diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..d216fa5 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,17 @@ +keys: + - &admin_gpg_fi_cherry 3664299DF7043167375A444792C901ED05ED21F8 + - &admin_gpg_fi_violet 46BAEDB6A776F5E245C766F943399230C7523D82 + - &admin_gpg_fi_kiara 0DE8BF7F4727049D4D9D78FC25936DC2A622FE56 + - &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5 +creation_rules: + - path_regex: config/hosts/matrix/.* + key_groups: + - pgp: + - *admin_gpg_fi_cherry + - *admin_gpg_fi_violet + - *admin_gpg_fi_kiara + age: + - *host_age_matrix +stores: + yaml: + indent: 2 diff --git a/config/hosts/matrix/mas.nix b/config/hosts/matrix/mas.nix index 4750b5f..2199061 100644 --- a/config/hosts/matrix/mas.nix +++ b/config/hosts/matrix/mas.nix @@ -1,6 +1,131 @@ { pkgs, ... }: +let + masConfig = (pkgs.formats.yaml { }).generate "matrix-authentication-service-config.yaml" { + http = { + public_base = "https://matrix-auth.nekover.se"; + listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { name = "assets"; } + ]; + binds = [{ socket = "/var/run/mas.sock"; }]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [ + { name = "health"; } + ]; + binds = [ + { + host = "localhost"; + port = 8081; + } + ]; + proxy_protocol = false; + } + ]; + trusted_proxies = [ + "192.168.0.0/16" + "172.16.0.0/12" + "10.0.0.0/10" + "127.0.0.1/8" + "fd00::/8" + "::1/128" + ]; + }; + database = { + uri = "postgresql://mas_user:mas@localhost/mas"; + max_connections = 10; + min_connections = 0; + connect_timeout = 30; + idle_timeout = 600; + max_lifetime = 1800; + }; + email = { + from = "\"Matrix Authentication Service\" "; + reply_to = "\"No reply\" "; + transport = "smtp"; + mode = "tls"; + hostname = "mail-1.grzb.de"; + port = 465; + username = "matrix@nekover.se"; + # password = ""; + }; + passwords = { + enabled = true; + schemes = [ + { + version = 1; + algorithm = "argon2id"; + } + ]; + # See https://github.com/dropbox/zxcvbn#usage + minimum_complexity = 3; + }; + matrix = { + homeserver = "nekover.se"; + # secret = + endpoint = "http://localhost:8008"; + }; + upstream_oauth2 = { + providers = [{ + id = "01H8PKNWKKRPCBW4YGH1RWV279"; + issuer = "https://id.nekover.se/realms/nekoverse"; + human_name = "Nekoverse ID"; + token_endpoint_auth_method = "client_secret_basic"; + client_id = "matrix-authentication-service"; + #client_secret = ""; + scope = "openid profile email"; + claims_imports = { + localpart = { + action = "require"; + template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\""; + }; + displayname = { + action = "suggest"; + template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\""; + }; + email = { + action = "suggest"; + template = "\"{{ user.email }}\""; + set_email_verification = "import"; + }; + }; + }]; + }; + # secrets = { } + }; +in { environment.systemPackages = with pkgs; [ matrix-authentication-service ]; + + systemd.services.matrix-authentication-service = { + description = "Matrix Authentication Service"; + after = [ "network-online.target" "postgresql.service" ]; + requires = [ "postgresql.service" ]; + wants = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; + Restart = "on-abort"; + DynamicUser = "yes"; + User = "mas"; + Group = "nogroup"; + WorkingDirectory = pkgs.matrix-authentication-service; + ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masConfig} --config=/secrets/"; + SyslogIdentifier = "matrix-authentication-service"; + }; + + wantedBy = [ "multi-user.target" ]; + }; } diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 7f339bf..1eee71c 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -46,6 +46,20 @@ ]; turn_user_lifetime = 86400000; turn_allow_guests = true; + experimental_features = { + msc3861 = { + enabled = true; + # Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration + issuer = "https://nekover.se"; + client_id = "0000000000000000000SYNAPSE"; + client_auth_method = "client_secret_basic"; + # Matches the `client_secret` in the auth service config + client_secret = "SomeRandomSecret"; + # Matches the `matrix.secret` in the auth service config + admin_token = "AnotherRandomSecret"; + account_management_url = "https://id.nekover.se/realms/nekoverse/account/"; + }; + }; }; extras = [ "oidc" ]; extraConfigFiles = [ diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 1b28649..832e7f1 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -2,40 +2,76 @@ { services.nginx = { enable = true; - virtualHosts."matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - ]; - locations = { - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8009"; - priority = 999; + virtualHosts = { + "matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + ]; + locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + priority = 999; + }; + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; }; - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + "matrix-auth.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations = { + "/" = { + proxy_pass = "http://unix:/var/run/mas.sock"; + }; + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; + }; + extraConfig = '' + listen 0.0.0.0:9443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; }; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 8debb31..ef9b750 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -26,6 +26,7 @@ hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; matrix.nekover.se 10.202.41.112:8443; + matrix-auth.nekover.se 10.202.41.112:9443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 558aa95..8b36bfc 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -4,6 +4,7 @@ let "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; + "matrix-auth.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; diff --git a/flake.nix b/flake.nix index 3aae2d8..849ba70 100644 --- a/flake.nix +++ b/flake.nix @@ -11,9 +11,10 @@ pterodactyl = { url = "git+https://git.nekover.se/fi/pterodactyl.git"; }; + inputs.sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, sops-nix, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; diff --git a/hosts.nix b/hosts.nix index 820e5cb..d5f1279 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,4 +1,4 @@ -{ nixpkgs, nixpkgs-unstable, ... }: +{ nixpkgs, nixpkgs-unstable, sops-nix, ... }: let # Set of environment specific modules environments = { @@ -22,6 +22,7 @@ let modules = [ ./config/common ./config/hosts/${name} + sops-nix.nixosModules.sops ] ++ (if environment != "" then environments.${environment} else []); }) hosts; in