From 146026f7bd704aa80e09fedac08e47754f9ac2f4 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sat, 9 Sep 2023 11:45:52 +0530
Subject: hosts/kay/modules/www: init
---
 hosts/kay/configuration.nix | 1 +
 hosts/kay/modules/cgit.nix | 28 +++++++++++
 hosts/kay/modules/dendrite.nix | 109 +++++++++++++++++++++++++++++++++++++++++
 hosts/kay/modules/www.nix | 47 ++++++++++++++++++
 hosts/kay/secrets.yaml | 5 +-
 5 files changed, 188 insertions(+), 2 deletions(-)
 create mode 100644 hosts/kay/modules/cgit.nix
 create mode 100644 hosts/kay/modules/dendrite.nix
 create mode 100644 hosts/kay/modules/www.nix
(limited to 'hosts')
diff --git a/hosts/kay/configuration.nix b/hosts/kay/configuration.nix
index 99d52bc..5085a42 100644
--- a/hosts/kay/configuration.nix
+++ b/hosts/kay/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ./modules/network.nix
+ ./modules/www.nix
 ../../common.nix
 ];
diff --git a/hosts/kay/modules/cgit.nix b/hosts/kay/modules/cgit.nix
new file mode 100644
index 0000000..e4bed68
--- /dev/null
+++ b/hosts/kay/modules/cgit.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ user = config.userdata.user;
+in
+{
+ services = {
+ nginx.virtualHosts."git.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ cgit."git.${domain}" = {
+ enable = true;
+ nginx.virtualHost = "git.${domain}";
+ scanPath = "/var/lib/git";
+ settings = {
+ project-list = "/var/lib/git/project.list";
+ remove-suffix = 1;
+ enable-commit-graph = 1;
+ root-title = "${user}'s git server";
+ root-desc = "how do i learn github anon";
+ source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ clone-url = "https://git.${domain}/$CGIT_REPO_URL";
+ };
+ };
+ };
+}
diff --git a/hosts/kay/modules/dendrite.nix b/hosts/kay/modules/dendrite.nix
new file mode 100644
index 0000000..4ec2bb3
--- /dev/null
+++ b/hosts/kay/modules/dendrite.nix
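Review bot: The cgit block publishes whatever `project-list = "/var/lib/git/project.list"` names under `scanPath = "/var/lib/git"`, but nothing in the commit provisions that file and the allow-list semantics are not stated; a comment such as `# only repositories named in project.list are served; repos merely present under scanPath stay hidden` would make the exposure boundary explicit. cgit also requires `project-list` to precede `scan-path` in the generated cgitrc, so it is worth confirming that the NixOS module emits `settings` ahead of `scanPath`; if it does not, the list is presumably ignored and every repository under the scan path would be listed. The `enableACME`/`forceSSL` host and the `clone-url` over https are consistent with each other.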
@@ -0,0 +1,109 @@
+{ config, lib, pkgs, ... }:
+
+let
+ domain = config.userdata.domain;
+ database = {
+ connection_string = "postgres:///dendrite?host=/run/postgresql";
+ max_open_conns = 90;
+ max_idle_conns = 5;
+ conn_max_lifetime = -1;
+ };
+in
+{
+ sops.secrets."misc/matrix-${domain}" = {};
+
+ services = {
+ postgresql = {
+ enable = true;
+ package = with pkgs; postgresql_15;
+ settings = {
+ log_timezone = config.time.timeZone;
+ listen_addresses = lib.mkForce "";
+ };
+ ensureDatabases = [ "dendrite" ];
+ ensureUsers = [
+ {
+ name = "dendrite";
+ ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ dendrite = {
+ enable = true;
+ loadCredential = [
+ "private_key:${config.sops.secrets."misc/matrix-${domain}".path}"
+ ];
+
+ settings = {
+ sync_api.search = {
+ enable = true;
+ index_path = "/var/lib/dendrite/searchindex";
+ };
+ global = {
+ server_name = domain;
+ private_key = "$CREDENTIALS_DIRECTORY/private_key";
+ trusted_third_party_id_servers = [
+ "matrix.org"
+ "vector.im"
+ ];
+ inherit database;
+ };
+ logging = [{
+ type = "std";
+ level = "warn";
+ }];
+ mscs = {
+ inherit database;
+ mscs = [ "msc2836" ];
+ };
+ sync_api = {
+ inherit database;
+ real_ip_header = "X-Real-IP";
+ };
+ media_api = {
+ inherit database;
+ dynamic_thumbnails = true;
+ max_file_size_bytes = 12800000000;
+ };
+ federation_api = {
+ inherit database;
+ send_max_retries = 8;
+ key_perspectives = [{
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }];
+ };
+
+ app_service_api = {
+ inherit database;
+ };
+ room_server = {
+ inherit database;
+ };
+ push_server = {
+ inherit database;
+ };
+ relay_api = {
+ inherit database;
+ };
+ key_server = {
+ inherit database;
+ };
+ user_api = {
+ account_database = database;
+ device_database = database;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/kay/modules/www.nix b/hosts/kay/modules/www.nix
new file mode 100644
index 0000000..08548e8
--- /dev/null
+++ b/hosts/kay/modules/www.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+ email = config.userdata.email;
+in
+{
+ imports = [
+ ./dendrite.nix
+ ./cgit.nix
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ globalRedirect = "www.${domain}";
+
+ extraConfig = ''
+ client_max_body_size ${toString config.services.dendrite.settings.media_api.max_file_size_bytes};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 600;
+ '';
+ locations."/_matrix" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ };
+ locations."/.well-known/matrix/server".return = ''
+ 200 '{ "m.server": "${domain}:443" }'
+ '';
+ };
+ "www.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/${domain}";
+ };
+ };
+ };
+}
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 9db62ac..98d18a9 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
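Review bot: `max_file_size_bytes = 12800000000` in `media_api` lets a single media upload be roughly 12.8 GB, and www.nix copies the same value into nginx's `client_max_body_size`, so no layer caps request bodies at a smaller size; since a homeserver presumably also fetches media from remote servers up to this limit, a handful of large files can fill the host's disk. Consider a deliberately chosen limit with a comment stating the intent, e.g. `max_file_size_bytes = 104857600; # 100 MiB per upload (constructed example); nginx inherits this in www.nix`, or at least document that the present value is intentional. Separately, `sync_api.search = { … }` and `sync_api = { … }` define the same attribute in two places; folding `search` into the later `sync_api` block reads more clearly. The `listen_addresses = lib.mkForce ""` plus the Unix-socket `connection_string` is a good pairing and deserves a one-line comment saying PostgreSQL is socket-only on purpose.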
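Review bot: The `"${domain}"` host is a `globalRedirect` to `www.${domain}` yet also terminates `/_matrix` and `/.well-known/matrix/server`, and its server-level `extraConfig` applies `client_max_body_size` and the proxy headers to every location, including the redirect and the well-known response. Scoping those four lines to `locations."/_matrix".extraConfig`, next to `proxyPass`, keeps the upload limit and proxy headers where the proxying actually happens without changing Matrix behaviour. A short comment on the host, `# bare domain: redirect to www, except the Matrix endpoints proxied to dendrite`, would also help, since the mix of `globalRedirect` and explicit locations is easy to misread.
```nix
"${domain}" = {
  # … unchanged: forceSSL, enableACME, globalRedirect …
  locations."/_matrix" = {
    proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
    extraConfig = ''
      client_max_body_size ${toString config.services.dendrite.settings.media_api.max_file_size_bytes};
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_read_timeout 600;
    '';
  };
  # … unchanged: /.well-known/matrix/server …
```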
@@ -4,6 +4,7 @@ ppp:
 username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
 misc:
 namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
+ matrix-sinanmohd.com: ENC[AES256_GCM,data:iU1RGvv275iZpP5L8T2BPCqDIPlGUXdx7Hcct8T7kK2eYH5mGHN1o16azEJKuVKJfrZ86Lt5bDCBu9i7IcF0yXqlf6tqdjeoQdhhZXvC7f7zXNiypiRc5LFh0Ks7mXQxNhxPUQ6HRxKmLC+15H9FAn69fK7NOIh9ZG8QBKAXRrtosyTYnSPdPQ==,iv:0vPDl1YvSseIj2VVlX5jrvd1BwGuBXP3pgaHponE5ZU=,tag:eon485eelXfCKjhKat5fzw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -19,8 +20,8 @@ sops:
 bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
 ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-08T16:51:01Z"
- mac: ENC[AES256_GCM,data:lW4EoZAjHH5L1++ravYUAkWLRtHMpmL6qWlEUM7xmDZzM9FzCILi9SglNaht72j3I83//7CWfMWftvhIzgy1wiGorLdQEz/jsf7fM1tGpNVyg8DOO2NCT5QWESQjDdjE+74tloG20Jbs0VHoGxHFarLNSc4qe0V8nSgjtnurlj4=,iv:akj2kcf6YuoOyA5CEFF6X2+e2OHyXrCzJ15IFD9z/DY=,tag:26ldQCKhCWjtEZUAYCStuQ==,type:str]
+ lastmodified: "2023-09-09T06:14:23Z"
+ mac: ENC[AES256_GCM,data:wMUs5AknuaVcyYoWAVr9OZoLrJ4oHRJTHbgV8ptQg7mLrqW0WCzQ5WtubUVgvzIpm1BkRIXHfzAaUxJvcZFRk8NxCKp9ElA3DxdkbUXayYV+HkdcrvygsB1BzYaDXzV1SwLfH2ROSKTu6iWJWf6p1oM96mA5ur6DgKiXhdgnjGg=,iv:SfWrSP2+fcPzXgINCoRcH2ljkNTEJWLHQUjG25+Z+mc=,tag:U5A44EiyZHf/vV8ThEs8qQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
-- 
cgit v1.2.3