diff --git a/flake.lock b/flake.lock index 496ead1..4fd776a 100644 --- a/flake.lock +++ b/flake.lock @@ -281,6 +281,25 @@ "inputs": { "systems": "systems_6" }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_7" + }, "locked": { "lastModified": 1726560853, "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", @@ -295,9 +314,9 @@ "type": "github" } }, - "flake-utils_6": { + "flake-utils_7": { "inputs": { - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1726560853, @@ -590,6 +609,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1729755165, + "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1732014248, @@ -671,6 +706,22 @@ } }, "nixpkgs_7": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_8": { "locked": { "lastModified": 1728492678, "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", 
@@ -686,7 +737,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1731763621, "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", @@ -702,22 +753,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1729755165, - "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -745,6 +780,26 @@ "type": "github" } }, + "recipes": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_7" + }, + "locked": { + "lastModified": 1732731942, + "narHash": "sha256-uF+paBlFe6EfWQj3WET1WH9/om4OMbrHCd0IzvoHBe0=", + "ref": "main", + "rev": "d66dcb6bc5da9285d204aed145944f3fad390f2d", + "revCount": 7, + "type": "git", + "url": "https://git.acomputer.lol/adtya/recipes.nix" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.acomputer.lol/adtya/recipes.nix" + } + }, "root": { "inputs": { "adtyaxyz": "adtyaxyz", @@ -757,6 +812,7 @@ "lix-module": "lix-module", "neovim-nightly": "neovim-nightly", "nixpkgs": "nixpkgs_6", + "recipes": "recipes", "smc-fonts": "smc-fonts", "sops-nix": "sops-nix", "wiki": "wiki" @@ -785,8 +841,8 @@ }, "smc-fonts": { "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_7" + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1731189279, @@ -805,7 +861,7 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1732186149, 
@@ -927,6 +983,21 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems_3" @@ -947,8 +1018,8 @@ }, "wiki": { "inputs": { - "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_9" + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1729817327, diff --git a/flake.nix b/flake.nix index eeafa59..ea8de08 100644 --- a/flake.nix +++ b/flake.nix @@ -33,6 +33,7 @@ caddy.url = "git+https://git.acomputer.lol/adtya/caddy-with-modules?ref=main"; adtyaxyz.url = "git+https://git.acomputer.lol/adtya/adtya.xyz?ref=main"; wiki.url = "git+https://git.acomputer.lol/adtya/wiki?ref=main"; + recipes.url = "git+https://git.acomputer.lol/adtya/recipes.nix?ref=main"; smc-fonts.url = "gitlab:smc/smc-fonts-flake?ref=trunk"; }; @@ -50,6 +51,7 @@ , caddy , adtyaxyz , wiki + , recipes , smc-fonts , } @ inputs: @@ -110,6 +112,7 @@ nixpkgs.hostPlatform = lib.mkDefault system; } sops-nix.nixosModules.sops + recipes.nixosModules.default self.nixosModules.default ./common ./hosts/rico0 @@ -132,6 +135,7 @@ nixpkgs.hostPlatform = lib.mkDefault system; } sops-nix.nixosModules.sops + recipes.nixosModules.default self.nixosModules.default ./common ./hosts/rico1 @@ -154,6 +158,7 @@ nixpkgs.hostPlatform = lib.mkDefault system; } sops-nix.nixosModules.sops + recipes.nixosModules.default self.nixosModules.default ./common ./hosts/rico2 @@ -177,6 +182,7 @@ } lix-module.nixosModules.default sops-nix.nixosModules.sops + recipes.nixosModules.default self.nixosModules.default ./common ./hosts/wynne 
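Review bot: `recipes.nixosModules.default` is pasted by hand into each nixosSystem module list — this hunk at -110 and the ones at -132, -154, -177, -200 and -223 — directly after the equally repeated `sops-nix.nixosModules.sops`, so the next shared module will again need six edits and a missed host will silently lack the `recipes.conduwuit` options. Every host already imports `self.nixosModules.default` and `./common`; importing the recipes module from one of those (or building the list once in a `let`) keeps the per-host lists from drifting. The `recipes.url` input at -33 is fetched by `ref=main`, which is fine because flake.lock pins it to a rev, but a one-line comment naming what the input provides would help readers of the inputs block. The nixosSystem calls these lists belong to start and end outside the hunks.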
@@ -200,6 +206,7 @@
 }
 lix-module.nixosModules.default
 sops-nix.nixosModules.sops
+ recipes.nixosModules.default
 self.nixosModules.default
 ./common
 ./hosts/layne
@@ -223,6 +230,7 @@
 }
 lix-module.nixosModules.default
 sops-nix.nixosModules.sops
+ recipes.nixosModules.default
 self.nixosModules.default
 ./common
 ./hosts/bifrost
diff --git a/hosts/bifrost/services/apps/acomputer.lol.nix b/hosts/bifrost/services/apps/acomputer.lol.nix
index d2bf137..24df122 100644
--- a/hosts/bifrost/services/apps/acomputer.lol.nix
+++ b/hosts/bifrost/services/apps/acomputer.lol.nix
@@ -1,22 +1,9 @@
 _:
-let
- domainName = "acomputer.lol";
-in
-{
+let domainName = "acomputer.lol"; in {
 services = {
 caddy.virtualHosts."${domainName}" = {
 extraConfig = ''
- handle /.well-known/matrix/server {
- header Content-Type application/json
- header Access-Control-Allow-Origin *
- respond `{"m.server": "matrix.${domainName}:443"}`
- }
-
- handle /.well-known/matrix/client {
- header Content-Type application/json
- header Access-Control-Allow-Origin *
- respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}}`
- }
+ reverse_proxy /.well-known/matrix/* 10.10.10.13:6167
 '';
 };
 };
diff --git a/hosts/bifrost/services/apps/conduwuit.nix b/hosts/bifrost/services/apps/conduwuit.nix
new file mode 100644
index 0000000..f0228c4
--- /dev/null
+++ b/hosts/bifrost/services/apps/conduwuit.nix
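Review bot: The new `reverse_proxy /.well-known/matrix/* 10.10.10.13:6167` drops the explicit `header Access-Control-Allow-Origin *` that the removed `handle` blocks set on both well-known responses; browser-based clients need that header on `/.well-known/matrix/client`, so this only keeps working if the proxied homeserver emits it itself, which should be confirmed against a live response or covered by keeping `header /.well-known/matrix/client Access-Control-Allow-Origin *` in front of the proxy line. The delegation for `acomputer.lol` now points federation at the conduwuit instance on port 6167 while `hosts/wynne/services/apps/dendrite/config.yaml` in this same commit still carries `server_name: acomputer.lol`; if both homeservers are reachable under that name during the cutover, remote servers will cache whichever signing keys they fetched last, so the intended migration order deserves a short comment above the `extraConfig`. The `let … in` compaction is a pure style change and is fine.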
@@ -0,0 +1,23 @@
+_: {
+ services = {
+ caddy.virtualHosts = {
+ "matrix.acomputer.lol" = {
+ serverAliases = [ "matrix.acomputer.lol:8448" ];
+ extraConfig = ''
+ reverse_proxy /_matrix/* 10.10.10.13:6167
+ reverse_proxy /_conduwuit/* 10.10.10.13:6167
+ reverse_proxy /.well-known/matrix/* 10.10.10.13:6167
+ '';
+ };
+ "matrix.ironyofprivacy.org" = {
+ serverAliases = [ "matrix.ironyofprivacy.org:8448" ];
+ extraConfig = ''
+ reverse_proxy /_matrix/* 10.10.10.13:6168
+ reverse_proxy /_conduwuit/* 10.10.10.13:6168
+ reverse_proxy /.well-known/matrix/* 10.10.10.13:6168
+ '';
+ };
+ };
+ };
+ networking.firewall.interfaces.ens3.allowedTCPPorts = [ 8448 ];
+}
diff --git a/hosts/bifrost/services/apps/default.nix b/hosts/bifrost/services/apps/default.nix
index 1d615f8..1df0f58 100644
--- a/hosts/bifrost/services/apps/default.nix
+++ b/hosts/bifrost/services/apps/default.nix
@@ -3,8 +3,10 @@ _: {
 ./adtya.xyz.nix
 ./acomputer.lol.nix
 ./blocky.nix
+ ./conduwuit.nix
 ./dendrite.nix
 ./forgejo.nix
+ ./ironyofprivacy.org.nix
 ./ntfy.nix
 ./proofs.nix
 ./wiki.nix
diff --git a/hosts/bifrost/services/apps/ironyofprivacy.org.nix b/hosts/bifrost/services/apps/ironyofprivacy.org.nix
new file mode 100644
index 0000000..b519719
--- /dev/null
+++ b/hosts/bifrost/services/apps/ironyofprivacy.org.nix
@@ -0,0 +1,11 @@
+_:
+let domainName = "ironyofprivacy.org"; in {
+ services = {
+ caddy.virtualHosts."${domainName}" = {
+ extraConfig = ''
+ reverse_proxy /.well-known/matrix/* 10.10.10.13:6168
+ '';
+ };
+ };
+}
+
diff --git a/hosts/wynne/hardware/filesystem.nix b/hosts/wynne/hardware/filesystem.nix
index 7838ef2..42a4d4f 100644
--- a/hosts/wynne/hardware/filesystem.nix
+++ b/hosts/wynne/hardware/filesystem.nix
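Review bot: Caddy terminates TLS here and forwards `/_matrix/*` — which carries access tokens and message bodies — as plain HTTP to `10.10.10.13`, so the security of this setup rests entirely on the bifrost-to-wynne path being a private or tunnelled link; a comment stating that assumption next to the backend address would let a future reader check it rather than guess. The `/_conduwuit/*` prefix is also exposed on the public vhosts; if anything under it is not meant to be world-reachable, narrow that line to the specific paths that are. The two vhosts are identical apart from the domain and port, so a small helper keeps them in step when a path is added later.
```nix
_:
let
  backend = "10.10.10.13"; # assumed private link to wynne — confirm
  # One vhost per homeserver: public name, federation alias on 8448,
  # every Matrix path forwarded to that instance's listen port.
  mkMatrixHost = domain: port: {
    serverAliases = [ "${domain}:8448" ];
    extraConfig = ''
      reverse_proxy /_matrix/* ${backend}:${toString port}
      reverse_proxy /_conduwuit/* ${backend}:${toString port}
      reverse_proxy /.well-known/matrix/* ${backend}:${toString port}
    '';
  };
in
{
  services.caddy.virtualHosts = {
    "matrix.acomputer.lol" = mkMatrixHost "matrix.acomputer.lol" 6167;
    "matrix.ironyofprivacy.org" = mkMatrixHost "matrix.ironyofprivacy.org" 6168;
  };
  # … unchanged: networking.firewall.interfaces.ens3.allowedTCPPorts …
}
```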
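Review bot: The new `ironyofprivacy.org.nix` ends with an extra empty line after the closing `}` (the eleventh added line), which the sibling `acomputer.lol.nix` does not have and which the usual Nix formatters strip; drop it so the two files stay formatted alike. Like its sibling, this vhost sets no `header` directive on `/.well-known/matrix/client`, so it relies on the backend on port 6168 to send `Access-Control-Allow-Origin` for web clients — worth verifying once, or adding `header /.well-known/matrix/client Access-Control-Allow-Origin *` above the `reverse_proxy` line.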
@@ -37,6 +37,13 @@ _: { options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ]; }; + "/var/lib/private" = { + device = "/dev/disk/by-partlabel/DATA1"; + fsType = "btrfs"; + options = [ "subvol=@state" "compress-force=zstd" "noatime" ]; + }; + + "/boot" = { device = "/dev/disk/by-partlabel/WYNNE_BOOT"; fsType = "vfat"; diff --git a/hosts/wynne/services/apps/conduwuit.nix b/hosts/wynne/services/apps/conduwuit.nix new file mode 100644 index 0000000..3490fa0 --- /dev/null +++ b/hosts/wynne/services/apps/conduwuit.nix 
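Review bot: Mounting the `@state` subvolume at `/var/lib/private` affects more than conduwuit: systemd places the `StateDirectory` of every `DynamicUser=` service under that path and expects it to be root-owned with mode 0700, so the subvolume root's ownership and mode should be checked and set before the first boot with this entry, otherwise those services may refuse to set up their state directories. Unlike the entry above it, this mount has neither `nofail` nor `x-systemd.automount`; that looks deliberate given the `RequiresMountsFor` added in `hosts/wynne/services/apps/conduwuit.nix`, but a comment such as `# hard dependency: DynamicUser state lives here, boot must not continue without DATA1` would stop someone from "fixing" the inconsistency later. The hunk also adds two blank lines before `"/boot"` where the file otherwise uses one. The `fileSystems` attrset starts before the hunk.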
@@ -0,0 +1,60 @@
+{ config, ... }: {
+ sops.secrets = {
+ "conduwuit/secrets" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+
+ recipes.conduwuit.instances = {
+ acomputer-lol = let domain = "acomputer.lol"; in {
+ enable = true;
+ environmentFiles = [ config.sops.secrets."conduwuit/secrets".path ];
+ settings = {
+ global = {
+ server_name = domain;
+ address = [ "10.10.10.13" ];
+ port = 6167;
+ database_backend = "rocksdb";
+ ip_lookup_strategy = 1;
+
+ new_user_displayname_suffix = "💯";
+ allow_check_for_updates = false;
+ allow_encryption = true;
+ allow_federation = true;
+ trusted_servers = [ "matrix.org" ];
+ well_known = {
+ server = "matrix.${domain}:443";
+ client = "https://matrix.${domain}";
+ };
+ };
+ };
+ };
+ ironyofprivacy = let domain = "ironyofprivacy.org"; in {
+ enable = true;
+ environmentFiles = [ config.sops.secrets."conduwuit/secrets".path ];
+ settings = {
+ global = {
+ server_name = domain;
+ address = [ "10.10.10.13" ];
+ port = 6168;
+ database_backend = "rocksdb";
+ ip_lookup_strategy = 1;
+
+ new_user_displayname_suffix = "💯";
+ allow_check_for_updates = false;
+ allow_encryption = true;
+ allow_federation = true;
+ trusted_servers = [ "matrix.org" ];
+ well_known = {
+ server = "matrix.${domain}:443";
+ client = "https://matrix.${domain}";
+ };
+ };
+ };
+ };
+ };
+ systemd.services."conduwuit-ironyofprivacy".unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
+ systemd.services."conduwuit-acomputer-lol".unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
+}
diff --git a/hosts/wynne/services/apps/default.nix b/hosts/wynne/services/apps/default.nix
index 841a502..2623bf5 100644
--- a/hosts/wynne/services/apps/default.nix
+++ b/hosts/wynne/services/apps/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
+ ./conduwuit.nix
 ./dendrite
 ./forgejo.nix
 ./ntfy.nix
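Review bot: Both instances load the same `config.sops.secrets."conduwuit/secrets".path` as their environment file, so whatever it holds (presumably per-server secrets such as a registration token) is identical for `acomputer.lol` and `ironyofprivacy.org`, and rotating it for one homeserver rotates it for both; one sops entry per instance, e.g. `conduwuit/acomputer-lol` and `conduwuit/ironyofprivacy`, keeps the two servers' credentials independent. `ip_lookup_strategy = 1;` is a bare number that the reader has to look up — a trailing comment naming the lookup order it selects would help. The two instance blocks differ only in domain and port, so a helper removes the duplicated settings and makes the shared policy (`allow_federation`, `trusted_servers`, `well_known`) visible in one place.
```nix
{ config, ... }:
let
  # Settings shared by every conduwuit instance; only the domain and listen port vary.
  mkInstance = domain: port: {
    enable = true;
    environmentFiles = [ config.sops.secrets."conduwuit/secrets".path ];
    settings.global = {
      server_name = domain;
      address = [ "10.10.10.13" ];
      inherit port;
      database_backend = "rocksdb";
      ip_lookup_strategy = 1; # document which lookup order this selects
      new_user_displayname_suffix = "💯";
      allow_check_for_updates = false;
      allow_encryption = true;
      allow_federation = true;
      trusted_servers = [ "matrix.org" ];
      well_known = {
        server = "matrix.${domain}:443";
        client = "https://matrix.${domain}";
      };
    };
  };
in
{
  # … unchanged: sops.secrets …
  recipes.conduwuit.instances = {
    acomputer-lol = mkInstance "acomputer.lol" 6167;
    ironyofprivacy = mkInstance "ironyofprivacy.org" 6168;
  };
  # … unchanged: systemd.services.*.unitConfig.RequiresMountsFor …
}
```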
diff --git a/hosts/wynne/services/apps/dendrite/config.yaml b/hosts/wynne/services/apps/dendrite/config.yaml
index 2318451..b298697 100644
--- a/hosts/wynne/services/apps/dendrite/config.yaml
+++ b/hosts/wynne/services/apps/dendrite/config.yaml
@@ -3,7 +3,7 @@ version: 2
 global:
 server_name: acomputer.lol
 private_key: /persist/secrets/dendrite/matrix_key.pem
- key_validity_period: 168h0m0s
+ key_validity_period: 0h10m0s
 database:
 connection_string: postgresql://dendrite@localhost/dendrite?sslmode=disable
 max_open_conns: 90
diff --git a/secrets.yaml b/secrets.yaml
index 83f54ff..28ac3aa 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -20,6 +20,8 @@ caddy:
 env_file: ENC[AES256_GCM,data:PKtILX7o0D3rj78JXIXad9UcQz0ZiihXK1nY/kb08fh3i54hYrFyJyGt04b9mAufxTnhDV4=,iv:I/EtxopCFmRxgsGJIcFDufTiM1JyPPoIQkgKIDiCP24=,tag:5QlGMp839p9RYKB09tr61A==,type:str]
 forgejo:
 runner_registration_token_file: ENC[AES256_GCM,data:fHHAk5i3xjsTx7Zro1EOpbQaMCii0kksjTLgM+gXH2Gu2Mw+bCgKCKfeYccEQg==,iv:6jrQwEfqGDdbI/QCMvHcIEtZXtoDFT7OxVu80+oykCs=,tag:u3UClo6ca6ipBeQ/Am8yVA==,type:str]
+conduwuit:
+ secrets: ENC[AES256_GCM,data:eYrm7PSELWFZgJOamChhD+Vx59QeybltE/RTUnRjIu7nkNuHoMYNCmJr2m/PiGpjvypkYIQpfX4Qcdio0hSKwe5FeN+U4XanryFq4eLK7TrXn/9rTxo5rNcj1bildNsQ,iv:Jbf7zM6bPs3ukBT+NlPon1y30FX7LRCup8Xqs+G8zcg=,tag:hf7jMdYUdv2lrYcKNdFgYA==,type:str]
 sops:
 kms: []
 gcp_kms: []
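Review bot: `key_validity_period: 0h10m0s` makes dendrite advertise its signing key as valid for only ten minutes, so every federating server re-fetches `acomputer.lol`'s keys continuously; that is a reasonable way to make remote caches pick up the conduwuit instance that this commit points the `acomputer.lol` well-known at, but nothing in the file records that this is a transitional value. A comment on the line, `# temporarily short while federation moves to conduwuit; restore 168h0m0s or retire this config after cutover`, keeps the intent and the value to restore next to the change. With dendrite still configured for the same `server_name` as the new conduwuit instance, it is also worth stating which of the two is meant to be reachable during the overlap.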
@@ -98,8 +100,8 @@ sops:
 Ynd0czBOK0NCdnZIQzNJZ3BqNndlSG8Kg9UUjMZ2p7xUhHLEL6SjSiVPw5JemYxh
 sdiuZVVxzEasXLXXk6tax6AD5fz5mXEhXB24Op5scF4+VTfSZ+g9Cg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-22T05:40:29Z"
- mac: ENC[AES256_GCM,data:dialk5LEy/M+zx839s9YKU1DxPOPkBadMAcXqkvyDE20dr0EoXjeNa9oQMuA++RsCUJfUKAOskyqjCFhLjDD4VHNr1htE4uBpfRS196p16Cgp4Qp12uj51D/7JCgQeAwGAwc1K7R0z1lXfrqDE2I6xrGcTWxlJcN7PN6IT2X6tA=,iv:Y5alGY//VAXd3yiHR//5BbZumLU3IyBJNvWweVKUDeM=,tag:rfn/6RLQlGU+nXZPlIQjfg==,type:str]
+ lastmodified: "2024-11-24T17:39:15Z"
+ mac: ENC[AES256_GCM,data:6RxJy0sdKAb19lI84U1KLYRFMxhTGPvG3l7f3usfSogjAqTwZsI5uGxlTZEoHOCMtiX2WKgjEh6xvo5f2Qm+gSNzwxDRbV/4VvGyddAy0ZA7j0baWyqECZEGc5w8jbekb9zknZ9miFF9yLXL9qGjTEaeUDHGPNE8yOrkYpPGg3Y=,iv:tQZUqyQSbUt2F35XxCpojItGstq+8ljJFOZ9xbeCbR4=,tag:7hpUewJZU8GJ+iO/VLyI3A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1