From df711fbbe6da90c35126889f904ce60f8bb2efbf Mon Sep 17 00:00:00 2001
From: Aleksandr Lebedev
Date: Sun, 10 Aug 2025 11:48:47 +0200
Subject: [PATCH] Server, deploy-rs

---
checks/deploy/default.nix | 4 +
checks/fmt/default.nix | 11 +
flake.lock | 196 +++++++--
flake.nix | 19 +-
homes/x86_64-linux/kylekrein/default.nix | 13 +-
homes/x86_64-linux/kylekrein/emacs.nix | 7 +-
modules/nixos/services/conduwuit/default.nix | 378 ++++++++++++++++++
overlays/conduwuit/default.nix | 3 +
overlays/deploy-rs/default.nix | 3 +
shells/default/default.nix | 10 +
.../x86_64-linux/kylekrein-server/default.nix | 143 +++++++
.../kylekrein-server/hardware.nix | 32 ++
.../kylekrein-server/networking.nix | 48 +++
13 files changed, 828 insertions(+), 39 deletions(-)
create mode 100644 checks/deploy/default.nix
create mode 100644 checks/fmt/default.nix
create mode 100644 modules/nixos/services/conduwuit/default.nix
create mode 100644 overlays/conduwuit/default.nix
create mode 100644 overlays/deploy-rs/default.nix
create mode 100644 shells/default/default.nix
create mode 100644 systems/x86_64-linux/kylekrein-server/default.nix
create mode 100644 systems/x86_64-linux/kylekrein-server/hardware.nix
create mode 100644 systems/x86_64-linux/kylekrein-server/networking.nix
diff --git a/checks/deploy/default.nix b/checks/deploy/default.nix
new file mode 100644
index 0000000..fe83564
--- /dev/null
+++ b/checks/deploy/default.nix
@@ -0,0 +1,4 @@
+{inputs}:
+builtins.mapAttrs
+(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
+inputs.deploy-rs.lib
diff --git a/checks/fmt/default.nix b/checks/fmt/default.nix
new file mode 100644
index 0000000..c25dfe9
--- /dev/null
+++ b/checks/fmt/default.nix
@@ -0,0 +1,11 @@
+{
+ inputs,
+ system,
+ ...
+}:
+inputs.pre-commit-hooks.lib.${system}.run {
+ src = ../..;
+ hooks = {
+ alejandra.enable = true;
+ };
+}
diff --git a/flake.lock b/flake.lock
index a7fa83a..6170ef3 100644
--- a/flake.lock
+++ b/flake.lock
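Review bot: `builtins.mapAttrs` over `inputs.deploy-rs.lib` evaluates to an attrset keyed by system name, each value being deploy-rs's set of check derivations, so this file's result is two levels of attrsets deep. The sibling `checks/fmt` takes `system` and returns a single derivation, which suggests Snowfall places each `checks/<name>` result directly at `checks.<system>.<name>`; if so, `nix flake check` would meet an attrset instead of a derivation under `checks.<system>.deploy`. Taking `system` as the sibling does and evaluating `inputs.deploy-rs.lib.${system}.deployChecks inputs.self.deploy` at least keeps the check per-system; whether Snowfall then accepts the remaining one-level attrset should be confirmed with `nix flake check`.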
@@ -309,6 +309,28 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat_5", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1749105467, + "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "6bc76b872374845ba9d645a2f012b764fecd765f", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "devenv": { "inputs": { "cachix": "cachix_2", @@ -464,6 +486,38 @@ "type": "github" } }, + "flake-compat_10": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_11": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-compat_2": { "flake": false, "locked": { @@ -516,11 +570,11 @@ "flake-compat_5": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { 
@@ -548,37 +602,20 @@ "flake-compat_7": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { "owner": "edolstra", - "ref": "v1.0.1", "repo": "flake-compat", "type": "github" } }, "flake-compat_8": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_9": { "flake": false, "locked": { "lastModified": 1747046372, @@ -594,6 +631,23 @@ "type": "github" } }, + "flake-compat_9": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "ref": "v1.0.1", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -790,7 +844,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -823,7 +877,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1694529238, 
@@ -928,6 +982,27 @@ "type": "github" } }, + "gitignore_3": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "gnome-shell": { "flake": false, "locked": { @@ -1027,7 +1102,7 @@ "lanzaboote": { "inputs": { "crane": "crane_3", - "flake-compat": "flake-compat_5", + "flake-compat": "flake-compat_6", "flake-parts": "flake-parts_3", "nixpkgs": "nixpkgs_9", "pre-commit-hooks-nix": "pre-commit-hooks-nix", @@ -1474,7 +1549,7 @@ }, "nixos-wsl": { "inputs": { - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_7", "nixpkgs": "nixpkgs_13" }, "locked": { @@ -2049,7 +2124,7 @@ "plugin-vim-repeat": "plugin-vim-repeat", "plugin-vim-startify": "plugin-vim-startify", "plugin-which-key": "plugin-which-key", - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1736795850, @@ -4019,6 +4094,28 @@ "type": "github" } }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_8", + "gitignore": "gitignore_3", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1754416808, + "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -4068,6 +4165,7 @@ "beeengine": "beeengine", "chaotic": "chaotic", "conduwuit": "conduwuit", + "deploy-rs": "deploy-rs", "disko": "disko", "emacs-kylekrein": "emacs-kylekrein", "home-manager": "home-manager_2", 
@@ -4084,6 +4182,7 @@ "nixos-hardware": "nixos-hardware", "nixos-wsl": "nixos-wsl", "nixpkgs": "nixpkgs_14", + "pre-commit-hooks": "pre-commit-hooks", "snowfall-flake": "snowfall-flake", "snowfall-lib": "snowfall-lib_2", "sops-nix": "sops-nix", @@ -4191,7 +4290,7 @@ }, "snowfall-flake": { "inputs": { - "flake-compat": "flake-compat_7", + "flake-compat": "flake-compat_9", "nixpkgs": [ "nixpkgs" ], @@ -4213,7 +4312,7 @@ }, "snowfall-lib": { "inputs": { - "flake-compat": "flake-compat_8", + "flake-compat": "flake-compat_10", "flake-utils-plus": "flake-utils-plus", "nixpkgs": [ "snowfall-flake", @@ -4237,7 +4336,7 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_9", + "flake-compat": "flake-compat_11", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" @@ -4286,7 +4385,7 @@ "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_16", "nur": "nur", - "systems": "systems_5", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -4383,6 +4482,21 @@ "type": "github" } }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -4523,6 +4637,24 @@ "type": "github" } }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { 
diff --git a/flake.nix b/flake.nix index 11508f9..b14ef98 100644 --- a/flake.nix +++ b/flake.nix @@ -73,13 +73,21 @@ # The name "snowfall-lib" is required due to how Snowfall Lib processes your # flake's inputs. snowfall-lib = { - url = "github:KyleKrein/snowfall-lib";#"git+file:///home/kylekrein/Git/snowfall-lib"; + url = "github:KyleKrein/snowfall-lib"; #"git+file:///home/kylekrein/Git/snowfall-lib"; inputs.nixpkgs.follows = "nixpkgs"; }; snowfall-flake = { url = "github:snowfallorg/flake"; inputs.nixpkgs.follows = "nixpkgs"; }; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + pre-commit-hooks = { + url = "github:cachix/git-hooks.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: @@ -121,6 +129,15 @@ templates = import ./templates {}; + deploy.nodes.server = { + hostname = "kylekrein.com"; + interactiveSudo = false; + profiles.system = { + user = "kylekrein"; + path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos inputs.self.nixosConfigurations.kylekrein-server; + }; + }; + outputs-builder = channels: { formatter = channels.nixpkgs.alejandra; }; diff --git a/homes/x86_64-linux/kylekrein/default.nix b/homes/x86_64-linux/kylekrein/default.nix index 40b4906..d4a6408 100644 --- a/homes/x86_64-linux/kylekrein/default.nix +++ b/homes/x86_64-linux/kylekrein/default.nix 
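Review bot: `profiles.system.user = "kylekrein"` asks deploy-rs to activate the NixOS system profile as an unprivileged account, and the activation has to run `switch-to-configuration` as root, so I expect the first deploy to fail at that step; the deploy-rs README uses `user = "root"` for the system profile and `sshUser` for the login account. `sshUser` is not set here, so the SSH login falls back to the invoking user's name, and with `interactiveSudo = false` the escalation to root must succeed without a prompt on the host (a passwordless sudo rule for that account, or `interactiveSudo = true`). I would set `sshUser = "kylekrein";` on the node and `profiles.system.user = "root";`, and document the sudo expectation next to `interactiveSudo`.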
@@ -17,25 +17,30 @@ in enable = true; firstNixOSInstall = 1729112485; }; - librewolf = enabled; + librewolf.enable = osConfig.custom.presets.wayland.enable; prismlauncher.enable = osConfig.custom.presets.gaming.enable; - bottles = enabled; + bottles.enable = osConfig.custom.presets.wayland.enable; }; }; home = { packages = with pkgs; [ + neovim + ] + ++ lib.optionals osConfig.custom.presets.wayland.enable [ gdb element-desktop obs-studio - neovim localsend kdePackages.kdenlive ] ++ lib.optionals osConfig.custom.presets.gaming.enable [mcpelauncher-ui-qt]; sessionVariables = { - EDITOR = "emacsclient -c"; + EDITOR = + if osConfig.custom.presets.wayland.enable + then "emacsclient -c" + else "nvim"; NH_OS_FLAKE = "${home}/nixos-config"; NH_HOME_FLAKE = "${home}/nixos-config"; NH_DARWIN_FLAKE = "${home}/nixos-config"; diff --git a/homes/x86_64-linux/kylekrein/emacs.nix b/homes/x86_64-linux/kylekrein/emacs.nix index 6e7047c..55978aa 100644 --- a/homes/x86_64-linux/kylekrein/emacs.nix +++ b/homes/x86_64-linux/kylekrein/emacs.nix @@ -2,15 +2,18 @@ pkgs, system, inputs, + osConfig, + lib, + config, ... }: let emacs = inputs.emacs-kylekrein.packages.${system}.with-lsps-native; in { programs.emacs = { - enable = true; + enable = osConfig.custom.presets.wayland.enable; package = emacs; }; - systemd.user.services.emacs = { + systemd.user.services.emacs = lib.mkIf config.programs.emacs.enable { Unit = { Description = "Launches (and relaunches) emacs"; }; diff --git a/modules/nixos/services/conduwuit/default.nix b/modules/nixos/services/conduwuit/default.nix new file mode 100644 index 0000000..2746fd9 --- /dev/null +++ b/modules/nixos/services/conduwuit/default.nix 
@@ -0,0 +1,378 @@ +{ + config, + lib, + pkgs, + namespace, + ... +}: let + cfg = config.${namespace}.services.conduwuit; + defaultUser = "conduwuit"; + defaultGroup = "conduwuit"; + + format = pkgs.formats.toml {}; + configFile = format.generate "conduwuit.toml" cfg.settings; +in { + meta.maintainers = with lib.maintainers; [niklaskorz]; + options.${namespace}.services.conduwuit = { + enable = lib.mkEnableOption "conduwuit"; + + user = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The user {command}`conduwuit` is run as. + ''; + default = defaultUser; + }; + + group = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The group {command}`conduwuit` is run as. + ''; + default = defaultGroup; + }; + + extraEnvironment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + description = "Extra Environment variables to pass to the conduwuit server."; + default = {}; + example = { + RUST_BACKTRACE = "yes"; + }; + }; + + package = lib.mkPackageOption pkgs "conduwuit" {}; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = format.type; + options = { + global.server_name = lib.mkOption { + type = lib.types.nonEmptyStr; + example = "example.com"; + description = "The server_name is the name of this server. It is used as a suffix for user and room ids."; + }; + global.address = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr); + default = null; + example = [ + "127.0.0.1" + "::1" + ]; + description = '' + Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator. + If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost. + Must be `null` if `unix_socket_path` is set. + ''; + }; + global.port = lib.mkOption { + type = lib.types.listOf lib.types.port; + default = [6167]; + description = '' + The port(s) conduwuit will be running on. + You need to set up a reverse proxy in your web server (e.g. 
apache or nginx), + so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit + instance running on this port. + ''; + }; + global.unix_socket_path = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Listen on a UNIX socket at the specified path. If listening on a UNIX socket, + listening on an address will be disabled. The `address` option must be set to + `null` (the default value). The option {option}`services.conduwuit.group` must + be set to a group your reverse proxy is part of. + + This will automatically add a system user "conduwuit" to your system if + {option}`services.conduwuit.user` is left at the default, and a "conduwuit" + group if {option}`services.conduwuit.group` is left at the default. + ''; + }; + global.unix_socket_perms = lib.mkOption { + type = lib.types.ints.positive; + default = 660; + description = "The default permissions (in octal) to create the UNIX socket with."; + }; + global.max_request_size = lib.mkOption { + type = lib.types.ints.positive; + default = 20000000; + description = "Max request size in bytes. Don't forget to also change it in the proxy."; + }; + global.allow_registration = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether new users can register on this server. + + Registration with token requires `registration_token` or `registration_token_file` to be set. + + If set to true without a token configured, and + `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` + is set to true, users can freely register. + ''; + }; + global.allow_encryption = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work."; + }; + global.allow_federation = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether this server federates with other servers. 
+ ''; + }; + global.trusted_servers = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = ["matrix.org"]; + description = '' + Servers listed here will be used to gather public keys of other servers + (notary trusted key servers). + + Currently, conduwuit doesn't support inbound batched key requests, so + this list should only contain other Synapse servers. + + Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]` + ''; + }; + global.database_path = lib.mkOption { + readOnly = true; + type = lib.types.path; + default = "/var/lib/conduwuit/"; + description = '' + Path to the conduwuit database, the directory where conduwuit will save its data. + Note that database_path cannot be edited because of the service's reliance on systemd StateDir. + ''; + }; + global.database_backup_path = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Path to the conduwuit database, the directory where conduwuit will backup its data. + ''; + }; + global.database_backups_to_keep = lib.mkOption { + type = lib.types.ints.positive; + default = 1; + description = ""; + }; + global.allow_check_for_updates = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + If enabled, conduwuit will send a simple GET request periodically to + for any new announcements made. + Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint. + + Disabled by default. 
+ ''; + }; + global.allow_local_presence = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + ''; + }; + global.allow_incoming_presence = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + ''; + }; + global.allow_outgoing_presence = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + ''; + }; + global.require_auth_for_profile_requests = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + ''; + }; + global.new_user_displayname_suffix = lib.mkOption { + type = lib.types.str; + default = "🏳️‍⚧️"; + description = '' + ''; + }; + global.registration_token = lib.mkOption { + type = lib.types.str; + default = ""; + description = '' + ''; + }; + global.registration_token_file = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + ''; + }; + global.allow_public_room_directory_over_federation = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + ''; + }; + global.allow_public_room_directory_without_auth = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + ''; + }; + global.allow_device_name_federation = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + ''; + }; + global.allow_inbound_profile_lookup_federation_requests = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + ''; + }; + global.turn_secret = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = '' + ''; + }; + global.turn_uris = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = []; + description = '' + ''; + }; + global.turn_secret_file = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + ''; + }; + global.prevent_media_downloads_from = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = []; + description = '' + ''; + }; 
+ global.well_known.client = lib.mkOption { + type = lib.types.str; + default = ""; + description = '' + ''; + }; + global.well_known.server = lib.mkOption { + type = lib.types.str; + default = ""; + description = '' + ''; + }; + }; + }; + default = {}; + # TOML does not allow null values, so we use null to omit those fields + apply = lib.filterAttrsRecursive (_: v: v != null); + description = '' + Generates the conduwuit.toml configuration file. Refer to + + for details on supported values. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address); + message = '' + In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the + same time. + Leave one of the two options unset or explicitly set them to `null`. + ''; + } + { + assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user}; + message = "If `services.conduwuit.user` is changed, the configured user must already exist."; + } + { + assertion = cfg.group != defaultGroup -> config ? 
users.groups.${cfg.group}; + message = "If `services.conduwuit.group` is changed, the configured group must already exist."; + } + ]; + + users.users = lib.mkIf (cfg.user == defaultUser) { + ${defaultUser} = { + group = cfg.group; + home = cfg.settings.global.database_path; + isSystemUser = true; + }; + }; + + users.groups = lib.mkIf (cfg.group == defaultGroup) { + ${defaultGroup} = {}; + }; + + systemd.services.conduwuit = { + description = "Conduwuit Matrix Server"; + documentation = ["https://conduwuit.puppyirl.gay/"]; + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = ["network-online.target"]; + environment = lib.mkMerge [ + {CONDUWUIT_CONFIG = configFile;} + cfg.extraEnvironment + ]; + startLimitBurst = 5; + startLimitIntervalSec = 60; + serviceConfig = { + DynamicUser = true; + User = cfg.user; + Group = cfg.group; + + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + PrivateIPC = true; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service @resources" + "~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc" + ]; + SystemCallErrorNumber = "EPERM"; + + StateDirectory = "conduwuit"; + StateDirectoryMode = "0700"; + RuntimeDirectory = "conduwuit"; + RuntimeDirectoryMode = "0750"; + + ExecStart = lib.getExe cfg.package; + Restart = "on-failure"; + RestartSec = 10; + }; + }; + }; +} 
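Review bot: Eighteen options in `settings` (`database_backups_to_keep`, then `allow_local_presence` through `well_known.server`, including `registration_token`, `turn_secret` and `turn_uris`) carry an empty `description`, so the generated option docs say nothing for them. For `registration_token` and `turn_secret` this matters most, because `configFile = format.generate "conduwuit.toml" cfg.settings` writes whatever value is set into a file in the world-readable Nix store; I would document that with `description = "Plain-text token; it is written to conduwuit.toml in the Nix store, so prefer registration_token_file for a real secret.";` and the matching sentence on `turn_secret` pointing at `turn_secret_file`. The descriptions of `allow_check_for_updates` ("send a simple GET request periodically to for any new announcements") and of `settings` itself ("Refer to for details") have lost their URLs, possibly only in this rendering of the patch, and should be restored. `meta.maintainers = with lib.maintainers; [niklaskorz];` looks carried over from the nixpkgs module it was adapted from and does not describe this flake's module.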
diff --git a/overlays/conduwuit/default.nix b/overlays/conduwuit/default.nix
new file mode 100644
index 0000000..4288f78
--- /dev/null
+++ b/overlays/conduwuit/default.nix
@@ -0,0 +1,3 @@
+{inputs, ...}: final: prev: {
+ conduwuit = inputs.conduwuit.packages.${prev.system}.all-features;
+}
diff --git a/overlays/deploy-rs/default.nix b/overlays/deploy-rs/default.nix
new file mode 100644
index 0000000..780c16f
--- /dev/null
+++ b/overlays/deploy-rs/default.nix
@@ -0,0 +1,3 @@
+{inputs, ...}: final: prev: {
+ deploy-rs = inputs.deploy-rs.packages.${prev.system}.deploy-rs;
+}
diff --git a/shells/default/default.nix b/shells/default/default.nix
new file mode 100644
index 0000000..9cff5bd
--- /dev/null
+++ b/shells/default/default.nix
@@ -0,0 +1,10 @@
+{
+ pkgs,
+ mkShell,
+ ...
+}:
+mkShell {
+ packages = with pkgs; [
+ pkgs.deploy-rs
+ ];
+}
diff --git a/systems/x86_64-linux/kylekrein-server/default.nix b/systems/x86_64-linux/kylekrein-server/default.nix
new file mode 100644
index 0000000..cab44c2
--- /dev/null
+++ b/systems/x86_64-linux/kylekrein-server/default.nix
@@ -0,0 +1,143 @@ +{ + lib, + pkgs, + inputs, + namespace, + system, + target, + format, + virtual, + systems, + config, + ... +}: +with lib; +with lib.custom; { + imports = lib.snowfall.fs.get-non-default-nix-files ./.; + custom = { + presets.default = enabled; + users.kylekrein = { + enable = true; + config = {}; + }; + services.conduwuit = { + enable = true; + #user = "turnserver"; + settings = { + global = { + server_name = "kylekrein.com"; + well_known = { + server = "matrix.kylekrein.com:443"; + client = "https://matrix.kylekrein.com"; + }; + port = [6167]; + trusted_servers = ["matrix.org"]; + allow_registration = false; + registration_token = ""; #nix shell nixpkgs#openssl -c openssl rand -base64 48 | tr -d '/+' | cut -c1-64 + allow_federation = true; + allow_encryption = true; + + allow_local_presence = true; + require_auth_for_profile_requests = true; + }; + }; + extraEnvironment = { + }; + }; + }; + + services.caddy = { + enable = true; + #virtualHosts."kylekrein.com:8448".extraConfig = '' + # reverse_proxy http://localhost:6167 + #''; + virtualHosts."kylekrein.com".extraConfig = '' + handle_path /.well-known/matrix/* { + + header Access-Control-Allow-Origin * + + ## `Content-Type: application/json` isn't required by the matrix spec + ## but some browsers (firefox) and some other tooling might preview json + ## content prettier when they are made aware via Content-Type + header Content-Type application/json + + respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }` + + respond /server `{ "m.server": "https://matrix.kylekrein.com" }` + + ## return http/404 if nothing matches + respond 404 + } + respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}` + reverse_proxy * http://localhost:6167 + ''; + # 
reverse_proxy /.well-known/* http://localhost:6167 + #''; + virtualHosts."matrix.kylekrein.com".extraConfig = '' + handle_path /.well-known/matrix/* { + + header Access-Control-Allow-Origin * + + ## `Content-Type: application/json` isn't required by the matrix spec + ## but some browsers (firefox) and some other tooling might preview json + ## content prettier when they are made aware via Content-Type + header Content-Type application/json + + respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }` + + respond /server `{ "m.server": "https://matrix.kylekrein.com" }` + + ## return http/404 if nothing matches + respond 404 + } + respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}` + reverse_proxy * http://localhost:6167 + ''; + virtualHosts."gitlab.kylekrein.com".extraConfig = '' + reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket + ''; + }; + + #Chat host + networking.firewall.allowedTCPPorts = [80 443 22 8448]; + networking.firewall.allowedUDPPorts = [3478 5349]; + #sops.secrets."services/conduwuit" = {mode = "0755";}; + + sops.secrets."services/gitlab/dbPassword" = {owner = "gitlab";}; + sops.secrets."services/gitlab/rootPassword" = {owner = "gitlab";}; + sops.secrets."services/gitlab/secret" = {owner = "gitlab";}; + sops.secrets."services/gitlab/otpsecret" = {owner = "gitlab";}; + sops.secrets."services/gitlab/dbsecret" = {owner = "gitlab";}; + sops.secrets."services/gitlab/oidcKeyBase" = {owner = "gitlab";}; + sops.secrets."services/gitlab/activeRecordSalt" = {owner = "gitlab";}; + sops.secrets."services/gitlab/activeRecordPrimaryKey" = {owner = "gitlab";}; + sops.secrets."services/gitlab/activeRecordDeterministicKey" = {owner = "gitlab";}; + services.gitlab = { + enable = true; + host = 
"gitlab.kylekrein.com"; + port = 443; + #statePath = "/persist/gitlab/state"; + backup.startAt = "3:00"; + databasePasswordFile = config.sops.secrets."services/gitlab/dbPassword".path; + initialRootPasswordFile = config.sops.secrets."services/gitlab/rootPassword".path; + secrets = { + secretFile = config.sops.secrets."services/gitlab/secret".path; + otpFile = config.sops.secrets."services/gitlab/otpsecret".path; + dbFile = config.sops.secrets."services/gitlab/dbsecret".path; + jwsFile = config.sops.secrets."services/gitlab/oidcKeyBase".path; #pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out"; + activeRecordSaltFile = config.sops.secrets."services/gitlab/activeRecordSalt".path; + activeRecordPrimaryKeyFile = config.sops.secrets."services/gitlab/activeRecordPrimaryKey".path; + activeRecordDeterministicKeyFile = config.sops.secrets."services/gitlab/activeRecordDeterministicKey".path; + }; + }; + + systemd.services.gitlab-backup.environment.BACKUP = "dump"; + boot.tmp.cleanOnBoot = true; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.systemd-boot.enable = mkForce false; + + # ======================== DO NOT CHANGE THIS ======================== + system.stateVersion = "24.11"; + # ======================== DO NOT CHANGE THIS ======================== +} diff --git a/systems/x86_64-linux/kylekrein-server/hardware.nix b/systems/x86_64-linux/kylekrein-server/hardware.nix new file mode 100644 index 0000000..eb6daec --- /dev/null +++ b/systems/x86_64-linux/kylekrein-server/hardware.nix 
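Review bot: Both Caddy vhosts answer `/.well-known/matrix/server` with `{ "m.server": "https://matrix.kylekrein.com" }`, but the Matrix server-discovery field is `<hostname>[:<port>]` with no scheme, so federating homeservers will presumably discard this answer and fall back to SRV/8448; the module-side `well_known.server = "matrix.kylekrein.com:443"` already has the right form, so I would change the two `respond /server` lines to return `{ "m.server": "matrix.kylekrein.com:443" }`. The comment next to `registration_token = "";` tells the reader to generate a token and paste it there, yet `settings` is rendered into `conduwuit.toml` in the world-readable Nix store; the token belongs in `registration_token_file = config.sops.secrets."<secret-name>".path;` like the GitLab secrets below, with the secret's `owner` set to the conduwuit user. TCP 8448 and UDP 3478/5349 are opened in the firewall while the `kylekrein.com:8448` vhost is commented out and nothing in this file configures a TURN server, so those ports are exposed for services that do not exist yet; I would remove them until something listens there.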
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/4f7e141c-0fc7-415a-815d-944b36f93806";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/systems/x86_64-linux/kylekrein-server/networking.nix b/systems/x86_64-linux/kylekrein-server/networking.nix
new file mode 100644
index 0000000..28206ce
--- /dev/null
+++ b/systems/x86_64-linux/kylekrein-server/networking.nix
@@ -0,0 +1,48 @@
+{lib, ...}: {
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "8.8.8.8"
+ ];
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "";
+ interface = "eth0";
+ };
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce false;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ {
+ address = "91.99.0.169";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "fe80::9400:4ff:fe30:830e";
+ prefixLength = 64;
+ }
+ ];
+ ipv4.routes = [
+ {
+ address = "172.31.1.1";
+ prefixLength = 32;
+ }
+ ];
+ ipv6.routes = [
+ {
+ address = "";
+ prefixLength = 128;
+ }
+ ];
+ };
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="96:00:04:30:83:0e", NAME="eth0"
+
+ '';
+}
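Review bot: `defaultGateway6.address` and the single entry in `ipv6.routes` are set to `""`; the scripted networking backend presumably renders these into `ip -6 route` commands with an empty gateway/destination, which I would expect to fail at boot rather than be silently ignored. Either fill in the real IPv6 gateway and prefix or drop the `defaultGateway6` and `ipv6.routes` blocks entirely. The only IPv6 address configured is the link-local `fe80::9400:4ff:fe30:830e`, so the host has no globally routable IPv6 either way, and the resolver list is the single upstream `8.8.8.8` with no fallback.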