This commit is contained in:
Fiona Grzebien 2024-11-08 01:45:53 +01:00
parent 94e279094a
commit 13a9e1bb43
8 changed files with 230 additions and 34 deletions

17
.sops.yaml Normal file
View file

@ -0,0 +1,17 @@
keys:
- &admin_gpg_fi_cherry 3664299DF7043167375A444792C901ED05ED21F8
- &admin_gpg_fi_violet 46BAEDB6A776F5E245C766F943399230C7523D82
- &admin_gpg_fi_kiara 0DE8BF7F4727049D4D9D78FC25936DC2A622FE56
- &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5
creation_rules:
- path_regex: config/hosts/matrix/.*
key_groups:
- pgp:
- *admin_gpg_fi_cherry
- *admin_gpg_fi_violet
- *admin_gpg_fi_kiara
age:
- *host_age_matrix
stores:
yaml:
indent: 2

View file

@ -1,6 +1,131 @@
{ pkgs, ... }: { pkgs, ... }:
let
masConfig = (pkgs.formats.yaml { }).generate "matrix-authentication-service-config.yaml" {
http = {
public_base = "https://matrix-auth.nekover.se";
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{ name = "assets"; }
];
binds = [{ socket = "/var/run/mas.sock"; }];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "localhost";
port = 8081;
}
];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/10"
"127.0.0.1/8"
"fd00::/8"
"::1/128"
];
};
database = {
uri = "postgresql://mas_user:mas@localhost/mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Matrix Authentication Service\" <nyareply@nekover.se>";
reply_to = "\"No reply\" <nyareply@nekover.se>";
transport = "smtp";
mode = "tls";
hostname = "mail-1.grzb.de";
port = 465;
username = "matrix@nekover.se";
# password = "";
};
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "argon2id";
}
];
# See https://github.com/dropbox/zxcvbn#usage
minimum_complexity = 3;
};
matrix = {
homeserver = "nekover.se";
# secret =
endpoint = "http://localhost:8008";
};
upstream_oauth2 = {
providers = [{
id = "01H8PKNWKKRPCBW4YGH1RWV279";
issuer = "https://id.nekover.se/realms/nekoverse";
human_name = "Nekoverse ID";
token_endpoint_auth_method = "client_secret_basic";
client_id = "matrix-authentication-service";
#client_secret = "";
scope = "openid profile email";
claims_imports = {
localpart = {
action = "require";
template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
};
displayname = {
action = "suggest";
template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
};
email = {
action = "suggest";
template = "\"{{ user.email }}\"";
set_email_verification = "import";
};
};
}];
};
# secrets = { }
};
in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
matrix-authentication-service matrix-authentication-service
]; ];
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-abort";
DynamicUser = "yes";
User = "mas";
Group = "nogroup";
WorkingDirectory = pkgs.matrix-authentication-service;
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masConfig} --config=/secrets/";
SyslogIdentifier = "matrix-authentication-service";
};
wantedBy = [ "multi-user.target" ];
};
} }

View file

@ -46,6 +46,20 @@
]; ];
turn_user_lifetime = 86400000; turn_user_lifetime = 86400000;
turn_allow_guests = true; turn_allow_guests = true;
experimental_features = {
msc3861 = {
enabled = true;
# Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
issuer = "https://nekover.se";
client_id = "0000000000000000000SYNAPSE";
client_auth_method = "client_secret_basic";
# Matches the `client_secret` in the auth service config
client_secret = "SomeRandomSecret";
# Matches the `matrix.secret` in the auth service config
admin_token = "AnotherRandomSecret";
account_management_url = "https://id.nekover.se/realms/nekoverse/account/";
};
};
}; };
extras = [ "oidc" ]; extras = [ "oidc" ];
extraConfigFiles = [ extraConfigFiles = [

View file

@ -2,40 +2,76 @@
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."matrix.nekover.se" = { virtualHosts = {
forceSSL = true; "matrix.nekover.se" = {
enableACME = true; forceSSL = true;
listen = [ enableACME = true;
{ listen = [
addr = "0.0.0.0"; {
port = 80; addr = "0.0.0.0";
} port = 80;
{ }
addr = "0.0.0.0"; {
port = 8448; addr = "0.0.0.0";
ssl = true; port = 8448;
} ssl = true;
]; }
locations = { ];
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { locations = {
proxyPass = "http://127.0.0.1:8009"; "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
priority = 999; proxyPass = "http://127.0.0.1:8009";
priority = 999;
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
}; };
"~ ^(/_matrix|/_synapse/client)" = { extraConfig = ''
proxyPass = "http://127.0.0.1:8008"; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
};
"matrix-auth.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations = {
"/" = {
proxy_pass = "http://unix:/var/run/mas.sock";
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:9443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
}; };
}; };
} }

View file

@ -26,6 +26,7 @@
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443; id.nekover.se 10.202.41.124:8443;
matrix.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443;
matrix-auth.nekover.se 10.202.41.112:9443;
mewtube.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;

View file

@ -4,6 +4,7 @@ let
"jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
"mail-1.grzb.de" = "mail-1.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-auth.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de";

View file

@ -11,9 +11,10 @@
pterodactyl = { pterodactyl = {
url = "git+https://git.nekover.se/fi/pterodactyl.git"; url = "git+https://git.nekover.se/fi/pterodactyl.git";
}; };
inputs.sops-nix.url = "github:Mic92/sops-nix";
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, ... }@inputs: outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, pterodactyl, sops-nix, ... }@inputs:
let let
hosts = import ./hosts.nix inputs; hosts = import ./hosts.nix inputs;
helper = import ./helper.nix inputs; helper = import ./helper.nix inputs;

View file

@ -1,4 +1,4 @@
{ nixpkgs, nixpkgs-unstable, ... }: { nixpkgs, nixpkgs-unstable, sops-nix, ... }:
let let
# Set of environment specific modules # Set of environment specific modules
environments = { environments = {
@ -22,6 +22,7 @@ let
modules = [ modules = [
./config/common ./config/common
./config/hosts/${name} ./config/hosts/${name}
sops-nix.nixosModules.sops
] ++ (if environment != "" then environments.${environment} else []); ] ++ (if environment != "" then environments.${environment} else []);
}) hosts; }) hosts;
in in