deploy 2 conduwuits

2024-11-27 23:59:27 +05:30 · 2024-11-27 23:59:27 +05:30 · 20d2e5740e
commit 20d2e5740e
parent aeb0720818
11 changed files with 214 additions and 42 deletions
--- a/flake.lock
+++ b/flake.lock
@ -281,6 +281,25 @@
      "inputs": {
        "systems": "systems_6"
      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "ref": "main",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_6": {
+      "inputs": {
+        "systems": "systems_7"
+      },
      "locked": {
        "lastModified": 1726560853,
        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
@ -295,9 +314,9 @@
        "type": "github"
      }
    },
-    "flake-utils_6": {
+    "flake-utils_7": {
      "inputs": {
-        "systems": "systems_7"
+        "systems": "systems_8"
      },
      "locked": {
        "lastModified": 1726560853,
@ -590,6 +609,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_10": {
+      "locked": {
+        "lastModified": 1729755165,
+        "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1732014248,
@ -671,6 +706,22 @@
      }
    },
    "nixpkgs_7": {
+      "locked": {
+        "lastModified": 1732014248,
+        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_8": {
      "locked": {
        "lastModified": 1728492678,
        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
@ -686,7 +737,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
      "locked": {
        "lastModified": 1731763621,
        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
@ -702,22 +753,6 @@
        "type": "github"
      }
    },
-    "nixpkgs_9": {
-      "locked": {
-        "lastModified": 1729755165,
-        "narHash": "sha256-6IpnOHWsaSSjT3yvqlrWfHW6HVCT+wOAlUpcooGJ+FQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "cabaf14d3e69c9921d7acedf5d7d60bb2b90be02",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -745,6 +780,26 @@
        "type": "github"
      }
    },
+    "recipes": {
+      "inputs": {
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_7"
+      },
+      "locked": {
+        "lastModified": 1732731942,
+        "narHash": "sha256-uF+paBlFe6EfWQj3WET1WH9/om4OMbrHCd0IzvoHBe0=",
+        "ref": "main",
+        "rev": "d66dcb6bc5da9285d204aed145944f3fad390f2d",
+        "revCount": 7,
+        "type": "git",
+        "url": "https://git.acomputer.lol/adtya/recipes.nix"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.acomputer.lol/adtya/recipes.nix"
+      }
+    },
    "root": {
      "inputs": {
        "adtyaxyz": "adtyaxyz",
@ -757,6 +812,7 @@
        "lix-module": "lix-module",
        "neovim-nightly": "neovim-nightly",
        "nixpkgs": "nixpkgs_6",
+        "recipes": "recipes",
        "smc-fonts": "smc-fonts",
        "sops-nix": "sops-nix",
        "wiki": "wiki"
@ -785,8 +841,8 @@
    },
    "smc-fonts": {
      "inputs": {
-        "flake-utils": "flake-utils_5",
-        "nixpkgs": "nixpkgs_7"
+        "flake-utils": "flake-utils_6",
+        "nixpkgs": "nixpkgs_8"
      },
      "locked": {
        "lastModified": 1731189279,
@ -805,7 +861,7 @@
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_9"
      },
      "locked": {
        "lastModified": 1732186149,
@ -927,6 +983,21 @@
        "type": "github"
      }
    },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "utils": {
      "inputs": {
        "systems": "systems_3"
@ -947,8 +1018,8 @@
    },
    "wiki": {
      "inputs": {
-        "flake-utils": "flake-utils_6",
-        "nixpkgs": "nixpkgs_9"
+        "flake-utils": "flake-utils_7",
+        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
        "lastModified": 1729817327,
--- a/flake.nix
+++ b/flake.nix
@ -33,6 +33,7 @@
    caddy.url = "git+https://git.acomputer.lol/adtya/caddy-with-modules?ref=main";
    adtyaxyz.url = "git+https://git.acomputer.lol/adtya/adtya.xyz?ref=main";
    wiki.url = "git+https://git.acomputer.lol/adtya/wiki?ref=main";
+    recipes.url = "git+https://git.acomputer.lol/adtya/recipes.nix?ref=main";
    smc-fonts.url = "gitlab:smc/smc-fonts-flake?ref=trunk";
  };

@ -50,6 +51,7 @@
    , caddy
    , adtyaxyz
    , wiki
+    , recipes
    , smc-fonts
    ,
    } @ inputs:
@ -110,6 +112,7 @@
                nixpkgs.hostPlatform = lib.mkDefault system;
              }
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/rico0
@ -132,6 +135,7 @@
                nixpkgs.hostPlatform = lib.mkDefault system;
              }
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/rico1
@ -154,6 +158,7 @@
                nixpkgs.hostPlatform = lib.mkDefault system;
              }
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/rico2
@ -177,6 +182,7 @@
              }
              lix-module.nixosModules.default
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/wynne
@ -200,6 +206,7 @@
              }
              lix-module.nixosModules.default
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/layne
@ -223,6 +230,7 @@
              }
              lix-module.nixosModules.default
              sops-nix.nixosModules.sops
+              recipes.nixosModules.default
              self.nixosModules.default
              ./common
              ./hosts/bifrost
--- a/hosts/bifrost/services/apps/acomputer.lol.nix
+++ b/hosts/bifrost/services/apps/acomputer.lol.nix
@ -1,22 +1,9 @@
 _:
-let
-  domainName = "acomputer.lol";
-in
-{
+let domainName = "acomputer.lol"; in {
  services = {
    caddy.virtualHosts."${domainName}" = {
      extraConfig = ''
-        handle /.well-known/matrix/server {
-          header Content-Type application/json
-          header Access-Control-Allow-Origin *
-          respond `{"m.server": "matrix.${domainName}:443"}`
-        }
-
-        handle /.well-known/matrix/client {
-          header Content-Type application/json
-          header Access-Control-Allow-Origin *
-          respond `{"m.homeserver": {"base_url": "https://matrix.${domainName}:443"}}`
-        }
+        reverse_proxy /.well-known/matrix/* 10.10.10.13:6167
      '';
    };
  };
--- a/hosts/bifrost/services/apps/conduwuit.nix
+++ b/hosts/bifrost/services/apps/conduwuit.nix
@ -0,0 +1,23 @@
+_: {
+  services = {
+    caddy.virtualHosts = {
+      "matrix.acomputer.lol" = {
+        serverAliases = [ "matrix.acomputer.lol:8448" ];
+        extraConfig = ''
+          reverse_proxy /_matrix/* 10.10.10.13:6167
+          reverse_proxy /_conduwuit/* 10.10.10.13:6167
+          reverse_proxy /.well-known/matrix/* 10.10.10.13:6167
+        '';
+      };
+      "matrix.ironyofprivacy.org" = {
+        serverAliases = [ "matrix.ironyofprivacy.org:8448" ];
+        extraConfig = ''
+          reverse_proxy /_matrix/* 10.10.10.13:6168
+          reverse_proxy /_conduwuit/* 10.10.10.13:6168
+          reverse_proxy /.well-known/matrix/* 10.10.10.13:6168
+        '';
+      };
+    };
+  };
+  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 8448 ];
+}
--- a/hosts/bifrost/services/apps/default.nix
+++ b/hosts/bifrost/services/apps/default.nix
@ -3,8 +3,10 @@ _: {
    ./adtya.xyz.nix
    ./acomputer.lol.nix
    ./blocky.nix
+    ./conduwuit.nix
    ./dendrite.nix
    ./forgejo.nix
+    ./ironyofprivacy.org.nix
    ./ntfy.nix
    ./proofs.nix
    ./wiki.nix
--- a/hosts/bifrost/services/apps/ironyofprivacy.org.nix
+++ b/hosts/bifrost/services/apps/ironyofprivacy.org.nix
@ -0,0 +1,11 @@
+_:
+let domainName = "ironyofprivacy.org"; in {
+  services = {
+    caddy.virtualHosts."${domainName}" = {
+      extraConfig = ''
+        reverse_proxy /.well-known/matrix/* 10.10.10.13:6168
+      '';
+    };
+  };
+}
+
--- a/hosts/wynne/hardware/filesystem.nix
+++ b/hosts/wynne/hardware/filesystem.nix
@ -37,6 +37,13 @@ _: {
      options = [ "subvol=/" "compress-force=zstd" "noatime" "nofail" "x-systemd.automount" "x-systemd.device-timeout=5" ];
    };

+    "/var/lib/private" = {
+      device = "/dev/disk/by-partlabel/DATA1";
+      fsType = "btrfs";
+      options = [ "subvol=@state" "compress-force=zstd" "noatime" ];
+    };
+
+
    "/boot" = {
      device = "/dev/disk/by-partlabel/WYNNE_BOOT";
      fsType = "vfat";
--- a/hosts/wynne/services/apps/conduwuit.nix
+++ b/hosts/wynne/services/apps/conduwuit.nix
@ -0,0 +1,60 @@
+{ config, ... }: {
+  sops.secrets = {
+    "conduwuit/secrets" = {
+      mode = "400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+    };
+  };
+
+  recipes.conduwuit.instances = {
+    acomputer-lol = let domain = "acomputer.lol"; in {
+      enable = true;
+      environmentFiles = [ config.sops.secrets."conduwuit/secrets".path ];
+      settings = {
+        global = {
+          server_name = domain;
+          address = [ "10.10.10.13" ];
+          port = 6167;
+          database_backend = "rocksdb";
+          ip_lookup_strategy = 1;
+
+          new_user_displayname_suffix = "💯";
+          allow_check_for_updates = false;
+          allow_encryption = true;
+          allow_federation = true;
+          trusted_servers = [ "matrix.org" ];
+          well_known = {
+            server = "matrix.${domain}:443";
+            client = "https://matrix.${domain}";
+          };
+        };
+      };
+    };
+    ironyofprivacy = let domain = "ironyofprivacy.org"; in {
+      enable = true;
+      environmentFiles = [ config.sops.secrets."conduwuit/secrets".path ];
+      settings = {
+        global = {
+          server_name = domain;
+          address = [ "10.10.10.13" ];
+          port = 6168;
+          database_backend = "rocksdb";
+          ip_lookup_strategy = 1;
+
+          new_user_displayname_suffix = "💯";
+          allow_check_for_updates = false;
+          allow_encryption = true;
+          allow_federation = true;
+          trusted_servers = [ "matrix.org" ];
+          well_known = {
+            server = "matrix.${domain}:443";
+            client = "https://matrix.${domain}";
+          };
+        };
+      };
+    };
+  };
+  systemd.services."conduwuit-ironyofprivacy".unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
+  systemd.services."conduwuit-acomputer-lol".unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
+}
--- a/hosts/wynne/services/apps/default.nix
+++ b/hosts/wynne/services/apps/default.nix
@ -1,5 +1,6 @@
 _: {
  imports = [
+    ./conduwuit.nix
    ./dendrite
    ./forgejo.nix
    ./ntfy.nix
--- a/hosts/wynne/services/apps/dendrite/config.yaml
+++ b/hosts/wynne/services/apps/dendrite/config.yaml
@ -3,7 +3,7 @@ version: 2
 global:
  server_name: acomputer.lol
  private_key: /persist/secrets/dendrite/matrix_key.pem
-  key_validity_period: 168h0m0s
+  key_validity_period: 0h10m0s
  database:
    connection_string: postgresql://dendrite@localhost/dendrite?sslmode=disable
    max_open_conns: 90
--- a/secrets.yaml
+++ b/secrets.yaml
@ -20,6 +20,8 @@ caddy:
    env_file: ENC[AES256_GCM,data:PKtILX7o0D3rj78JXIXad9UcQz0ZiihXK1nY/kb08fh3i54hYrFyJyGt04b9mAufxTnhDV4=,iv:I/EtxopCFmRxgsGJIcFDufTiM1JyPPoIQkgKIDiCP24=,tag:5QlGMp839p9RYKB09tr61A==,type:str]
 forgejo:
    runner_registration_token_file: ENC[AES256_GCM,data:fHHAk5i3xjsTx7Zro1EOpbQaMCii0kksjTLgM+gXH2Gu2Mw+bCgKCKfeYccEQg==,iv:6jrQwEfqGDdbI/QCMvHcIEtZXtoDFT7OxVu80+oykCs=,tag:u3UClo6ca6ipBeQ/Am8yVA==,type:str]
+conduwuit:
+    secrets: ENC[AES256_GCM,data:eYrm7PSELWFZgJOamChhD+Vx59QeybltE/RTUnRjIu7nkNuHoMYNCmJr2m/PiGpjvypkYIQpfX4Qcdio0hSKwe5FeN+U4XanryFq4eLK7TrXn/9rTxo5rNcj1bildNsQ,iv:Jbf7zM6bPs3ukBT+NlPon1y30FX7LRCup8Xqs+G8zcg=,tag:hf7jMdYUdv2lrYcKNdFgYA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -98,8 +100,8 @@ sops:
            Ynd0czBOK0NCdnZIQzNJZ3BqNndlSG8Kg9UUjMZ2p7xUhHLEL6SjSiVPw5JemYxh
            sdiuZVVxzEasXLXXk6tax6AD5fz5mXEhXB24Op5scF4+VTfSZ+g9Cg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-22T05:40:29Z"
-    mac: ENC[AES256_GCM,data:dialk5LEy/M+zx839s9YKU1DxPOPkBadMAcXqkvyDE20dr0EoXjeNa9oQMuA++RsCUJfUKAOskyqjCFhLjDD4VHNr1htE4uBpfRS196p16Cgp4Qp12uj51D/7JCgQeAwGAwc1K7R0z1lXfrqDE2I6xrGcTWxlJcN7PN6IT2X6tA=,iv:Y5alGY//VAXd3yiHR//5BbZumLU3IyBJNvWweVKUDeM=,tag:rfn/6RLQlGU+nXZPlIQjfg==,type:str]
+    lastmodified: "2024-11-24T17:39:15Z"
+    mac: ENC[AES256_GCM,data:6RxJy0sdKAb19lI84U1KLYRFMxhTGPvG3l7f3usfSogjAqTwZsI5uGxlTZEoHOCMtiX2WKgjEh6xvo5f2Qm+gSNzwxDRbV/4VvGyddAy0ZA7j0baWyqECZEGc5w8jbekb9zknZ9miFF9yLXL9qGjTEaeUDHGPNE8yOrkYpPGg3Y=,iv:tQZUqyQSbUt2F35XxCpojItGstq+8ljJFOZ9xbeCbR4=,tag:7hpUewJZU8GJ+iO/VLyI3A==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1