commit 2dd5fdb4eca9674334fc3e758a44293f3e04ba19 · ryan.freumh.org/eilean-nix

+10 -8

flake.nix

···

       6
       6
        
       

     

       7
       7
        
         outputs = { self, nixpkgs, nixos-mailserver, ... }: rec {

     

       8
       8
        
           packages = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed (system:

     

       9
       9
       -
             let

     

       10
       10
       -
               pkgs = nixpkgs.legacyPackages.${system};

     

       11
       11
       -
             in {

     

       12
       12
       -
               manpage = import ./man { inherit pkgs system nixos-mailserver; };

     

       13
       13
       -
             });

     

       9
       9
       +
             let pkgs = nixpkgs.legacyPackages.${system};

     

       10
       10
       +
             in { manpage = import ./man { inherit pkgs system nixos-mailserver; }; });

     

       14
       11
        
       

     

       15
       12
        
           nixosModules.default = {

     

       16
       13
        
             imports = [

     

       17
       14
        
               ./modules/default.nix

     

       18
       15
        
               nixos-mailserver.nixosModule

     

       19
       16
        
               ({ pkgs, config, ... }: {

     

       20
       20
       -
                 nixpkgs.overlays = [ (final: prev: {

     

       21
       21
       -
                   mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });

     

       22
       22
       -
                 }) ];

     

       17
       17
       +
                 nixpkgs.overlays = [

     

       18
       18
       +
                   (final: prev: {

     

       19
       19
       +
                     mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });

     

       20
       20
       +
                   })

     

       21
       21
       +
                 ];

     

       23
       22
        
               })

     

       24
       23
        
             ];

     

       25
       24
        
           };

     

       26
       25
        
           defaultTemplate.path = ./template;

     

       26
       26
       +
       

     

       27
       27
       +
           formatter = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed

     

       28
       28
       +
             (system: nixpkgs.legacyPackages.${system}.nixfmt);

     

       27
       29
        
         };

     

       28
       30
        
       }

+28 -36

man/default.nix

···

       2
       2
        
       

     

       3
       3
        
       with pkgs;

     

       4
       4
        
       let

     

       5
       5
       -
           optionsDoc =

     

       6
       6
       -
             let

     

       7
       7
       -
               eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {

     

       8
       8
       -
                 inherit system;

     

       9
       9
       -
                 modules = [

     

       10
       10
       -
                   ../modules/default.nix

     

       11
       11
       -
                   nixos-mailserver

     

       12
       12
       -
                 ];

     

       13
       13
       -
               };

     

       14
       14
       -
             in pkgs.nixosOptionsDoc {

     

       15
       15
       -
               options = eval.options;

     

       16
       16
       -
               # TODO make sure all options have descriptions

     

       17
       17
       -
               warningsAreErrors = false;

     

       18
       18
       -
             };

     

       5
       5
       +
         optionsDoc = let

     

       6
       6
       +
           eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {

     

       7
       7
       +
             inherit system;

     

       8
       8
       +
             modules = [ ../modules/default.nix nixos-mailserver ];

     

       9
       9
       +
           };

     

       10
       10
       +
         in pkgs.nixosOptionsDoc {

     

       11
       11
       +
           options = eval.options;

     

       12
       12
       +
           # TODO make sure all options have descriptions

     

       13
       13
       +
           warningsAreErrors = false;

     

       14
       14
       +
         };

     

       19
       15
        
       

     

       20
       16
        
         # Generate the `man eliean.nix` package

     

       21
       21
       -
         eilean-configuration-manual =

     

       22
       22
       -
           runCommand "eilean-reference-manpage"

     

       23
       23
       -
           { nativeBuildInputs = [

     

       24
       24
       -
               buildPackages.installShellFiles

     

       25
       25
       -
               buildPackages.nixos-render-docs

     

       26
       26
       -
             ];

     

       27
       27
       -
             allowedReferences = [ "out" ];

     

       28
       28
       -
           }

     

       29
       29
       -
           ''

     

       30
       30
       -
             # Generate manpages.

     

       31
       31
       -
             mkdir -p $out/share/man/man5

     

       32
       32
       -
             # filter to only eilean options

     

       33
       33
       -
             cat ${optionsDoc.optionsJSON}/share/doc/nixos/options.json \

     

       34
       34
       -
               | ${pkgs.jq}/bin/jq 'with_entries(select(.key | test("^eilean")))' \

     

       35
       35
       -
               > eilean-options.json

     

       36
       36
       -
             nixos-render-docs -j $NIX_BUILD_CORES options manpage \

     

       37
       37
       -
               --revision dev \

     

       38
       38
       -
               --header ${./eilean-configuration-nix-header.5} \

     

       39
       39
       -
               --footer ${./eilean-configuration-nix-footer.5} \

     

       40
       40
       -
               eilean-options.json \

     

       41
       41
       -
               $out/share/man/man5/eilean-configuration.nix.5

     

       42
       42
       -
           '';

     

       17
       17
       +
         eilean-configuration-manual = runCommand "eilean-reference-manpage" {

     

       18
       18
       +
           nativeBuildInputs =

     

       19
       19
       +
             [ buildPackages.installShellFiles buildPackages.nixos-render-docs ];

     

       20
       20
       +
           allowedReferences = [ "out" ];

     

       21
       21
       +
         } ''

     

       22
       22
       +
           # Generate manpages.

     

       23
       23
       +
           mkdir -p $out/share/man/man5

     

       24
       24
       +
           # filter to only eilean options

     

       25
       25
       +
           cat ${optionsDoc.optionsJSON}/share/doc/nixos/options.json \

     

       26
       26
       +
             | ${pkgs.jq}/bin/jq 'with_entries(select(.key | test("^eilean")))' \

     

       27
       27
       +
             > eilean-options.json

     

       28
       28
       +
           nixos-render-docs -j $NIX_BUILD_CORES options manpage \

     

       29
       29
       +
             --revision dev \

     

       30
       30
       +
             --header ${./eilean-configuration-nix-header.5} \

     

       31
       31
       +
             --footer ${./eilean-configuration-nix-footer.5} \

     

       32
       32
       +
             eilean-options.json \

     

       33
       33
       +
             $out/share/man/man5/eilean-configuration.nix.5

     

       34
       34
       +
         '';

     

       43
       35
        
       in eilean-configuration-manual

+7 -15

modules/default.nix

···

       19
       19
        
         ];

     

       20
       20
        
       

     

       21
       21
        
         options.eilean = with types; {

     

       22
       22
       -
           username = mkOption {

     

       23
       23
       -
             type = str;

     

       24
       24
       -
           };

     

       25
       25
       -
           serverIpv4 = mkOption {

     

       26
       26
       -
             type = str;

     

       27
       27
       -
           };

     

       28
       28
       -
           serverIpv6 = mkOption {

     

       29
       29
       -
             type = str;

     

       30
       30
       -
           };

     

       31
       31
       -
           publicInterface = mkOption {

     

       32
       32
       -
             type = str;

     

       33
       33
       -
           };

     

       22
       22
       +
           username = mkOption { type = str; };

     

       23
       23
       +
           serverIpv4 = mkOption { type = str; };

     

       24
       24
       +
           serverIpv6 = mkOption { type = str; };

     

       25
       25
       +
           publicInterface = mkOption { type = str; };

     

       34
       26
        
         };

     

       35
       27
        
       

     

       36
       28
        
         config = {

     

       37
       29
        
           # TODO install manpage

     

       38
       38
       -
           environment.systemPackages = [

     

       39
       39
       -
           ];

     

       40
       40
       -
           security.acme.defaults.email = "${config.eilean.username}@${config.networking.domain}";

     

       30
       30
       +
           environment.systemPackages = [ ];

     

       31
       31
       +
           security.acme.defaults.email =

     

       32
       32
       +
             "${config.eilean.username}@${config.networking.domain}";

     

       41
       33
        
           networking.firewall.allowedTCPPorts = mkIf config.services.nginx.enable [

     

       42
       34
        
             80 # HTTP

     

       43
       35
        
             443 # HTTPS

+6 -7

modules/dns.nix

···

       1
       1
        
       { config, lib, ... }:

     

       2
       2
        
       

     

       3
       3
        
       with lib;

     

       4
       4
       -
       let cfg = config.eilean; in

     

       5
       5
       -
       {

     

       6
       6
       -
         

     

       4
       4
       +
       let cfg = config.eilean;

     

       5
       5
       +
       in {

     

       6
       6
       +
       

     

       7
       7
        
         options.eilean.dns = {

     

       8
       8
        
           enable = mkEnableOption "dns";

     

       9
       9
        
           nameservers = mkOption {

     
···

       11
       11
        
             default = [ "ns1" "ns2" ];

     

       12
       12
        
           };

     

       13
       13
        
         };

     

       14
       14
       -
         

     

       14
       14
       +
       

     

       15
       15
        
         config.eilean.services.dns = mkIf cfg.dns.enable {

     

       16
       16
        
           enable = true;

     

       17
       17
        
           zones.${config.networking.domain} = {

     
···

       37
       37
        
                 type = "AAAA";

     

       38
       38
        
                 data = cfg.serverIpv6;

     

       39
       39
        
               }

     

       40
       40
       -
             ]) cfg.dns.nameservers ++

     

       41
       41
       -
             [

     

       40
       40
       +
             ]) cfg.dns.nameservers ++ [

     

       42
       41
        
               {

     

       43
       42
        
                 name = "@";

     

       44
       43
        
                 type = "A";

     
···

       60
       59
        
                 type = "AAAA";

     

       61
       60
        
                 data = cfg.serverIpv6;

     

       62
       61
        
               }

     

       63
       63
       -
               

     

       62
       62
       +
       

     

       64
       63
        
               {

     

       65
       64
        
                 name = "@";

     

       66
       65
        
                 type = "LOC";

+22 -17

modules/gitea.nix

···

       25
       25
        
               enableACME = true;

     

       26
       26
        
               forceSSL = true;

     

       27
       27
        
               locations."/" = {

     

       28
       28
       -
                 proxyPass = "http://localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}/";

     

       28
       28
       +
                 proxyPass = "http://localhost:${

     

       29
       29
       +
                     builtins.toString config.services.gitea.settings.server.HTTP_PORT

     

       30
       30
       +
                   }/";

     

       29
       31
        
               };

     

       30
       32
        
             };

     

       31
       33
        
           };

     
···

       88
       90
        
             RestrictRealtime = mkForce false;

     

       89
       91
        
             RestrictSUIDSGID = mkForce false;

     

       90
       92
        
             SystemCallArchitectures = mkForce "";

     

       91
       91
       -
             SystemCallFilter = mkForce [];

     

       93
       93
       +
             SystemCallFilter = mkForce [ ];

     

       92
       94
        
           };

     

       93
       95
        
       

     

       94
       96
        
           eilean.dns.enable = true;

     

       95
       95
       -
           eilean.services.dns.zones.${config.networking.domain}.records = [

     

       96
       96
       -
             {

     

       97
       97
       -
               name = "git";

     

       98
       98
       -
               type = "CNAME";

     

       99
       99
       -
               data = "vps";

     

       100
       100
       -
             }

     

       101
       101
       -
           ];

     

       97
       97
       +
           eilean.services.dns.zones.${config.networking.domain}.records = [{

     

       98
       98
       +
             name = "git";

     

       99
       99
       +
             type = "CNAME";

     

       100
       100
       +
             data = "vps";

     

       101
       101
       +
           }];

     

       102
       102
        
       

     

       103
       103
        
           # proxy port 22 on ethernet interface to internal gitea ssh server

     

       104
       104
        
           # openssh server remains accessible on port 22 via vpn(s)

     
···

       110
       110
        
           };

     

       111
       111
        
       

     

       112
       112
        
           networking.firewall = {

     

       113
       113
       -
             allowedTCPPorts = [

     

       114
       114
       -
               22

     

       115
       115
       -
               cfg.gitea.sshPort

     

       116
       116
       -
             ];

     

       113
       113
       +
             allowedTCPPorts = [ 22 cfg.gitea.sshPort ];

     

       117
       114
        
             extraCommands = ''

     

       118
       115
        
               # proxy all traffic on public interface to the gitea SSH server

     

       119
       119
       -
               iptables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}

     

       120
       120
       -
               ip6tables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}

     

       116
       116
       +
               iptables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${

     

       117
       117
       +
                 builtins.toString cfg.gitea.sshPort

     

       118
       118
       +
               }

     

       119
       119
       +
               ip6tables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${

     

       120
       120
       +
                 builtins.toString cfg.gitea.sshPort

     

       121
       121
       +
               }

     

       121
       122
        
       

     

       122
       123
        
               # proxy locally originating outgoing packets

     

       123
       123
       -
               iptables -A OUTPUT -d ${config.eilean.serverIpv4} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}

     

       124
       124
       -
               ip6tables -A OUTPUT -d ${config.eilean.serverIpv6} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}

     

       124
       124
       +
               iptables -A OUTPUT -d ${config.eilean.serverIpv4} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${

     

       125
       125
       +
                 builtins.toString cfg.gitea.sshPort

     

       126
       126
       +
               }

     

       127
       127
       +
               ip6tables -A OUTPUT -d ${config.eilean.serverIpv6} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${

     

       128
       128
       +
                 builtins.toString cfg.gitea.sshPort

     

       129
       129
       +
               }

     

       125
       130
        
             '';

     

       126
       131
        
           };

     

       127
       132

+8 -14

modules/headscale.nix

···

       1
       1
        
       { pkgs, config, lib, ... }:

     

       2
       2
        
       

     

       3
       3
        
       with lib;

     

       4
       4
       -
       let

     

       5
       5
       -
         cfg = config.eilean;

     

       4
       4
       +
       let cfg = config.eilean;

     

       6
       5
        
       in {

     

       7
       6
        
         options.eilean.headscale = with lib; {

     

       8
       7
        
           enable = mkEnableOption "headscale";

     
···

       14
       13
        
           domain = mkOption {

     

       15
       14
        
             type = types.str;

     

       16
       15
        
             default = "headscale.${config.networking.domain}";

     

       17
       17
       -
             defaultText = "headscale.$${config.networking.domain}";

     

       16
       16
       +
             defaultText = "headscale.$\${config.networking.domain}";

     

       18
       17
        
           };

     

       19
       18
        
         };

     

       20
       19
        
       

     
···

       30
       29
        
             settings = {

     

       31
       30
        
               server_url = "https://${cfg.headscale.domain}";

     

       32
       31
        
               logtail.enabled = false;

     

       33
       33
       -
               ip_prefixes = [

     

       34
       34
       -
                 "100.64.0.0/10"

     

       35
       35
       -
                 "fd7a:115c:a1e0::/48"

     

       36
       36
       -
               ];

     

       32
       32
       +
               ip_prefixes = [ "100.64.0.0/10" "fd7a:115c:a1e0::/48" ];

     

       37
       33
        
               dns_config = {

     

       38
       34
        
                 # magicDns = true;

     

       39
       35
        
                 nameservers = config.networking.nameservers;

     
···

       58
       54
        
           environment.systemPackages = [ config.services.headscale.package ];

     

       59
       55
        
       

     

       60
       56
        
           eilean.dns.enable = true;

     

       61
       61
       -
           eilean.services.dns.zones.${cfg.headscale.zone}.records = [

     

       62
       62
       -
             {

     

       63
       63
       -
               name = "${cfg.headscale.domain}.";

     

       64
       64
       -
               type = "CNAME";

     

       65
       65
       -
               data = "vps";

     

       66
       66
       -
             }

     

       67
       67
       -
           ];

     

       57
       57
       +
           eilean.services.dns.zones.${cfg.headscale.zone}.records = [{

     

       58
       58
       +
             name = "${cfg.headscale.domain}.";

     

       59
       59
       +
             type = "CNAME";

     

       60
       60
       +
             data = "vps";

     

       61
       61
       +
           }];

     

       68
       62
        
         };

     

       69
       63
        
       }

+12 -7

modules/mailserver.nix

···

       42
       42
        
           '';

     

       43
       43
        
       

     

       44
       44
        
           services.postfix.config = {

     

       45
       45
       -
             smtpd_tls_protocols = mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       46
       46
       -
             smtp_tls_protocols = mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       47
       47
       -
             smtpd_tls_mandatory_protocols = mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       48
       48
       -
             smtp_tls_mandatory_protocols = mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       45
       45
       +
             smtpd_tls_protocols =

     

       46
       46
       +
               mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       47
       47
       +
             smtp_tls_protocols =

     

       48
       48
       +
               mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       49
       49
       +
             smtpd_tls_mandatory_protocols =

     

       50
       50
       +
               mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       51
       51
       +
             smtp_tls_mandatory_protocols =

     

       52
       52
       +
               mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";

     

       49
       53
        
           };

     

       50
       54
        
       

     

       51
       55
        
           eilean.dns.enable = true;

     
···

       68
       72
        
             {

     

       69
       73
        
               name = "@";

     

       70
       74
        
               type = "TXT";

     

       71
       71
       -
               data = "\"v=spf1 a:mail.${config.networking.domain} -all\"";

     

       75
       75
       +
               data = ''"v=spf1 a:mail.${config.networking.domain} -all"'';

     

       72
       76
        
             }

     

       73
       77
        
             {

     

       74
       78
        
               name = "mail._domainkey";

     

       75
       79
        
               ttl = 10800;

     

       76
       80
        
               type = "TXT";

     

       77
       77
       -
               data = "\"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6YmYYvoFF7VqtGcozpVQa78aaGgZdvc5ZIHqzmkKdCBEyDF2FRbCEK4s2AlC8hhc8O4mSSe3S4AzEhlRgHXbU22GBaUZ3s2WHS8JJwZvWeTjsbXQwjN/U7xpkqXPHLH9IVfOJbHlp4HQmCAXw4NaypgkkxIGK0jaZHm2j6/1izQIDAQAB\"";

     

       81
       81
       +
               data = ''

     

       82
       82
       +
                 "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6YmYYvoFF7VqtGcozpVQa78aaGgZdvc5ZIHqzmkKdCBEyDF2FRbCEK4s2AlC8hhc8O4mSSe3S4AzEhlRgHXbU22GBaUZ3s2WHS8JJwZvWeTjsbXQwjN/U7xpkqXPHLH9IVfOJbHlp4HQmCAXw4NaypgkkxIGK0jaZHm2j6/1izQIDAQAB"'';

     

       78
       83
        
             }

     

       79
       84
        
             {

     

       80
       85
        
               name = "_dmarc";

     

       81
       86
        
               ttl = 10800;

     

       82
       87
        
               type = "TXT";

     

       83
       83
       -
               data = "\"v=DMARC1; p=reject\"";

     

       88
       88
       +
               data = ''"v=DMARC1; p=reject"'';

     

       84
       89
        
             }

     

       85
       90
        
           ];

     

       86
       91
        
         };

+15 -18

modules/mastodon.nix

···

       5
       5
        
         cfg = config.eilean;

     

       6
       6
        
         domain = config.networking.domain;

     

       7
       7
        
       in {

     

       8
       8
       -
         options.eilean.mastodon = {

     

       9
       9
       -
           enable = mkEnableOption "mastodon";

     

       10
       10
       -
         };

     

       8
       8
       +
         options.eilean.mastodon = { enable = mkEnableOption "mastodon"; };

     

       11
       9
        
       

     

       12
       10
        
         config = mkIf cfg.mastodon.enable {

     

       13
       11
        
           services.mastodon = {

     
···

       32
       30
        
               WEB_DOMAIN = "mastodon.${domain}";

     

       33
       31
        
       

     

       34
       32
        
               # https://peterbabic.dev/blog/setting-up-smtp-in-mastodon/

     

       35
       35
       -
               SMTP_SSL="true";

     

       36
       36
       -
               SMTP_ENABLE_STARTTLS="false";

     

       37
       37
       -
               SMTP_OPENSSL_VERIFY_MODE="none";

     

       33
       33
       +
               SMTP_SSL = "true";

     

       34
       34
       +
               SMTP_ENABLE_STARTTLS = "false";

     

       35
       35
       +
               SMTP_OPENSSL_VERIFY_MODE = "none";

     

       38
       36
        
             };

     

       39
       37
        
           };

     

       40
       38
        
       

     

       41
       41
       -
           users.groups.${config.services.mastodon.group}.members = [ config.services.nginx.user ];

     

       39
       39
       +
           users.groups.${config.services.mastodon.group}.members =

     

       40
       40
       +
             [ config.services.nginx.user ];

     

       42
       41
        
       

     

       43
       42
        
           services.nginx = {

     

       44
       43
        
             enable = true;

     
···

       60
       59
        
       

     

       61
       60
        
                 locations."/system/".alias = "/var/lib/mastodon/public-system/";

     

       62
       61
        
       

     

       63
       63
       -
                 locations."/" = {

     

       64
       64
       -
                   tryFiles = "$uri @proxy";

     

       65
       65
       -
                 };

     

       62
       62
       +
                 locations."/" = { tryFiles = "$uri @proxy"; };

     

       66
       63
        
       

     

       67
       64
        
                 locations."@proxy" = {

     

       68
       68
       -
                   proxyPass = "http://127.0.0.1:${builtins.toString config.services.mastodon.webPort}";

     

       65
       65
       +
                   proxyPass = "http://127.0.0.1:${

     

       66
       66
       +
                       builtins.toString config.services.mastodon.webPort

     

       67
       67
       +
                     }";

     

       69
       68
        
                   proxyWebsockets = true;

     

       70
       69
        
                 };

     

       71
       70
        
               };

     
···

       73
       72
        
           };

     

       74
       73
        
       

     

       75
       74
        
           eilean.dns.enable = true;

     

       76
       76
       -
           eilean.services.dns.zones.${config.networking.domain}.records = [

     

       77
       77
       -
             {

     

       78
       78
       -
               name = "mastodon";

     

       79
       79
       -
               type = "CNAME";

     

       80
       80
       -
               data = "vps";

     

       81
       81
       -
             }

     

       82
       82
       -
           ];

     

       75
       75
       +
           eilean.services.dns.zones.${config.networking.domain}.records = [{

     

       76
       76
       +
             name = "mastodon";

     

       77
       77
       +
             type = "CNAME";

     

       78
       78
       +
             data = "vps";

     

       79
       79
       +
           }];

     

       83
       80
        
         };

     

       84
       81
        
       }

+25 -29

modules/matrix/mautrix-instagram.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         lib,

     

       3
       3
       -
         config,

     

       4
       4
       -
         pkgs,

     

       5
       5
       -
         ...

     

       6
       6
       -
       }: let

     

       1
       1
       +
       { lib, config, pkgs, ... }:

     

       2
       2
       +
       let

     

       7
       3
        
         cfg = config.services.mautrix-instagram;

     

       8
       4
        
         dataDir = "/var/lib/mautrix-instagram";

     

       9
       5
        
         registrationFile = "${dataDir}/instagram-registration.yaml";

     

       10
       6
        
         settingsFile = "${dataDir}/config.json";

     

       11
       11
       -
         settingsFileUnsubstituted = settingsFormat.generate "mautrix-instagram-config-unsubstituted.json" cfg.settings;

     

       12
       12
       -
         settingsFormat = pkgs.formats.json {};

     

       7
       7
       +
         settingsFileUnsubstituted =

     

       8
       8
       +
           settingsFormat.generate "mautrix-instagram-config-unsubstituted.json"

     

       9
       9
       +
           cfg.settings;

     

       10
       10
       +
         settingsFormat = pkgs.formats.json { };

     

       13
       11
        
         appservicePort = 29319;

     

       14
       12
        
       

     

       15
       13
        
         mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);

     
···

       30
       28
        
           };

     

       31
       29
        
           bridge = {

     

       32
       30
        
             username_template = "instagram_{{.}}";

     

       33
       33
       -
             double_puppet_server_map = {};

     

       34
       34
       -
             login_shared_secret_map = {};

     

       31
       31
       +
             double_puppet_server_map = { };

     

       32
       32
       +
             login_shared_secret_map = { };

     

       35
       33
        
             permissions."*" = "relay";

     

       36
       34
        
             relay.enabled = true;

     

       37
       35
        
           };

     
···

       47
       45
        
       

     

       48
       46
        
       in {

     

       49
       47
        
         options.services.mautrix-instagram = {

     

       50
       50
       -
           enable = lib.mkEnableOption (lib.mdDoc "mautrix-instagram, a puppeting/relaybot bridge between Matrix and Instagram.");

     

       48
       48
       +
           enable = lib.mkEnableOption (lib.mdDoc

     

       49
       49
       +
             "mautrix-instagram, a puppeting/relaybot bridge between Matrix and Instagram.");

     

       51
       50
        
       

     

       52
       51
        
           settings = lib.mkOption {

     

       53
       52
        
             type = settingsFormat.type;

     
···

       67
       66
        
                 ephemeral_events = false;

     

       68
       67
        
               };

     

       69
       68
        
               bridge = {

     

       70
       70
       -
                 history_sync = {

     

       71
       71
       -
                   request_full_sync = true;

     

       72
       72
       -
                 };

     

       69
       69
       +
                 history_sync = { request_full_sync = true; };

     

       73
       70
        
                 private_chat_portal_meta = true;

     

       74
       71
        
                 mute_bridging = true;

     

       75
       72
        
                 encryption = {

     
···

       77
       74
        
                   default = true;

     

       78
       75
        
                   require = true;

     

       79
       76
        
                 };

     

       80
       80
       -
                 provisioning = {

     

       81
       81
       -
                   shared_secret = "disable";

     

       82
       82
       -
                 };

     

       83
       83
       -
                 permissions = {

     

       84
       84
       -
                   "example.com" = "user";

     

       85
       85
       -
                 };

     

       77
       77
       +
                 provisioning = { shared_secret = "disable"; };

     

       78
       78
       +
                 permissions = { "example.com" = "user"; };

     

       86
       79
        
               };

     

       87
       80
        
             };

     

       88
       81
        
           };

     

       89
       82
        
       

     

       90
       83
        
           serviceDependencies = lib.mkOption {

     

       91
       84
        
             type = with lib.types; listOf str;

     

       92
       92
       -
             default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;

     

       85
       85
       +
             default = lib.optional config.services.matrix-synapse.enable

     

       86
       86
       +
               config.services.matrix-synapse.serviceUnit;

     

       93
       87
        
             defaultText = lib.literalExpression ''

     

       94
       88
        
               optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits

     

       95
       89
        
             '';

     
···

       108
       102
        
             description = "Mautrix-Instagram bridge user";

     

       109
       103
        
           };

     

       110
       104
        
       

     

       111
       111
       -
           users.groups.mautrix-instagram = {};

     

       105
       105
       +
           users.groups.mautrix-instagram = { };

     

       112
       106
        
       

     

       113
       107
        
           services.mautrix-instagram.settings = lib.mkMerge (map mkDefaults [

     

       114
       108
        
             defaultConfig

     

       115
       109
        
             # Note: this is defined here to avoid the docs depending on `config`

     

       116
       116
       -
             { homeserver.domain = config.services.matrix-synapse.settings.server_name; }

     

       110
       110
       +
             {

     

       111
       111
       +
               homeserver.domain = config.services.matrix-synapse.settings.server_name;

     

       112
       112
       +
             }

     

       117
       113
        
           ]);

     

       118
       114
        
       

     

       119
       115
        
           systemd.services.mautrix-instagram = {

     

       120
       116
        
             description = "Mautrix-Instagram Service - A Instagram bridge for Matrix";

     

       121
       117
        
       

     

       122
       122
       -
             wantedBy = ["multi-user.target"];

     

       123
       123
       -
             wants = ["network-online.target"] ++ cfg.serviceDependencies;

     

       124
       124
       -
             after = ["network-online.target"] ++ cfg.serviceDependencies;

     

       118
       118
       +
             wantedBy = [ "multi-user.target" ];

     

       119
       119
       +
             wants = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       120
       120
       +
             after = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       125
       121
        
       

     

       126
       122
        
             preStart = ''

     

       127
       123
        
               # substitute the settings file by environment variables

     
···

       182
       178
        
               RestrictSUIDSGID = true;

     

       183
       179
        
               SystemCallArchitectures = "native";

     

       184
       180
        
               SystemCallErrorNumber = "EPERM";

     

       185
       185
       -
               SystemCallFilter = ["@system-service"];

     

       181
       181
       +
               SystemCallFilter = [ "@system-service" ];

     

       186
       182
        
               Type = "simple";

     

       187
       187
       -
               UMask = 0027;

     

       183
       183
       +
               UMask = 27;

     

       188
       184
        
             };

     

       189
       189
       -
             restartTriggers = [settingsFileUnsubstituted];

     

       185
       185
       +
             restartTriggers = [ settingsFileUnsubstituted ];

     

       190
       186
        
           };

     

       191
       187
        
         };

     

       192
       188
        
       }

+25 -29

modules/matrix/mautrix-messenger.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         lib,

     

       3
       3
       -
         config,

     

       4
       4
       -
         pkgs,

     

       5
       5
       -
         ...

     

       6
       6
       -
       }: let

     

       1
       1
       +
       { lib, config, pkgs, ... }:

     

       2
       2
       +
       let

     

       7
       3
        
         cfg = config.services.mautrix-messenger;

     

       8
       4
        
         dataDir = "/var/lib/mautrix-messenger";

     

       9
       5
        
         registrationFile = "${dataDir}/messenger-registration.yaml";

     

       10
       6
        
         settingsFile = "${dataDir}/config.json";

     

       11
       11
       -
         settingsFileUnsubstituted = settingsFormat.generate "mautrix-messenger-config-unsubstituted.json" cfg.settings;

     

       12
       12
       -
         settingsFormat = pkgs.formats.json {};

     

       7
       7
       +
         settingsFileUnsubstituted =

     

       8
       8
       +
           settingsFormat.generate "mautrix-messenger-config-unsubstituted.json"

     

       9
       9
       +
           cfg.settings;

     

       10
       10
       +
         settingsFormat = pkgs.formats.json { };

     

       13
       11
        
         appservicePort = 29320;

     

       14
       12
        
       

     

       15
       13
        
         mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);

     
···

       30
       28
        
           };

     

       31
       29
        
           bridge = {

     

       32
       30
        
             username_template = "messenger_{{.}}";

     

       33
       33
       -
             double_puppet_server_map = {};

     

       34
       34
       -
             login_shared_secret_map = {};

     

       31
       31
       +
             double_puppet_server_map = { };

     

       32
       32
       +
             login_shared_secret_map = { };

     

       35
       33
        
             permissions."*" = "relay";

     

       36
       34
        
             relay.enabled = true;

     

       37
       35
        
           };

     
···

       47
       45
        
       

     

       48
       46
        
       in {

     

       49
       47
        
         options.services.mautrix-messenger = {

     

       50
       50
       -
           enable = lib.mkEnableOption (lib.mdDoc "mautrix-messenger, a puppeting/relaybot bridge between Matrix and Messenger.");

     

       48
       48
       +
           enable = lib.mkEnableOption (lib.mdDoc

     

       49
       49
       +
             "mautrix-messenger, a puppeting/relaybot bridge between Matrix and Messenger.");

     

       51
       50
        
       

     

       52
       51
        
           settings = lib.mkOption {

     

       53
       52
        
             type = settingsFormat.type;

     
···

       67
       66
        
                 ephemeral_events = false;

     

       68
       67
        
               };

     

       69
       68
        
               bridge = {

     

       70
       70
       -
                 history_sync = {

     

       71
       71
       -
                   request_full_sync = true;

     

       72
       72
       -
                 };

     

       69
       69
       +
                 history_sync = { request_full_sync = true; };

     

       73
       70
        
                 private_chat_portal_meta = true;

     

       74
       71
        
                 mute_bridging = true;

     

       75
       72
        
                 encryption = {

     
···

       77
       74
        
                   default = true;

     

       78
       75
        
                   require = true;

     

       79
       76
        
                 };

     

       80
       80
       -
                 provisioning = {

     

       81
       81
       -
                   shared_secret = "disable";

     

       82
       82
       -
                 };

     

       83
       83
       -
                 permissions = {

     

       84
       84
       -
                   "example.com" = "user";

     

       85
       85
       -
                 };

     

       77
       77
       +
                 provisioning = { shared_secret = "disable"; };

     

       78
       78
       +
                 permissions = { "example.com" = "user"; };

     

       86
       79
        
               };

     

       87
       80
        
             };

     

       88
       81
        
           };

     

       89
       82
        
       

     

       90
       83
        
           serviceDependencies = lib.mkOption {

     

       91
       84
        
             type = with lib.types; listOf str;

     

       92
       92
       -
             default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;

     

       85
       85
       +
             default = lib.optional config.services.matrix-synapse.enable

     

       86
       86
       +
               config.services.matrix-synapse.serviceUnit;

     

       93
       87
        
             defaultText = lib.literalExpression ''

     

       94
       88
        
               optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits

     

       95
       89
        
             '';

     
···

       108
       102
        
             description = "Mautrix-Messenger bridge user";

     

       109
       103
        
           };

     

       110
       104
        
       

     

       111
       111
       -
           users.groups.mautrix-messenger = {};

     

       105
       105
       +
           users.groups.mautrix-messenger = { };

     

       112
       106
        
       

     

       113
       107
        
           services.mautrix-messenger.settings = lib.mkMerge (map mkDefaults [

     

       114
       108
        
             defaultConfig

     

       115
       109
        
             # Note: this is defined here to avoid the docs depending on `config`

     

       116
       116
       -
             { homeserver.domain = config.services.matrix-synapse.settings.server_name; }

     

       110
       110
       +
             {

     

       111
       111
       +
               homeserver.domain = config.services.matrix-synapse.settings.server_name;

     

       112
       112
       +
             }

     

       117
       113
        
           ]);

     

       118
       114
        
       

     

       119
       115
        
           systemd.services.mautrix-messenger = {

     

       120
       116
        
             description = "Mautrix-Messenger Service - A Messenger bridge for Matrix";

     

       121
       117
        
       

     

       122
       122
       -
             wantedBy = ["multi-user.target"];

     

       123
       123
       -
             wants = ["network-online.target"] ++ cfg.serviceDependencies;

     

       124
       124
       -
             after = ["network-online.target"] ++ cfg.serviceDependencies;

     

       118
       118
       +
             wantedBy = [ "multi-user.target" ];

     

       119
       119
       +
             wants = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       120
       120
       +
             after = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       125
       121
        
       

     

       126
       122
        
             preStart = ''

     

       127
       123
        
               # substitute the settings file by environment variables

     
···

       182
       178
        
               RestrictSUIDSGID = true;

     

       183
       179
        
               SystemCallArchitectures = "native";

     

       184
       180
        
               SystemCallErrorNumber = "EPERM";

     

       185
       185
       -
               SystemCallFilter = ["@system-service"];

     

       181
       181
       +
               SystemCallFilter = [ "@system-service" ];

     

       186
       182
        
               Type = "simple";

     

       187
       187
       -
               UMask = 0027;

     

       183
       183
       +
               UMask = 27;

     

       188
       184
        
             };

     

       189
       189
       -
             restartTriggers = [settingsFileUnsubstituted];

     

       185
       185
       +
             restartTriggers = [ settingsFileUnsubstituted ];

     

       190
       186
        
           };

     

       191
       187
        
         };

     

       192
       188
        
       }

+26 -29

modules/matrix/mautrix-signal.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         lib,

     

       3
       3
       -
         config,

     

       4
       4
       -
         pkgs,

     

       5
       5
       -
         ...

     

       6
       6
       -
       }: let

     

       1
       1
       +
       { lib, config, pkgs, ... }:

     

       2
       2
       +
       let

     

       7
       3
        
         cfg = config.services.mautrix-signal;

     

       8
       4
        
         dataDir = "/var/lib/mautrix-signal";

     

       9
       5
        
         registrationFile = "${dataDir}/signal-registration.yaml";

     

       10
       6
        
         settingsFile = "${dataDir}/config.json";

     

       11
       11
       -
         settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" cfg.settings;

     

       12
       12
       -
         settingsFormat = pkgs.formats.json {};

     

       7
       7
       +
         settingsFileUnsubstituted =

     

       8
       8
       +
           settingsFormat.generate "mautrix-signal-config-unsubstituted.json"

     

       9
       9
       +
           cfg.settings;

     

       10
       10
       +
         settingsFormat = pkgs.formats.json { };

     

       13
       11
        
         appservicePort = 29328;

     

       14
       12
        
       

     

       15
       13
        
         mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);

     
···

       32
       30
        
           };

     

       33
       31
        
           bridge = {

     

       34
       32
        
             username_template = "signal_{{.}}";

     

       35
       35
       -
             double_puppet_server_map = {};

     

       36
       36
       -
             login_shared_secret_map = {};

     

       33
       33
       +
             double_puppet_server_map = { };

     

       34
       34
       +
             login_shared_secret_map = { };

     

       37
       35
        
             permissions."*" = "relay";

     

       38
       36
        
           };

     

       39
       37
        
           logging = {

     
···

       48
       46
        
       

     

       49
       47
        
       in {

     

       50
       48
        
         options.services.mautrix-signal = {

     

       51
       51
       -
           enable = lib.mkEnableOption (lib.mdDoc "mautrix-signal, a puppeting/relaybot bridge between Matrix and Signal.");

     

       49
       49
       +
           enable = lib.mkEnableOption (lib.mdDoc

     

       50
       50
       +
             "mautrix-signal, a puppeting/relaybot bridge between Matrix and Signal.");

     

       52
       51
        
       

     

       53
       52
        
           settings = lib.mkOption {

     

       54
       53
        
             type = settingsFormat.type;

     
···

       68
       67
        
                 ephemeral_events = false;

     

       69
       68
        
               };

     

       70
       69
        
               bridge = {

     

       71
       71
       -
                 history_sync = {

     

       72
       72
       -
                   request_full_sync = true;

     

       73
       73
       -
                 };

     

       70
       70
       +
                 history_sync = { request_full_sync = true; };

     

       74
       71
        
                 private_chat_portal_meta = true;

     

       75
       72
        
                 mute_bridging = true;

     

       76
       73
        
                 encryption = {

     
···

       78
       75
        
                   default = true;

     

       79
       76
        
                   require = true;

     

       80
       77
        
                 };

     

       81
       81
       -
                 provisioning = {

     

       82
       82
       -
                   shared_secret = "disable";

     

       83
       83
       -
                 };

     

       84
       84
       -
                 permissions = {

     

       85
       85
       -
                   "example.com" = "user";

     

       86
       86
       -
                 };

     

       78
       78
       +
                 provisioning = { shared_secret = "disable"; };

     

       79
       79
       +
                 permissions = { "example.com" = "user"; };

     

       87
       80
        
               };

     

       88
       81
        
             };

     

       89
       82
        
           };

     

       90
       83
        
       

     

       91
       84
        
           serviceDependencies = lib.mkOption {

     

       92
       85
        
             type = with lib.types; listOf str;

     

       93
       93
       -
             default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;

     

       86
       86
       +
             default = lib.optional config.services.matrix-synapse.enable

     

       87
       87
       +
               config.services.matrix-synapse.serviceUnit;

     

       94
       88
        
             defaultText = lib.literalExpression ''

     

       95
       89
        
               optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits

     

       96
       90
        
             '';

     
···

       111
       105
        
             description = "Mautrix-Signal bridge user";

     

       112
       106
        
           };

     

       113
       107
        
       

     

       114
       114
       -
           users.groups.mautrix-signal = {};

     

       108
       108
       +
           users.groups.mautrix-signal = { };

     

       115
       109
        
       

     

       116
       110
        
           services.mautrix-signal.settings = lib.mkMerge (map mkDefaults [

     

       117
       111
        
             defaultConfig

     

       118
       112
        
             # Note: this is defined here to avoid the docs depending on `config`

     

       119
       119
       -
             { homeserver.domain = config.services.matrix-synapse.settings.server_name; }

     

       113
       113
       +
             {

     

       114
       114
       +
               homeserver.domain = config.services.matrix-synapse.settings.server_name;

     

       115
       115
       +
             }

     

       120
       116
        
           ]);

     

       121
       117
        
       

     

       122
       118
        
           systemd.services.mautrix-signal = {

     
···

       126
       122
        
             # voice messages need `ffmpeg`

     

       127
       123
        
             path = [ pkgs.ffmpeg ];

     

       128
       124
        
       

     

       129
       129
       -
             wantedBy = ["multi-user.target"];

     

       130
       130
       -
             wants = ["network-online.target"] ++ cfg.serviceDependencies;

     

       131
       131
       -
             after = ["network-online.target" "signald.service"] ++ cfg.serviceDependencies;

     

       125
       125
       +
             wantedBy = [ "multi-user.target" ];

     

       126
       126
       +
             wants = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       127
       127
       +
             after = [ "network-online.target" "signald.service" ]

     

       128
       128
       +
               ++ cfg.serviceDependencies;

     

       132
       129
        
       

     

       133
       130
        
             preStart = ''

     

       134
       131
        
               # substitute the settings file by environment variables

     
···

       190
       187
        
               RestrictSUIDSGID = true;

     

       191
       188
        
               SystemCallArchitectures = "native";

     

       192
       189
        
               SystemCallErrorNumber = "EPERM";

     

       193
       193
       -
               SystemCallFilter = ["@system-service"];

     

       190
       190
       +
               SystemCallFilter = [ "@system-service" ];

     

       194
       191
        
               Type = "simple";

     

       195
       195
       -
               UMask = 0027;

     

       192
       192
       +
               UMask = 27;

     

       196
       193
        
             };

     

       197
       197
       -
             restartTriggers = [settingsFileUnsubstituted];

     

       194
       194
       +
             restartTriggers = [ settingsFileUnsubstituted ];

     

       198
       195
        
           };

     

       199
       196
        
         };

     

       200
       197
        
       }

+91 -82

modules/matrix/synapse.nix

···

       4
       4
        
       let

     

       5
       5
        
         cfg = config.eilean;

     

       6
       6
        
         turnSharedSecretFile = "/run/matrix-synapse/turn-shared-secret";

     

       7
       7
       -
       in

     

       8
       8
       -
       {

     

       7
       7
       +
       in {

     

       9
       8
        
         options.eilean.matrix = {

     

       10
       9
        
           enable = mkEnableOption "matrix";

     

       11
       10
        
           turn = mkOption {

     
···

       68
       67
        
                 enableACME = true;

     

       69
       68
        
                 forceSSL = true;

     

       70
       69
        
       

     

       71
       71
       -
                 locations."= /.well-known/matrix/server".extraConfig =

     

       72
       72
       -
                   let

     

       73
       73
       -
                     # use 443 instead of the default 8448 port to unite

     

       74
       74
       -
                     # the client-server and server-server port for simplicity

     

       75
       75
       -
                     server = { "m.server" = "matrix.${config.networking.domain}:443"; };

     

       76
       76
       -
                   in ''

     

       77
       77
       -
                     default_type application/json;

     

       78
       78
       -
                     return 200 '${builtins.toJSON server}';

     

       79
       79
       -
                   '';

     

       80
       80
       -
                 locations."= /.well-known/matrix/client".extraConfig =

     

       81
       81
       -
                   let

     

       82
       82
       -
                     client = {

     

       83
       83
       -
                       "m.homeserver" =  { "base_url" = "https://matrix.${config.networking.domain}"; };

     

       84
       84
       -
                       "m.identity_server" =  { "base_url" = "https://vector.im"; };

     

       70
       70
       +
                 locations."= /.well-known/matrix/server".extraConfig = let

     

       71
       71
       +
                   # use 443 instead of the default 8448 port to unite

     

       72
       72
       +
                   # the client-server and server-server port for simplicity

     

       73
       73
       +
                   server = { "m.server" = "matrix.${config.networking.domain}:443"; };

     

       74
       74
       +
                 in ''

     

       75
       75
       +
                   default_type application/json;

     

       76
       76
       +
                   return 200 '${builtins.toJSON server}';

     

       77
       77
       +
                 '';

     

       78
       78
       +
                 locations."= /.well-known/matrix/client".extraConfig = let

     

       79
       79
       +
                   client = {

     

       80
       80
       +
                     "m.homeserver" = {

     

       81
       81
       +
                       "base_url" = "https://matrix.${config.networking.domain}";

     

       85
       82
        
                     };

     

       83
       83
       +
                     "m.identity_server" = { "base_url" = "https://vector.im"; };

     

       84
       84
       +
                   };

     

       86
       85
        
                   # ACAO required to allow element-web on any URL to request this json file

     

       87
       86
        
                   # set other headers due to https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md

     

       88
       88
       -
                   in ''

     

       89
       89
       -
                     default_type application/json;

     

       90
       90
       -
                     add_header Access-Control-Allow-Origin *;

     

       91
       91
       -
                     add_header Strict-Transport-Security max-age=31536000 always;

     

       92
       92
       -
                     add_header X-Frame-Options SAMEORIGIN always;

     

       93
       93
       -
                     add_header X-Content-Type-Options nosniff always;

     

       94
       94
       -
                     add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;

     

       95
       95
       -
                     add_header Referrer-Policy 'same-origin';

     

       96
       96
       -
                     return 200 '${builtins.toJSON client}';

     

       97
       97
       -
                   '';

     

       87
       87
       +
                 in ''

     

       88
       88
       +
                   default_type application/json;

     

       89
       89
       +
                   add_header Access-Control-Allow-Origin *;

     

       90
       90
       +
                   add_header Strict-Transport-Security max-age=31536000 always;

     

       91
       91
       +
                   add_header X-Frame-Options SAMEORIGIN always;

     

       92
       92
       +
                   add_header X-Content-Type-Options nosniff always;

     

       93
       93
       +
                   add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;

     

       94
       94
       +
                   add_header Referrer-Policy 'same-origin';

     

       95
       95
       +
                   return 200 '${builtins.toJSON client}';

     

       96
       96
       +
                 '';

     

       98
       97
        
               };

     

       99
       98
        
       

     

       100
       99
        
               # Reverse proxy for Matrix client-server and server-server communication

     
···

       125
       124
        
                 enable_registration = true;

     

       126
       125
        
                 registration_requires_token = true;

     

       127
       126
        
                 registration_shared_secret_path = cfg.matrix.registrationSecretFile;

     

       128
       128
       -
                 listeners = [

     

       129
       129
       -
                   {

     

       130
       130
       -
                     port = 8008;

     

       131
       131
       -
                     bind_addresses = [ "::1" "127.0.0.1" ];

     

       132
       132
       -
                     type = "http";

     

       133
       133
       -
                     tls = false;

     

       134
       134
       -
                     x_forwarded = true;

     

       135
       135
       -
                     resources = [

     

       136
       136
       -
                       {

     

       137
       137
       -
                         names = [ "client" "federation" ];

     

       138
       138
       -
                         compress = false;

     

       139
       139
       -
                       }

     

       140
       140
       -
                     ];

     

       141
       141
       -
                   }

     

       142
       142
       -
                 ];

     

       127
       127
       +
                 listeners = [{

     

       128
       128
       +
                   port = 8008;

     

       129
       129
       +
                   bind_addresses = [ "::1" "127.0.0.1" ];

     

       130
       130
       +
                   type = "http";

     

       131
       131
       +
                   tls = false;

     

       132
       132
       +
                   x_forwarded = true;

     

       133
       133
       +
                   resources = [{

     

       134
       134
       +
                     names = [ "client" "federation" ];

     

       135
       135
       +
                     compress = false;

     

       136
       136
       +
                   }];

     

       137
       137
       +
                 }];

     

       143
       138
        
                 max_upload_size = "100M";

     

       144
       144
       -
                 app_service_config_files =

     

       145
       145
       -
                   (optional cfg.matrix.bridges.whatsapp "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml") ++

     

       146
       146
       -
                   (optional cfg.matrix.bridges.signal "/var/lib/mautrix-signal/signal-registration.yaml") ++

     

       147
       147
       -
                   (optional cfg.matrix.bridges.instagram "/var/lib/mautrix-instagram/instagram-registration.yaml") ++

     

       148
       148
       -
                   (optional cfg.matrix.bridges.messenger "/var/lib/mautrix-messenger/messenger-registration.yaml");

     

       139
       139
       +
                 app_service_config_files = (optional cfg.matrix.bridges.whatsapp

     

       140
       140
       +
                   "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml")

     

       141
       141
       +
                   ++ (optional cfg.matrix.bridges.signal

     

       142
       142
       +
                     "/var/lib/mautrix-signal/signal-registration.yaml")

     

       143
       143
       +
                   ++ (optional cfg.matrix.bridges.instagram

     

       144
       144
       +
                     "/var/lib/mautrix-instagram/instagram-registration.yaml")

     

       145
       145
       +
                   ++ (optional cfg.matrix.bridges.messenger

     

       146
       146
       +
                     "/var/lib/mautrix-messenger/messenger-registration.yaml");

     

       149
       147
        
               }

     

       150
       148
        
               (mkIf cfg.matrix.turn {

     

       151
       149
        
                 turn_uris = with config.services.coturn; [

     
···

       157
       155
        
                 turn_user_lifetime = "1h";

     

       158
       156
        
               })

     

       159
       157
        
             ];

     

       160
       160
       -
             extraConfigFiles = mkIf cfg.matrix.turn (

     

       161
       161
       -
               [ turnSharedSecretFile ]

     

       162
       162
       -
             );

     

       158
       158
       +
             extraConfigFiles = mkIf cfg.matrix.turn ([ turnSharedSecretFile ]);

     

       163
       159
        
           };

     

       164
       160
        
       

     

       165
       165
       -
           systemd.services.matrix-synapse-turn-shared-secret-generator = mkIf cfg.matrix.turn {

     

       166
       166
       -
             description = "Generate matrix synapse turn shared secret config file";

     

       167
       167
       -
             script = ''

     

       168
       168
       -
               mkdir -p "$(dirname '${turnSharedSecretFile}')"

     

       169
       169
       -
               echo "turn_shared_secret: $(cat '${config.services.coturn.static-auth-secret-file}')" > '${turnSharedSecretFile}'

     

       170
       170
       -
               chmod 770 '${turnSharedSecretFile}'

     

       171
       171
       -
               chown ${config.systemd.services.matrix-synapse.serviceConfig.User}:${config.systemd.services.matrix-synapse.serviceConfig.Group} '${turnSharedSecretFile}'

     

       161
       161
       +
           systemd.services.matrix-synapse-turn-shared-secret-generator =

     

       162
       162
       +
             mkIf cfg.matrix.turn {

     

       163
       163
       +
               description = "Generate matrix synapse turn shared secret config file";

     

       164
       164
       +
               script = ''

     

       165
       165
       +
                 mkdir -p "$(dirname '${turnSharedSecretFile}')"

     

       166
       166
       +
                 echo "turn_shared_secret: $(cat '${config.services.coturn.static-auth-secret-file}')" > '${turnSharedSecretFile}'

     

       167
       167
       +
                 chmod 770 '${turnSharedSecretFile}'

     

       168
       168
       +
                 chown ${config.systemd.services.matrix-synapse.serviceConfig.User}:${config.systemd.services.matrix-synapse.serviceConfig.Group} '${turnSharedSecretFile}'

     

       172
       169
        
               '';

     

       173
       173
       -
             serviceConfig.Type = "oneshot";

     

       174
       174
       -
             serviceConfig.RemainAfterExit = true;

     

       175
       175
       -
             after = [ "coturn-static-auth-secret-generator.service" ];

     

       176
       176
       -
             requires = [ "coturn-static-auth-secret-generator.service" ];

     

       177
       177
       -
           };

     

       178
       178
       -
           systemd.services."matrix-synapse".after = mkIf cfg.matrix.turn [ "matrix-synapse-turn-shared-secret-generator.service" ];

     

       179
       179
       -
           systemd.services."matrix-synapse".requires = mkIf cfg.matrix.turn [ "matrix-synapse-turn-shared-secret-generator.service" ];

     

       170
       170
       +
               serviceConfig.Type = "oneshot";

     

       171
       171
       +
               serviceConfig.RemainAfterExit = true;

     

       172
       172
       +
               after = [ "coturn-static-auth-secret-generator.service" ];

     

       173
       173
       +
               requires = [ "coturn-static-auth-secret-generator.service" ];

     

       174
       174
       +
             };

     

       175
       175
       +
           systemd.services."matrix-synapse".after = mkIf cfg.matrix.turn

     

       176
       176
       +
             [ "matrix-synapse-turn-shared-secret-generator.service" ];

     

       177
       177
       +
           systemd.services."matrix-synapse".requires = mkIf cfg.matrix.turn

     

       178
       178
       +
             [ "matrix-synapse-turn-shared-secret-generator.service" ];

     

       180
       179
        
       

     

       181
       180
        
           systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups =

     

       182
       182
       -
             (optional cfg.matrix.bridges.whatsapp config.systemd.services.mautrix-whatsapp.serviceConfig.Group) ++

     

       183
       183
       -
             (optional cfg.matrix.bridges.signal config.systemd.services.mautrix-signal.serviceConfig.Group) ++

     

       184
       184
       -
             (optional cfg.matrix.bridges.instagram config.systemd.services.mautrix-instagram.serviceConfig.Group) ++

     

       185
       185
       -
             (optional cfg.matrix.bridges.messenger config.systemd.services.mautrix-messenger.serviceConfig.Group);

     

       181
       181
       +
             (optional cfg.matrix.bridges.whatsapp

     

       182
       182
       +
               config.systemd.services.mautrix-whatsapp.serviceConfig.Group)

     

       183
       183
       +
             ++ (optional cfg.matrix.bridges.signal

     

       184
       184
       +
               config.systemd.services.mautrix-signal.serviceConfig.Group)

     

       185
       185
       +
             ++ (optional cfg.matrix.bridges.instagram

     

       186
       186
       +
               config.systemd.services.mautrix-instagram.serviceConfig.Group)

     

       187
       187
       +
             ++ (optional cfg.matrix.bridges.messenger

     

       188
       188
       +
               config.systemd.services.mautrix-messenger.serviceConfig.Group);

     

       186
       189
        
       

     

       187
       190
        
           services.mautrix-whatsapp = mkIf cfg.matrix.bridges.whatsapp {

     

       188
       191
        
             enable = true;

     

       189
       189
       -
             settings.homeserver.address = "https://matrix.${config.networking.domain}";

     

       192
       192
       +
             settings.homeserver.address =

     

       193
       193
       +
               "https://matrix.${config.networking.domain}";

     

       190
       194
        
             settings.homeserver.domain = config.networking.domain;

     

       191
       195
        
             settings.appservice.hostname = "localhost";

     

       192
       196
        
             settings.appservice.address = "http://localhost:29318";

     

       193
       197
        
             settings.bridge.personal_filtering_spaces = true;

     

       194
       198
        
             settings.bridge.history_sync.backfill = false;

     

       195
       195
       -
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";

     

       199
       199
       +
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =

     

       200
       200
       +
               "admin";

     

       196
       201
        
           };

     

       197
       202
        
           services.mautrix-signal = mkIf cfg.matrix.bridges.signal {

     

       198
       203
        
             enable = true;

     

       199
       199
       -
             settings.homeserver.address = "https://matrix.${config.networking.domain}";

     

       204
       204
       +
             settings.homeserver.address =

     

       205
       205
       +
               "https://matrix.${config.networking.domain}";

     

       200
       206
        
             settings.homeserver.domain = config.networking.domain;

     

       201
       207
        
             settings.appservice.hostname = "localhost";

     

       202
       208
        
             settings.appservice.address = "http://localhost:29328";

     

       203
       209
        
             settings.bridge.personal_filtering_spaces = true;

     

       204
       204
       -
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";

     

       210
       210
       +
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =

     

       211
       211
       +
               "admin";

     

       205
       212
        
           };

     

       206
       213
        
           services.mautrix-instagram = mkIf cfg.matrix.bridges.instagram {

     

       207
       214
        
             enable = true;

     

       208
       208
       -
             settings.homeserver.address = "https://matrix.${config.networking.domain}";

     

       215
       215
       +
             settings.homeserver.address =

     

       216
       216
       +
               "https://matrix.${config.networking.domain}";

     

       209
       217
        
             settings.homeserver.domain = config.networking.domain;

     

       210
       218
        
             settings.appservice.hostname = "localhost";

     

       211
       219
        
             settings.appservice.address = "http://localhost:29319";

     

       212
       220
        
             settings.bridge.personal_filtering_spaces = true;

     

       213
       221
        
             settings.bridge.backfill.enabled = false;

     

       214
       214
       -
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";

     

       222
       222
       +
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =

     

       223
       223
       +
               "admin";

     

       215
       224
        
           };

     

       216
       225
        
           services.mautrix-messenger = mkIf cfg.matrix.bridges.messenger {

     

       217
       226
        
             enable = true;

     

       218
       218
       -
             settings.homeserver.address = "https://matrix.${config.networking.domain}";

     

       227
       227
       +
             settings.homeserver.address =

     

       228
       228
       +
               "https://matrix.${config.networking.domain}";

     

       219
       229
        
             settings.homeserver.domain = config.networking.domain;

     

       220
       230
        
             settings.appservice.hostname = "localhost";

     

       221
       231
        
             settings.appservice.address = "http://localhost:29320";

     

       222
       232
        
             settings.bridge.personal_filtering_spaces = true;

     

       223
       233
        
             settings.bridge.backfill.enabled = false;

     

       224
       224
       -
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";

     

       234
       234
       +
             settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =

     

       235
       235
       +
               "admin";

     

       225
       236
        
           };

     

       226
       237
        
       

     

       227
       238
        
           eilean.turn.enable = mkIf cfg.matrix.turn true;

     

       228
       239
        
       

     

       229
       240
        
           eilean.dns.enable = true;

     

       230
       230
       -
           eilean.services.dns.zones.${config.networking.domain}.records = [

     

       231
       231
       -
             {

     

       232
       232
       -
               name = "matrix";

     

       233
       233
       -
               type = "CNAME";

     

       234
       234
       -
               data = "vps";

     

       235
       235
       -
             }

     

       236
       236
       -
           ];

     

       241
       241
       +
           eilean.services.dns.zones.${config.networking.domain}.records = [{

     

       242
       242
       +
             name = "matrix";

     

       243
       243
       +
             type = "CNAME";

     

       244
       244
       +
             data = "vps";

     

       245
       245
       +
           }];

     

       237
       246
        
         };

     

       238
       247
        
       }

+19 -20

modules/services/dns/bind.nix

···

       1
       1
        
       { pkgs, config, lib, ... }:

     

       2
       2
        
       

     

       3
       3
       -
       let cfg = config.eilean.services.dns; in

     

       4
       4
       -
       lib.mkIf (cfg.enable && cfg.server == "bind") {

     

       3
       3
       +
       let cfg = config.eilean.services.dns;

     

       4
       4
       +
       in lib.mkIf (cfg.enable && cfg.server == "bind") {

     

       5
       5
        
         services.bind = {

     

       6
       6
        
           enable = true;

     

       7
       7
        
           # recursive resolver

     

       8
       8
        
           # cacheNetworks = [ "0.0.0.0/0" ];

     

       9
       9
       -
           zones =

     

       10
       10
       -
             let mapZones = zonename: zone:

     

       11
       11
       -
               {

     

       12
       12
       -
                 master = true;

     

       13
       13
       -
                 file = "${config.services.bind.directory}/${zonename}";

     

       14
       14
       -
                 #file = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";

     

       15
       15
       -
                 # axfr zone transfer

     

       16
       16
       -
                 slaves = [

     

       17
       17
       -
                   "127.0.0.1"

     

       18
       18
       -
                 ];

     

       19
       19
       -
               };

     

       20
       20
       -
             in builtins.mapAttrs mapZones cfg.zones;

     

       9
       9
       +
           zones = let

     

       10
       10
       +
             mapZones = zonename: zone: {

     

       11
       11
       +
               master = true;

     

       12
       12
       +
               file = "${config.services.bind.directory}/${zonename}";

     

       13
       13
       +
               #file = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";

     

       14
       14
       +
               # axfr zone transfer

     

       15
       15
       +
               slaves = [ "127.0.0.1" ];

     

       16
       16
       +
             };

     

       17
       17
       +
           in builtins.mapAttrs mapZones cfg.zones;

     

       21
       18
        
         };

     

       22
       19
        
       

     

       23
       20
        
         ### bind prestart copy zonefiles

     

       24
       24
       -
         systemd.services.bind.preStart =

     

       25
       25
       -
           let ops =

     

       26
       26
       -
             let mapZones = zonename: zone:

     

       21
       21
       +
         systemd.services.bind.preStart = let

     

       22
       22
       +
           ops = let

     

       23
       23
       +
             mapZones = zonename: zone:

     

       27
       24
        
               let

     

       28
       28
       -
                 zonefile = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";

     

       25
       25
       +
                 zonefile = "${

     

       26
       26
       +
                     import ./zonefile.nix { inherit pkgs config lib zonename zone; }

     

       27
       27
       +
                   }/${zonename}";

     

       29
       28
        
                 path = "${config.services.bind.directory}/${zonename}";

     

       30
       29
        
               in ''

     

       31
       30
        
                 if ! diff ${zonefile} ${path} > /dev/null; then

     
···

       35
       34
        
                   rm -f ${path}.signed.jnl

     

       36
       35
        
                 fi

     

       37
       36
        
               '';

     

       38
       38
       -
             in lib.attrsets.mapAttrsToList mapZones cfg.zones;

     

       39
       39
       -
           in builtins.concatStringsSep "\n" ops;

     

       37
       37
       +
           in lib.attrsets.mapAttrsToList mapZones cfg.zones;

     

       38
       38
       +
         in builtins.concatStringsSep "\n" ops;

     

       40
       39
        
       }

+12 -23

modules/services/dns/default.nix

···

       17
       17
        
               default = "dns";

     

       18
       18
        
             };

     

       19
       19
        
             # TODO auto increment

     

       20
       20
       -
             serial = mkOption {

     

       21
       21
       -
               type = types.int;

     

       22
       22
       -
             };

     

       20
       20
       +
             serial = mkOption { type = types.int; };

     

       23
       21
        
             refresh = mkOption {

     

       24
       22
        
               type = types.int;

     

       25
       23
        
               default = 3600; # 1hr

     
···

       37
       35
        
               default = 3600; # 1hr

     

       38
       36
        
             };

     

       39
       37
        
           };

     

       40
       40
       -
           records =

     

       41
       41
       -
             let recordOpts.options = {

     

       42
       42
       -
               name = mkOption {

     

       43
       43
       -
                 type = types.str;

     

       44
       44
       -
               };

     

       38
       38
       +
           records = let

     

       39
       39
       +
             recordOpts.options = {

     

       40
       40
       +
               name = mkOption { type = types.str; };

     

       45
       41
        
               ttl = mkOption {

     

       46
       42
        
                 type = with types; nullOr int;

     

       47
       43
        
                 default = null;

     

       48
       44
        
               };

     

       49
       49
       -
               type = mkOption {

     

       50
       50
       -
                 type = types.str;

     

       51
       51
       -
               };

     

       52
       52
       -
               data = mkOption {

     

       53
       53
       -
                 type = types.str;

     

       54
       54
       -
               };

     

       45
       45
       +
               type = mkOption { type = types.str; };

     

       46
       46
       +
               data = mkOption { type = types.str; };

     

       55
       47
        
             };

     

       56
       56
       -
             in mkOption {

     

       57
       57
       -
               type = with types; listOf (submodule recordOpts);

     

       58
       58
       -
               default = [ ];

     

       59
       59
       -
             };

     

       48
       48
       +
           in mkOption {

     

       49
       49
       +
             type = with types; listOf (submodule recordOpts);

     

       50
       50
       +
             default = [ ];

     

       51
       51
       +
           };

     

       60
       52
        
         };

     

       61
       61
       -
       in

     

       62
       62
       -
       {

     

       53
       53
       +
       in {

     

       63
       54
        
         imports = [ ./bind.nix ];

     

       64
       55
        
       

     

       65
       56
        
         options.eilean.services.dns = {

     
···

       72
       63
        
             type = types.bool;

     

       73
       64
        
             default = true;

     

       74
       65
        
           };

     

       75
       75
       -
           zones = mkOption {

     

       76
       76
       -
             type = with types; attrsOf (submodule zoneOptions);

     

       77
       77
       -
           };

     

       66
       66
       +
           zones = mkOption { type = with types; attrsOf (submodule zoneOptions); };

     

       78
       67
        
         };

     

       79
       68
        
       

     

       80
       69
        
         config.networking.firewall = mkIf config.eilean.services.dns.openFirewall {

+4 -12

modules/services/dns/zonefile.nix

···

       1
       1
       -
       {

     

       2
       2
       -
         pkgs,

     

       3
       3
       -
         config,

     

       4
       4
       -
         lib,

     

       5
       5
       -
         zonename,

     

       6
       6
       -
         zone,

     

       7
       7
       -
         ...

     

       8
       8
       -
       }:

     

       1
       1
       +
       { pkgs, config, lib, zonename, zone, ... }:

     

       9
       2
        
       

     

       10
       3
        
       pkgs.writeTextFile {

     

       11
       4
        
         name = "zonefile-${zonename}";

     
···

       20
       13
        
             ${builtins.toString zone.soa.expire}

     

       21
       14
        
             ${builtins.toString zone.soa.negativeCacheTtl}

     

       22
       15
        
           )

     

       23
       23
       -
           ${

     

       24
       24
       -
             lib.strings.concatStringsSep "\n"

     

       25
       25
       -
               (builtins.map (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.data}") zone.records)

     

       26
       26
       -
           }

     

       16
       16
       +
           ${lib.strings.concatStringsSep "\n" (builtins.map

     

       17
       17
       +
             (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.data}")

     

       18
       18
       +
             zone.records)}

     

       27
       19
        
         '';

     

       28
       20
        
       }

+12 -20

modules/turn.nix

···

       5
       5
        
         cfg = config.eilean;

     

       6
       6
        
         domain = config.networking.domain;

     

       7
       7
        
         staticAuthSecretFile = "/run/coturn/static-auth-secret";

     

       8
       8
       -
       in

     

       9
       9
       -
       {

     

       10
       10
       -
         options.eilean.turn = {

     

       11
       11
       -
           enable = mkEnableOption "TURN server";

     

       12
       12
       -
         };

     

       8
       8
       +
       in {

     

       9
       9
       +
         options.eilean.turn = { enable = mkEnableOption "TURN server"; };

     

       13
       10
        
       

     

       14
       11
        
         config = mkIf cfg.turn.enable {

     

       15
       12
        
           services.coturn = rec {

     
···

       20
       17
        
             use-auth-secret = true;

     

       21
       18
        
             static-auth-secret-file = staticAuthSecretFile;

     

       22
       19
        
             realm = "turn.${domain}";

     

       23
       23
       -
             relay-ips = with config.eilean; [

     

       24
       24
       -
               serverIpv4

     

       25
       25
       -
               serverIpv6

     

       26
       26
       -
             ];

     

       20
       20
       +
             relay-ips = with config.eilean; [ serverIpv4 serverIpv6 ];

     

       27
       21
        
             cert = "${config.security.acme.certs.${realm}.directory}/full.pem";

     

       28
       22
        
             pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

     

       29
       23
        
           };

     
···

       47
       41
        
             };

     

       48
       42
        
           };

     

       49
       43
        
       

     

       50
       50
       -
           networking.firewall =

     

       51
       51
       -
             with config.services.coturn;

     

       44
       44
       +
           networking.firewall = with config.services.coturn;

     

       52
       45
        
             let

     

       53
       46
        
               turn-range = {

     

       54
       47
        
                 from = min-port;

     
···

       66
       59
        
               allowedTCPPortRanges = [ turn-range ];

     

       67
       60
        
               allowedUDPPorts = stun-ports;

     

       68
       61
        
               allowedUDPPortRanges = [ turn-range ];

     

       69
       69
       -
           };

     

       62
       62
       +
             };

     

       70
       63
        
       

     

       71
       64
        
           security.acme.certs.${config.services.coturn.realm} = {

     

       72
       72
       -
             postRun = "systemctl reload nginx.service; systemctl restart coturn.service";

     

       65
       65
       +
             postRun =

     

       66
       66
       +
               "systemctl reload nginx.service; systemctl restart coturn.service";

     

       73
       67
        
             group = "turnserver";

     

       74
       68
        
           };

     

       75
       69
        
           services.nginx.enable = true;

     
···

       82
       76
        
           users.groups."turnserver".members = [ config.services.nginx.user ];

     

       83
       77
        
       

     

       84
       78
        
           eilean.dns.enable = true;

     

       85
       85
       -
           eilean.services.dns.zones.${config.networking.domain}.records = [

     

       86
       86
       -
             {

     

       87
       87
       -
               name = "turn";

     

       88
       88
       -
               type = "CNAME";

     

       89
       89
       -
               data = "vps";

     

       90
       90
       -
             }

     

       91
       91
       -
           ];

     

       79
       79
       +
           eilean.services.dns.zones.${config.networking.domain}.records = [{

     

       80
       80
       +
             name = "turn";

     

       81
       81
       +
             type = "CNAME";

     

       82
       82
       +
             data = "vps";

     

       83
       83
       +
           }];

     

       92
       84
        
         };

     

       93
       85
        
       }

+40 -52

modules/wireguard/default.nix

···

       1
       1
        
       { pkgs, config, lib, ... }:

     

       2
       2
        
       

     

       3
       3
        
       with lib;

     

       4
       4
       -
       let cfg = config.wireguard; in

     

       5
       5
       -
       {

     

       4
       4
       +
       let cfg = config.wireguard;

     

       5
       5
       +
       in {

     

       6
       6
        
         options.wireguard = {

     

       7
       7
        
           enable = mkEnableOption "wireguard";

     

       8
       8
        
           server = mkOption {

     

       9
       9
        
             type = with types; bool;

     

       10
       10
       -
             default =

     

       11
       11
       -
               if cfg.hosts ? config.networking.hostName then

     

       12
       12
       -
                 cfg.hosts.${config.networking.hostName}.server

     

       13
       13
       -
               else false;

     

       10
       10
       +
             default = if cfg.hosts ? config.networking.hostName then

     

       11
       11
       +
               cfg.hosts.${config.networking.hostName}.server

     

       12
       12
       +
             else

     

       13
       13
       +
               false;

     

       14
       14
        
           };

     

       15
       15
       -
           hosts =

     

       16
       16
       -
             let hostOps = { ... }: {

     

       15
       15
       +
           hosts = let

     

       16
       16
       +
             hostOps = { ... }: {

     

       17
       17
        
               options = {

     

       18
       18
       -
                 ip = mkOption {

     

       19
       19
       -
                   type = types.str;

     

       20
       20
       -
                 };

     

       21
       21
       -
                 publicKey = mkOption {

     

       22
       22
       -
                   type = types.str;

     

       23
       23
       -
                 };

     

       18
       18
       +
                 ip = mkOption { type = types.str; };

     

       19
       19
       +
                 publicKey = mkOption { type = types.str; };

     

       24
       20
        
                 server = mkOption {

     

       25
       21
        
                   type = types.bool;

     

       26
       22
        
                   default = false;

     
···

       40
       36
        
                 };

     

       41
       37
        
               };

     

       42
       38
        
             };

     

       43
       43
       -
             in mkOption {

     

       44
       44
       -
               type = with types; attrsOf (submodule hostOps);

     

       45
       45
       -
               default = {};

     

       46
       46
       -
             };

     

       39
       39
       +
           in mkOption {

     

       40
       40
       +
             type = with types; attrsOf (submodule hostOps);

     

       41
       41
       +
             default = { };

     

       42
       42
       +
           };

     

       47
       43
        
         };

     

       48
       44
        
       

     

       49
       45
        
         config = mkIf cfg.enable {

     
···

       51
       47
        
           networking = mkMerge [

     

       52
       48
        
             {

     

       53
       49
        
               # populate /etc/hosts with hostnames and IPs

     

       54
       54
       -
               extraHosts = builtins.concatStringsSep "\n" (

     

       55
       55
       -
                 attrsets.mapAttrsToList (

     

       56
       56
       -
                   hostName: values: "${values.ip} ${hostName}"

     

       57
       57
       -
                 ) cfg.hosts

     

       58
       58
       -
               );

     

       50
       50
       +
               extraHosts = builtins.concatStringsSep "\n" (attrsets.mapAttrsToList

     

       51
       51
       +
                 (hostName: values: "${values.ip} ${hostName}") cfg.hosts);

     

       59
       52
        
       

     

       60
       53
        
               firewall = {

     

       61
       54
        
                 allowedUDPPorts = [ 51820 ];

     
···

       64
       57
        
       

     

       65
       58
        
               wireguard = {

     

       66
       59
        
                 enable = true;

     

       67
       67
       -
                 interfaces.wg0 = let hostName = config.networking.hostName; in {

     

       68
       68
       -
                   ips =

     

       69
       69
       -
                     if cfg.hosts ? hostname then

     

       70
       70
       -
                       [ "${cfg.hosts."${hostName}".ip}/24" ]

     

       71
       71
       -
                     else [ ];

     

       72
       72
       -
                   listenPort = 51820; 

     

       60
       60
       +
                 interfaces.wg0 = let hostName = config.networking.hostName;

     

       61
       61
       +
                 in {

     

       62
       62
       +
                   ips = if cfg.hosts ? hostname then

     

       63
       63
       +
                     [ "${cfg.hosts."${hostName}".ip}/24" ]

     

       64
       64
       +
                   else

     

       65
       65
       +
                     [ ];

     

       66
       66
       +
                   listenPort = 51820;

     

       73
       67
        
                   privateKeyFile = cfg.hosts."${hostName}".privateKeyFile;

     

       74
       74
       -
                   peers =

     

       75
       75
       -
                     let

     

       76
       76
       -
                       serverPeers = attrsets.mapAttrsToList

     

       77
       77
       -
                         (hostName: values:

     

       78
       78
       -
                           if values.server then

     

       79
       79
       -
                           {

     

       80
       80
       -
                             allowedIPs = [ "10.0.0.0/24" ];

     

       81
       81
       -
                             publicKey = values.publicKey;

     

       82
       82
       -
                             endpoint = "${values.endpoint}:51820";

     

       83
       83
       -
                             persistentKeepalive = values.persistentKeepalive;

     

       84
       84
       -
                           }

     

       85
       85
       -
                         else {})

     

       86
       86
       -
                         cfg.hosts;

     

       87
       87
       -
                       # remove empty elements

     

       88
       88
       -
                       cleanedServerPeers = lists.remove { } serverPeers;

     

       89
       89
       -
                     in mkIf (!cfg.server) cleanedServerPeers; 

     

       68
       68
       +
                   peers = let

     

       69
       69
       +
                     serverPeers = attrsets.mapAttrsToList (hostName: values:

     

       70
       70
       +
                       if values.server then {

     

       71
       71
       +
                         allowedIPs = [ "10.0.0.0/24" ];

     

       72
       72
       +
                         publicKey = values.publicKey;

     

       73
       73
       +
                         endpoint = "${values.endpoint}:51820";

     

       74
       74
       +
                         persistentKeepalive = values.persistentKeepalive;

     

       75
       75
       +
                       } else

     

       76
       76
       +
                         { }) cfg.hosts;

     

       77
       77
       +
                     # remove empty elements

     

       78
       78
       +
                     cleanedServerPeers = lists.remove { } serverPeers;

     

       79
       79
       +
                   in mkIf (!cfg.server) cleanedServerPeers;

     

       90
       80
        
                 };

     

       91
       81
        
               };

     

       92
       82
        
             }

     
···

       116
       106
        
       

     

       117
       107
        
                 # add clients

     

       118
       108
        
                 peers = with lib.attrsets;

     

       119
       119
       -
                   mapAttrsToList (

     

       120
       120
       -
                     hostName: values: {

     

       121
       121
       -
                       allowedIPs = [ "${values.ip}/32" ];

     

       122
       122
       -
                       publicKey = values.publicKey;

     

       123
       123
       -
                       persistentKeepalive = values.persistentKeepalive;

     

       124
       124
       -
                     }

     

       125
       125
       -
                   ) cfg.hosts;

     

       109
       109
       +
                   mapAttrsToList (hostName: values: {

     

       110
       110
       +
                     allowedIPs = [ "${values.ip}/32" ];

     

       111
       111
       +
                     publicKey = values.publicKey;

     

       112
       112
       +
                     persistentKeepalive = values.persistentKeepalive;

     

       113
       113
       +
                   }) cfg.hosts;

     

       126
       114
        
               };

     

       127
       115
        
             })

     

       128
       116
        
           ];

+2 -1

pkgs/mautrix-meta.nix

···

       20
       20
        
       

     

       21
       21
        
         meta = with lib; {

     

       22
       22
        
           homepage = "https://github.com/mautrix/meta";

     

       23
       23
       -
           description = " A Matrix-Facebook Messenger and Instagram DM puppeting bridge.";

     

       23
       23
       +
           description =

     

       24
       24
       +
             " A Matrix-Facebook Messenger and Instagram DM puppeting bridge.";

     

       24
       25
        
           license = licenses.agpl3Plus;

     

       25
       26
        
           mainProgram = "mautrix-meta";

     

       26
       27
        
         };

+2 -4

template/configuration.nix

···

       1
       1
        
       { pkgs, config, lib, ... }:

     

       2
       2
        
       

     

       3
       3
        
       {

     

       4
       4
       -
         imports = [

     

       5
       5
       -
           ./hardware-configuration.nix

     

       6
       6
       -
         ];

     

       4
       4
       +
         imports = [ ./hardware-configuration.nix ];

     

       7
       5
        
       

     

       8
       6
        
         boot.loader = {

     

       9
       7
        
           systemd-boot.enable = true;

     
···

       76
       74
        
         # Before changing this value read the documentation for this option

     

       77
       75
        
         # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).

     

       78
       76
        
         system.stateVersion = "23.05"; # Did you read the comment?

     

       79
       79
       -
       }
     

       77
       77
       +
       }

+17 -16

template/flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs = {

     

       3
       3
        
           nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       4
       4
       -
           eilean.url ="github:RyanGibb/eilean-nix/main";

     

       4
       4
       +
           eilean.url = "github:RyanGibb/eilean-nix/main";

     

       5
       5
        
           # replace the below line to manage the Nixpkgs instance yourself

     

       6
       6
        
           nixpkgs.follows = "eilean/nixpkgs";

     

       7
       7
        
           #eilean.inputs.nixpkgs.follows = "nixpkgs";

     

       8
       8
        
         };

     

       9
       9
        
       

     

       10
       10
        
         outputs = { self, nixpkgs, eilean, ... }@inputs:

     

       11
       11
       -
             let hostname = "eilean"; in

     

       12
       12
       -
           rec {

     

       13
       13
       -
           nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {

     

       11
       11
       +
           let hostname = "eilean";

     

       12
       12
       +
           in rec {

     

       13
       13
       +
             nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {

     

       14
       14
        
               system = null;

     

       15
       15
        
               pkgs = null;

     

       16
       16
        
               modules = [

     

       17
       17
       -
                   ./configuration.nix

     

       18
       18
       -
                   eilean.nixosModules.default

     

       19
       19
       -
                   {

     

       20
       20
       -
                     networking.hostName = hostname;

     

       21
       21
       -
                     # pin nix command's nixpkgs flake to the system flake to avoid unnecessary downloads

     

       22
       22
       -
                     nix.registry.nixpkgs.flake = nixpkgs;

     

       23
       23
       -
                     # record git revision (can be queried with `nixos-version --json)

     

       24
       24
       -
                     system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;

     

       25
       25
       -
                   }

     

       26
       26
       -
                 ];

     

       27
       27
       -
               };

     

       17
       17
       +
                 ./configuration.nix

     

       18
       18
       +
                 eilean.nixosModules.default

     

       19
       19
       +
                 {

     

       20
       20
       +
                   networking.hostName = hostname;

     

       21
       21
       +
                   # pin nix command's nixpkgs flake to the system flake to avoid unnecessary downloads

     

       22
       22
       +
                   nix.registry.nixpkgs.flake = nixpkgs;

     

       23
       23
       +
                   # record git revision (can be queried with `nixos-version --json)

     

       24
       24
       +
                   system.configurationRevision =

     

       25
       25
       +
                     nixpkgs.lib.mkIf (self ? rev) self.rev;

     

       26
       26
       +
                 }

     

       27
       27
       +
               ];

     

       28
       28
        
             };

     

       29
       29
       -
         }

     

       29
       29
       +
           };

     

       30
       30
       +
       }