviceConfig.EnvironmentFile = config.sops.secrets."turn/env".path; - - services.coturn = { - enable = true; - no-cli = true; - use-auth-secret = true; - static-auth-secret-file = config.sops.secrets."turn/secret".path; - realm = turn-realm; - relay-ips = [ - "178.79.137.55" - ]; - - # SSL config - # - # TODO(tlater): Switch to letsencrypt once google fix: - # https://github.com/vector-im/element-android/issues/1533 - pkey = config.sops.secrets."turn/ssl-key".path; - cert = config.sops.secrets."turn/ssl-cert".path; - - # Based on suggestions from - # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md - # and - # https://www.foxypossibilities.com/2018/05/19/setting-up-a-turn-sever-for-matrix-on-nixos/ - no-tcp-relay = true; - secure-stun = true; - extraConfig = '' - # Deny various local IP ranges, see - # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - - # *Allow* any IP addresses that we explicitly set as relay IPs - ${concatMapStringsSep "\n" (ip: "allowed-peer-ip=${ip}") config.services.coturn.relay-ips} - - # Various other security settings - no-tlsv1 - no-tlsv1_1 - - # Monitoring - prometheus - ''; - }; - - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::0]"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::0]"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::0]"; - port = 8448; - ssl = true; - } - ]; - - forceSSL = true; - extraConfig = '' - merge_slashes off; - access_log /var/log/nginx/${domain}/access.log upstream_time; - ''; - - locations = { - "/_matrix" = { - proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}"; - # Recommended by conduit - extraConfig = '' - proxy_buffering off; - ''; - }; - - # Add Element X support - # TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085 - "=/.well-known/matrix/client" = { - alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON { - "m.homeserver".base_url = "https://${domain}"; - "org.matrix.msc3575.proxy".url = "https://${domain}"; - }); - - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - }; - }; -} diff --git a/nixos/server/package-configs/conduit/default.nix b/nixos/server/package-configs/conduit/default.nix index d9f44a9..364d0e3 100644 --- a/nixos/server/package-configs/conduit/default.nix +++ b/nixos/server/package-configs/conduit/default.nix @@ -1,28 +1,148 @@ { - inputs, - outputs, - lib, config, pkgs, + inputs, ... -}: { +}: let + # You'll need to edit these values + # The hostname that will appear in your user and room IDs + server_name = "matrix.gladtherescake.eu"; + + # The hostname that Conduit actually runs on + # + # This can be the same as `server_name` if you want. This is only necessary + # when Conduit is running on a different machine than the one hosting your + # root domain. This configuration also assumes this is all running on a single + # machine, some tweaks will need to be made if this is not the case. + matrix_hostname = "${server_name}"; + + # An admin email for TLS certificate notifications + admin_email = "admin@${server_name}"; + + # These ones you can leave alone + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server` + well_known_server = pkgs.writeText "well-known-matrix-server" '' + { + "m.server": "${matrix_hostname}" + } + ''; + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client` + well_known_client = pkgs.writeText "well-known-matrix-client" '' + { + "m.homeserver": { + "base_url": "https://${matrix_hostname}" + } + } + ''; +in { + # Configure Conduit itself services.matrix-conduit = { enable = true; + + # This causes NixOS to use the flake defined in this repository instead of + # the build of Conduit built into nixpkgs. + package = flake-inputs.conduit.packages.${pkgs.system}.default; + settings.global = { - allow_registration = true; - server_name = "matrix.gladtherescake.eu"; - port = 6167; + inherit server_name; }; }; + # Configure automated TLS acquisition/renewal + security.acme = { + acceptTerms = true; + defaults = { + email = admin_email; + }; + }; + + # ACME data must be readable by the NGINX user + users.users.nginx.extraGroups = [ + "acme" + ]; + + # Configure NGINX as a reverse proxy services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = { - "matrix.gladtherescake.eu" = { + "${matrix_hostname}" = { forceSSL = true; enableACME = true; - locations."/" = { - proxyPass = "http://localhost:6167"; + + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + + locations."/_matrix/" = { + proxyPass = "http://backend_conduit"; proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + + extraConfig = '' + merge_slashes off; + ''; + }; + + "${server_name}" = { + forceSSL = true; + enableACME = true; + + locations."=/.well-known/matrix/server" = { + # Use the contents of the derivation built previously + alias = "${well_known_server}"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + ''; + }; + + locations."=/.well-known/matrix/client" = { + # Use the contents of the derivation built previously + alias = "${well_known_client}"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + + # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients + add_header Access-Control-Allow-Origin "*"; + ''; + }; + }; + }; + + upstreams = { + "backend_conduit" = { + servers = { + "[::1]:${toString config.services.matrix-conduit.settings.global.port}" = {}; }; }; };