ryan.freumh.org / eilean-nix
Self-host your own digital island
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+537 -359
flake.lock
flake.nix
modules
acme-eon.nix
default.nix
dns.nix
fail2ban.nix
gitea.nix
headscale.nix
mailserver.nix
mastodon.nix
matrix
mautrix-signal.nix
synapse.nix
radicale.nix
services
dns
bind.nix
default.nix
eon.nix
zonefile.nix
turn.nix
pkgs
mautrix-meta.nix
template
configuration.nix
+185 -42
flake.lock 
···

       
16

       
16

       
 

       
        "type": "gitlab"


     

       
17

       
17

       
 

       
      }


     

       
18

       
18

       
 

       
    },


     

       

       
19

       
+

       
    "eon": {


     

       

       
20

       
+

       
      "inputs": {


     

       

       
21

       
+

       
        "flake-utils": "flake-utils",


     

       

       
22

       
+

       
        "nixpkgs": [


     

       

       
23

       
+

       
          "nixpkgs"


     

       

       
24

       
+

       
        ],


     

       

       
25

       
+

       
        "opam-nix": "opam-nix"


     

       

       
26

       
+

       
      },


     

       

       
27

       
+

       
      "locked": {


     

       

       
28

       
+

       
        "lastModified": 1738666931,


     

       

       
29

       
+

       
        "narHash": "sha256-dTF+etN5ZDPVwK8XV/huQByY6JohiVgpCfzVJWAZY1I=",


     

       

       
30

       
+

       
        "owner": "RyanGibb",


     

       

       
31

       
+

       
        "repo": "eon",


     

       

       
32

       
+

       
        "rev": "42523d1d8f720215ab5108a1b42e9c5b7d17d4bf",


     

       

       
33

       
+

       
        "type": "github"


     

       

       
34

       
+

       
      },


     

       

       
35

       
+

       
      "original": {


     

       

       
36

       
+

       
        "owner": "RyanGibb",


     

       

       
37

       
+

       
        "repo": "eon",


     

       

       
38

       
+

       
        "type": "github"


     

       

       
39

       
+

       
      }


     

       

       
40

       
+

       
    },


     

       
19

       
41

       
 

       
    "flake-compat": {


     

       
20

       
42

       
 

       
      "flake": false,


     

       
21

       
43

       
 

       
      "locked": {


     
···

       
32

       
54

       
 

       
        "type": "github"


     

       
33

       
55

       
 

       
      }


     

       
34

       
56

       
 

       
    },


     

       

       
57

       
+

       
    "flake-compat_2": {


     

       

       
58

       
+

       
      "flake": false,


     

       

       
59

       
+

       
      "locked": {


     

       

       
60

       
+

       
        "lastModified": 1696426674,


     

       

       
61

       
+

       
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",


     

       

       
62

       
+

       
        "owner": "edolstra",


     

       

       
63

       
+

       
        "repo": "flake-compat",


     

       

       
64

       
+

       
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",


     

       

       
65

       
+

       
        "type": "github"


     

       

       
66

       
+

       
      },


     

       

       
67

       
+

       
      "original": {


     

       

       
68

       
+

       
        "owner": "edolstra",


     

       

       
69

       
+

       
        "repo": "flake-compat",


     

       

       
70

       
+

       
        "type": "github"


     

       

       
71

       
+

       
      }


     

       

       
72

       
+

       
    },


     

       

       
73

       
+

       
    "flake-utils": {


     

       

       
74

       
+

       
      "inputs": {


     

       

       
75

       
+

       
        "systems": "systems"


     

       

       
76

       
+

       
      },


     

       

       
77

       
+

       
      "locked": {


     

       

       
78

       
+

       
        "lastModified": 1731533236,


     

       

       
79

       
+

       
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",


     

       

       
80

       
+

       
        "owner": "numtide",


     

       

       
81

       
+

       
        "repo": "flake-utils",


     

       

       
82

       
+

       
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",


     

       

       
83

       
+

       
        "type": "github"


     

       

       
84

       
+

       
      },


     

       

       
85

       
+

       
      "original": {


     

       

       
86

       
+

       
        "owner": "numtide",


     

       

       
87

       
+

       
        "repo": "flake-utils",


     

       

       
88

       
+

       
        "type": "github"


     

       

       
89

       
+

       
      }


     

       

       
90

       
+

       
    },


     

       

       
91

       
+

       
    "mirage-opam-overlays": {


     

       

       
92

       
+

       
      "flake": false,


     

       

       
93

       
+

       
      "locked": {


     

       

       
94

       
+

       
        "lastModified": 1710922379,


     

       

       
95

       
+

       
        "narHash": "sha256-j4QREQDUf8oHOX7qg6wAOupgsNQoYlufxoPrgagD+pY=",


     

       

       
96

       
+

       
        "owner": "dune-universe",


     

       

       
97

       
+

       
        "repo": "mirage-opam-overlays",


     

       

       
98

       
+

       
        "rev": "797cb363df3ff763c43c8fbec5cd44de2878757e",


     

       

       
99

       
+

       
        "type": "github"


     

       

       
100

       
+

       
      },


     

       

       
101

       
+

       
      "original": {


     

       

       
102

       
+

       
        "owner": "dune-universe",


     

       

       
103

       
+

       
        "repo": "mirage-opam-overlays",


     

       

       
104

       
+

       
        "type": "github"


     

       

       
105

       
+

       
      }


     

       

       
106

       
+

       
    },


     

       
35

       
107

       
 

       
    "nixos-mailserver": {


     

       
36

       
108

       
 

       
      "inputs": {


     

       
37

       
109

       
 

       
        "blobs": "blobs",


     

       
38

       

       
-

       
        "flake-compat": "flake-compat",


     

       
39

       

       
-

       
        "nixpkgs": "nixpkgs",


     

       
40

       

       
-

       
        "nixpkgs-23_05": "nixpkgs-23_05",


     

       
41

       

       
-

       
        "nixpkgs-23_11": "nixpkgs-23_11",


     

       

       
110

       
+

       
        "flake-compat": "flake-compat_2",


     

       

       
111

       
+

       
        "nixpkgs": [


     

       

       
112

       
+

       
          "nixpkgs"


     

       

       
113

       
+

       
        ],


     

       

       
114

       
+

       
        "nixpkgs-24_05": "nixpkgs-24_05",


     

       
42

       
115

       
 

       
        "utils": "utils"


     

       
43

       
116

       
 

       
      },


     

       
44

       
117

       
 

       
      "locked": {


     

       
45

       

       
-

       
        "lastModified": 1711069052,


     

       
46

       

       
-

       
        "narHash": "sha256-QScBLiWRDmrOhG4/jCrdZTNe8zQdf6gzSZocAYOcG3U=",


     

       

       
118

       
+

       
        "lastModified": 1718183756,


     

       

       
119

       
+

       
        "narHash": "sha256-m5JQT/RIegSLZJx41Cv7d8Xoa2KKq+5uLkgB5KJR5D0=",


     

       
47

       
120

       
 

       
        "owner": "RyanGibb",


     

       
48

       
121

       
 

       
        "repo": "nixos-mailserver",


     

       
49

       

       
-

       
        "rev": "435c3a167c52ebe443f6ed1ba3412331ae566d05",


     

       
50

       

       
-

       
        "type": "github"


     

       

       
122

       
+

       
        "rev": "9dc7a8d40232f600e6ca1e78356cd4398665b46b",


     

       

       
123

       
+

       
        "type": "gitlab"


     

       
51

       
124

       
 

       
      },


     

       
52

       
125

       
 

       
      "original": {


     

       
53

       
126

       
 

       
        "owner": "RyanGibb",


     

       
54

       

       
-

       
        "ref": "fork-23.11",


     

       

       
127

       
+

       
        "ref": "fork-24.05",


     

       
55

       
128

       
 

       
        "repo": "nixos-mailserver",


     

       
56

       

       
-

       
        "type": "github"


     

       

       
129

       
+

       
        "type": "gitlab"


     

       
57

       
130

       
 

       
      }


     

       
58

       
131

       
 

       
    },


     

       
59

       
132

       
 

       
    "nixpkgs": {


     

       
60

       
133

       
 

       
      "locked": {


     

       
61

       

       
-

       
        "lastModified": 1709703039,


     

       
62

       

       
-

       
        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",


     

       
63

       

       
-

       
        "owner": "NixOS",


     

       

       
134

       
+

       
        "lastModified": 1732981179,


     

       

       
135

       
+

       
        "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",


     

       

       
136

       
+

       
        "owner": "nixos",


     

       
64

       
137

       
 

       
        "repo": "nixpkgs",


     

       
65

       

       
-

       
        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",


     

       

       
138

       
+

       
        "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",


     

       
66

       
139

       
 

       
        "type": "github"


     

       
67

       
140

       
 

       
      },


     

       
68

       
141

       
 

       
      "original": {


     

       
69

       

       
-

       
        "id": "nixpkgs",


     

       
70

       

       
-

       
        "ref": "nixos-unstable",


     

       
71

       

       
-

       
        "type": "indirect"


     

       

       
142

       
+

       
        "owner": "nixos",


     

       

       
143

       
+

       
        "ref": "nixos-24.11",


     

       

       
144

       
+

       
        "repo": "nixpkgs",


     

       

       
145

       
+

       
        "type": "github"


     

       
72

       
146

       
 

       
      }


     

       
73

       
147

       
 

       
    },


     

       
74

       

       
-

       
    "nixpkgs-23_05": {


     

       

       
148

       
+

       
    "nixpkgs-24_05": {


     

       
75

       
149

       
 

       
      "locked": {


     

       
76

       

       
-

       
        "lastModified": 1704290814,


     

       
77

       

       
-

       
        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",


     

       

       
150

       
+

       
        "lastModified": 1718086528,


     

       

       
151

       
+

       
        "narHash": "sha256-hoB7B7oPgypePz16cKWawPfhVvMSXj4G/qLsfFuhFjw=",


     

       
78

       
152

       
 

       
        "owner": "NixOS",


     

       
79

       
153

       
 

       
        "repo": "nixpkgs",


     

       
80

       

       
-

       
        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",


     

       

       
154

       
+

       
        "rev": "47b604b07d1e8146d5398b42d3306fdebd343986",


     

       
81

       
155

       
 

       
        "type": "github"


     

       
82

       
156

       
 

       
      },


     

       
83

       
157

       
 

       
      "original": {


     

       
84

       
158

       
 

       
        "id": "nixpkgs",


     

       
85

       

       
-

       
        "ref": "nixos-23.05",


     

       

       
159

       
+

       
        "ref": "nixos-24.05",


     

       
86

       
160

       
 

       
        "type": "indirect"


     

       
87

       
161

       
 

       
      }


     

       
88

       
162

       
 

       
    },


     

       
89

       

       
-

       
    "nixpkgs-23_11": {


     

       

       
163

       
+

       
    "opam-nix": {


     

       

       
164

       
+

       
      "inputs": {


     

       

       
165

       
+

       
        "flake-compat": "flake-compat",


     

       

       
166

       
+

       
        "flake-utils": [


     

       

       
167

       
+

       
          "eon",


     

       

       
168

       
+

       
          "flake-utils"


     

       

       
169

       
+

       
        ],


     

       

       
170

       
+

       
        "mirage-opam-overlays": "mirage-opam-overlays",


     

       

       
171

       
+

       
        "nixpkgs": [


     

       

       
172

       
+

       
          "eon",


     

       

       
173

       
+

       
          "nixpkgs"


     

       

       
174

       
+

       
        ],


     

       

       
175

       
+

       
        "opam-overlays": "opam-overlays",


     

       

       
176

       
+

       
        "opam-repository": "opam-repository",


     

       

       
177

       
+

       
        "opam2json": "opam2json"


     

       

       
178

       
+

       
      },


     

       

       
179

       
+

       
      "locked": {


     

       

       
180

       
+

       
        "lastModified": 1732617437,


     

       

       
181

       
+

       
        "narHash": "sha256-jj25fziYrES8Ix6HkfSiLzrN6MZjiwlHUxFSIuLRjgE=",


     

       

       
182

       
+

       
        "owner": "tweag",


     

       

       
183

       
+

       
        "repo": "opam-nix",


     

       

       
184

       
+

       
        "rev": "ea8b9cb81fe94e1fc45c6376fcff15f17319c445",


     

       

       
185

       
+

       
        "type": "github"


     

       

       
186

       
+

       
      },


     

       

       
187

       
+

       
      "original": {


     

       

       
188

       
+

       
        "owner": "tweag",


     

       

       
189

       
+

       
        "repo": "opam-nix",


     

       

       
190

       
+

       
        "type": "github"


     

       

       
191

       
+

       
      }


     

       

       
192

       
+

       
    },


     

       

       
193

       
+

       
    "opam-overlays": {


     

       

       
194

       
+

       
      "flake": false,


     

       
90

       
195

       
 

       
      "locked": {


     

       
91

       

       
-

       
        "lastModified": 1710951922,


     

       
92

       

       
-

       
        "narHash": "sha256-FOOBJ3DQenLpTNdxMHR2CpGZmYuctb92gF0lpiirZ30=",


     

       
93

       

       
-

       
        "owner": "NixOS",


     

       
94

       

       
-

       
        "repo": "nixpkgs",


     

       
95

       

       
-

       
        "rev": "f091af045dff8347d66d186a62d42aceff159456",


     

       

       
196

       
+

       
        "lastModified": 1726822209,


     

       

       
197

       
+

       
        "narHash": "sha256-bwM18ydNT9fYq91xfn4gmS21q322NYrKwfq0ldG9GYw=",


     

       

       
198

       
+

       
        "owner": "dune-universe",


     

       

       
199

       
+

       
        "repo": "opam-overlays",


     

       

       
200

       
+

       
        "rev": "f2bec38beca4aea9e481f2fd3ee319c519124649",


     

       

       
201

       
+

       
        "type": "github"


     

       

       
202

       
+

       
      },


     

       

       
203

       
+

       
      "original": {


     

       

       
204

       
+

       
        "owner": "dune-universe",


     

       

       
205

       
+

       
        "repo": "opam-overlays",


     

       

       
206

       
+

       
        "type": "github"


     

       

       
207

       
+

       
      }


     

       

       
208

       
+

       
    },


     

       

       
209

       
+

       
    "opam-repository": {


     

       

       
210

       
+

       
      "flake": false,


     

       

       
211

       
+

       
      "locked": {


     

       

       
212

       
+

       
        "lastModified": 1732612513,


     

       

       
213

       
+

       
        "narHash": "sha256-kju4NWEQo4xTxnKeBIsmqnyxIcCg6sNZYJ1FmG/gCDw=",


     

       

       
214

       
+

       
        "owner": "ocaml",


     

       

       
215

       
+

       
        "repo": "opam-repository",


     

       

       
216

       
+

       
        "rev": "3d52b66b04788999a23f22f0d59c2dfc831c4f32",


     

       
96

       
217

       
 

       
        "type": "github"


     

       
97

       
218

       
 

       
      },


     

       
98

       
219

       
 

       
      "original": {


     

       
99

       

       
-

       
        "id": "nixpkgs",


     

       
100

       

       
-

       
        "ref": "nixos-23.11",


     

       
101

       

       
-

       
        "type": "indirect"


     

       

       
220

       
+

       
        "owner": "ocaml",


     

       

       
221

       
+

       
        "repo": "opam-repository",


     

       

       
222

       
+

       
        "type": "github"


     

       
102

       
223

       
 

       
      }


     

       
103

       
224

       
 

       
    },


     

       
104

       

       
-

       
    "nixpkgs_2": {


     

       

       
225

       
+

       
    "opam2json": {


     

       

       
226

       
+

       
      "inputs": {


     

       

       
227

       
+

       
        "nixpkgs": [


     

       

       
228

       
+

       
          "eon",


     

       

       
229

       
+

       
          "opam-nix",


     

       

       
230

       
+

       
          "nixpkgs"


     

       

       
231

       
+

       
        ]


     

       

       
232

       
+

       
      },


     

       
105

       
233

       
 

       
      "locked": {


     

       
106

       

       
-

       
        "lastModified": 1710272261,


     

       
107

       

       
-

       
        "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",


     

       
108

       

       
-

       
        "owner": "nixos",


     

       
109

       

       
-

       
        "repo": "nixpkgs",


     

       
110

       

       
-

       
        "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",


     

       

       
234

       
+

       
        "lastModified": 1671540003,


     

       

       
235

       
+

       
        "narHash": "sha256-5pXfbUfpVABtKbii6aaI2EdAZTjHJ2QntEf0QD2O5AM=",


     

       

       
236

       
+

       
        "owner": "tweag",


     

       

       
237

       
+

       
        "repo": "opam2json",


     

       

       
238

       
+

       
        "rev": "819d291ea95e271b0e6027679de6abb4d4f7f680",


     

       
111

       
239

       
 

       
        "type": "github"


     

       
112

       
240

       
 

       
      },


     

       
113

       
241

       
 

       
      "original": {


     

       
114

       

       
-

       
        "owner": "nixos",


     

       
115

       

       
-

       
        "ref": "nixos-unstable",


     

       
116

       

       
-

       
        "repo": "nixpkgs",


     

       

       
242

       
+

       
        "owner": "tweag",


     

       

       
243

       
+

       
        "repo": "opam2json",


     

       
117

       
244

       
 

       
        "type": "github"


     

       
118

       
245

       
 

       
      }


     

       
119

       
246

       
 

       
    },


     

       
120

       
247

       
 

       
    "root": {


     

       
121

       
248

       
 

       
      "inputs": {


     

       

       
249

       
+

       
        "eon": "eon",


     

       
122

       
250

       
 

       
        "nixos-mailserver": "nixos-mailserver",


     

       
123

       

       
-

       
        "nixpkgs": "nixpkgs_2"


     

       

       
251

       
+

       
        "nixpkgs": "nixpkgs"


     

       
124

       
252

       
 

       
      }


     

       
125

       
253

       
 

       
    },


     

       
126

       
254

       
 

       
    "systems": {


     
···

       
138

       
266

       
 

       
        "type": "github"


     

       
139

       
267

       
 

       
      }


     

       
140

       
268

       
 

       
    },


     

       

       
269

       
+

       
    "systems_2": {


     

       

       
270

       
+

       
      "locked": {


     

       

       
271

       
+

       
        "lastModified": 1681028828,


     

       

       
272

       
+

       
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


     

       

       
273

       
+

       
        "owner": "nix-systems",


     

       

       
274

       
+

       
        "repo": "default",


     

       

       
275

       
+

       
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",


     

       

       
276

       
+

       
        "type": "github"


     

       

       
277

       
+

       
      },


     

       

       
278

       
+

       
      "original": {


     

       

       
279

       
+

       
        "owner": "nix-systems",


     

       

       
280

       
+

       
        "repo": "default",


     

       

       
281

       
+

       
        "type": "github"


     

       

       
282

       
+

       
      }


     

       

       
283

       
+

       
    },


     

       
141

       
284

       
 

       
    "utils": {


     

       
142

       
285

       
 

       
      "inputs": {


     

       
143

       

       
-

       
        "systems": "systems"


     

       

       
286

       
+

       
        "systems": "systems_2"


     

       
144

       
287

       
 

       
      },


     

       
145

       
288

       
 

       
      "locked": {


     

       
146

       
289

       
 

       
        "lastModified": 1709126324,
+15 -6
flake.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  inputs = {


     

       
3

       

       
-

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";


     

       
4

       

       
-

       
    nixos-mailserver.url = "github:RyanGibb/nixos-mailserver/fork-23.11";


     

       

       
3

       
+

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";


     

       

       
4

       
+

       
    nixos-mailserver.url = "gitlab:RyanGibb/nixos-mailserver/fork-24.05";


     

       

       
5

       
+

       
    eon.url = "github:RyanGibb/eon";


     

       

       
6

       
+

       



     

       

       
7

       
+

       
    eon.inputs.nixpkgs.follows = "nixpkgs";


     

       

       
8

       
+

       
    nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";


     

       
5

       
9

       
 

       
  };


     

       
6

       
10

       
 

       



     

       
7

       

       
-

       
  outputs = { self, nixpkgs, nixos-mailserver, ... }: rec {


     

       

       
11

       
+

       
  outputs = { nixpkgs, nixos-mailserver, eon, ... }: {


     

       
8

       
12

       
 

       
    packages = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed (system:


     

       
9

       
13

       
 

       
      let pkgs = nixpkgs.legacyPackages.${system};


     

       
10

       

       
-

       
      in { manpage = import ./man { inherit pkgs system nixos-mailserver; }; });


     

       

       
14

       
+

       
      in {


     

       

       
15

       
+

       
        manpage = import ./man { inherit pkgs system nixos-mailserver; };


     

       

       
16

       
+

       
        packages.mautrix-meta = (pkgs.callPackage ./pkgs/mautrix-meta.nix { });


     

       

       
17

       
+

       
      });


     

       
11

       
18

       
 

       



     

       
12

       
19

       
 

       
    nixosModules.default = {


     

       
13

       
20

       
 

       
      imports = [


     

       
14

       
21

       
 

       
        ./modules/default.nix


     

       
15

       
22

       
 

       
        nixos-mailserver.nixosModule


     

       
16

       

       
-

       
        ({ pkgs, config, ... }: {


     

       

       
23

       
+

       
        eon.nixosModules.default


     

       

       
24

       
+

       
        eon.nixosModules.acme


     

       

       
25

       
+

       
        {


     

       
17

       
26

       
 

       
          nixpkgs.overlays = [


     

       
18

       
27

       
 

       
            (final: prev: {


     

       
19

       
28

       
 

       
              mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });


     

       
20

       
29

       
 

       
            })


     

       
21

       
30

       
 

       
          ];


     

       
22

       

       
-

       
        })


     

       

       
31

       
+

       
        }


     

       
23

       
32

       
 

       
      ];


     

       
24

       
33

       
 

       
    };


     

       
25

       
34

       
 

       
    defaultTemplate.path = ./template;
+16
modules/acme-eon.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  options.eilean.acme-eon = mkEnableOption "acme-eon";


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  config = mkIf cfg.acme-eon {


     

       

       
9

       
+

       
    assertions = [{


     

       

       
10

       
+

       
      assertion = cfg.services.dns.server == "eon";


     

       

       
11

       
+

       
      message = ''


     

       

       
12

       
+

       
        If config.eilean.acme-eon is enabled config.eilean.services.dns.server must be "eon".


     

       

       
13

       
+

       
      '';


     

       

       
14

       
+

       
    }];


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       
}
+10 -2
modules/default.nix 
···

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
{


     

       
6

       
6

       
 

       
  imports = [


     

       

       
7

       
+

       
    ./acme-eon.nix


     

       
7

       
8

       
 

       
    ./services/dns/default.nix


     

       
8

       
9

       
 

       
    ./mastodon.nix


     

       
9

       
10

       
 

       
    ./mailserver.nix


     

       
10

       
11

       
 

       
    ./gitea.nix


     

       
11

       
12

       
 

       
    ./dns.nix


     

       

       
13

       
+

       
    ./fail2ban.nix


     

       
12

       
14

       
 

       
    ./matrix/synapse.nix


     

       
13

       

       
-

       
    ./matrix/mautrix-signal.nix


     

       
14

       
15

       
 

       
    ./matrix/mautrix-instagram.nix


     

       
15

       
16

       
 

       
    ./matrix/mautrix-messenger.nix


     

       
16

       
17

       
 

       
    ./turn.nix


     

       
17

       
18

       
 

       
    ./headscale.nix


     

       
18

       
19

       
 

       
    ./wireguard/default.nix


     

       

       
20

       
+

       
    ./radicale.nix


     

       
19

       
21

       
 

       
  ];


     

       
20

       
22

       
 

       



     

       
21

       
23

       
 

       
  options.eilean = with types; {


     
···

       
23

       
25

       
 

       
    serverIpv4 = mkOption { type = str; };


     

       
24

       
26

       
 

       
    serverIpv6 = mkOption { type = str; };


     

       
25

       
27

       
 

       
    publicInterface = mkOption { type = str; };


     

       

       
28

       
+

       
    domainName = mkOption {


     

       

       
29

       
+

       
      type = types.str;


     

       

       
30

       
+

       
      default = "vps";


     

       

       
31

       
+

       
    };


     

       
26

       
32

       
 

       
  };


     

       
27

       
33

       
 

       



     

       
28

       
34

       
 

       
  config = {


     

       
29

       
35

       
 

       
    # TODO install manpage


     

       
30

       
36

       
 

       
    environment.systemPackages = [ ];


     

       
31

       

       
-

       
    security.acme.defaults.email =


     

       

       
37

       
+

       
    security.acme.defaults.email = lib.mkIf (!config.eilean.acme-eon)


     

       

       
38

       
+

       
      "${config.eilean.username}@${config.networking.domain}";


     

       

       
39

       
+

       
    security.acme-eon.defaults.email = lib.mkIf config.eilean.acme-eon


     

       
32

       
40

       
 

       
      "${config.eilean.username}@${config.networking.domain}";


     

       
33

       
41

       
 

       
    networking.firewall.allowedTCPPorts = mkIf config.services.nginx.enable [


     

       
34

       
42

       
 

       
      80 # HTTP
+10 -15
modules/dns.nix 
···

       
20

       
20

       
 

       
        {


     

       
21

       
21

       
 

       
          name = "@";


     

       
22

       
22

       
 

       
          type = "NS";


     

       
23

       

       
-

       
          data = ns;


     

       

       
23

       
+

       
          value = ns;


     

       
24

       
24

       
 

       
        }


     

       
25

       
25

       
 

       
        {


     

       
26

       
26

       
 

       
          name = ns;


     

       
27

       
27

       
 

       
          type = "A";


     

       
28

       

       
-

       
          data = cfg.serverIpv4;


     

       
29

       

       
-

       
        }


     

       
30

       

       
-

       
        {


     

       
31

       

       
-

       
          name = "@";


     

       
32

       

       
-

       
          type = "NS";


     

       
33

       

       
-

       
          data = ns;


     

       

       
28

       
+

       
          value = cfg.serverIpv4;


     

       
34

       
29

       
 

       
        }


     

       
35

       
30

       
 

       
        {


     

       
36

       
31

       
 

       
          name = ns;


     

       
37

       
32

       
 

       
          type = "AAAA";


     

       
38

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
33

       
+

       
          value = cfg.serverIpv6;


     

       
39

       
34

       
 

       
        }


     

       
40

       
35

       
 

       
      ]) cfg.dns.nameservers ++ [


     

       
41

       
36

       
 

       
        {


     

       
42

       
37

       
 

       
          name = "@";


     

       
43

       
38

       
 

       
          type = "A";


     

       
44

       

       
-

       
          data = cfg.serverIpv4;


     

       

       
39

       
+

       
          value = cfg.serverIpv4;


     

       
45

       
40

       
 

       
        }


     

       
46

       
41

       
 

       
        {


     

       
47

       
42

       
 

       
          name = "@";


     

       
48

       
43

       
 

       
          type = "AAAA";


     

       
49

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
44

       
+

       
          value = cfg.serverIpv6;


     

       
50

       
45

       
 

       
        }


     

       
51

       
46

       
 

       



     

       
52

       
47

       
 

       
        {


     

       
53

       

       
-

       
          name = "vps";


     

       

       
48

       
+

       
          name = cfg.domainName;


     

       
54

       
49

       
 

       
          type = "A";


     

       
55

       

       
-

       
          data = cfg.serverIpv4;


     

       

       
50

       
+

       
          value = cfg.serverIpv4;


     

       
56

       
51

       
 

       
        }


     

       
57

       
52

       
 

       
        {


     

       
58

       

       
-

       
          name = "vps";


     

       

       
53

       
+

       
          name = cfg.domainName;


     

       
59

       
54

       
 

       
          type = "AAAA";


     

       
60

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
55

       
+

       
          value = cfg.serverIpv6;


     

       
61

       
56

       
 

       
        }


     

       
62

       
57

       
 

       



     

       
63

       
58

       
 

       
        {


     

       
64

       
59

       
 

       
          name = "@";


     

       
65

       
60

       
 

       
          type = "LOC";


     

       
66

       

       
-

       
          data = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";


     

       

       
61

       
+

       
          value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";


     

       
67

       
62

       
 

       
        }


     

       
68

       
63

       
 

       
      ];


     

       
69

       
64

       
 

       
    };
+42
modules/fail2ban.nix 
···

       

       
1

       
+

       
{ config, pkgs, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  options.eilean.fail2ban = {


     

       

       
7

       
+

       
    enable = mkEnableOption "TURN server";


     

       

       
8

       
+

       
    radicale = mkOption {


     

       

       
9

       
+

       
      type = types.bool;


     

       

       
10

       
+

       
      default = cfg.radicale.enable;


     

       

       
11

       
+

       
    };


     

       

       
12

       
+

       
  };


     

       

       
13

       
+

       



     

       

       
14

       
+

       
  config = mkIf cfg.fail2ban.enable {


     

       

       
15

       
+

       
    services.fail2ban = {


     

       

       
16

       
+

       
      enable = true;


     

       

       
17

       
+

       
      bantime = "24h";


     

       

       
18

       
+

       
      bantime-increment = {


     

       

       
19

       
+

       
        enable = true;


     

       

       
20

       
+

       
        multipliers = "1 2 4 8 16 32 64";


     

       

       
21

       
+

       
        maxtime = "168h";


     

       

       
22

       
+

       
        overalljails = true;


     

       

       
23

       
+

       
      };


     

       

       
24

       
+

       
      jails."radicale".settings = mkIf cfg.fail2ban.radicale {


     

       

       
25

       
+

       
        port = "5232";


     

       

       
26

       
+

       
        filter = "radicale";


     

       

       
27

       
+

       
        banaction = "%(banaction_allports)s[name=radicale]";


     

       

       
28

       
+

       
        backend = "systemd";


     

       

       
29

       
+

       
        journalmatch = "_SYSTEMD_UNIT=radicale.service";


     

       

       
30

       
+

       
        maxRetry = 2;


     

       

       
31

       
+

       
        bantime = -1;


     

       

       
32

       
+

       
        findtime = 14400;


     

       

       
33

       
+

       
      };


     

       

       
34

       
+

       
    };


     

       

       
35

       
+

       
    environment.etc = {


     

       

       
36

       
+

       
      "fail2ban/filter.d/radicale.local".text = mkIf cfg.fail2ban.radicale ''


     

       

       
37

       
+

       
        [Definition]


     

       

       
38

       
+

       
        failregex = ^.*Failed\slogin\sattempt\sfrom\s.*\(forwarded for \'<HOST>\'.*\):\s.*


     

       

       
39

       
+

       
      '';


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       
}
+8 -5
modules/gitea.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "git.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       
9

       
 

       
  options.eilean.gitea = {


     

       
9

       
10

       
 

       
    enable = mkEnableOption "gitea";


     
···

       
18

       
19

       
 

       
  };


     

       
19

       
20

       
 

       



     

       
20

       
21

       
 

       
  config = mkIf cfg.gitea.enable {


     

       

       
22

       
+

       
    security.acme-eon.nginxCerts = [ subdomain ];


     

       

       
23

       
+

       



     

       
21

       
24

       
 

       
    services.nginx = {


     

       
22

       
25

       
 

       
      enable = true;


     

       
23

       
26

       
 

       
      recommendedProxySettings = true;


     

       
24

       

       
-

       
      virtualHosts."git.${domain}" = {


     

       
25

       

       
-

       
        enableACME = true;


     

       

       
27

       
+

       
      virtualHosts."${subdomain}" = {


     

       

       
28

       
+

       
        enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
26

       
29

       
 

       
        forceSSL = true;


     

       
27

       
30

       
 

       
        locations."/" = {


     

       
28

       
31

       
 

       
          proxyPass = "http://localhost:${


     
···

       
47

       
50

       
 

       
      mailerPasswordFile = cfg.mailserver.systemAccountPasswordFile;


     

       
48

       
51

       
 

       
      settings = {


     

       
49

       
52

       
 

       
        server = {


     

       
50

       

       
-

       
          ROOT_URL = "https://git.${domain}/";


     

       
51

       

       
-

       
          DOMAIN = "git.${domain}";


     

       

       
53

       
+

       
          ROOT_URL = "https://${subdomain}/";


     

       

       
54

       
+

       
          DOMAIN = subdomain;


     

       
52

       
55

       
 

       
        };


     

       
53

       
56

       
 

       
        mailer = {


     

       
54

       
57

       
 

       
          ENABLED = true;


     
···

       
97

       
100

       
 

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       
98

       
101

       
 

       
      name = "git";


     

       
99

       
102

       
 

       
      type = "CNAME";


     

       
100

       

       
-

       
      data = "vps";


     

       

       
103

       
+

       
      value = cfg.domainName;


     

       
101

       
104

       
 

       
    }];


     

       
102

       
105

       
 

       



     

       
103

       
106

       
 

       
    # proxy port 22 on ethernet interface to internal gitea ssh server
+1 -6
modules/headscale.nix 
···

       
30

       
30

       
 

       
        server_url = "https://${cfg.headscale.domain}";


     

       
31

       
31

       
 

       
        logtail.enabled = false;


     

       
32

       
32

       
 

       
        ip_prefixes = [ "100.64.0.0/10" "fd7a:115c:a1e0::/48" ];


     

       
33

       

       
-

       
        dns_config = {


     

       
34

       

       
-

       
          # magicDns = true;


     

       
35

       

       
-

       
          nameservers = config.networking.nameservers;


     

       
36

       

       
-

       
          base_domain = "${cfg.headscale.zone}";


     

       
37

       

       
-

       
        };


     

       
38

       
33

       
 

       
      };


     

       
39

       
34

       
 

       
    };


     

       
40

       
35

       
 

       



     
···

       
57

       
52

       
 

       
    eilean.services.dns.zones.${cfg.headscale.zone}.records = [{


     

       
58

       
53

       
 

       
      name = "${cfg.headscale.domain}.";


     

       
59

       
54

       
 

       
      type = "CNAME";


     

       
60

       

       
-

       
      data = "vps";


     

       

       
55

       
+

       
      value = cfg.domainName;


     

       
61

       
56

       
 

       
    }];


     

       
62

       
57

       
 

       
  };


     

       
63

       
58

       
 

       
}
+28 -15
modules/mailserver.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "mail.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       
9

       
 

       
  options.eilean.mailserver = {


     

       
9

       
10

       
 

       
    enable = mkEnableOption "mailserver";


     
···

       
14

       
15

       
 

       
  };


     

       
15

       
16

       
 

       



     

       
16

       
17

       
 

       
  config = mkIf cfg.mailserver.enable {


     

       

       
18

       
+

       
    security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {


     

       

       
19

       
+

       
      group = "turnserver";


     

       

       
20

       
+

       
      reloadServices = [ "postfix.service" "dovecot.service" ];


     

       

       
21

       
+

       
    };


     

       

       
22

       
+

       



     

       
17

       
23

       
 

       
    mailserver = {


     

       
18

       
24

       
 

       
      enable = true;


     

       
19

       

       
-

       
      fqdn = "mail.${domain}";


     

       

       
25

       
+

       
      fqdn = subdomain;


     

       
20

       
26

       
 

       
      domains = [ "${domain}" ];


     

       
21

       
27

       
 

       



     

       
22

       
28

       
 

       
      loginAccounts = {


     
···

       
31

       
37

       
 

       



     

       
32

       
38

       
 

       
      # Use Let's Encrypt certificates. Note that this needs to set up a stripped


     

       
33

       
39

       
 

       
      # down nginx and opens port 80.


     

       
34

       

       
-

       
      certificateScheme = "acme-nginx";


     

       
35

       

       
-

       



     

       

       
40

       
+

       
      certificateScheme = if cfg.acme-eon then "manual" else "acme-nginx";


     

       

       
41

       
+

       
      certificateFile = lib.mkIf cfg.acme-eon "${


     

       

       
42

       
+

       
          config.security.acme-eon.certs.${subdomain}.directory


     

       

       
43

       
+

       
        }/fullchain.pem";


     

       

       
44

       
+

       
      keyFile = lib.mkIf cfg.acme-eon


     

       

       
45

       
+

       
        "${config.security.acme-eon.certs.${subdomain}.directory}/key.pem";


     

       
36

       
46

       
 

       
      localDnsResolver = false;


     

       
37

       
47

       
 

       
    };


     

       
38

       
48

       
 

       



     
···

       
41

       
51

       
 

       
      return 301 $scheme://${domain}$request_uri;


     

       
42

       
52

       
 

       
    '';


     

       
43

       
53

       
 

       



     

       

       
54

       
+

       
    systemd.services.dovecot2 = lib.mkIf cfg.acme-eon {


     

       

       
55

       
+

       
      wants = [ "acme-eon-${subdomain}.service" ];


     

       

       
56

       
+

       
      after = [ "acme-eon-${subdomain}.service" ];


     

       

       
57

       
+

       
    };


     

       

       
58

       
+

       



     

       

       
59

       
+

       
    systemd.services.postfix = lib.mkIf cfg.acme-eon {


     

       

       
60

       
+

       
      wants = [ "acme-eon-${subdomain}.service" ];


     

       

       
61

       
+

       
      after = [ "acme-eon-${subdomain}.service" ];


     

       

       
62

       
+

       
    };


     

       

       
63

       
+

       



     

       
44

       
64

       
 

       
    services.postfix.config = {


     

       
45

       
65

       
 

       
      smtpd_tls_protocols =


     

       
46

       
66

       
 

       
        mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     
···

       
57

       
77

       
 

       
      {


     

       
58

       
78

       
 

       
        name = "mail";


     

       
59

       
79

       
 

       
        type = "A";


     

       
60

       

       
-

       
        data = cfg.serverIpv4;


     

       

       
80

       
+

       
        value = cfg.serverIpv4;


     

       
61

       
81

       
 

       
      }


     

       
62

       
82

       
 

       
      {


     

       
63

       
83

       
 

       
        name = "mail";


     

       
64

       
84

       
 

       
        type = "AAAA";


     

       
65

       

       
-

       
        data = cfg.serverIpv6;


     

       

       
85

       
+

       
        value = cfg.serverIpv6;


     

       
66

       
86

       
 

       
      }


     

       
67

       
87

       
 

       
      {


     

       
68

       
88

       
 

       
        name = "@";


     

       
69

       
89

       
 

       
        type = "MX";


     

       
70

       

       
-

       
        data = "10 mail";


     

       

       
90

       
+

       
        value = "10 mail";


     

       
71

       
91

       
 

       
      }


     

       
72

       
92

       
 

       
      {


     

       
73

       
93

       
 

       
        name = "@";


     

       
74

       
94

       
 

       
        type = "TXT";


     

       
75

       

       
-

       
        data = ''"v=spf1 a:mail.${config.networking.domain} -all"'';


     

       
76

       

       
-

       
      }


     

       
77

       

       
-

       
      {


     

       
78

       

       
-

       
        name = "mail._domainkey";


     

       
79

       

       
-

       
        ttl = 10800;


     

       
80

       

       
-

       
        type = "TXT";


     

       
81

       

       
-

       
        data = ''


     

       
82

       

       
-

       
          "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6YmYYvoFF7VqtGcozpVQa78aaGgZdvc5ZIHqzmkKdCBEyDF2FRbCEK4s2AlC8hhc8O4mSSe3S4AzEhlRgHXbU22GBaUZ3s2WHS8JJwZvWeTjsbXQwjN/U7xpkqXPHLH9IVfOJbHlp4HQmCAXw4NaypgkkxIGK0jaZHm2j6/1izQIDAQAB"'';


     

       

       
95

       
+

       
        value = ''"v=spf1 a:mail.${config.networking.domain} -all"'';


     

       
83

       
96

       
 

       
      }


     

       
84

       
97

       
 

       
      {


     

       
85

       
98

       
 

       
        name = "_dmarc";


     

       
86

       
99

       
 

       
        ttl = 10800;


     

       
87

       
100

       
 

       
        type = "TXT";


     

       
88

       

       
-

       
        data = ''"v=DMARC1; p=reject"'';


     

       

       
101

       
+

       
        value = ''"v=DMARC1; p=reject"'';


     

       
89

       
102

       
 

       
      }


     

       
90

       
103

       
 

       
    ];


     

       
91

       
104

       
 

       
  };
+10 -7
modules/mastodon.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "mastodon.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       
9

       
 

       
  options.eilean.mastodon = { enable = mkEnableOption "mastodon"; };


     

       
9

       
10

       
 

       



     
···

       
26

       
27

       
 

       
      };


     

       
27

       
28

       
 

       
      extraConfig = {


     

       
28

       
29

       
 

       
        # override localDomain


     

       
29

       

       
-

       
        LOCAL_DOMAIN = "${domain}";


     

       
30

       

       
-

       
        WEB_DOMAIN = "mastodon.${domain}";


     

       

       
30

       
+

       
        LOCAL_DOMAIN = domain;


     

       

       
31

       
+

       
        WEB_DOMAIN = subdomain;


     

       
31

       
32

       
 

       



     

       
32

       
33

       
 

       
        # https://peterbabic.dev/blog/setting-up-smtp-in-mastodon/


     

       
33

       
34

       
 

       
        SMTP_SSL = "true";


     
···

       
39

       
40

       
 

       
    users.groups.${config.services.mastodon.group}.members =


     

       
40

       
41

       
 

       
      [ config.services.nginx.user ];


     

       
41

       
42

       
 

       



     

       

       
43

       
+

       
    security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ subdomain ];


     

       

       
44

       
+

       



     

       
42

       
45

       
 

       
    services.nginx = {


     

       
43

       
46

       
 

       
      enable = true;


     

       
44

       
47

       
 

       
      recommendedProxySettings = true;


     
···

       
46

       
49

       
 

       
        # relies on root domain being set up


     

       
47

       
50

       
 

       
        "${domain}".locations = {


     

       
48

       
51

       
 

       
          "/.well-known/host-meta".extraConfig = ''


     

       
49

       

       
-

       
            return 301 https://mastodon.${domain}$request_uri;


     

       

       
52

       
+

       
            return 301 https://${subdomain}$request_uri;


     

       
50

       
53

       
 

       
          '';


     

       
51

       
54

       
 

       
          "/.well-known/webfinger".extraConfig = ''


     

       
52

       

       
-

       
            return 301 https://mastodon.${domain}$request_uri;


     

       

       
55

       
+

       
            return 301 https://${subdomain}$request_uri;


     

       
53

       
56

       
 

       
          '';


     

       
54

       
57

       
 

       
        };


     

       
55

       

       
-

       
        "mastodon.${domain}" = {


     

       

       
58

       
+

       
        "${subdomain}" = {


     

       
56

       
59

       
 

       
          root = "${config.services.mastodon.package}/public/";


     

       
57

       
60

       
 

       
          forceSSL = true;


     

       
58

       

       
-

       
          enableACME = true;


     

       

       
61

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
59

       
62

       
 

       



     

       
60

       
63

       
 

       
          locations."/system/".alias = "/var/lib/mastodon/public-system/";


     

       
61

       
64

       
 

       



     
···

       
75

       
78

       
 

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       
76

       
79

       
 

       
      name = "mastodon";


     

       
77

       
80

       
 

       
      type = "CNAME";


     

       
78

       

       
-

       
      data = "vps";


     

       

       
81

       
+

       
      value = cfg.domainName;


     

       
79

       
82

       
 

       
    }];


     

       
80

       
83

       
 

       
  };


     

       
81

       
84

       
 

       
}
-197
modules/matrix/mautrix-signal.nix 
···

       
1

       

       
-

       
{ lib, config, pkgs, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  cfg = config.services.mautrix-signal;


     

       
4

       

       
-

       
  dataDir = "/var/lib/mautrix-signal";


     

       
5

       

       
-

       
  registrationFile = "${dataDir}/signal-registration.yaml";


     

       
6

       

       
-

       
  settingsFile = "${dataDir}/config.json";


     

       
7

       

       
-

       
  settingsFileUnsubstituted =


     

       
8

       

       
-

       
    settingsFormat.generate "mautrix-signal-config-unsubstituted.json"


     

       
9

       

       
-

       
    cfg.settings;


     

       
10

       

       
-

       
  settingsFormat = pkgs.formats.json { };


     

       
11

       

       
-

       
  appservicePort = 29328;


     

       
12

       

       
-

       



     

       
13

       

       
-

       
  mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);


     

       
14

       

       
-

       
  defaultConfig = {


     

       
15

       

       
-

       
    homeserver.address = "http://localhost:8448";


     

       
16

       

       
-

       
    signal = {


     

       
17

       

       
-

       
      socket_path = config.services.signald.socketPath;


     

       
18

       

       
-

       
      outgoing_attachment_dir = "/var/lib/signald/tmp";


     

       
19

       

       
-

       
    };


     

       
20

       

       
-

       
    appservice = {


     

       
21

       

       
-

       
      hostname = "[::]";


     

       
22

       

       
-

       
      port = appservicePort;


     

       
23

       

       
-

       
      database.type = "sqlite3";


     

       
24

       

       
-

       
      database.uri = "${dataDir}/mautrix-signal.db";


     

       
25

       

       
-

       
      id = "signal";


     

       
26

       

       
-

       
      bot.username = "signalbot";


     

       
27

       

       
-

       
      bot.displayname = "Signal Bridge Bot";


     

       
28

       

       
-

       
      as_token = "";


     

       
29

       

       
-

       
      hs_token = "";


     

       
30

       

       
-

       
    };


     

       
31

       

       
-

       
    bridge = {


     

       
32

       

       
-

       
      username_template = "signal_{{.}}";


     

       
33

       

       
-

       
      double_puppet_server_map = { };


     

       
34

       

       
-

       
      login_shared_secret_map = { };


     

       
35

       

       
-

       
      permissions."*" = "relay";


     

       
36

       

       
-

       
    };


     

       
37

       

       
-

       
    logging = {


     

       
38

       

       
-

       
      min_level = "info";


     

       
39

       

       
-

       
      writers = lib.singleton {


     

       
40

       

       
-

       
        type = "stdout";


     

       
41

       

       
-

       
        format = "pretty-colored";


     

       
42

       

       
-

       
        time_format = " ";


     

       
43

       

       
-

       
      };


     

       
44

       

       
-

       
    };


     

       
45

       

       
-

       
  };


     

       
46

       

       
-

       



     

       
47

       

       
-

       
in {


     

       
48

       

       
-

       
  options.services.mautrix-signal = {


     

       
49

       

       
-

       
    enable = lib.mkEnableOption (lib.mdDoc


     

       
50

       

       
-

       
      "mautrix-signal, a puppeting/relaybot bridge between Matrix and Signal.");


     

       
51

       

       
-

       



     

       
52

       

       
-

       
    settings = lib.mkOption {


     

       
53

       

       
-

       
      type = settingsFormat.type;


     

       
54

       

       
-

       
      default = defaultConfig;


     

       
55

       

       
-

       
      description = lib.mdDoc ''


     

       
56

       

       
-

       
        {file}`config.yaml` configuration as a Nix attribute set.


     

       
57

       

       
-

       
        Configuration options should match those described in


     

       
58

       

       
-

       
        [example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml).


     

       
59

       

       
-

       
      '';


     

       
60

       

       
-

       
      example = {


     

       
61

       

       
-

       
        appservice = {


     

       
62

       

       
-

       
          database = {


     

       
63

       

       
-

       
            type = "postgres";


     

       
64

       

       
-

       
            uri = "postgresql:///mautrix_signal?host=/run/postgresql";


     

       
65

       

       
-

       
          };


     

       
66

       

       
-

       
          id = "signal";


     

       
67

       

       
-

       
          ephemeral_events = false;


     

       
68

       

       
-

       
        };


     

       
69

       

       
-

       
        bridge = {


     

       
70

       

       
-

       
          history_sync = { request_full_sync = true; };


     

       
71

       

       
-

       
          private_chat_portal_meta = true;


     

       
72

       

       
-

       
          mute_bridging = true;


     

       
73

       

       
-

       
          encryption = {


     

       
74

       

       
-

       
            allow = true;


     

       
75

       

       
-

       
            default = true;


     

       
76

       

       
-

       
            require = true;


     

       
77

       

       
-

       
          };


     

       
78

       

       
-

       
          provisioning = { shared_secret = "disable"; };


     

       
79

       

       
-

       
          permissions = { "example.com" = "user"; };


     

       
80

       

       
-

       
        };


     

       
81

       

       
-

       
      };


     

       
82

       

       
-

       
    };


     

       
83

       

       
-

       



     

       
84

       

       
-

       
    serviceDependencies = lib.mkOption {


     

       
85

       

       
-

       
      type = with lib.types; listOf str;


     

       
86

       

       
-

       
      default = lib.optional config.services.matrix-synapse.enable


     

       
87

       

       
-

       
        config.services.matrix-synapse.serviceUnit;


     

       
88

       

       
-

       
      defaultText = lib.literalExpression ''


     

       
89

       

       
-

       
        optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits


     

       
90

       

       
-

       
      '';


     

       
91

       

       
-

       
      description = lib.mdDoc ''


     

       
92

       

       
-

       
        List of Systemd services to require and wait for when starting the application service.


     

       
93

       

       
-

       
      '';


     

       
94

       

       
-

       
    };


     

       
95

       

       
-

       
  };


     

       
96

       

       
-

       



     

       
97

       

       
-

       
  config = lib.mkIf cfg.enable {


     

       
98

       

       
-

       



     

       
99

       

       
-

       
    services.signald.enable = true;


     

       
100

       

       
-

       



     

       
101

       

       
-

       
    users.users.mautrix-signal = {


     

       
102

       

       
-

       
      isSystemUser = true;


     

       
103

       

       
-

       
      group = "mautrix-signal";


     

       
104

       

       
-

       
      home = dataDir;


     

       
105

       

       
-

       
      description = "Mautrix-Signal bridge user";


     

       
106

       

       
-

       
    };


     

       
107

       

       
-

       



     

       
108

       

       
-

       
    users.groups.mautrix-signal = { };


     

       
109

       

       
-

       



     

       
110

       

       
-

       
    services.mautrix-signal.settings = lib.mkMerge (map mkDefaults [


     

       
111

       

       
-

       
      defaultConfig


     

       
112

       

       
-

       
      # Note: this is defined here to avoid the docs depending on `config`


     

       
113

       

       
-

       
      {


     

       
114

       

       
-

       
        homeserver.domain = config.services.matrix-synapse.settings.server_name;


     

       
115

       

       
-

       
      }


     

       
116

       

       
-

       
    ]);


     

       
117

       

       
-

       



     

       
118

       

       
-

       
    systemd.services.mautrix-signal = {


     

       
119

       

       
-

       
      description = "Mautrix-Signal Service - A Signal bridge for Matrix";


     

       
120

       

       
-

       



     

       
121

       

       
-

       
      requires = [ "signald.service" ];


     

       
122

       

       
-

       
      # voice messages need `ffmpeg`


     

       
123

       

       
-

       
      path = [ pkgs.ffmpeg ];


     

       
124

       

       
-

       



     

       
125

       

       
-

       
      wantedBy = [ "multi-user.target" ];


     

       
126

       

       
-

       
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;


     

       
127

       

       
-

       
      after = [ "network-online.target" "signald.service" ]


     

       
128

       

       
-

       
        ++ cfg.serviceDependencies;


     

       
129

       

       
-

       



     

       
130

       

       
-

       
      preStart = ''


     

       
131

       

       
-

       
        # substitute the settings file by environment variables


     

       
132

       

       
-

       
        # in this case read from EnvironmentFile


     

       
133

       

       
-

       
        test -f '${settingsFile}' && rm -f '${settingsFile}'


     

       
134

       

       
-

       
        old_umask=$(umask)


     

       
135

       

       
-

       
        umask 0177


     

       
136

       

       
-

       
        ${pkgs.envsubst}/bin/envsubst \


     

       
137

       

       
-

       
          -o '${settingsFile}' \


     

       
138

       

       
-

       
          -i '${settingsFileUnsubstituted}'


     

       
139

       

       
-

       
        umask $old_umask


     

       
140

       

       
-

       



     

       
141

       

       
-

       
        # generate the appservice's registration file if absent


     

       
142

       

       
-

       
        if [ ! -f '${registrationFile}' ]; then


     

       
143

       

       
-

       
          ${pkgs.mautrix-signal}/bin/mautrix-signal \


     

       
144

       

       
-

       
            --generate-registration \


     

       
145

       

       
-

       
            --config='${settingsFile}' \


     

       
146

       

       
-

       
            --registration='${registrationFile}'


     

       
147

       

       
-

       
        fi


     

       
148

       

       
-

       
        chmod 640 ${registrationFile}


     

       
149

       

       
-

       



     

       
150

       

       
-

       
        umask 0177


     

       
151

       

       
-

       
        ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token


     

       
152

       

       
-

       
          | .[0].appservice.hs_token = .[1].hs_token


     

       
153

       

       
-

       
          | .[0]' '${settingsFile}' '${registrationFile}' \


     

       
154

       

       
-

       
          > '${settingsFile}.tmp'


     

       
155

       

       
-

       
        mv '${settingsFile}.tmp' '${settingsFile}'


     

       
156

       

       
-

       
        umask $old_umask


     

       
157

       

       
-

       
      '';


     

       
158

       

       
-

       



     

       
159

       

       
-

       
      serviceConfig = {


     

       
160

       

       
-

       
        SupplementaryGroups = [ "signald" ];


     

       
161

       

       
-

       
        User = "mautrix-signal";


     

       
162

       

       
-

       
        Group = "mautrix-signal";


     

       
163

       

       
-

       
        StateDirectory = baseNameOf dataDir;


     

       
164

       

       
-

       
        WorkingDirectory = dataDir;


     

       
165

       

       
-

       
        ExecStart = ''


     

       
166

       

       
-

       
          ${pkgs.mautrix-signal}/bin/mautrix-signal \


     

       
167

       

       
-

       
          --config='${settingsFile}' \


     

       
168

       

       
-

       
          --registration='${registrationFile}'


     

       
169

       

       
-

       
        '';


     

       
170

       

       
-

       
        LockPersonality = true;


     

       
171

       

       
-

       
        MemoryDenyWriteExecute = true;


     

       
172

       

       
-

       
        NoNewPrivileges = true;


     

       
173

       

       
-

       
        PrivateDevices = true;


     

       
174

       

       
-

       
        PrivateTmp = true;


     

       
175

       

       
-

       
        PrivateUsers = true;


     

       
176

       

       
-

       
        ProtectClock = true;


     

       
177

       

       
-

       
        ProtectControlGroups = true;


     

       
178

       

       
-

       
        ProtectHome = true;


     

       
179

       

       
-

       
        ProtectHostname = true;


     

       
180

       

       
-

       
        ProtectKernelLogs = true;


     

       
181

       

       
-

       
        ProtectKernelModules = true;


     

       
182

       

       
-

       
        ProtectKernelTunables = true;


     

       
183

       

       
-

       
        ProtectSystem = "strict";


     

       
184

       

       
-

       
        Restart = "on-failure";


     

       
185

       

       
-

       
        RestartSec = "30s";


     

       
186

       

       
-

       
        RestrictRealtime = true;


     

       
187

       

       
-

       
        RestrictSUIDSGID = true;


     

       
188

       

       
-

       
        SystemCallArchitectures = "native";


     

       
189

       

       
-

       
        SystemCallErrorNumber = "EPERM";


     

       
190

       

       
-

       
        SystemCallFilter = [ "@system-service" ];


     

       
191

       

       
-

       
        Type = "simple";


     

       
192

       

       
-

       
        UMask = 27;


     

       
193

       

       
-

       
      };


     

       
194

       

       
-

       
      restartTriggers = [ settingsFileUnsubstituted ];


     

       
195

       

       
-

       
    };


     

       
196

       

       
-

       
  };


     

       
197

       

       
-

       
}
+41 -39
modules/matrix/synapse.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  turnSharedSecretFile = "/run/matrix-synapse/turn-shared-secret";


     

       

       
7

       
+

       
  domain = config.networking.domain;


     

       

       
8

       
+

       
  subdomain = "matrix.${domain}";


     

       
7

       
9

       
 

       
in {


     

       
8

       
10

       
 

       
  options.eilean.matrix = {


     

       
9

       
11

       
 

       
    enable = mkEnableOption "matrix";


     
···

       
50

       
52

       
 

       
        LC_CTYPE = "C";


     

       
51

       
53

       
 

       
    '';


     

       
52

       
54

       
 

       



     

       

       
55

       
+

       
    security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ domain subdomain ];


     

       

       
56

       
+

       



     

       
53

       
57

       
 

       
    services.nginx = {


     

       
54

       
58

       
 

       
      enable = true;


     

       
55

       
59

       
 

       
      # only recommendedProxySettings and recommendedGzipSettings are strictly required,


     
···

       
61

       
65

       
 

       



     

       
62

       
66

       
 

       
      virtualHosts = {


     

       
63

       
67

       
 

       
        # This host section can be placed on a different host than the rest,


     

       
64

       

       
-

       
        # i.e. to delegate from the host being accessible as ${config.networking.domain}


     

       

       
68

       
+

       
        # i.e. to delegate from the host being accessible as ${domain}


     

       
65

       
69

       
 

       
        # to another host actually running the Matrix homeserver.


     

       
66

       

       
-

       
        "${config.networking.domain}" = {


     

       
67

       

       
-

       
          enableACME = true;


     

       

       
70

       
+

       
        "${domain}" = {


     

       

       
71

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
68

       
72

       
 

       
          forceSSL = true;


     

       
69

       
73

       
 

       



     

       
70

       
74

       
 

       
          locations."= /.well-known/matrix/server".extraConfig = let


     

       
71

       
75

       
 

       
            # use 443 instead of the default 8448 port to unite


     

       
72

       
76

       
 

       
            # the client-server and server-server port for simplicity


     

       
73

       

       
-

       
            server = { "m.server" = "matrix.${config.networking.domain}:443"; };


     

       

       
77

       
+

       
            server = { "m.server" = "${subdomain}:443"; };


     

       
74

       
78

       
 

       
          in ''


     

       
75

       
79

       
 

       
            default_type application/json;


     

       
76

       
80

       
 

       
            return 200 '${builtins.toJSON server}';


     

       
77

       
81

       
 

       
          '';


     

       
78

       
82

       
 

       
          locations."= /.well-known/matrix/client".extraConfig = let


     

       
79

       
83

       
 

       
            client = {


     

       
80

       

       
-

       
              "m.homeserver" = {


     

       
81

       

       
-

       
                "base_url" = "https://matrix.${config.networking.domain}";


     

       
82

       

       
-

       
              };


     

       

       
84

       
+

       
              "m.homeserver" = { "base_url" = "https://${subdomain}"; };


     

       
83

       
85

       
 

       
              "m.identity_server" = { "base_url" = "https://vector.im"; };


     

       
84

       
86

       
 

       
            };


     

       
85

       
87

       
 

       
            # ACAO required to allow element-web on any URL to request this json file


     
···

       
97

       
99

       
 

       
        };


     

       
98

       
100

       
 

       



     

       
99

       
101

       
 

       
        # Reverse proxy for Matrix client-server and server-server communication


     

       
100

       

       
-

       
        "matrix.${config.networking.domain}" = {


     

       
101

       

       
-

       
          enableACME = true;


     

       

       
102

       
+

       
        "${subdomain}" = {


     

       

       
103

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
102

       
104

       
 

       
          forceSSL = true;


     

       
103

       
105

       
 

       



     

       
104

       
106

       
 

       
          # Or do a redirect instead of the 404, or whatever is appropriate for you.


     
···

       
108

       
110

       
 

       
          '';


     

       
109

       
111

       
 

       



     

       
110

       
112

       
 

       
          # forward all Matrix API calls to the synapse Matrix homeserver


     

       
111

       

       
-

       
          locations."/_matrix" = {


     

       
112

       

       
-

       
            proxyPass = "http://127.0.0.1:8008"; # without a trailing /


     

       
113

       

       
-

       
            #proxyPassReverse = "http://127.0.0.1:8008"; # without a trailing /


     

       

       
113

       
+

       
          locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = {


     

       

       
114

       
+

       
            proxyPass = "http://127.0.0.1:8008";


     

       
114

       
115

       
 

       
          };


     

       
115

       
116

       
 

       
        };


     

       
116

       
117

       
 

       
      };


     
···

       
120

       
121

       
 

       
      enable = true;


     

       
121

       
122

       
 

       
      settings = mkMerge [


     

       
122

       
123

       
 

       
        {


     

       
123

       

       
-

       
          server_name = config.networking.domain;


     

       

       
124

       
+

       
          server_name = domain;


     

       
124

       
125

       
 

       
          enable_registration = true;


     

       
125

       
126

       
 

       
          registration_requires_token = true;


     

       
126

       
127

       
 

       
          registration_shared_secret_path = cfg.matrix.registrationSecretFile;


     
···

       
136

       
137

       
 

       
            }];


     

       
137

       
138

       
 

       
          }];


     

       
138

       
139

       
 

       
          max_upload_size = "100M";


     

       
139

       

       
-

       
          app_service_config_files = (optional cfg.matrix.bridges.whatsapp


     

       
140

       

       
-

       
            "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml")


     

       
141

       

       
-

       
            ++ (optional cfg.matrix.bridges.signal


     

       
142

       

       
-

       
              "/var/lib/mautrix-signal/signal-registration.yaml")


     

       
143

       

       
-

       
            ++ (optional cfg.matrix.bridges.instagram


     

       
144

       

       
-

       
              "/var/lib/mautrix-instagram/instagram-registration.yaml")


     

       

       
140

       
+

       
          app_service_config_files = (optional cfg.matrix.bridges.instagram


     

       

       
141

       
+

       
            "/var/lib/mautrix-instagram/instagram-registration.yaml")


     

       
145

       
142

       
 

       
            ++ (optional cfg.matrix.bridges.messenger


     

       
146

       
143

       
 

       
              "/var/lib/mautrix-messenger/messenger-registration.yaml");


     

       
147

       
144

       
 

       
        }


     
···

       
178

       
175

       
 

       
      [ "matrix-synapse-turn-shared-secret-generator.service" ];


     

       
179

       
176

       
 

       



     

       
180

       
177

       
 

       
    systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups =


     

       

       
178

       
+

       
      # remove after https://github.com/NixOS/nixpkgs/pull/311681/files


     

       
181

       
179

       
 

       
      (optional cfg.matrix.bridges.whatsapp


     

       
182

       
180

       
 

       
        config.systemd.services.mautrix-whatsapp.serviceConfig.Group)


     

       
183

       

       
-

       
      ++ (optional cfg.matrix.bridges.signal


     

       
184

       

       
-

       
        config.systemd.services.mautrix-signal.serviceConfig.Group)


     

       
185

       
181

       
 

       
      ++ (optional cfg.matrix.bridges.instagram


     

       
186

       
182

       
 

       
        config.systemd.services.mautrix-instagram.serviceConfig.Group)


     

       
187

       
183

       
 

       
      ++ (optional cfg.matrix.bridges.messenger


     
···

       
189

       
185

       
 

       



     

       
190

       
186

       
 

       
    services.mautrix-whatsapp = mkIf cfg.matrix.bridges.whatsapp {


     

       
191

       
187

       
 

       
      enable = true;


     

       
192

       

       
-

       
      settings.homeserver.address =


     

       
193

       

       
-

       
        "https://matrix.${config.networking.domain}";


     

       
194

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
188

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
189

       
+

       
      settings.homeserver.domain = domain;


     

       
195

       
190

       
 

       
      settings.appservice.hostname = "localhost";


     

       
196

       
191

       
 

       
      settings.appservice.address = "http://localhost:29318";


     

       
197

       
192

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
198

       
193

       
 

       
      settings.bridge.history_sync.backfill = false;


     

       
199

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =


     

       

       
194

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       
200

       
195

       
 

       
        "admin";


     

       

       
196

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
197

       
+

       
      settings.bridge.encryption.default = true;


     

       
201

       
198

       
 

       
    };


     

       

       
199

       
+

       
    # using https://github.com/NixOS/nixpkgs/pull/277368


     

       
202

       
200

       
 

       
    services.mautrix-signal = mkIf cfg.matrix.bridges.signal {


     

       
203

       
201

       
 

       
      enable = true;


     

       
204

       

       
-

       
      settings.homeserver.address =


     

       
205

       

       
-

       
        "https://matrix.${config.networking.domain}";


     

       
206

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
202

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
203

       
+

       
      settings.homeserver.domain = domain;


     

       
207

       
204

       
 

       
      settings.appservice.hostname = "localhost";


     

       
208

       
205

       
 

       
      settings.appservice.address = "http://localhost:29328";


     

       
209

       
206

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
210

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =


     

       

       
207

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       
211

       
208

       
 

       
        "admin";


     

       

       
209

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
210

       
+

       
      settings.bridge.encryption.default = true;


     

       
212

       
211

       
 

       
    };


     

       

       
212

       
+

       
    # TODO replace with upstreamed mautrix-meta


     

       
213

       
213

       
 

       
    services.mautrix-instagram = mkIf cfg.matrix.bridges.instagram {


     

       
214

       
214

       
 

       
      enable = true;


     

       
215

       

       
-

       
      settings.homeserver.address =


     

       
216

       

       
-

       
        "https://matrix.${config.networking.domain}";


     

       
217

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
215

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
216

       
+

       
      settings.homeserver.domain = domain;


     

       
218

       
217

       
 

       
      settings.appservice.hostname = "localhost";


     

       
219

       
218

       
 

       
      settings.appservice.address = "http://localhost:29319";


     

       
220

       
219

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
221

       
220

       
 

       
      settings.bridge.backfill.enabled = false;


     

       
222

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =


     

       

       
221

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       
223

       
222

       
 

       
        "admin";


     

       

       
223

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
224

       
+

       
      settings.bridge.encryption.default = true;


     

       
224

       
225

       
 

       
    };


     

       
225

       
226

       
 

       
    services.mautrix-messenger = mkIf cfg.matrix.bridges.messenger {


     

       
226

       
227

       
 

       
      enable = true;


     

       
227

       

       
-

       
      settings.homeserver.address =


     

       
228

       

       
-

       
        "https://matrix.${config.networking.domain}";


     

       
229

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
228

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
229

       
+

       
      settings.homeserver.domain = domain;


     

       
230

       
230

       
 

       
      settings.appservice.hostname = "localhost";


     

       
231

       
231

       
 

       
      settings.appservice.address = "http://localhost:29320";


     

       
232

       
232

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
233

       
233

       
 

       
      settings.bridge.backfill.enabled = false;


     

       
234

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" =


     

       

       
234

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       
235

       
235

       
 

       
        "admin";


     

       

       
236

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
237

       
+

       
      settings.bridge.encryption.default = true;


     

       
236

       
238

       
 

       
    };


     

       
237

       
239

       
 

       



     

       
238

       
240

       
 

       
    eilean.turn.enable = mkIf cfg.matrix.turn true;


     

       
239

       
241

       
 

       



     

       
240

       
242

       
 

       
    eilean.dns.enable = true;


     

       
241

       

       
-

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       

       
243

       
+

       
    eilean.services.dns.zones.${domain}.records = [{


     

       
242

       
244

       
 

       
      name = "matrix";


     

       
243

       
245

       
 

       
      type = "CNAME";


     

       
244

       

       
-

       
      data = "vps";


     

       

       
246

       
+

       
      value = cfg.domainName;


     

       
245

       
247

       
 

       
    }];


     

       
246

       
248

       
 

       
  };


     

       
247

       
249

       
 

       
}
+81
modules/radicale.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let


     

       

       
5

       
+

       
  cfg = config.eilean;


     

       

       
6

       
+

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  passwdDir = "/var/lib/radicale/users";


     

       

       
8

       
+

       
  passwdFile = "${passwdDir}/passwd";


     

       

       
9

       
+

       
  userOps = { name, ... }: {


     

       

       
10

       
+

       
    options = {


     

       

       
11

       
+

       
      name = mkOption {


     

       

       
12

       
+

       
        type = types.str;


     

       

       
13

       
+

       
        readOnly = true;


     

       

       
14

       
+

       
        default = name;


     

       

       
15

       
+

       
      };


     

       

       
16

       
+

       
      passwordFile = mkOption { type = types.nullOr types.str; };


     

       

       
17

       
+

       
    };


     

       

       
18

       
+

       
  };


     

       

       
19

       
+

       
in {


     

       

       
20

       
+

       
  options.eilean.radicale = {


     

       

       
21

       
+

       
    enable = mkEnableOption "radicale";


     

       

       
22

       
+

       
    users = mkOption {


     

       

       
23

       
+

       
      type = with types; nullOr (attrsOf (submodule userOps));


     

       

       
24

       
+

       
      default = { };


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       
  };


     

       

       
27

       
+

       



     

       

       
28

       
+

       
  config = mkIf cfg.radicale.enable {


     

       

       
29

       
+

       
    services.radicale = {


     

       

       
30

       
+

       
      enable = true;


     

       

       
31

       
+

       
      settings = {


     

       

       
32

       
+

       
        server = { hosts = [ "0.0.0.0:5232" ]; };


     

       

       
33

       
+

       
        auth = {


     

       

       
34

       
+

       
          type = "htpasswd";


     

       

       
35

       
+

       
          htpasswd_filename = passwdFile;


     

       

       
36

       
+

       
          htpasswd_encryption = "bcrypt";


     

       

       
37

       
+

       
        };


     

       

       
38

       
+

       
        storage = { filesystem_folder = "/var/lib/radicale/collections"; };


     

       

       
39

       
+

       
      };


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       



     

       

       
42

       
+

       
    systemd.services.radicale = {


     

       

       
43

       
+

       
      serviceConfig.ReadWritePaths = [ "/var/lib/radicale" ];


     

       

       
44

       
+

       
      preStart = lib.mkIf (cfg.radicale.users != null) ''


     

       

       
45

       
+

       
        if (! test -d "${passwdDir}"); then


     

       

       
46

       
+

       
          mkdir "${passwdDir}"


     

       

       
47

       
+

       
          chmod 755 "${passwdDir}"


     

       

       
48

       
+

       
        fi


     

       

       
49

       
+

       



     

       

       
50

       
+

       
        umask 077


     

       

       
51

       
+

       



     

       

       
52

       
+

       
        cat <<EOF > ${passwdFile}


     

       

       
53

       
+

       



     

       

       
54

       
+

       
        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:


     

       

       
55

       
+

       
          ''


     

       

       
56

       
+

       
            $(${pkgs.apacheHttpd}/bin/htpasswd -nbB "${name}" "$(head -n 2 ${value.passwordFile})")'')


     

       

       
57

       
+

       
          cfg.radicale.users)}


     

       

       
58

       
+

       
        EOF


     

       

       
59

       
+

       
      '';


     

       

       
60

       
+

       
    };


     

       

       
61

       
+

       



     

       

       
62

       
+

       
    services.nginx = {


     

       

       
63

       
+

       
      enable = true;


     

       

       
64

       
+

       
      recommendedProxySettings = true;


     

       

       
65

       
+

       
      virtualHosts = {


     

       

       
66

       
+

       
        "cal.${domain}" = {


     

       

       
67

       
+

       
          forceSSL = true;


     

       

       
68

       
+

       
          enableACME = true;


     

       

       
69

       
+

       
          locations."/" = { proxyPass = "http://localhost:5232"; };


     

       

       
70

       
+

       
        };


     

       

       
71

       
+

       
      };


     

       

       
72

       
+

       
    };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
    eilean.dns.enable = true;


     

       

       
75

       
+

       
    eilean.services.dns.zones.${domain}.records = [{


     

       

       
76

       
+

       
      name = "cal";


     

       

       
77

       
+

       
      type = "CNAME";


     

       

       
78

       
+

       
      value = cfg.domainName;


     

       

       
79

       
+

       
    }];


     

       

       
80

       
+

       
  };


     

       

       
81

       
+

       
}
+3
modules/services/dns/bind.nix 
···

       
17

       
17

       
 

       
    in builtins.mapAttrs mapZones cfg.zones;


     

       
18

       
18

       
 

       
  };


     

       
19

       
19

       
 

       



     

       

       
20

       
+

       
  users.users = { named.extraGroups = [ config.services.opendkim.group ]; };


     

       

       
21

       
+

       



     

       
20

       
22

       
 

       
  ### bind prestart copy zonefiles


     

       
21

       
23

       
 

       
  systemd.services.bind.preStart = let


     

       
22

       
24

       
 

       
    ops = let


     
···

       
29

       
31

       
 

       
        in ''


     

       
30

       
32

       
 

       
          if ! diff ${zonefile} ${path} > /dev/null; then


     

       
31

       
33

       
 

       
            cp ${zonefile} ${path}


     

       

       
34

       
+

       
            cat ${config.mailserver.dkimKeyDirectory}/*.txt >> ${path}


     

       
32

       
35

       
 

       
            # remove journal file to avoid 'journal out of sync with zone'


     

       
33

       
36

       
 

       
            # NB this will reset dynamic updates


     

       
34

       
37

       
 

       
            rm -f ${path}.signed.jnl
+4 -4
modules/services/dns/default.nix 
···

       
43

       
43

       
 

       
          default = null;


     

       
44

       
44

       
 

       
        };


     

       
45

       
45

       
 

       
        type = mkOption { type = types.str; };


     

       
46

       

       
-

       
        data = mkOption { type = types.str; };


     

       

       
46

       
+

       
        value = mkOption { type = types.str; };


     

       
47

       
47

       
 

       
      };


     

       
48

       
48

       
 

       
    in mkOption {


     

       
49

       
49

       
 

       
      type = with types; listOf (submodule recordOpts);


     
···

       
51

       
51

       
 

       
    };


     

       
52

       
52

       
 

       
  };


     

       
53

       
53

       
 

       
in {


     

       
54

       

       
-

       
  imports = [ ./bind.nix ];


     

       

       
54

       
+

       
  imports = [ ./bind.nix ./eon.nix ];


     

       
55

       
55

       
 

       



     

       
56

       
56

       
 

       
  options.eilean.services.dns = {


     

       
57

       
57

       
 

       
    enable = mkEnableOption "DNS server";


     

       
58

       
58

       
 

       
    server = mkOption {


     

       
59

       

       
-

       
      type = types.enum [ "bind" ];


     

       
60

       

       
-

       
      default = "bind";


     

       

       
59

       
+

       
      type = types.enum [ "bind" "eon" ];


     

       

       
60

       
+

       
      default = if config.eilean.acme-eon then "eon" else "bind";


     

       
61

       
61

       
 

       
    };


     

       
62

       
62

       
 

       
    openFirewall = mkOption {


     

       
63

       
63

       
 

       
      type = types.bool;
+42
modules/services/dns/eon.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
let cfg = config.eilean.services.dns;


     

       

       
4

       
+

       
in lib.mkIf (cfg.enable && cfg.server == "eon") {


     

       

       
5

       
+

       
  services.eon = {


     

       

       
6

       
+

       
    enable = true;


     

       

       
7

       
+

       
    application = "capd";


     

       

       
8

       
+

       
    capnpAddress = lib.mkDefault config.networking.domain;


     

       

       
9

       
+

       
    zoneFiles = let


     

       

       
10

       
+

       
      mapZonefile = zonename: zone:


     

       

       
11

       
+

       
        "${


     

       

       
12

       
+

       
          import ./zonefile.nix { inherit pkgs config lib zonename zone; }


     

       

       
13

       
+

       
        }/${zonename}";


     

       

       
14

       
+

       
    in lib.attrsets.mapAttrsToList mapZonefile cfg.zones;


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       



     

       

       
17

       
+

       
  users.users = { eon.extraGroups = [ config.services.opendkim.group ]; };


     

       

       
18

       
+

       



     

       

       
19

       
+

       
  ### bind prestart copy zonefiles


     

       

       
20

       
+

       
  systemd.services.eon.postStart = let


     

       

       
21

       
+

       
    update = ''


     

       

       
22

       
+

       
      update() {


     

       

       
23

       
+

       
        local file="$1"


     

       

       
24

       
+

       
        local domain="$2"


     

       

       
25

       
+

       
        local input=$(tr -d '\n' < "$file")


     

       

       
26

       
+

       
        local record_name=$(echo "$input" | ${pkgs.gawk}/bin/awk '{print $1}')


     

       

       
27

       
+

       
        local record_type=$(echo "$input" | ${pkgs.gawk}/bin/awk '{print $3}')


     

       

       
28

       
+

       
        local ttl=3600


     

       

       
29

       
+

       
        local record_value=$(echo "$input" | ${pkgs.gnused}/bin/sed -E 's/[^"]*"([^"]*)"[^"]*/\1/g')


     

       

       
30

       
+

       
        ${config.services.eon.package}/bin/capc update /var/lib/eon/caps/domain/''${domain}.cap -u "add|''${record_name}.''${domain}|''${record_type}|''${record_value}|''${ttl}" || exit 0


     

       

       
31

       
+

       
      }


     

       

       
32

       
+

       
      shopt -s nullglob


     

       

       
33

       
+

       
    '';


     

       

       
34

       
+

       
    ops = let


     

       

       
35

       
+

       
      mapZones = zonename: zone: ''


     

       

       
36

       
+

       
        for f in ${config.mailserver.dkimKeyDirectory}/${zonename}.*.txt; do


     

       

       
37

       
+

       
          update $f ${zonename}


     

       

       
38

       
+

       
        done


     

       

       
39

       
+

       
      '';


     

       

       
40

       
+

       
    in lib.attrsets.mapAttrsToList mapZones cfg.zones;


     

       

       
41

       
+

       
  in update + builtins.concatStringsSep "\n" ops;


     

       

       
42

       
+

       
}
+1 -1
modules/services/dns/zonefile.nix 
···

       
14

       
14

       
 

       
      ${builtins.toString zone.soa.negativeCacheTtl}


     

       
15

       
15

       
 

       
    )


     

       
16

       
16

       
 

       
    ${lib.strings.concatStringsSep "\n" (builtins.map


     

       
17

       

       
-

       
      (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.data}")


     

       

       
17

       
+

       
      (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.value}")


     

       
18

       
18

       
 

       
      zone.records)}


     

       
19

       
19

       
 

       
  '';


     

       
20

       
20

       
 

       
}
+32 -15
modules/turn.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "turn.${domain}";


     

       
7

       
8

       
 

       
  staticAuthSecretFile = "/run/coturn/static-auth-secret";


     

       
8

       
9

       
 

       
in {


     

       
9

       
10

       
 

       
  options.eilean.turn = { enable = mkEnableOption "TURN server"; };


     

       
10

       
11

       
 

       



     

       
11

       
12

       
 

       
  config = mkIf cfg.turn.enable {


     

       
12

       

       
-

       
    services.coturn = rec {


     

       

       
13

       
+

       
    security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {


     

       

       
14

       
+

       
      group = "turnserver";


     

       

       
15

       
+

       
      reloadServices = [ "coturn" ];


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
    services.coturn = let


     

       

       
19

       
+

       
      certDir = if cfg.acme-eon then


     

       

       
20

       
+

       
        config.security.acme-eon.certs.${subdomain}.directory


     

       

       
21

       
+

       
      else


     

       

       
22

       
+

       
        config.security.acme.certs.${subdomain}.directory;


     

       

       
23

       
+

       
    in {


     

       
13

       
24

       
 

       
      enable = true;


     

       
14

       
25

       
 

       
      no-cli = true;


     

       
15

       
26

       
 

       
      no-tcp-relay = true;


     

       
16

       
27

       
 

       
      secure-stun = true;


     

       
17

       
28

       
 

       
      use-auth-secret = true;


     

       
18

       
29

       
 

       
      static-auth-secret-file = staticAuthSecretFile;


     

       
19

       

       
-

       
      realm = "turn.${domain}";


     

       

       
30

       
+

       
      realm = subdomain;


     

       
20

       
31

       
 

       
      relay-ips = with config.eilean; [ serverIpv4 serverIpv6 ];


     

       
21

       

       
-

       
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";


     

       
22

       

       
-

       
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";


     

       

       
32

       
+

       
      cert = "${certDir}/fullchain.pem";


     

       

       
33

       
+

       
      pkey = "${certDir}/key.pem";


     

       
23

       
34

       
 

       
    };


     

       
24

       
35

       
 

       



     

       
25

       
36

       
 

       
    systemd.services = {


     
···

       
28

       
39

       
 

       
        script = ''


     

       
29

       
40

       
 

       
          if [ ! -f '${staticAuthSecretFile}' ]; then


     

       
30

       
41

       
 

       
            umask 077


     

       

       
42

       
+

       
            DIR="$(dirname '${staticAuthSecretFile}')"


     

       

       
43

       
+

       
            mkdir -p "$DIR"


     

       
31

       
44

       
 

       
            tr -dc A-Za-z0-9 </dev/urandom | head -c 32 > '${staticAuthSecretFile}'


     

       
32

       

       
-

       
            chown ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} '${staticAuthSecretFile}'


     

       

       
45

       
+

       
            chown -R ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} "$DIR"


     

       
33

       
46

       
 

       
          fi


     

       
34

       
47

       
 

       
        '';


     

       
35

       
48

       
 

       
        serviceConfig.Type = "oneshot";


     

       
36

       
49

       
 

       
        serviceConfig.RemainAfterExit = true;


     

       
37

       
50

       
 

       
      };


     

       
38

       
51

       
 

       
      "coturn" = {


     

       
39

       

       
-

       
        after = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
52

       
+

       
        after = [ "coturn-static-auth-secret-generator.service" ]


     

       

       
53

       
+

       
          ++ lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";


     

       
40

       
54

       
 

       
        requires = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
55

       
+

       
        wants = lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";


     

       
41

       
56

       
 

       
      };


     

       
42

       
57

       
 

       
    };


     

       
43

       
58

       
 

       



     
···

       
61

       
76

       
 

       
        allowedUDPPortRanges = [ turn-range ];


     

       
62

       
77

       
 

       
      };


     

       
63

       
78

       
 

       



     

       
64

       

       
-

       
    security.acme.certs.${config.services.coturn.realm} = {


     

       
65

       

       
-

       
      postRun =


     

       
66

       

       
-

       
        "systemctl reload nginx.service; systemctl restart coturn.service";


     

       
67

       

       
-

       
      group = "turnserver";


     

       
68

       

       
-

       
    };


     

       
69

       

       
-

       
    services.nginx.enable = true;


     

       
70

       

       
-

       
    services.nginx.virtualHosts = {


     

       

       
79

       
+

       
    security.acme.certs.${config.services.coturn.realm} =


     

       

       
80

       
+

       
      lib.mkIf (!cfg.acme-eon) {


     

       

       
81

       
+

       
        postRun =


     

       

       
82

       
+

       
          "systemctl reload nginx.service; systemctl restart coturn.service";


     

       

       
83

       
+

       
        group = "turnserver";


     

       

       
84

       
+

       
      };


     

       

       
85

       
+

       
    services.nginx.enable = lib.mkIf (!cfg.acme-eon) true;


     

       

       
86

       
+

       
    services.nginx.virtualHosts = lib.mkIf (!cfg.acme-eon) {


     

       
71

       
87

       
 

       
      "${config.services.coturn.realm}" = {


     

       
72

       
88

       
 

       
        forceSSL = true;


     

       
73

       
89

       
 

       
        enableACME = true;


     

       
74

       
90

       
 

       
      };


     

       
75

       
91

       
 

       
    };


     

       
76

       

       
-

       
    users.groups."turnserver".members = [ config.services.nginx.user ];


     

       

       
92

       
+

       
    users.groups."turnserver".members =


     

       

       
93

       
+

       
      lib.mkIf (!cfg.acme-eon) [ config.services.nginx.user ];


     

       
77

       
94

       
 

       



     

       
78

       
95

       
 

       
    eilean.dns.enable = true;


     

       
79

       
96

       
 

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       
80

       
97

       
 

       
      name = "turn";


     

       
81

       
98

       
 

       
      type = "CNAME";


     

       
82

       

       
-

       
      data = "vps";


     

       

       
99

       
+

       
      value = cfg.domainName;


     

       
83

       
100

       
 

       
    }];


     

       
84

       
101

       
 

       
  };


     

       
85

       
102

       
 

       
}
+6 -4
pkgs/mautrix-meta.nix 
···

       
1

       
1

       
 

       
{ lib, buildGoModule, fetchFromGitHub, olm }:


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
buildGoModule rec {


     

       

       
3

       
+

       
let version = "0.4.4";


     

       

       
4

       
+

       
in buildGoModule rec {


     

       
4

       
5

       
 

       
  name = "mautrix-meta";


     

       

       
6

       
+

       
  inherit version;


     

       
5

       
7

       
 

       



     

       
6

       
8

       
 

       
  src = fetchFromGitHub {


     

       
7

       
9

       
 

       
    owner = "mautrix";


     

       
8

       
10

       
 

       
    repo = "meta";


     

       
9

       

       
-

       
    rev = "7941e937055b792d2cbfde5d9c8c4df75e68ff0a";


     

       
10

       

       
-

       
    hash = "sha256-QDqN6AAaEngWo4UxKAyIXB7BwCEJqsMTeuMb2fKu/9o=";


     

       

       
11

       
+

       
    rev = "v${version}";


     

       

       
12

       
+

       
    hash = "sha256-S8x3TGQEs+oh/3Q1Gz00M8dOcjjuHSgzVhqlbikZ8QE=";


     

       
11

       
13

       
 

       
  };


     

       
12

       
14

       
 

       



     

       
13

       
15

       
 

       
  buildInputs = [ olm ];


     

       
14

       
16

       
 

       



     

       
15

       

       
-

       
  vendorHash = "sha256-ClHg3OEKgXYsmBm/aFKWZXbaLOmKdNyvw42QGhtTRik=";


     

       

       
17

       
+

       
  vendorHash = "sha256-sUnvwPJQOoVzxbo2lS3CRcTrWsPjgYPsKClVw1wZJdM=";


     

       
16

       
18

       
 

       



     

       
17

       
19

       
 

       
  doCheck = false;


     

       
18

       
20
+2 -1
template/configuration.nix 
···

       
43

       
43

       
 

       



     

       
44

       
44

       
 

       
  # TODO replace this with domain


     

       
45

       
45

       
 

       
  networking.domain = "example.org";


     

       
46

       

       
-

       
  security.acme.acceptTerms = true;


     

       

       
46

       
+

       
  security.acme.acceptTerms = lib.mkIf (!config.eilean.acme-eon) true;


     

       

       
47

       
+

       
  security.acme-eon.acceptTerms = lib.mkIf config.eilean.acme-eon true;


     

       
47

       
48

       
 

       



     

       
48

       
49

       
 

       
  # TODO select internationalisation properties


     

       
49

       
50

       
 

       
  i18n.defaultLocale = "en_GB.UTF-8";