diff --git a/flake.lock b/flake.lock
index d6fb4f8..a69e369 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1470,11 +1470,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1704582381,
- "narHash": "sha256-GC56ZF7qAtRqxF/SchmlVN86mA4BMwRFRz411utqUvc=",
+ "lastModified": 1709496928,
+ "narHash": "sha256-g9dipr2h98QommLyv5uGF6T9Oqp5OQAyyxCugr4B6+A=",
 "ref": "main",
- "rev": "cd333595c000cd2b1cbce7b2a6027fd6c3f07769",
- "revCount": 62,
+ "rev": "e38a0471afe70fa2d262ba0a86a68bfbae8c2c26",
+ "revCount": 63,
 "type": "git",
 "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 },
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index c315aba..4da6955 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -16,8 +16,10 @@ let
 chungus = "10.23.42.28";
 cherry = "10.23.42.29";
 robi = "10.23.42.111";
+ orbi = "10.23.42.100";
 };
 subDomains = {
+ # orbi
 # robi
 "grafana.robi" = hosts.robi;
 "loki.robi" = hosts.robi;
@@ -97,6 +99,11 @@ in
 subnets = [{ address = hosts.robi; }];
 settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
 };
+ orbi = {
+ addresses = [{ address = "95.216.66.212"; }];
+ subnets = [{ address = hosts.orbi; }];
+ settings.Ed25519PublicKey = "/1OE8xsnRT6egxd/+iH9TE+tzlwiUJeNsGFIIWyc70A";
+ };
 };
 };
 };
diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix
index 9af5071..5b4010e 100644
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@@ -5,7 +5,6 @@
 ../../system/all/defaults.nix
- ../../components
 ../../modules
@@ -21,7 +20,7 @@
 #./nginx.nix
 #./nginx-wkd.nix
- #./network-tinc.nix
+ ./network-tinc.nix
 #./network-wireguard.nix
 #./media-share.nix
@@ -35,6 +34,7 @@
 #./sync-torrent.nix
 #./social-jitsi.nix
+ ./social-matrix.nix # matrix
 # ------
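Review bot: The `@@ -5,7 +5,6 @@` hunk of nixos/machines/orbi/configuration.nix removes `../../components` from the imports while the `@@ -21,7 +20,7 @@` hunk of the same file enables `./network-tinc.nix`, which sets `tinc.private.*` and `tinc.secret.*`; the `tinc.private` options appear to be declared under nixos/components/network/tinc/ (the private.nix touched earlier in this diff), so unless `../../modules` already imports that directory the evaluation will fail on an undefined option. If the removal is intentional, a short comment on the imports list such as `# tinc/... components are pulled in through ../../modules` would make the dependency explicit. The imports list continues above and below both hunks, so other removed entries may not be visible here.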
@@ -62,7 +62,6 @@
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "contact@ingolf-wagner.de";
- # todo create your own
- sops.defaultSopsFile = ../../secrets/robi.yaml;
+ sops.defaultSopsFile = ../../secrets/orbi.yaml;
 }
diff --git a/nixos/machines/orbi/hardware-configuration/default.nix b/nixos/machines/orbi/hardware-configuration/default.nix
index ab1819d..c48958e 100644
--- a/nixos/machines/orbi/hardware-configuration/default.nix
+++ b/nixos/machines/orbi/hardware-configuration/default.nix
@@ -74,6 +74,7 @@ in
 hostKeys = [
 # make sure you use --copy-host-keys during nixos-anywhere
 # (you can create ne ssh keys later, again)
+ # rm /etc/ssh/ssh_host_* && systemctl restart sshd.service
 /etc/ssh/ssh_host_rsa_key
 /etc/ssh/ssh_host_ed25519_key
 ];
diff --git a/nixos/machines/orbi/network-tinc.nix b/nixos/machines/orbi/network-tinc.nix
index 0bf4df2..9afe192 100644
--- a/nixos/machines/orbi/network-tinc.nix
+++ b/nixos/machines/orbi/network-tinc.nix
@@ -7,9 +7,9 @@
 };
 tinc.private.enable = true;
- tinc.private.ipv4 = "10.23.42.111";
+ tinc.private.ipv4 = "10.23.42.100";
 tinc.secret.enable = true;
- tinc.secret.ipv4 = "10.123.42.123";
+ tinc.secret.ipv4 = "10.123.42.100";
 }
diff --git a/nixos/machines/orbi/social-matrix.nix b/nixos/machines/orbi/social-matrix.nix
new file mode 100644
index 0000000..a20c502
--- /dev/null
+++ b/nixos/machines/orbi/social-matrix.nix
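Review bot: The new comment `# rm /etc/ssh/ssh_host_* && systemctl restart sshd.service` in hardware-configuration/default.nix documents how to regenerate the host keys but not the consequences: this machine now decrypts `../../secrets/orbi.yaml` (the configuration.nix hunk above), and sops-nix by default derives its age identity from /etc/ssh/ssh_host_ed25519_key, so after regeneration the secrets cannot be decrypted until orbi.yaml is re-keyed to the new host key, and every client that pinned the old fingerprint will see a host-key mismatch. I would extend the comment with `# afterwards: add the new host key to .sops.yaml, re-encrypt secrets/orbi.yaml, update known_hosts on clients`. Whether sops-nix runs with the default sshKeyPaths here is not visible in this diff, and the attrset enclosing `hostKeys` starts above the hunk.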
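Review bot: `tinc.secret.ipv4 = "10.123.42.100";` in network-tinc.nix has no counterpart in this diff: private.nix gains an `orbi` host entry (address, subnet and Ed25519 public key) for 10.23.42.100, but the host table of the `secret` tinc network is not touched, so if it is keyed the same way the new address and orbi's key still need to be added there, otherwise the other peers will not have a route or a key for 10.123.42.100. The replaced values `.111` and `.123` are robi's addresses per private.nix, which suggests this file was copied from robi's config; the settings above the hunk (the attrset starts outside this view) should be checked for other robi leftovers.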
@@ -0,0 +1,121 @@
+{ config, pkgs, ... }:
+let
+
+ inherit (config.services.dendrite.settings.global) server_name;
+
+ nginx-vhost = "matrix.terranix.org";
+ element-web-terranix.org =
+ pkgs.runCommand "element-web-with-config"
+ {
+ nativeBuildInputs = [ pkgs.buildPackages.jq ];
+ } ''
+ cp -r ${pkgs.element-web} $out
+ chmod -R u+w $out
+ jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
+ > $out/config.json < ${pkgs.element-web}/config.json
+ ln -s $out/config.json $out/config.${nginx-vhost}.json
+ '';
+in
+{
+
+ # postgresql instance dedicated to matrix
+ # todo : mount postgresql folder in a dedicated zfs pool
+ containers.synapse-postgresql = {
+ autoStart = true;
+ privateNetwork = false;
+ config = { config, pkgs, lib, ... }: {
+ system.stateVersion = "23.11";
+ services.postgresql.enable = true;
+ };
+ };
+
+ # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
+ #sops.secrets.matrix-server-key = { };
+
+ #services.dendrite = {
+ # enable = true;
+ # httpPort = 8448;
+ # settings = {
+ # global = {
+ # server_name = "terranix.org";
+ # # `private_key` has the type `path`
+ # # prefix a `/` to make `path` happy
+ # private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+ # trusted_third_party_id_servers = [
+ # "matrix.org"
+ # "vector.im"
+ # "xaos.space"
+ # "lassul.us"
+ # "thalheim.io"
+ # "nixos.org"
+ # ];
+ # metrics.enabled = false;
+ # };
+ # logging = [
+ # {
+ # type = "std";
+ # level = "warn";
+ # }
+ # ];
+ # client_api = {
+ # registration_disabled = true;
+ # rate_limiting.enabled = false;
+ # # set only for the first admin account, than remove.
+ # #registration_shared_secret = ""; # disable once first admin account is created
+ # };
+ # media_api = {
+ # dynamic_thumbnails = true;
+ # };
+ # mscs = {
+ # mscs = [ "msc2836" "msc2946" ];
+ # };
+ # sync_api = {
+ # real_ip_header = "X-Real-IP";
+ # };
+ # federation_api = {
+ # key_perspectives = [
+ # {
+ # server_name = "matrix.org";
+ # keys = [
+ # {
+ # key_id = "ed25519:auto";
+ # public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ # }
+ # {
+ # key_id = "ed25519:a_RXGa";
+ # public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ # }
+ # ];
+ # }
+ # ];
+ # prefer_direct_fetch = false;
+ # };
+ # };
+ #};
+
+ #systemd.services.dendrite.serviceConfig.LoadCredential = [
+ # "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
+ #];
+
+ #services.nginx.virtualHosts.${nginx-vhost} = {
+ # forceSSL = true;
+ # enableACME = true;
+ # extraConfig = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_read_timeout 600;
+ # '';
+ # locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ # # for remote admin access
+ # locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ # locations."/".root = element-web-terranix.org;
+ #};
+
+ #services.nginx.virtualHosts.${server_name} = {
+ # locations."= /.well-known/matrix/server".alias =
+ # pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
+ # locations."= /.well-known/matrix/client".alias =
+ # pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
+ #};
+
+}
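Review bot: The only live configuration in the new social-matrix.nix is `containers.synapse-postgresql`, and nothing in the file connects it to dendrite: with `privateNetwork = false` the container shares the host's network namespace but not its filesystem, and `services.postgresql.enable = true` on its own gives a postgres reachable only over a unix socket inside the container, with no `enableTCPIP`, `ensureDatabases` or `authentication` settings, so the (commented-out) dendrite service could not use it as written; either add that wiring or mark the stub, e.g. `# placeholder: not yet reachable from dendrite (needs a TCP listener or a bind-mounted socket)`, and rename it since the server is dendrite, not synapse. In the commented block, `#registration_shared_secret = "";` must never receive a literal value in this file, because a string in a Nix module lands world-readable in /nix/store; deliver it like `private_key`, as a sops secret through `LoadCredential`, and say so in the comment. The `/_synapse` location commented "for remote admin access" on the public vhost would expose the admin API to the internet once enabled; restrict that location to trusted source addresses (the tinc ranges, for instance) or leave it out. The `generate-keys --private-key /tmp/key` instruction writes the server signing key into the shared /tmp directory; point it at a private directory instead.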