# NixOS configuration for host "h" (networking.hostName below). The module
# arguments are supplied by the surrounding flake; `isUnstable` is pinned to
# false for this host via `_module.args` further down. `with pkgs;` is also
# what brings `lib`, `callPackage` and `python3Packages` into scope here.
{ config
, pkgs
, isUnstable
, inputs
, ...
}:
with pkgs; let
  # Packages built from this repository's own pkgs/ tree rather than nixpkgs.
  gqrss = callPackage ../../pkgs/gqrss.nix { inherit isUnstable; };
  icbirc = callPackage ../../pkgs/icbirc.nix { inherit isUnstable; };
  slidingSyncPkg = callPackage ../../pkgs/sliding-sync.nix { };
  weepushover =
    python3Packages.callPackage ../../pkgs/weepushover.nix { inherit pkgs; };
  # Where postgresqlBackup writes its dumps; the same path is in the restic
  # backup set below.
  pgBackupDir = "/var/backups/postgresql";
  # SSH public keys granted to both root and qbit (see `users` below).
  pubKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
  ];
  userBase = { openssh.authorizedKeys.keys = pubKeys; };
  # Wrapper script started by the icb-tunnel systemd service.
  icbIrcTunnel =
    pkgs.writeScriptBin "icb-irc-tunnel"
      (import ../../bins/icb-irc-tunnel.nix {
        inherit pkgs;
        inherit icbirc;
      });
  # Forge that the go-import/go-source meta tags on suah.dev point at.
  goModuleHost = "https://codeberg.org/qbit"; # "https://git.sr.ht/~qbit";
  # nginx allow-list (a LAN range, the Tailscale CGNAT range, one host) used
  # to gate the bw.tapenet.org /admin location. Only meaningful when paired
  # with `deny all;` in the same location.
  httpAllow = ''
    allow 10.6.0.0/24;
    allow 100.64.0.0/10;
    allow 10.20.30.1/32;
  '';
  # Local synapse listener; shared by the nginx proxy locations and
  # heisenbridge so the port/address are defined once.
  mtxCfg = {
    port = 8009;
    address = "127.0.0.1";
  };
  matrixServer = "tapenet.org";
  # Bodies for /.well-known/matrix/{client,server}; the msc3575 entry
  # advertises the sliding-sync proxy.
  matrixClientConfig = {
    "m.homeserver".base_url = "https://${matrixServer}:443";
    "org.matrix.msc3575.proxy" = { url = "https://${matrixServer}"; };
  };
  matrixServerConfig = { "m.server" = "${matrixServer}:443"; };
  # Renders an attrset as an nginx `return 200 '<json>'` directive.
  mkMatrixWellKnown = p: ''
    return 200 '${builtins.toJSON p}';
  '';
  # Location bodies for the sliding-sync proxy and for synapse itself.
  mkMatrixSliderLoc = {
    proxyWebsockets = true;
    proxyPass = "http://${config.services.sliding-sync.address}:${
      toString config.services.sliding-sync.port
    }";
  };
  mkMatrixLoc = {
    proxyWebsockets = true;
    proxyPass = "http://${mtxCfg.address}:${toString mtxCfg.port}";
  };
in
{
  # This host follows the stable channel; overrides the `isUnstable` argument
  # that the local packages above are built with.
  _module.args.isUnstable = false;
  imports = [
    ./hardware-configuration.nix
  ];
  boot = {
    # BIOS boot from the first disk; keep 15 generations available for rollback.
    loader.grub = {
      enable = true;
      device = "/dev/sda";
      configurationLimit = 15;
    };
    # Disable predictable interface names so the NIC is `eth0`, which
    # `networking.interfaces.eth0` below relies on.
    kernelParams = [ "net.ifnames=0" ];
  };
  nix = {
    settings = {
      # Only root may use or be trusted by the nix daemon; mkForce wins over
      # any wider default (e.g. a "@wheel" entry) another module might add.
      allowed-users = lib.mkForce [ "root" ];
      trusted-users = lib.mkForce [ "root" ];
    };
  };
  # Repo-specific option (defined outside this file); presumably restricts
  # what is exposed over Tailscale to SSH — check its definition.
  tailscale.sshOnly = true;
  nixpkgs.overlays = [
    # Build weechat with the highmon and weepushover scripts configured in.
    # Note that `weepushover` here resolves to the let-bound package above:
    # lexical bindings take precedence over names brought in by `with`.
    (_: super: {
      weechat = super.weechat.override {
        configure = { ... }: {
          scripts = with super.weechatScripts; [ highmon weepushover ];
        };
      };
    })
  ];
  # Secrets decrypted at activation by sops-nix. All of them come from the
  # same encrypted file; `owner`/`mode` control who on the box can read the
  # decrypted path ("600" = owner read/write, "400" = owner read-only).
  sops.secrets = {
    synapse_signing_key = {
      owner = config.users.users.matrix-synapse.name;
      mode = "600";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    synapse_shared_secret = {
      owner = config.users.users.matrix-synapse.name;
      mode = "600";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    hammer_access_token = {
      owner = config.users.users.mjolnir.name;
      mode = "600";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    # Read by the hourly gqrss cron job below, which runs as qbit.
    gqrss_token = {
      owner = config.users.users.qbit.name;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    restic_env_file = {
      owner = config.users.users.root.name;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    restic_password_file = {
      owner = config.users.users.root.name;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    yarr_auth = {
      owner = config.users.users.yarr.name;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    # TODO: rename
    # Its only consumer in this file (services.tsvnstat.keyPath) is commented
    # out, so the secret is currently decrypted but unused.
    router_stats_ts_key = {
      sopsFile = config.xin-secrets.h.secrets.services;
      owner = config.users.users.tsvnstat.name;
    };
    gostart = {
      sopsFile = config.xin-secrets.h.secrets.services;
      owner = config.users.users.gostart.name;
    };
    # No owner/mode given, so sops-nix's defaults apply (root-owned and
    # read-only at the time of writing — confirm against the version in use).
    wireguard_private_key = { sopsFile = config.xin-secrets.h.secrets.services; };
    pots_env_file = {
      owner = config.users.users.pots.name;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    sliding_sync_env = {
      owner = config.services.sliding-sync.user;
      mode = "400";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    pr_status_env = {
      mode = "400";
      owner = config.services.ts-reverse-proxy.servers."pr-status-reverse".user;
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    # Dovecot password hashes for the mailserver accounts below.
    qbit_at_suah_pass_file = {
      mode = "400";
      owner = "root";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    mcchunkie_at_suah_pass_file = {
      mode = "400";
      owner = "root";
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    golink = {
      mode = "400";
      owner = config.services.golink.user;
      sopsFile = config.xin-secrets.h.secrets.services;
    };
    # Still referenced by services.wallabag.secretPath below; re-enable this
    # entry before turning wallabag back on.
    #wallabag_secret = {
    # mode = "400";
    # owner = "wallabag";
    # sopsFile = config.xin-secrets.h.secrets.services;
    #};
  };
  networking = {
    hostName = "h";
    enableIPv6 = true;
    # Static public addressing, no DHCP. The interface is `eth0` because of
    # the `net.ifnames=0` kernel parameter under `boot`.
    useDHCP = false;
    defaultGateway = "23.29.118.1";
    defaultGateway6 = "2602:ff16:3::1";
    nameservers = [ "9.9.9.9" ];
    interfaces.eth0 = {
      ipv4.addresses = [
        {
          address = "23.29.118.127";
          prefixLength = 24;
        }
      ];
      ipv6 = {
        addresses = [
          {
            address = "2602:ff16:3:0:1:3a0:0:1";
            prefixLength = 64;
          }
        ];
      };
    };
    # Point-to-point WireGuard link to 192.168.112.4, the host that nginx
    # forwards git.tapenet.org, bw.tapenet.org and the ssh stream to.
    wireguard = {
      enable = true;
      interfaces = {
        wg0 = {
          listenPort = 7122;
          ips = [ "192.168.112.3/32" ];
          peers = [
            {
              publicKey = "gZ16FwqUgzKgEpJgVC9BngJ+Dd0e5LPsDhDuJby0VzY=";
              allowedIPs = [ "192.168.112.4/32" ];
              persistentKeepalive = 25;
            }
          ];
          # Read from the sops-nix decrypted path; the key itself is not in
          # this file or the nix store.
          privateKeyFile = "${config.sops.secrets.wireguard_private_key.path}";
        };
      };
    };
    firewall = {
      # Only over Tailscale: the node exporter (9002) and shiori.
      interfaces = { "tailscale0" = { allowedTCPPorts = [ 9002 config.services.shiori.port ]; }; };
      # Public: ssh, http/https, the nginx ssh stream proxy on 2222, and
      # 53589, which nothing else in this file references — confirm what
      # listens there.
      allowedTCPPorts = [ 22 80 443 2222 53589 ];
      # 7122/udp is the WireGuard listen port above.
      allowedUDPPorts = [ 7122 ];
      # 60000-61000/udp: presumably mosh; nothing in this file configures it.
      allowedUDPPortRanges = [
        {
          from = 60000;
          to = 61000;
        }
      ];
    };
  };
  environment = {
    # `weechat` is the overlaid build from nixpkgs.overlays above; `icbirc`
    # is the let-bound local package (lexical bindings win over `with`).
    systemPackages = with pkgs; [
      inetutils
      # irc
      weechat
      weechatScripts.highmon
      aspell
      aspellDicts.en
      icbirc
      irssi
      # matrix things
      matrix-synapse-tools.synadm
      matrix-synapse-tools.rust-synapse-compress-state
      zonemaster-cli
      sqlite
      python3
      python3Packages.nomadnet
    ];
  };
  # ACME account used by every nginx vhost with enableACME below.
  security.acme = {
    acceptTerms = true;
    defaults.email = "aaron@bolddaemon.com";
  };
  users = {
    users = {
      # root and qbit share the same authorized_keys (pubKeys above). Whether
      # root can actually log in over ssh depends on sshd's PermitRootLogin,
      # which is not set in this file.
      root = userBase;
      qbit = userBase;
    };
  };
systemd = {
services = {
2024-03-28 12:19:10 -06:00
mcchunkie = {
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.mcchunkie}/bin/mcchunkie -db /var/lib/mcchunkie/db";
};
};
2024-02-07 20:44:39 -07:00
nomadnet = {
description = "nomadnet";
2024-06-14 09:04:26 -06:00
wants = [ "multi-user.target" "multi-user.target" ];
2024-02-07 20:44:39 -07:00
serviceConfig = {
User = "qbit";
2024-02-07 20:44:39 -07:00
Type = "forking";
ExecStart = "${pkgs.tmux}/bin/tmux new-session -s NomadNet -d '${pkgs.python3Packages.nomadnet}/bin/nomadnet'";
ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t NomadNet";
};
2023-09-12 08:44:05 -06:00
};
2024-02-07 20:44:39 -07:00
matrix-synapse.after = [ "icbirc.service" ];
icb-tunnel = {
2024-06-14 09:04:26 -06:00
wants = [ "network.target" "multi-user.target" ];
2024-02-07 20:44:39 -07:00
serviceConfig = {
User = "qbit";
WorkingDirectory = "/home/qbit";
ExecStart = "${icbIrcTunnel}/bin/icb-irc-tunnel";
};
};
2022-08-25 12:21:35 -06:00
};
};
2023-11-28 14:27:18 -07:00
  # Mail for suah.dev (presumably the simple-nixos-mailserver module; it is
  # not imported in this file). Account passwords are sops-managed hashes and
  # the certificate is obtained through the nginx ACME vhost.
  mailserver = {
    enable = true;
    fqdn = "mail.suah.dev";
    domains = [ "suah.dev" ];
    certificateScheme = "acme-nginx";
    # Use the system nameservers (9.9.9.9 above) rather than the module's
    # own local resolver.
    localDnsResolver = false;
    loginAccounts = {
      "qbit@suah.dev" = {
        hashedPasswordFile = "${config.sops.secrets.qbit_at_suah_pass_file.path}";
        aliases = [ "postmaster@suah.dev" "aaron@suah.dev" ];
      };
      "mcchunkie@suah.dev" = {
        hashedPasswordFile = "${config.sops.secrets.mcchunkie_at_suah_pass_file.path}";
      };
    };
    # Full-text search over bodies and attachments, indexed automatically.
    fullTextSearch = {
      enable = true;
      autoIndex = true;
      indexAttachments = true;
      enforced = "body";
    };
  };
services = {
    # golink's token comes from the sops secret of the same name.
    golink = {
      enable = true;
      envFile = config.sops.secrets.golink.path;
    };
    smartd.enable = false;
    mcchunkie.enable = true;
    # Disabled. NOTE(review): secretPath still references
    # config.sops.secrets.wallabag_secret, whose definition is commented out in
    # sops.secrets above; this only evaluates while the module does not touch
    # secretPath when enable = false. The domain also collides with the
    # shiori vhost bookmarks.tapenet.org — resolve both before re-enabling.
    wallabag = {
      enable = false;
      secretPath = config.sops.secrets.wallabag_secret.path;
      domain = "bookmarks.tapenet.org";
    };
    # Loopback only; exposed through the music.tapenet.org vhost below.
    navidrome = {
      enable = true;
      settings = {
        Address = "127.0.0.1";
        Port = 4533;
        MusicFolder = "/var/lib/music";
        PlaylistsPath = ".:**/**";
      };
    };
    # Loopback only; exposed through bookmarks.tapenet.org and directly on
    # tailscale0 (see networking.firewall). Package taken from the unstable
    # input rather than this host's pinned nixpkgs.
    shiori = {
      enable = true;
      port = 8967;
      address = "127.0.0.1";
      package = inputs.unstable.legacyPackages.${pkgs.system}.shiori;
    };
    # Also from the unstable input.
    veilid-server = {
      enable = true;
      package = inputs.unstable.legacyPackages.${pkgs.system}.veilid;
    };
    # IRC appservice for the local synapse (its registration file is listed in
    # synapse's app_service_config_files below). Bridged users live under the
    # exclusive @irc_* namespace.
    heisenbridge = {
      enable = true;
      homeserver = "http://${mtxCfg.address}:${toString mtxCfg.port}";
      owner = "@qbit:tapenet.org";
      namespaces = {
        users = [
          {
            regex = "@irc_.*";
            exclusive = true;
          }
        ];
        aliases = [ ];
        rooms = [ ];
      };
    };
    # The following are repo-specific modules (not visible in this file);
    # each reads its credentials from the matching sops secret.
    ts-reverse-proxy = {
      servers = {
        "pr-status-reverse" = {
          enable = true;
          reverseName = "pr-status";
          reversePort = 3003;
        };
      };
    };
    # Matrix sliding-sync proxy, fronted by the tapenet.org vhost when enabled.
    sliding-sync = {
      enable = true;
      server = "https://tapenet.org";
      package = slidingSyncPkg;
    };
    # Reached through suah.dev's /api location (127.0.0.1:8888).
    pots = {
      enable = true;
      envFile = "${config.sops.secrets.pots_env_file.path}";
    };
    pr-status = { enable = true; };
    gostart = {
      enable = true;
      keyPath = "${config.sops.secrets.gostart.path}";
    };
    # Loopback only; fronted by the sync.suah.dev vhost below.
    kogs = {
      enable = true;
      #registration = false;
      listen = "127.0.0.1:8383";
    };
    # keyPath is commented out, so the router_stats_ts_key secret is
    # currently unused.
    tsvnstat = {
      enable = true;
      #keyPath = "${config.sops.secrets.router_stats_ts_key.path}";
    };
    # Fronted by rss.bolddaemon.com below.
    yarr.enable = true;
gotosocial = {
2022-11-01 09:28:06 -06:00
enable = true;
2022-11-07 07:41:33 -07:00
# https://github.com/superseriousbusiness/gotosocial/blob/v0.5.2/example/config.yaml
configuration = {
account-domain = "mammothcirc.us";
2022-09-13 08:13:46 -06:00
accounts-approval-required = false;
accounts-reason-required = false;
accounts-registration-open = false;
2022-11-07 07:41:33 -07:00
accounts-allow-custom-css = true;
2022-09-13 08:13:46 -06:00
advanced-cookies-samesite = "strict";
bind-address = "127.0.0.1";
db-address = "127.0.0.1";
2022-09-13 08:13:46 -06:00
db-database = "gotosocial";
db-port = 5432;
2022-09-13 08:13:46 -06:00
db-tls-ca-cert = "";
db-type = "postgres";
db-user = "gotosocial";
dp-password = "";
host = "mammothcirc.us";
2022-09-13 14:27:39 -06:00
log-db-queries = true;
2022-09-13 13:35:04 -06:00
log-level = "debug";
2022-09-13 08:13:46 -06:00
port = 8778;
2022-09-13 08:20:48 -06:00
protocol = "https";
storage-backend = "local";
2022-09-15 16:52:29 -06:00
storage-local-base-path = "/var/lib/gotosocial";
2023-09-12 08:44:05 -06:00
trusted-proxies = [ "127.0.0.1/32" "23.29.118.0/24" ];
2023-07-11 09:12:50 -06:00
web-template-base-dir = "${config.services.gotosocial.package}/assets/web/template/";
web-asset-base-dir = "${config.services.gotosocial.package}/assets/web/assets/";
};
};
2022-09-10 21:51:29 -06:00
    # Ships the systemd journal to loki on "box" over the tailnet.
    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        # NOTE(review): the read-position file lives in /tmp, a shared,
        # world-writable directory that may not survive a reboot; a path
        # under /var/lib would be the usual choice.
        positions = { filename = "/tmp/positions.yaml"; };
        clients = [{ url = "http://box.otter-alligator.ts.net:3030/loki/api/v1/push"; }];
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              max_age = "12h";
              labels = {
                job = "systemd-journal";
                # NOTE(review): labelled "box" although networking.hostName
                # is "h" — looks copied from another host; confirm.
                host = "box";
              };
            };
            # Expose the unit name as the `unit` label.
            relabel_configs = [
              {
                source_labels = [ "__journal__systemd_unit" ];
                target_label = "unit";
              }
            ];
          }
        ];
      };
    };
    prometheus = {
      enable = true;
      port = 9001;
      # Bound to the host's Tailscale address (100.64.0.0/10 CGNAT range)
      # rather than the public interface.
      listenAddress = "100.83.77.133";
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          # 9002/tcp is opened on tailscale0 in networking.firewall above.
          port = 9002;
        };
      };
    };
cron = {
enable = true;
systemCronJobs = [
''
@hourly qbit (export GH_AUTH_TOKEN=$(cat /run/secrets/gqrss_token); cd /var/www/suah.dev/rss; ${gqrss}/bin/gqrss ; ${gqrss}/bin/gqrss -search "LibreSSL" -prefix libressl_ ) >/dev/null 2>&1''
];
};
    # Nightly off-site backup to B2. Credentials and the repository password
    # are root-owned sops secrets; they never appear in this file.
    restic = {
      backups = {
        b2 = {
          initialize = true;
          repository = "b2:cyaspanJicyeemJedMarlEjcasOmos";
          environmentFile = "${config.sops.secrets.restic_env_file.path}";
          passwordFile = "${config.sops.secrets.restic_password_file.path}";
          # Service state, mail (/var/vmail, /var/dkim) and home directories.
          # The postgres dump directory is included; live database files are not.
          paths = [
            pgBackupDir
            "/var/lib/synapse/media_store"
            "/var/www"
            "/home"
            "/var/lib/yarr"
            "/var/lib/shiori"
            "/var/lib/gotosocial"
            "/var/lib/mcchunkie"
            "/var/lib/heisenbridge"
            "/var/lib/kogs"
            "/var/vmail"
            "/var/dkim"
          ];
          timerConfig = { OnCalendar = "00:05"; };
          pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
        };
      };
    };
nginx = {
      enable = true;
      # openresty rather than stock nginx: the tapenet.org webfinger location
      # below uses content_by_lua_block.
      package = pkgs.openresty;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      clientMaxBodySize = "50M";
      # Hardening headers for every vhost. Because nginx's add_header is not
      # inherited into a block that sets its own add_header, locations that
      # add headers (the suah.dev go-get locations) repeat the set.
      commonHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.
        # Adding this header to HTTP requests is discouraged
        map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
        }
        add_header Strict-Transport-Security $hsts_header;
        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        # Disable embedding as a frame
        add_header X-Frame-Options DENY;
        # Prevent injection of code in other mime types (XSS Attacks)
        add_header X-Content-Type-Options nosniff;
        # This might create errors
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
      '';
      # Lives in the http context; the ssh stream below uses a literal
      # proxy_pass instead, so this upstream appears to be unused — confirm.
      upstreams = {
        "ssh_gitea" = { servers = { "192.168.112.4:2222" = { }; }; };
      };
      # TCP passthrough of 2222 on the public address to the WireGuard peer's
      # ssh (2222/tcp is opened in networking.firewall above).
      streamConfig = ''
        server {
        listen 23.29.118.127:2222;
        proxy_pass 192.168.112.4:2222;
        }
      '';
virtualHosts = {
        "deftly.net" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/deftly.net";
          # Directory listings for the public file areas. The alternation is
          # not grouped, so e.g. `^/pub` also matches any path starting /pub.
          extraConfig = ''
            location ~ ^/pub|^/patches|^/dist|^/pbp|^/screenshots|^/pharo|^/fw {
            autoindex on;
            index index.php index.html index.htm;
            }
          '';
        };
        "bolddaemon.com" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/bolddaemon.com";
        };
        # Front for kogs (services.kogs.listen above).
        "sync.suah.dev" = {
          forceSSL = true;
          enableACME = true;
          locations = {
            "/" = {
              proxyPass = "http://${config.services.kogs.listen}";
              proxyWebsockets = true;
              priority = 1000;
            };
          };
        };
        # Reverse proxy to Obsidian Publish. `resolver` is required because
        # the upstream is a hostname; `proxy_ssl_server_name` sends SNI.
        # NOTE(review): nginx does not verify the upstream certificate unless
        # `proxy_ssl_verify on` (with proxy_ssl_trusted_certificate) is set,
        # so consider adding that. `root` is unused while `location /`
        # proxies everything.
        "notes.suah.dev" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/suah.dev";
          extraConfig = ''
            location / {
            resolver 9.9.9.9;
            proxy_set_header Connection "";
            proxy_http_version 1.1;
            proxy_pass https://publish.obsidian.md/serve?url=notes.suah.dev/;
            proxy_ssl_server_name on;
            }
          '';
        };
        # navidrome (loopback) — address/port taken from its settings above.
        "music.tapenet.org" = {
          forceSSL = true;
          enableACME = true;
          locations = {
            "/" = {
              proxyPass = "http://${config.services.navidrome.settings.Address}:${toString config.services.navidrome.settings.Port}";
              proxyWebsockets = true;
              priority = 1000;
            };
          };
        };
        # shiori (loopback) — address/port taken from its options above.
        "bookmarks.tapenet.org" = {
          forceSSL = true;
          enableACME = true;
          locations = {
            "/" = {
              proxyPass = "http://${config.services.shiori.address}:${toString config.services.shiori.port}";
              proxyWebsockets = true;
              priority = 1000;
            };
          };
        };
        # Forge on the WireGuard peer (192.168.112.4).
        "git.tapenet.org" = {
          forceSSL = true;
          enableACME = true;
          locations = {
            "/" = {
              proxyPass = "http://192.168.112.4:3000";
              proxyWebsockets = true;
              priority = 1000;
            };
          };
        };
        # Service on the WireGuard peer (port 8222). /admin is restricted to
        # the httpAllow ranges. NOTE(review): the /admin location has no
        # proxyPass of its own, so permitted clients get the vhost's default
        # handling rather than the backend's admin page — confirm this is the
        # intent, or add the same proxyPass there.
        "bw.tapenet.org" = {
          forceSSL = true;
          enableACME = true;
          locations = {
            "/" = {
              proxyPass = "http://192.168.112.4:8222";
              proxyWebsockets = true;
            };
            "/admin" = {
              extraConfig = ''
                ${httpAllow}
                deny all;
              '';
            };
          };
        };
"suah.dev" = {
forceSSL = true;
enableACME = true;
root = "/var/www/suah.dev";
extraConfig = ''
location ~ ^/api {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://127.0.0.1:8888; # pots
}
location ~ ^/_got {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://127.0.0.1:8043;
}
location ~ ^/_sms {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_pass http://127.0.0.1:8044;
}
2023-07-11 09:12:50 -06:00
location ~ ^/p/ {
autoindex on;
}
location ~ ^/recipes/ {
autoindex on;
}
location ~ ^/_matrix/|^/_synapse/ {
return 404;
}
2023-07-11 09:12:50 -06:00
location ~* .(xml)$ {
autoindex on;
root /var/www/suah.dev/rss;
}
location ~ "([^/\s]+)(/.*)?" {
set $not_serving 1;
if ($request_filename = 'index.html') {
set $not_serving 0;
}
if (-f $request_filename) {
set $not_serving 0;
}
if ($args = "go-get=1") {
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Type text/html;
return 200 '<html><head>
<meta name="go-import" content="$host/$1 git ${goModuleHost}/$1">
<meta name="go-source" content="$host/$1 _ ${goModuleHost}/$1/tree/master{/dir} ${goModuleHost}/$1/tree/master{/dir}/{file}#L{line}">
<meta http-equiv="refresh" content="0; url=https://pkg.go.dev/mod/suah.dev/$1">
</head>
<body>
Redirecting to docs at <a href="https://pkg.go.dev/mod/suah.dev/$1">pkg.go.dev/mod/suah.dev/$1</a>...
</body>
</html>';
}
if ($not_serving) {
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Type text/html;
return 200 '<html><head>
<meta name="go-import" content="$host/$1 git ${goModuleHost}/$1">
<meta name="go-source" content="$host/$1 _ ${goModuleHost}/$1/tree/master{/dir} ${goModuleHost}/$1/tree/master{/dir}/{file}#L{line}">
<meta http-equiv="refresh" content="0; url=https://pkg.go.dev/mod/suah.dev/$1">
</head>
<body>
Redirecting to docs at <a href="https://pkg.go.dev/mod/suah.dev/$1">pkg.go.dev/mod/suah.dev/$1</a>...
</body>
</html>';
}
}
2022-08-25 12:21:35 -06:00
'';
};
        "qbit.io" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/qbit.io";
        };
        # GoToSocial front end. The API stub is only injected for the one
        # release that lacked the endpoint; otherwise extraConfig is empty.
        "mammothcirc.us" = {
          forceSSL = true;
          enableACME = true;
          extraConfig =
            if config.services.gotosocial.package.version == "0.7.1"
            then ''
              # TODO: This can be removed next release
              # https://github.com/superseriousbusiness/gotosocial/issues/1419
              # Workaround for missing API + Ice Cubes
              location ~ ^/api/v1/accounts/[0-9A-Z]+/featured_tags {
              default_type application/json;
              return 200 '[]';
              }
            ''
            else "";
          # Everything is proxied to gotosocial on loopback. X-Forwarded-For is
          # set to the client address; gotosocial accepts it because 127.0.0.1
          # is in its trusted-proxies list.
          locations."/" = {
            extraConfig = ''
              proxy_pass http://127.0.0.1:${
              toString config.services.gotosocial.configuration.port
              };
              proxy_set_header Host $host;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
        "mammothcircus.com" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/mammothcircus.com";
        };
        # yarr (services.yarr above); address/port come from its options.
        "rss.bolddaemon.com" = {
          forceSSL = true;
          enableACME = true;
          root = "/var/www/rss.bolddaemon.com";
          locations."/" = {
            proxyWebsockets = true;
            proxyPass = "http://${config.services.yarr.address}:${
              toString config.services.yarr.port
            }";
          };
        };
"tapenet.org" = {
forceSSL = true;
enableACME = true;
root = "/var/www/tapenet.org";
locations = {
"/.well-known/webfinger" = {
extraConfig = ''
default_type 'application/json';
content_by_lua_block {
local acct = ngx.unescape_uri(ngx.var.arg_resource)
local json = '${builtins.toJSON {
subject = "%s";
links = [
{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://git.tapenet.org/";
}
];
}}';
local newjson, n, err = ngx.re.sub(json, "%s", acct)
if not err then
ngx.say(newjson)
else
ngx.say("")
end
return
}
'';
2023-09-12 08:44:05 -06:00
};
2023-07-11 09:12:50 -06:00
}
// (if config.services.sliding-sync.enable
then {
"/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
"/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
"/client" = mkMatrixSliderLoc;
"/_matrix/client/unstable/org.matrix.msc3575/sync" =
mkMatrixSliderLoc;
"/_matrix" = mkMatrixLoc;
"/_synapse/client" = mkMatrixLoc;
}
2023-07-11 09:12:50 -06:00
else {
"/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
"/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
"/_matrix" = mkMatrixLoc;
"/_synapse/client" = mkMatrixLoc;
});
};
};
};
    # Dumps go to pgBackupDir, which restic picks up.
    postgresqlBackup = {
      enable = true;
      location = pgBackupDir;
    };
    postgresql = {
      enable = true;
      package = pkgs.postgresql_14;
      settings = { };
      # TCP is enabled, but the firewall above opens no 5432 and the rules
      # below list only loopback, so remote clients are not expected.
      enableTCPIP = true;
      # `trust` for local and loopback: any local process can connect as any
      # role with no password (this is what lets gotosocial use an empty
      # db password). mkOverride 14 replaces the module's default rules.
      authentication = pkgs.lib.mkOverride 14 ''
        local all all trust
        host all all 127.0.0.1/32 trust
        host all all ::1/128 trust
      '';
      # Runs only when the cluster is first initialised. NOTE(review): it
      # creates the role "synapse-user" (hyphen) while ensureUsers and the
      # synapse database config below use "synapse_user" (underscore) —
      # confirm which role owns the synapse database on the live cluster.
      initialScript = pkgs.writeText "synapse-init.sql" ''
        CREATE ROLE "synapse-user" LOGIN;
        CREATE DATABASE "synapse" WITH OWNER "synapse-user"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
      '';
      # wallabag's database and role are kept although the service is disabled.
      ensureDatabases = [ "synapse" "gotosocial" "syncv3" "wallabag" ];
      ensureUsers = [
        {
          name = "synapse_user";
        }
        {
          name = "gotosocial";
          ensureDBOwnership = true;
        }
        {
          name = "syncv3";
          ensureDBOwnership = true;
        }
        {
          name = "wallabag";
          ensureDBOwnership = true;
        }
      ];
    };
    # Moderation bot ("hammer") for the rooms listed below; its access token
    # is a sops secret owned by the mjolnir user.
    mjolnir = {
      enable = true;
      # Talks to synapse directly; no pantalaimon E2EE proxy.
      pantalaimon.enable = false;
      pantalaimon.username = "hammer";
      accessTokenFile = "${config.sops.secrets.hammer_access_token.path}";
      homeserverUrl = "https://tapenet.org";
      protectedRooms = [
        "https://matrix.to/#/#openbsd:matrix.org"
        "https://matrix.to/#/#go-lang:matrix.org"
        "https://matrix.to/#/#plan9:matrix.org"
        "https://matrix.to/#/#nix-openbsd:tapenet.org"
        "https://matrix.to/#/#cobug:tapenet.org"
        "https://matrix.to/#/#gosec:tapenet.org"
        "https://matrix.to/#/#gophers-offtopic:matrix.org"
        "https://matrix.to/#/#devious:tapenet.org"
        "https://matrix.to/#/#gotk4:matrix.org"
        "https://matrix.to/#/#aerc:matrix.org"
      ];
      settings = {
        verboseLogging = false;
        # Wordlist protection: one spam phrase and a run of ten-plus mentions.
        protections = {
          wordlist = {
            words = [
              "^https://libera.chat <-- visit!$"
              "^@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*"
            ];
          };
        };
        managementRoom = "#moderation:tapenet.org";
        automaticallyRedactForReasons = [
          "spam"
          "advertising"
          "racism"
          "nazi"
          "nazism"
          "trolling"
          "porn"
          "csam"
        ];
        # NOTE(review): looks misspelled — mjolnir's option is
        # `additionalPrefixes` under `commands`; as written this key is
        # presumably ignored. Confirm and fix if the prefix is wanted.
        aditionalPrefixes = [ "hammer" ];
        confirmWildcardBan = false;
      };
    };
    matrix-synapse = {
      enable = true;
      dataDir = "/var/lib/synapse";
      settings = {
        # Outbound federation refuses anything below TLS 1.2.
        federation_client_minimum_tls_version = "1.2";
        # Open registration is off; accounts can still be created with the
        # sops-managed shared secret.
        enable_registration = false;
        registration_shared_secret_path = "${config.sops.secrets.synapse_shared_secret.path}";
        media_store_path = "/var/lib/synapse/media_store";
        presence.enabled = true;
        public_baseurl = "https://tapenet.org";
        server_name = "tapenet.org";
        signing_key_path = "${config.sops.secrets.synapse_signing_key.path}";
        # Synapse does not fetch remote URLs on users' behalf.
        url_preview_enabled = false;
        plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-mjolnir-antispam ];
        # Written by the heisenbridge service above.
        app_service_config_files = [
          "/var/lib/heisenbridge/registration.yml"
        ];
        database = {
          name = "psycopg2";
          args = {
            database = "synapse";
            user = "synapse_user";
          };
        };
        # Single plaintext HTTP listener on loopback (mtxCfg); TLS is
        # terminated by nginx, which is why x_forwarded is trusted here.
        listeners = [
          {
            inherit (mtxCfg) port;
            bind_addresses = [ mtxCfg.address ];
            resources = [
              {
                compress = true;
                names = [ "client" ];
              }
              {
                compress = false;
                names = [ "federation" ];
              }
            ];
            tls = false;
            type = "http";
            x_forwarded = true;
          }
        ];
      };
    };
};
  # Pins stateful defaults to the release this host was installed with; do
  # not bump without reading the release notes.
  system.stateVersion = "22.11";
}