authorsinanmohd <sinan@sinanmohd.com>2023-09-09 11:45:52 +0530
committersinanmohd <sinan@sinanmohd.com>2023-09-11 13:44:14 +0530
commit146026f7bd704aa80e09fedac08e47754f9ac2f4 (patch)
treed0bf90d69eae592cab13b07befde180a463144be /hosts/kay
parente72c86c26271ba88e8b5ea1db9baf1fdd2501945 (diff)
hosts/kay/modules/www: init
Diffstat (limited to 'hosts/kay')
-rw-r--r--hosts/kay/configuration.nix1
-rw-r--r--hosts/kay/modules/cgit.nix28
-rw-r--r--hosts/kay/modules/dendrite.nix109
-rw-r--r--hosts/kay/modules/www.nix47
-rw-r--r--hosts/kay/secrets.yaml5
5 files changed, 188 insertions, 2 deletions
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 99d52bc..5085a42 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -4,6 +4,7 @@
imports = [
./hardware-configuration.nix
./modules/network.nix
+ ./modules/www.nix
../../common.nix
];
diff --git a/hosts/kay/modules/cgit.nix b/hosts/kay/modules/cgit.nix
new file mode 100644
index 0000000..e4bed68
--- /dev/null
+++ b/hosts/kay/modules/cgit.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ user = config.userdata.user;
+in
+{
+ services = {
+ nginx.virtualHosts."git.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ cgit."git.${domain}" = {
+ enable = true;
+ nginx.virtualHost = "git.${domain}";
+ scanPath = "/var/lib/git";
+ settings = {
+ project-list = "/var/lib/git/project.list";
+ remove-suffix = 1;
+ enable-commit-graph = 1;
+ root-title = "${user}'s git server";
+ root-desc = "how do i learn github anon";
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url = "https://git.${domain}/$CGIT_REPO_URL";
+ };
+ };
+ };
+}
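Review bot: `project-list` limits what the cgit index shows, but it may not limit what can be cloned. As far as I know, the NixOS cgit module also serves clones through git-http-backend rooted at `scanPath`, so anything under `/var/lib/git` could be fetchable whether or not it appears in `project.list`. That is inferred from the module rather than visible in this hunk, so check it against the generated nginx config. If it holds, keep unpublished repositories outside `/var/lib/git` and record the assumption next to `scanPath`, e.g. `# everything under this path is public; project.list only controls the index`.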
diff --git a/hosts/kay/modules/dendrite.nix b/hosts/kay/modules/dendrite.nix
new file mode 100644
index 0000000..4ec2bb3
--- /dev/null
+++ b/hosts/kay/modules/dendrite.nix
@@ -0,0 +1,109 @@
+{ config, lib, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ database = {
+ connection_string = "postgres:///dendrite?host=/run/postgresql";
+ max_open_conns = 90;
+ max_idle_conns = 5;
+ conn_max_lifetime = -1;
+ };
+in
+{
+ sops.secrets."misc/matrix-${domain}" = {};
+
+ services = {
+ postgresql = {
+ enable = true;
+ package = with pkgs; postgresql_15;
+ settings = {
+ log_timezone = config.time.timeZone;
+ listen_addresses = lib.mkForce "";
+ };
+ ensureDatabases = [ "dendrite" ];
+ ensureUsers = [
+ {
+ name = "dendrite";
+ ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ dendrite = {
+ enable = true;
+ loadCredential = [
+ "private_key:${config.sops.secrets."misc/matrix-${domain}".path}"
+ ];
+
+ settings = {
+ sync_api.search = {
+ enable = true;
+ index_path = "/var/lib/dendrite/searchindex";
+ };
+ global = {
+ server_name = domain;
+ private_key = "$CREDENTIALS_DIRECTORY/private_key";
+ trusted_third_party_id_servers = [
+ "matrix.org"
+ "vector.im"
+ ];
+ inherit database;
+ };
+ logging = [{
+ type = "std";
+ level = "warn";
+ }];
+ mscs = {
+ inherit database;
+ mscs = [ "msc2836" ];
+ };
+ sync_api = {
+ inherit database;
+ real_ip_header = "X-Real-IP";
+ };
+ media_api = {
+ inherit database;
+ dynamic_thumbnails = true;
+ max_file_size_bytes = 12800000000;
+ };
+ federation_api = {
+ inherit database;
+ send_max_retries = 8;
+ key_perspectives = [{
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }];
+ };
+
+ app_service_api = {
+ inherit database;
+ };
+ room_server = {
+ inherit database;
+ };
+ push_server = {
+ inherit database;
+ };
+ relay_api = {
+ inherit database;
+ };
+ key_server = {
+ inherit database;
+ };
+ user_api = {
+ account_database = database;
+ device_database = database;
+ };
+ };
+ };
+ };
+}
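Review bot: `max_file_size_bytes = 12800000000;` in `media_api` allows roughly 12.8 GB per upload, and www.nix in this same commit passes that value to nginx as `client_max_body_size` for the whole apex vhost, so a single request may consume that much disk and buffer space. If 128 MB was intended, the line should read `max_file_size_bytes = 128000000;`. If the large limit is deliberate, a comment stating why and what bounds the media store would help. Separately, the secret name `misc/matrix-${domain}` is interpolated here while secrets.yaml carries the literal key `matrix-sinanmohd.com`, so changing `userdata.domain` would break the lookup; a fixed key name avoids that coupling.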
diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix
new file mode 100644
index 0000000..08548e8
--- /dev/null
+++ b/hosts/kay/modules/www.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+ email = config.userdata.email;
+in
+{
+ imports = [
+ ./dendrite.nix
+ ./cgit.nix
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ globalRedirect = "www.${domain}";
+
+ extraConfig = ''
+ client_max_body_size ${toString config.services.dendrite.settings.media_api.max_file_size_bytes};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 600;
+ '';
+ locations."/_matrix" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ };
+ locations."/.well-known/matrix/server".return = ''
+ 200 '{ "m.server": "${domain}:443" }'
+ '';
+ };
+ "www.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/${domain}";
+ };
+ };
+ };
+}
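Review bot: Dendrite is configured to take the client address from `X-Real-IP` (`real_ip_header` in dendrite.nix), and this vhost sets that header from `$remote_addr`, which is only trustworthy if nothing but nginx can reach Dendrite's HTTP port. The hunk proxies to `127.0.0.1` and opens only ports 80 and 443, but the listener's bind address is not visible here. Confirm it is loopback-only or firewalled, and say so in a comment such as `# dendrite trusts X-Real-IP; its port must stay reachable only via this proxy`. The `proxy_set_header` and `proxy_read_timeout` lines also sit in server-level `extraConfig`; moving them to `locations."/_matrix".extraConfig` would scope them to the proxied path.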
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 9db62ac..98d18a9 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
@@ -4,6 +4,7 @@ ppp:
username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
misc:
namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
+ matrix-sinanmohd.com: ENC[AES256_GCM,data:iU1RGvv275iZpP5L8T2BPCqDIPlGUXdx7Hcct8T7kK2eYH5mGHN1o16azEJKuVKJfrZ86Lt5bDCBu9i7IcF0yXqlf6tqdjeoQdhhZXvC7f7zXNiypiRc5LFh0Ks7mXQxNhxPUQ6HRxKmLC+15H9FAn69fK7NOIh9ZG8QBKAXRrtosyTYnSPdPQ==,iv:0vPDl1YvSseIj2VVlX5jrvd1BwGuBXP3pgaHponE5ZU=,tag:eon485eelXfCKjhKat5fzw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -19,8 +20,8 @@ sops:
bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-08T16:51:01Z"
- mac: ENC[AES256_GCM,data:lW4EoZAjHH5L1++ravYUAkWLRtHMpmL6qWlEUM7xmDZzM9FzCILi9SglNaht72j3I83//7CWfMWftvhIzgy1wiGorLdQEz/jsf7fM1tGpNVyg8DOO2NCT5QWESQjDdjE+74tloG20Jbs0VHoGxHFarLNSc4qe0V8nSgjtnurlj4=,iv:akj2kcf6YuoOyA5CEFF6X2+e2OHyXrCzJ15IFD9z/DY=,tag:26ldQCKhCWjtEZUAYCStuQ==,type:str]
+ lastmodified: "2023-09-09T06:14:23Z"
+ mac: ENC[AES256_GCM,data:wMUs5AknuaVcyYoWAVr9OZoLrJ4oHRJTHbgV8ptQg7mLrqW0WCzQ5WtubUVgvzIpm1BkRIXHfzAaUxJvcZFRk8NxCKp9ElA3DxdkbUXayYV+HkdcrvygsB1BzYaDXzV1SwLfH2ROSKTu6iWJWf6p1oM96mA5ur6DgKiXhdgnjGg=,iv:SfWrSP2+fcPzXgINCoRcH2ljkNTEJWLHQUjG25+Z+mc=,tag:U5A44EiyZHf/vV8ThEs8qQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3