ryan.freumh.org / eilean-nix
Self-host your own digital island
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+853 -730
flake.lock
flake.nix
man
default.nix
modules
acme-eon.nix
default.nix
dns.nix
fail2ban.nix
gitea.nix
headscale.nix
mailserver.nix
mastodon.nix
matrix
mautrix-instagram.nix
mautrix-messenger.nix
mautrix-signal.nix
synapse.nix
radicale.nix
services
dns
bind.nix
default.nix
eon.nix
zonefile.nix
turn.nix
wireguard
default.nix
pkgs
mautrix-meta.nix
template
configuration.nix
flake.nix
+185 -42
flake.lock 
···

       
16

       
16

       
 

       
        "type": "gitlab"


     

       
17

       
17

       
 

       
      }


     

       
18

       
18

       
 

       
    },


     

       

       
19

       
+

       
    "eon": {


     

       

       
20

       
+

       
      "inputs": {


     

       

       
21

       
+

       
        "flake-utils": "flake-utils",


     

       

       
22

       
+

       
        "nixpkgs": [


     

       

       
23

       
+

       
          "nixpkgs"


     

       

       
24

       
+

       
        ],


     

       

       
25

       
+

       
        "opam-nix": "opam-nix"


     

       

       
26

       
+

       
      },


     

       

       
27

       
+

       
      "locked": {


     

       

       
28

       
+

       
        "lastModified": 1738666931,


     

       

       
29

       
+

       
        "narHash": "sha256-dTF+etN5ZDPVwK8XV/huQByY6JohiVgpCfzVJWAZY1I=",


     

       

       
30

       
+

       
        "owner": "RyanGibb",


     

       

       
31

       
+

       
        "repo": "eon",


     

       

       
32

       
+

       
        "rev": "42523d1d8f720215ab5108a1b42e9c5b7d17d4bf",


     

       

       
33

       
+

       
        "type": "github"


     

       

       
34

       
+

       
      },


     

       

       
35

       
+

       
      "original": {


     

       

       
36

       
+

       
        "owner": "RyanGibb",


     

       

       
37

       
+

       
        "repo": "eon",


     

       

       
38

       
+

       
        "type": "github"


     

       

       
39

       
+

       
      }


     

       

       
40

       
+

       
    },


     

       
19

       
41

       
 

       
    "flake-compat": {


     

       
20

       
42

       
 

       
      "flake": false,


     

       
21

       
43

       
 

       
      "locked": {


     
···

       
32

       
54

       
 

       
        "type": "github"


     

       
33

       
55

       
 

       
      }


     

       
34

       
56

       
 

       
    },


     

       

       
57

       
+

       
    "flake-compat_2": {


     

       

       
58

       
+

       
      "flake": false,


     

       

       
59

       
+

       
      "locked": {


     

       

       
60

       
+

       
        "lastModified": 1696426674,


     

       

       
61

       
+

       
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",


     

       

       
62

       
+

       
        "owner": "edolstra",


     

       

       
63

       
+

       
        "repo": "flake-compat",


     

       

       
64

       
+

       
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",


     

       

       
65

       
+

       
        "type": "github"


     

       

       
66

       
+

       
      },


     

       

       
67

       
+

       
      "original": {


     

       

       
68

       
+

       
        "owner": "edolstra",


     

       

       
69

       
+

       
        "repo": "flake-compat",


     

       

       
70

       
+

       
        "type": "github"


     

       

       
71

       
+

       
      }


     

       

       
72

       
+

       
    },


     

       

       
73

       
+

       
    "flake-utils": {


     

       

       
74

       
+

       
      "inputs": {


     

       

       
75

       
+

       
        "systems": "systems"


     

       

       
76

       
+

       
      },


     

       

       
77

       
+

       
      "locked": {


     

       

       
78

       
+

       
        "lastModified": 1731533236,


     

       

       
79

       
+

       
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",


     

       

       
80

       
+

       
        "owner": "numtide",


     

       

       
81

       
+

       
        "repo": "flake-utils",


     

       

       
82

       
+

       
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",


     

       

       
83

       
+

       
        "type": "github"


     

       

       
84

       
+

       
      },


     

       

       
85

       
+

       
      "original": {


     

       

       
86

       
+

       
        "owner": "numtide",


     

       

       
87

       
+

       
        "repo": "flake-utils",


     

       

       
88

       
+

       
        "type": "github"


     

       

       
89

       
+

       
      }


     

       

       
90

       
+

       
    },


     

       

       
91

       
+

       
    "mirage-opam-overlays": {


     

       

       
92

       
+

       
      "flake": false,


     

       

       
93

       
+

       
      "locked": {


     

       

       
94

       
+

       
        "lastModified": 1710922379,


     

       

       
95

       
+

       
        "narHash": "sha256-j4QREQDUf8oHOX7qg6wAOupgsNQoYlufxoPrgagD+pY=",


     

       

       
96

       
+

       
        "owner": "dune-universe",


     

       

       
97

       
+

       
        "repo": "mirage-opam-overlays",


     

       

       
98

       
+

       
        "rev": "797cb363df3ff763c43c8fbec5cd44de2878757e",


     

       

       
99

       
+

       
        "type": "github"


     

       

       
100

       
+

       
      },


     

       

       
101

       
+

       
      "original": {


     

       

       
102

       
+

       
        "owner": "dune-universe",


     

       

       
103

       
+

       
        "repo": "mirage-opam-overlays",


     

       

       
104

       
+

       
        "type": "github"


     

       

       
105

       
+

       
      }


     

       

       
106

       
+

       
    },


     

       
35

       
107

       
 

       
    "nixos-mailserver": {


     

       
36

       
108

       
 

       
      "inputs": {


     

       
37

       
109

       
 

       
        "blobs": "blobs",


     

       
38

       

       
-

       
        "flake-compat": "flake-compat",


     

       
39

       

       
-

       
        "nixpkgs": "nixpkgs",


     

       
40

       

       
-

       
        "nixpkgs-23_05": "nixpkgs-23_05",


     

       
41

       

       
-

       
        "nixpkgs-23_11": "nixpkgs-23_11",


     

       

       
110

       
+

       
        "flake-compat": "flake-compat_2",


     

       

       
111

       
+

       
        "nixpkgs": [


     

       

       
112

       
+

       
          "nixpkgs"


     

       

       
113

       
+

       
        ],


     

       

       
114

       
+

       
        "nixpkgs-24_05": "nixpkgs-24_05",


     

       
42

       
115

       
 

       
        "utils": "utils"


     

       
43

       
116

       
 

       
      },


     

       
44

       
117

       
 

       
      "locked": {


     

       
45

       

       
-

       
        "lastModified": 1711069052,


     

       
46

       

       
-

       
        "narHash": "sha256-QScBLiWRDmrOhG4/jCrdZTNe8zQdf6gzSZocAYOcG3U=",


     

       

       
118

       
+

       
        "lastModified": 1718183756,


     

       

       
119

       
+

       
        "narHash": "sha256-m5JQT/RIegSLZJx41Cv7d8Xoa2KKq+5uLkgB5KJR5D0=",


     

       
47

       
120

       
 

       
        "owner": "RyanGibb",


     

       
48

       
121

       
 

       
        "repo": "nixos-mailserver",


     

       
49

       

       
-

       
        "rev": "435c3a167c52ebe443f6ed1ba3412331ae566d05",


     

       
50

       

       
-

       
        "type": "github"


     

       

       
122

       
+

       
        "rev": "9dc7a8d40232f600e6ca1e78356cd4398665b46b",


     

       

       
123

       
+

       
        "type": "gitlab"


     

       
51

       
124

       
 

       
      },


     

       
52

       
125

       
 

       
      "original": {


     

       
53

       
126

       
 

       
        "owner": "RyanGibb",


     

       
54

       

       
-

       
        "ref": "fork-23.11",


     

       

       
127

       
+

       
        "ref": "fork-24.05",


     

       
55

       
128

       
 

       
        "repo": "nixos-mailserver",


     

       
56

       

       
-

       
        "type": "github"


     

       

       
129

       
+

       
        "type": "gitlab"


     

       
57

       
130

       
 

       
      }


     

       
58

       
131

       
 

       
    },


     

       
59

       
132

       
 

       
    "nixpkgs": {


     

       
60

       
133

       
 

       
      "locked": {


     

       
61

       

       
-

       
        "lastModified": 1709703039,


     

       
62

       

       
-

       
        "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=",


     

       
63

       

       
-

       
        "owner": "NixOS",


     

       

       
134

       
+

       
        "lastModified": 1732981179,


     

       

       
135

       
+

       
        "narHash": "sha256-F7thesZPvAMSwjRu0K8uFshTk3ZZSNAsXTIFvXBT+34=",


     

       

       
136

       
+

       
        "owner": "nixos",


     

       
64

       
137

       
 

       
        "repo": "nixpkgs",


     

       
65

       

       
-

       
        "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d",


     

       

       
138

       
+

       
        "rev": "62c435d93bf046a5396f3016472e8f7c8e2aed65",


     

       
66

       
139

       
 

       
        "type": "github"


     

       
67

       
140

       
 

       
      },


     

       
68

       
141

       
 

       
      "original": {


     

       
69

       

       
-

       
        "id": "nixpkgs",


     

       
70

       

       
-

       
        "ref": "nixos-unstable",


     

       
71

       

       
-

       
        "type": "indirect"


     

       

       
142

       
+

       
        "owner": "nixos",


     

       

       
143

       
+

       
        "ref": "nixos-24.11",


     

       

       
144

       
+

       
        "repo": "nixpkgs",


     

       

       
145

       
+

       
        "type": "github"


     

       
72

       
146

       
 

       
      }


     

       
73

       
147

       
 

       
    },


     

       
74

       

       
-

       
    "nixpkgs-23_05": {


     

       

       
148

       
+

       
    "nixpkgs-24_05": {


     

       
75

       
149

       
 

       
      "locked": {


     

       
76

       

       
-

       
        "lastModified": 1704290814,


     

       
77

       

       
-

       
        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",


     

       

       
150

       
+

       
        "lastModified": 1718086528,


     

       

       
151

       
+

       
        "narHash": "sha256-hoB7B7oPgypePz16cKWawPfhVvMSXj4G/qLsfFuhFjw=",


     

       
78

       
152

       
 

       
        "owner": "NixOS",


     

       
79

       
153

       
 

       
        "repo": "nixpkgs",


     

       
80

       

       
-

       
        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",


     

       

       
154

       
+

       
        "rev": "47b604b07d1e8146d5398b42d3306fdebd343986",


     

       
81

       
155

       
 

       
        "type": "github"


     

       
82

       
156

       
 

       
      },


     

       
83

       
157

       
 

       
      "original": {


     

       
84

       
158

       
 

       
        "id": "nixpkgs",


     

       
85

       

       
-

       
        "ref": "nixos-23.05",


     

       

       
159

       
+

       
        "ref": "nixos-24.05",


     

       
86

       
160

       
 

       
        "type": "indirect"


     

       
87

       
161

       
 

       
      }


     

       
88

       
162

       
 

       
    },


     

       
89

       

       
-

       
    "nixpkgs-23_11": {


     

       

       
163

       
+

       
    "opam-nix": {


     

       

       
164

       
+

       
      "inputs": {


     

       

       
165

       
+

       
        "flake-compat": "flake-compat",


     

       

       
166

       
+

       
        "flake-utils": [


     

       

       
167

       
+

       
          "eon",


     

       

       
168

       
+

       
          "flake-utils"


     

       

       
169

       
+

       
        ],


     

       

       
170

       
+

       
        "mirage-opam-overlays": "mirage-opam-overlays",


     

       

       
171

       
+

       
        "nixpkgs": [


     

       

       
172

       
+

       
          "eon",


     

       

       
173

       
+

       
          "nixpkgs"


     

       

       
174

       
+

       
        ],


     

       

       
175

       
+

       
        "opam-overlays": "opam-overlays",


     

       

       
176

       
+

       
        "opam-repository": "opam-repository",


     

       

       
177

       
+

       
        "opam2json": "opam2json"


     

       

       
178

       
+

       
      },


     

       

       
179

       
+

       
      "locked": {


     

       

       
180

       
+

       
        "lastModified": 1732617437,


     

       

       
181

       
+

       
        "narHash": "sha256-jj25fziYrES8Ix6HkfSiLzrN6MZjiwlHUxFSIuLRjgE=",


     

       

       
182

       
+

       
        "owner": "tweag",


     

       

       
183

       
+

       
        "repo": "opam-nix",


     

       

       
184

       
+

       
        "rev": "ea8b9cb81fe94e1fc45c6376fcff15f17319c445",


     

       

       
185

       
+

       
        "type": "github"


     

       

       
186

       
+

       
      },


     

       

       
187

       
+

       
      "original": {


     

       

       
188

       
+

       
        "owner": "tweag",


     

       

       
189

       
+

       
        "repo": "opam-nix",


     

       

       
190

       
+

       
        "type": "github"


     

       

       
191

       
+

       
      }


     

       

       
192

       
+

       
    },


     

       

       
193

       
+

       
    "opam-overlays": {


     

       

       
194

       
+

       
      "flake": false,


     

       
90

       
195

       
 

       
      "locked": {


     

       
91

       

       
-

       
        "lastModified": 1710951922,


     

       
92

       

       
-

       
        "narHash": "sha256-FOOBJ3DQenLpTNdxMHR2CpGZmYuctb92gF0lpiirZ30=",


     

       
93

       

       
-

       
        "owner": "NixOS",


     

       
94

       

       
-

       
        "repo": "nixpkgs",


     

       
95

       

       
-

       
        "rev": "f091af045dff8347d66d186a62d42aceff159456",


     

       

       
196

       
+

       
        "lastModified": 1726822209,


     

       

       
197

       
+

       
        "narHash": "sha256-bwM18ydNT9fYq91xfn4gmS21q322NYrKwfq0ldG9GYw=",


     

       

       
198

       
+

       
        "owner": "dune-universe",


     

       

       
199

       
+

       
        "repo": "opam-overlays",


     

       

       
200

       
+

       
        "rev": "f2bec38beca4aea9e481f2fd3ee319c519124649",


     

       

       
201

       
+

       
        "type": "github"


     

       

       
202

       
+

       
      },


     

       

       
203

       
+

       
      "original": {


     

       

       
204

       
+

       
        "owner": "dune-universe",


     

       

       
205

       
+

       
        "repo": "opam-overlays",


     

       

       
206

       
+

       
        "type": "github"


     

       

       
207

       
+

       
      }


     

       

       
208

       
+

       
    },


     

       

       
209

       
+

       
    "opam-repository": {


     

       

       
210

       
+

       
      "flake": false,


     

       

       
211

       
+

       
      "locked": {


     

       

       
212

       
+

       
        "lastModified": 1732612513,


     

       

       
213

       
+

       
        "narHash": "sha256-kju4NWEQo4xTxnKeBIsmqnyxIcCg6sNZYJ1FmG/gCDw=",


     

       

       
214

       
+

       
        "owner": "ocaml",


     

       

       
215

       
+

       
        "repo": "opam-repository",


     

       

       
216

       
+

       
        "rev": "3d52b66b04788999a23f22f0d59c2dfc831c4f32",


     

       
96

       
217

       
 

       
        "type": "github"


     

       
97

       
218

       
 

       
      },


     

       
98

       
219

       
 

       
      "original": {


     

       
99

       

       
-

       
        "id": "nixpkgs",


     

       
100

       

       
-

       
        "ref": "nixos-23.11",


     

       
101

       

       
-

       
        "type": "indirect"


     

       

       
220

       
+

       
        "owner": "ocaml",


     

       

       
221

       
+

       
        "repo": "opam-repository",


     

       

       
222

       
+

       
        "type": "github"


     

       
102

       
223

       
 

       
      }


     

       
103

       
224

       
 

       
    },


     

       
104

       

       
-

       
    "nixpkgs_2": {


     

       

       
225

       
+

       
    "opam2json": {


     

       

       
226

       
+

       
      "inputs": {


     

       

       
227

       
+

       
        "nixpkgs": [


     

       

       
228

       
+

       
          "eon",


     

       

       
229

       
+

       
          "opam-nix",


     

       

       
230

       
+

       
          "nixpkgs"


     

       

       
231

       
+

       
        ]


     

       

       
232

       
+

       
      },


     

       
105

       
233

       
 

       
      "locked": {


     

       
106

       

       
-

       
        "lastModified": 1710272261,


     

       
107

       

       
-

       
        "narHash": "sha256-g0bDwXFmTE7uGDOs9HcJsfLFhH7fOsASbAuOzDC+fhQ=",


     

       
108

       

       
-

       
        "owner": "nixos",


     

       
109

       

       
-

       
        "repo": "nixpkgs",


     

       
110

       

       
-

       
        "rev": "0ad13a6833440b8e238947e47bea7f11071dc2b2",


     

       

       
234

       
+

       
        "lastModified": 1671540003,


     

       

       
235

       
+

       
        "narHash": "sha256-5pXfbUfpVABtKbii6aaI2EdAZTjHJ2QntEf0QD2O5AM=",


     

       

       
236

       
+

       
        "owner": "tweag",


     

       

       
237

       
+

       
        "repo": "opam2json",


     

       

       
238

       
+

       
        "rev": "819d291ea95e271b0e6027679de6abb4d4f7f680",


     

       
111

       
239

       
 

       
        "type": "github"


     

       
112

       
240

       
 

       
      },


     

       
113

       
241

       
 

       
      "original": {


     

       
114

       

       
-

       
        "owner": "nixos",


     

       
115

       

       
-

       
        "ref": "nixos-unstable",


     

       
116

       

       
-

       
        "repo": "nixpkgs",


     

       

       
242

       
+

       
        "owner": "tweag",


     

       

       
243

       
+

       
        "repo": "opam2json",


     

       
117

       
244

       
 

       
        "type": "github"


     

       
118

       
245

       
 

       
      }


     

       
119

       
246

       
 

       
    },


     

       
120

       
247

       
 

       
    "root": {


     

       
121

       
248

       
 

       
      "inputs": {


     

       

       
249

       
+

       
        "eon": "eon",


     

       
122

       
250

       
 

       
        "nixos-mailserver": "nixos-mailserver",


     

       
123

       

       
-

       
        "nixpkgs": "nixpkgs_2"


     

       

       
251

       
+

       
        "nixpkgs": "nixpkgs"


     

       
124

       
252

       
 

       
      }


     

       
125

       
253

       
 

       
    },


     

       
126

       
254

       
 

       
    "systems": {


     
···

       
138

       
266

       
 

       
        "type": "github"


     

       
139

       
267

       
 

       
      }


     

       
140

       
268

       
 

       
    },


     

       

       
269

       
+

       
    "systems_2": {


     

       

       
270

       
+

       
      "locked": {


     

       

       
271

       
+

       
        "lastModified": 1681028828,


     

       

       
272

       
+

       
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


     

       

       
273

       
+

       
        "owner": "nix-systems",


     

       

       
274

       
+

       
        "repo": "default",


     

       

       
275

       
+

       
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",


     

       

       
276

       
+

       
        "type": "github"


     

       

       
277

       
+

       
      },


     

       

       
278

       
+

       
      "original": {


     

       

       
279

       
+

       
        "owner": "nix-systems",


     

       

       
280

       
+

       
        "repo": "default",


     

       

       
281

       
+

       
        "type": "github"


     

       

       
282

       
+

       
      }


     

       

       
283

       
+

       
    },


     

       
141

       
284

       
 

       
    "utils": {


     

       
142

       
285

       
 

       
      "inputs": {


     

       
143

       

       
-

       
        "systems": "systems"


     

       

       
286

       
+

       
        "systems": "systems_2"


     

       
144

       
287

       
 

       
      },


     

       
145

       
288

       
 

       
      "locked": {


     

       
146

       
289

       
 

       
        "lastModified": 1709126324,
+21 -10
flake.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  inputs = {


     

       
3

       

       
-

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";


     

       
4

       

       
-

       
    nixos-mailserver.url = "github:RyanGibb/nixos-mailserver/fork-23.11";


     

       

       
3

       
+

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";


     

       

       
4

       
+

       
    nixos-mailserver.url = "gitlab:RyanGibb/nixos-mailserver/fork-24.05";


     

       

       
5

       
+

       
    eon.url = "github:RyanGibb/eon";


     

       

       
6

       
+

       



     

       

       
7

       
+

       
    eon.inputs.nixpkgs.follows = "nixpkgs";


     

       

       
8

       
+

       
    nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";


     

       
5

       
9

       
 

       
  };


     

       
6

       
10

       
 

       



     

       
7

       

       
-

       
  outputs = { self, nixpkgs, nixos-mailserver, ... }: rec {


     

       

       
11

       
+

       
  outputs = { nixpkgs, nixos-mailserver, eon, ... }: {


     

       
8

       
12

       
 

       
    packages = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed (system:


     

       
9

       

       
-

       
      let


     

       
10

       

       
-

       
        pkgs = nixpkgs.legacyPackages.${system};


     

       

       
13

       
+

       
      let pkgs = nixpkgs.legacyPackages.${system};


     

       
11

       
14

       
 

       
      in {


     

       
12

       
15

       
 

       
        manpage = import ./man { inherit pkgs system nixos-mailserver; };


     

       

       
16

       
+

       
        packages.mautrix-meta = (pkgs.callPackage ./pkgs/mautrix-meta.nix { });


     

       
13

       
17

       
 

       
      });


     

       
14

       
18

       
 

       



     

       
15

       
19

       
 

       
    nixosModules.default = {


     

       
16

       
20

       
 

       
      imports = [


     

       
17

       
21

       
 

       
        ./modules/default.nix


     

       
18

       
22

       
 

       
        nixos-mailserver.nixosModule


     

       
19

       

       
-

       
        ({ pkgs, config, ... }: {


     

       
20

       

       
-

       
          nixpkgs.overlays = [ (final: prev: {


     

       
21

       

       
-

       
            mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });


     

       
22

       

       
-

       
          }) ];


     

       
23

       

       
-

       
        })


     

       

       
23

       
+

       
        eon.nixosModules.default


     

       

       
24

       
+

       
        eon.nixosModules.acme


     

       

       
25

       
+

       
        {


     

       

       
26

       
+

       
          nixpkgs.overlays = [


     

       

       
27

       
+

       
            (final: prev: {


     

       

       
28

       
+

       
              mautrix-meta = (prev.callPackage ./pkgs/mautrix-meta.nix { });


     

       

       
29

       
+

       
            })


     

       

       
30

       
+

       
          ];


     

       

       
31

       
+

       
        }


     

       
24

       
32

       
 

       
      ];


     

       
25

       
33

       
 

       
    };


     

       
26

       
34

       
 

       
    defaultTemplate.path = ./template;


     

       

       
35

       
+

       



     

       

       
36

       
+

       
    formatter = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed


     

       

       
37

       
+

       
      (system: nixpkgs.legacyPackages.${system}.nixfmt);


     

       
27

       
38

       
 

       
  };


     

       
28

       
39

       
 

       
}
+28 -36
man/default.nix 
···

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
with pkgs;


     

       
4

       
4

       
 

       
let


     

       
5

       

       
-

       
    optionsDoc =


     

       
6

       

       
-

       
      let


     

       
7

       

       
-

       
        eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {


     

       
8

       

       
-

       
          inherit system;


     

       
9

       

       
-

       
          modules = [


     

       
10

       

       
-

       
            ../modules/default.nix


     

       
11

       

       
-

       
            nixos-mailserver


     

       
12

       

       
-

       
          ];


     

       
13

       

       
-

       
        };


     

       
14

       

       
-

       
      in pkgs.nixosOptionsDoc {


     

       
15

       

       
-

       
        options = eval.options;


     

       
16

       

       
-

       
        # TODO make sure all options have descriptions


     

       
17

       

       
-

       
        warningsAreErrors = false;


     

       
18

       

       
-

       
      };


     

       

       
5

       
+

       
  optionsDoc = let


     

       

       
6

       
+

       
    eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {


     

       

       
7

       
+

       
      inherit system;


     

       

       
8

       
+

       
      modules = [ ../modules/default.nix nixos-mailserver ];


     

       

       
9

       
+

       
    };


     

       

       
10

       
+

       
  in pkgs.nixosOptionsDoc {


     

       

       
11

       
+

       
    options = eval.options;


     

       

       
12

       
+

       
    # TODO make sure all options have descriptions


     

       

       
13

       
+

       
    warningsAreErrors = false;


     

       

       
14

       
+

       
  };


     

       
19

       
15

       
 

       



     

       
20

       
16

       
 

       
  # Generate the `man eliean.nix` package


     

       
21

       

       
-

       
  eilean-configuration-manual =


     

       
22

       

       
-

       
    runCommand "eilean-reference-manpage"


     

       
23

       

       
-

       
    { nativeBuildInputs = [


     

       
24

       

       
-

       
        buildPackages.installShellFiles


     

       
25

       

       
-

       
        buildPackages.nixos-render-docs


     

       
26

       

       
-

       
      ];


     

       
27

       

       
-

       
      allowedReferences = [ "out" ];


     

       
28

       

       
-

       
    }


     

       
29

       

       
-

       
    ''


     

       
30

       

       
-

       
      # Generate manpages.


     

       
31

       

       
-

       
      mkdir -p $out/share/man/man5


     

       
32

       

       
-

       
      # filter to only eilean options


     

       
33

       

       
-

       
      cat ${optionsDoc.optionsJSON}/share/doc/nixos/options.json \


     

       
34

       

       
-

       
        | ${pkgs.jq}/bin/jq 'with_entries(select(.key | test("^eilean")))' \


     

       
35

       

       
-

       
        > eilean-options.json


     

       
36

       

       
-

       
      nixos-render-docs -j $NIX_BUILD_CORES options manpage \


     

       
37

       

       
-

       
        --revision dev \


     

       
38

       

       
-

       
        --header ${./eilean-configuration-nix-header.5} \


     

       
39

       

       
-

       
        --footer ${./eilean-configuration-nix-footer.5} \


     

       
40

       

       
-

       
        eilean-options.json \


     

       
41

       

       
-

       
        $out/share/man/man5/eilean-configuration.nix.5


     

       
42

       

       
-

       
    '';


     

       

       
17

       
+

       
  eilean-configuration-manual = runCommand "eilean-reference-manpage" {


     

       

       
18

       
+

       
    nativeBuildInputs =


     

       

       
19

       
+

       
      [ buildPackages.installShellFiles buildPackages.nixos-render-docs ];


     

       

       
20

       
+

       
    allowedReferences = [ "out" ];


     

       

       
21

       
+

       
  } ''


     

       

       
22

       
+

       
    # Generate manpages.


     

       

       
23

       
+

       
    mkdir -p $out/share/man/man5


     

       

       
24

       
+

       
    # filter to only eilean options


     

       

       
25

       
+

       
    cat ${optionsDoc.optionsJSON}/share/doc/nixos/options.json \


     

       

       
26

       
+

       
      | ${pkgs.jq}/bin/jq 'with_entries(select(.key | test("^eilean")))' \


     

       

       
27

       
+

       
      > eilean-options.json


     

       

       
28

       
+

       
    nixos-render-docs -j $NIX_BUILD_CORES options manpage \


     

       

       
29

       
+

       
      --revision dev \


     

       

       
30

       
+

       
      --header ${./eilean-configuration-nix-header.5} \


     

       

       
31

       
+

       
      --footer ${./eilean-configuration-nix-footer.5} \


     

       

       
32

       
+

       
      eilean-options.json \


     

       

       
33

       
+

       
      $out/share/man/man5/eilean-configuration.nix.5


     

       

       
34

       
+

       
  '';


     

       
43

       
35

       
 

       
in eilean-configuration-manual
+16
modules/acme-eon.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  options.eilean.acme-eon = mkEnableOption "acme-eon";


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  config = mkIf cfg.acme-eon {


     

       

       
9

       
+

       
    assertions = [{


     

       

       
10

       
+

       
      assertion = cfg.services.dns.server == "eon";


     

       

       
11

       
+

       
      message = ''


     

       

       
12

       
+

       
        If config.eilean.acme-eon is enabled config.eilean.services.dns.server must be "eon".


     

       

       
13

       
+

       
      '';


     

       

       
14

       
+

       
    }];


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       
}
+15 -15
modules/default.nix 
···

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
{


     

       
6

       
6

       
 

       
  imports = [


     

       

       
7

       
+

       
    ./acme-eon.nix


     

       
7

       
8

       
 

       
    ./services/dns/default.nix


     

       
8

       
9

       
 

       
    ./mastodon.nix


     

       
9

       
10

       
 

       
    ./mailserver.nix


     

       
10

       
11

       
 

       
    ./gitea.nix


     

       
11

       
12

       
 

       
    ./dns.nix


     

       

       
13

       
+

       
    ./fail2ban.nix


     

       
12

       
14

       
 

       
    ./matrix/synapse.nix


     

       
13

       

       
-

       
    ./matrix/mautrix-signal.nix


     

       
14

       
15

       
 

       
    ./matrix/mautrix-instagram.nix


     

       
15

       
16

       
 

       
    ./matrix/mautrix-messenger.nix


     

       
16

       
17

       
 

       
    ./turn.nix


     

       
17

       
18

       
 

       
    ./headscale.nix


     

       
18

       
19

       
 

       
    ./wireguard/default.nix


     

       

       
20

       
+

       
    ./radicale.nix


     

       
19

       
21

       
 

       
  ];


     

       
20

       
22

       
 

       



     

       
21

       
23

       
 

       
  options.eilean = with types; {


     

       
22

       

       
-

       
    username = mkOption {


     

       
23

       

       
-

       
      type = str;


     

       
24

       

       
-

       
    };


     

       
25

       

       
-

       
    serverIpv4 = mkOption {


     

       
26

       

       
-

       
      type = str;


     

       
27

       

       
-

       
    };


     

       
28

       

       
-

       
    serverIpv6 = mkOption {


     

       
29

       

       
-

       
      type = str;


     

       
30

       

       
-

       
    };


     

       
31

       

       
-

       
    publicInterface = mkOption {


     

       
32

       

       
-

       
      type = str;


     

       

       
24

       
+

       
    username = mkOption { type = str; };


     

       

       
25

       
+

       
    serverIpv4 = mkOption { type = str; };


     

       

       
26

       
+

       
    serverIpv6 = mkOption { type = str; };


     

       

       
27

       
+

       
    publicInterface = mkOption { type = str; };


     

       

       
28

       
+

       
    domainName = mkOption {


     

       

       
29

       
+

       
      type = types.str;


     

       

       
30

       
+

       
      default = "vps";


     

       
33

       
31

       
 

       
    };


     

       
34

       
32

       
 

       
  };


     

       
35

       
33

       
 

       



     

       
36

       
34

       
 

       
  config = {


     

       
37

       
35

       
 

       
    # TODO install manpage


     

       
38

       

       
-

       
    environment.systemPackages = [


     

       
39

       

       
-

       
    ];


     

       
40

       

       
-

       
    security.acme.defaults.email = "${config.eilean.username}@${config.networking.domain}";


     

       

       
36

       
+

       
    environment.systemPackages = [ ];


     

       

       
37

       
+

       
    security.acme.defaults.email = lib.mkIf (!config.eilean.acme-eon)


     

       

       
38

       
+

       
      "${config.eilean.username}@${config.networking.domain}";


     

       

       
39

       
+

       
    security.acme-eon.defaults.email = lib.mkIf config.eilean.acme-eon


     

       

       
40

       
+

       
      "${config.eilean.username}@${config.networking.domain}";


     

       
41

       
41

       
 

       
    networking.firewall.allowedTCPPorts = mkIf config.services.nginx.enable [


     

       
42

       
42

       
 

       
      80 # HTTP


     

       
43

       
43

       
 

       
      443 # HTTPS
+16 -22
modules/dns.nix 
···

       
1

       
1

       
 

       
{ config, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
with lib;


     

       
4

       

       
-

       
let cfg = config.eilean; in


     

       
5

       

       
-

       
{


     

       
6

       

       
-

       
  


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       



     

       
7

       
7

       
 

       
  options.eilean.dns = {


     

       
8

       
8

       
 

       
    enable = mkEnableOption "dns";


     

       
9

       
9

       
 

       
    nameservers = mkOption {


     
···

       
11

       
11

       
 

       
      default = [ "ns1" "ns2" ];


     

       
12

       
12

       
 

       
    };


     

       
13

       
13

       
 

       
  };


     

       
14

       

       
-

       
  


     

       

       
14

       
+

       



     

       
15

       
15

       
 

       
  config.eilean.services.dns = mkIf cfg.dns.enable {


     

       
16

       
16

       
 

       
    enable = true;


     

       
17

       
17

       
 

       
    zones.${config.networking.domain} = {


     
···

       
20

       
20

       
 

       
        {


     

       
21

       
21

       
 

       
          name = "@";


     

       
22

       
22

       
 

       
          type = "NS";


     

       
23

       

       
-

       
          data = ns;


     

       

       
23

       
+

       
          value = ns;


     

       
24

       
24

       
 

       
        }


     

       
25

       
25

       
 

       
        {


     

       
26

       
26

       
 

       
          name = ns;


     

       
27

       
27

       
 

       
          type = "A";


     

       
28

       

       
-

       
          data = cfg.serverIpv4;


     

       
29

       

       
-

       
        }


     

       
30

       

       
-

       
        {


     

       
31

       

       
-

       
          name = "@";


     

       
32

       

       
-

       
          type = "NS";


     

       
33

       

       
-

       
          data = ns;


     

       

       
28

       
+

       
          value = cfg.serverIpv4;


     

       
34

       
29

       
 

       
        }


     

       
35

       
30

       
 

       
        {


     

       
36

       
31

       
 

       
          name = ns;


     

       
37

       
32

       
 

       
          type = "AAAA";


     

       
38

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
33

       
+

       
          value = cfg.serverIpv6;


     

       
39

       
34

       
 

       
        }


     

       
40

       

       
-

       
      ]) cfg.dns.nameservers ++


     

       
41

       

       
-

       
      [


     

       

       
35

       
+

       
      ]) cfg.dns.nameservers ++ [


     

       
42

       
36

       
 

       
        {


     

       
43

       
37

       
 

       
          name = "@";


     

       
44

       
38

       
 

       
          type = "A";


     

       
45

       

       
-

       
          data = cfg.serverIpv4;


     

       

       
39

       
+

       
          value = cfg.serverIpv4;


     

       
46

       
40

       
 

       
        }


     

       
47

       
41

       
 

       
        {


     

       
48

       
42

       
 

       
          name = "@";


     

       
49

       
43

       
 

       
          type = "AAAA";


     

       
50

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
44

       
+

       
          value = cfg.serverIpv6;


     

       
51

       
45

       
 

       
        }


     

       
52

       
46

       
 

       



     

       
53

       
47

       
 

       
        {


     

       
54

       

       
-

       
          name = "vps";


     

       

       
48

       
+

       
          name = cfg.domainName;


     

       
55

       
49

       
 

       
          type = "A";


     

       
56

       

       
-

       
          data = cfg.serverIpv4;


     

       

       
50

       
+

       
          value = cfg.serverIpv4;


     

       
57

       
51

       
 

       
        }


     

       
58

       
52

       
 

       
        {


     

       
59

       

       
-

       
          name = "vps";


     

       

       
53

       
+

       
          name = cfg.domainName;


     

       
60

       
54

       
 

       
          type = "AAAA";


     

       
61

       

       
-

       
          data = cfg.serverIpv6;


     

       

       
55

       
+

       
          value = cfg.serverIpv6;


     

       
62

       
56

       
 

       
        }


     

       
63

       

       
-

       
        


     

       

       
57

       
+

       



     

       
64

       
58

       
 

       
        {


     

       
65

       
59

       
 

       
          name = "@";


     

       
66

       
60

       
 

       
          type = "LOC";


     

       
67

       

       
-

       
          data = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";


     

       

       
61

       
+

       
          value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";


     

       
68

       
62

       
 

       
        }


     

       
69

       
63

       
 

       
      ];


     

       
70

       
64

       
 

       
    };
+42
modules/fail2ban.nix 
···

       

       
1

       
+

       
{ config, pkgs, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  options.eilean.fail2ban = {


     

       

       
7

       
+

       
    enable = mkEnableOption "TURN server";


     

       

       
8

       
+

       
    radicale = mkOption {


     

       

       
9

       
+

       
      type = types.bool;


     

       

       
10

       
+

       
      default = cfg.radicale.enable;


     

       

       
11

       
+

       
    };


     

       

       
12

       
+

       
  };


     

       

       
13

       
+

       



     

       

       
14

       
+

       
  config = mkIf cfg.fail2ban.enable {


     

       

       
15

       
+

       
    services.fail2ban = {


     

       

       
16

       
+

       
      enable = true;


     

       

       
17

       
+

       
      bantime = "24h";


     

       

       
18

       
+

       
      bantime-increment = {


     

       

       
19

       
+

       
        enable = true;


     

       

       
20

       
+

       
        multipliers = "1 2 4 8 16 32 64";


     

       

       
21

       
+

       
        maxtime = "168h";


     

       

       
22

       
+

       
        overalljails = true;


     

       

       
23

       
+

       
      };


     

       

       
24

       
+

       
      jails."radicale".settings = mkIf cfg.fail2ban.radicale {


     

       

       
25

       
+

       
        port = "5232";


     

       

       
26

       
+

       
        filter = "radicale";


     

       

       
27

       
+

       
        banaction = "%(banaction_allports)s[name=radicale]";


     

       

       
28

       
+

       
        backend = "systemd";


     

       

       
29

       
+

       
        journalmatch = "_SYSTEMD_UNIT=radicale.service";


     

       

       
30

       
+

       
        maxRetry = 2;


     

       

       
31

       
+

       
        bantime = -1;


     

       

       
32

       
+

       
        findtime = 14400;


     

       

       
33

       
+

       
      };


     

       

       
34

       
+

       
    };


     

       

       
35

       
+

       
    environment.etc = {


     

       

       
36

       
+

       
      "fail2ban/filter.d/radicale.local".text = mkIf cfg.fail2ban.radicale ''


     

       

       
37

       
+

       
        [Definition]


     

       

       
38

       
+

       
        failregex = ^.*Failed\slogin\sattempt\sfrom\s.*\(forwarded for \'<HOST>\'.*\):\s.*


     

       

       
39

       
+

       
      '';


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       
}
+29 -21
modules/gitea.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "git.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       
9

       
 

       
  options.eilean.gitea = {


     

       
9

       
10

       
 

       
    enable = mkEnableOption "gitea";


     
···

       
18

       
19

       
 

       
  };


     

       
19

       
20

       
 

       



     

       
20

       
21

       
 

       
  config = mkIf cfg.gitea.enable {


     

       

       
22

       
+

       
    security.acme-eon.nginxCerts = [ subdomain ];


     

       

       
23

       
+

       



     

       
21

       
24

       
 

       
    services.nginx = {


     

       
22

       
25

       
 

       
      enable = true;


     

       
23

       
26

       
 

       
      recommendedProxySettings = true;


     

       
24

       

       
-

       
      virtualHosts."git.${domain}" = {


     

       
25

       

       
-

       
        enableACME = true;


     

       

       
27

       
+

       
      virtualHosts."${subdomain}" = {


     

       

       
28

       
+

       
        enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
26

       
29

       
 

       
        forceSSL = true;


     

       
27

       
30

       
 

       
        locations."/" = {


     

       
28

       

       
-

       
          proxyPass = "http://localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}/";


     

       

       
31

       
+

       
          proxyPass = "http://localhost:${


     

       

       
32

       
+

       
              builtins.toString config.services.gitea.settings.server.HTTP_PORT


     

       

       
33

       
+

       
            }/";


     

       
29

       
34

       
 

       
        };


     

       
30

       
35

       
 

       
      };


     

       
31

       
36

       
 

       
    };


     
···

       
45

       
50

       
 

       
      mailerPasswordFile = cfg.mailserver.systemAccountPasswordFile;


     

       
46

       
51

       
 

       
      settings = {


     

       
47

       
52

       
 

       
        server = {


     

       
48

       

       
-

       
          ROOT_URL = "https://git.${domain}/";


     

       
49

       

       
-

       
          DOMAIN = "git.${domain}";


     

       

       
53

       
+

       
          ROOT_URL = "https://${subdomain}/";


     

       

       
54

       
+

       
          DOMAIN = subdomain;


     

       
50

       
55

       
 

       
        };


     

       
51

       
56

       
 

       
        mailer = {


     

       
52

       
57

       
 

       
          ENABLED = true;


     
···

       
88

       
93

       
 

       
      RestrictRealtime = mkForce false;


     

       
89

       
94

       
 

       
      RestrictSUIDSGID = mkForce false;


     

       
90

       
95

       
 

       
      SystemCallArchitectures = mkForce "";


     

       
91

       

       
-

       
      SystemCallFilter = mkForce [];


     

       

       
96

       
+

       
      SystemCallFilter = mkForce [ ];


     

       
92

       
97

       
 

       
    };


     

       
93

       
98

       
 

       



     

       
94

       
99

       
 

       
    eilean.dns.enable = true;


     

       
95

       

       
-

       
    eilean.services.dns.zones.${config.networking.domain}.records = [


     

       
96

       

       
-

       
      {


     

       
97

       

       
-

       
        name = "git";


     

       
98

       

       
-

       
        type = "CNAME";


     

       
99

       

       
-

       
        data = "vps";


     

       
100

       

       
-

       
      }


     

       
101

       

       
-

       
    ];


     

       

       
100

       
+

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       

       
101

       
+

       
      name = "git";


     

       

       
102

       
+

       
      type = "CNAME";


     

       

       
103

       
+

       
      value = cfg.domainName;


     

       

       
104

       
+

       
    }];


     

       
102

       
105

       
 

       



     

       
103

       
106

       
 

       
    # proxy port 22 on ethernet interface to internal gitea ssh server


     

       
104

       
107

       
 

       
    # openssh server remains accessible on port 22 via vpn(s)


     
···

       
110

       
113

       
 

       
    };


     

       
111

       
114

       
 

       



     

       
112

       
115

       
 

       
    networking.firewall = {


     

       
113

       

       
-

       
      allowedTCPPorts = [


     

       
114

       

       
-

       
        22


     

       
115

       

       
-

       
        cfg.gitea.sshPort


     

       
116

       

       
-

       
      ];


     

       

       
116

       
+

       
      allowedTCPPorts = [ 22 cfg.gitea.sshPort ];


     

       
117

       
117

       
 

       
      extraCommands = ''


     

       
118

       
118

       
 

       
        # proxy all traffic on public interface to the gitea SSH server


     

       
119

       

       
-

       
        iptables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}


     

       
120

       

       
-

       
        ip6tables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}


     

       

       
119

       
+

       
        iptables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${


     

       

       
120

       
+

       
          builtins.toString cfg.gitea.sshPort


     

       

       
121

       
+

       
        }


     

       

       
122

       
+

       
        ip6tables -A PREROUTING -t nat -i ${config.eilean.publicInterface} -p tcp --dport 22 -j REDIRECT --to-port ${


     

       

       
123

       
+

       
          builtins.toString cfg.gitea.sshPort


     

       

       
124

       
+

       
        }


     

       
121

       
125

       
 

       



     

       
122

       
126

       
 

       
        # proxy locally originating outgoing packets


     

       
123

       

       
-

       
        iptables -A OUTPUT -d ${config.eilean.serverIpv4} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}


     

       
124

       

       
-

       
        ip6tables -A OUTPUT -d ${config.eilean.serverIpv6} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${builtins.toString cfg.gitea.sshPort}


     

       

       
127

       
+

       
        iptables -A OUTPUT -d ${config.eilean.serverIpv4} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${


     

       

       
128

       
+

       
          builtins.toString cfg.gitea.sshPort


     

       

       
129

       
+

       
        }


     

       

       
130

       
+

       
        ip6tables -A OUTPUT -d ${config.eilean.serverIpv6} -t nat -p tcp --dport 22 -j REDIRECT --to-port ${


     

       

       
131

       
+

       
          builtins.toString cfg.gitea.sshPort


     

       

       
132

       
+

       
        }


     

       
125

       
133

       
 

       
      '';


     

       
126

       
134

       
 

       
    };


     

       
127

       
135
+8 -16
modules/headscale.nix 
···

       
1

       
1

       
 

       
{ pkgs, config, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
with lib;


     

       
4

       

       
-

       
let


     

       
5

       

       
-

       
  cfg = config.eilean;


     

       

       
4

       
+

       
let cfg = config.eilean;


     

       
6

       
5

       
 

       
in {


     

       
7

       
6

       
 

       
  options.eilean.headscale = with lib; {


     

       
8

       
7

       
 

       
    enable = mkEnableOption "headscale";


     
···

       
14

       
13

       
 

       
    domain = mkOption {


     

       
15

       
14

       
 

       
      type = types.str;


     

       
16

       
15

       
 

       
      default = "headscale.${config.networking.domain}";


     

       
17

       

       
-

       
      defaultText = "headscale.$${config.networking.domain}";


     

       

       
16

       
+

       
      defaultText = "headscale.$\${config.networking.domain}";


     

       
18

       
17

       
 

       
    };


     

       
19

       
18

       
 

       
  };


     

       
20

       
19

       
 

       



     
···

       
30

       
29

       
 

       
      settings = {


     

       
31

       
30

       
 

       
        server_url = "https://${cfg.headscale.domain}";


     

       
32

       
31

       
 

       
        logtail.enabled = false;


     

       
33

       

       
-

       
        ip_prefixes = [ "100.64.0.0/10" ];


     

       
34

       

       
-

       
        dns_config = {


     

       
35

       

       
-

       
          # magicDns = true;


     

       
36

       

       
-

       
          nameservers = config.networking.nameservers;


     

       
37

       

       
-

       
          base_domain = "${cfg.headscale.zone}";


     

       
38

       

       
-

       
        };


     

       

       
32

       
+

       
        ip_prefixes = [ "100.64.0.0/10" "fd7a:115c:a1e0::/48" ];


     

       
39

       
33

       
 

       
      };


     

       
40

       
34

       
 

       
    };


     

       
41

       
35

       
 

       



     
···

       
55

       
49

       
 

       
    environment.systemPackages = [ config.services.headscale.package ];


     

       
56

       
50

       
 

       



     

       
57

       
51

       
 

       
    eilean.dns.enable = true;


     

       
58

       

       
-

       
    eilean.services.dns.zones.${cfg.headscale.zone}.records = [


     

       
59

       

       
-

       
      {


     

       
60

       

       
-

       
        name = "${cfg.headscale.domain}.";


     

       
61

       

       
-

       
        type = "CNAME";


     

       
62

       

       
-

       
        data = "vps";


     

       
63

       

       
-

       
      }


     

       
64

       

       
-

       
    ];


     

       

       
52

       
+

       
    eilean.services.dns.zones.${cfg.headscale.zone}.records = [{


     

       

       
53

       
+

       
      name = "${cfg.headscale.domain}.";


     

       

       
54

       
+

       
      type = "CNAME";


     

       

       
55

       
+

       
      value = cfg.domainName;


     

       

       
56

       
+

       
    }];


     

       
65

       
57

       
 

       
  };


     

       
66

       
58

       
 

       
}
+36 -18
modules/mailserver.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "mail.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       
9

       
 

       
  options.eilean.mailserver = {


     

       
9

       
10

       
 

       
    enable = mkEnableOption "mailserver";


     
···

       
14

       
15

       
 

       
  };


     

       
15

       
16

       
 

       



     

       
16

       
17

       
 

       
  config = mkIf cfg.mailserver.enable {


     

       

       
18

       
+

       
    security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {


     

       

       
19

       
+

       
      group = "turnserver";


     

       

       
20

       
+

       
      reloadServices = [ "postfix.service" "dovecot.service" ];


     

       

       
21

       
+

       
    };


     

       

       
22

       
+

       



     

       
17

       
23

       
 

       
    mailserver = {


     

       
18

       
24

       
 

       
      enable = true;


     

       
19

       

       
-

       
      fqdn = "mail.${domain}";


     

       

       
25

       
+

       
      fqdn = subdomain;


     

       
20

       
26

       
 

       
      domains = [ "${domain}" ];


     

       
21

       
27

       
 

       



     

       
22

       
28

       
 

       
      loginAccounts = {


     
···

       
31

       
37

       
 

       



     

       
32

       
38

       
 

       
      # Use Let's Encrypt certificates. Note that this needs to set up a stripped


     

       
33

       
39

       
 

       
      # down nginx and opens port 80.


     

       
34

       

       
-

       
      certificateScheme = "acme-nginx";


     

       
35

       

       
-

       



     

       

       
40

       
+

       
      certificateScheme = if cfg.acme-eon then "manual" else "acme-nginx";


     

       

       
41

       
+

       
      certificateFile = lib.mkIf cfg.acme-eon "${


     

       

       
42

       
+

       
          config.security.acme-eon.certs.${subdomain}.directory


     

       

       
43

       
+

       
        }/fullchain.pem";


     

       

       
44

       
+

       
      keyFile = lib.mkIf cfg.acme-eon


     

       

       
45

       
+

       
        "${config.security.acme-eon.certs.${subdomain}.directory}/key.pem";


     

       
36

       
46

       
 

       
      localDnsResolver = false;


     

       
37

       
47

       
 

       
    };


     

       
38

       
48

       
 

       



     
···

       
41

       
51

       
 

       
      return 301 $scheme://${domain}$request_uri;


     

       
42

       
52

       
 

       
    '';


     

       
43

       
53

       
 

       



     

       

       
54

       
+

       
    systemd.services.dovecot2 = lib.mkIf cfg.acme-eon {


     

       

       
55

       
+

       
      wants = [ "acme-eon-${subdomain}.service" ];


     

       

       
56

       
+

       
      after = [ "acme-eon-${subdomain}.service" ];


     

       

       
57

       
+

       
    };


     

       

       
58

       
+

       



     

       

       
59

       
+

       
    systemd.services.postfix = lib.mkIf cfg.acme-eon {


     

       

       
60

       
+

       
      wants = [ "acme-eon-${subdomain}.service" ];


     

       

       
61

       
+

       
      after = [ "acme-eon-${subdomain}.service" ];


     

       

       
62

       
+

       
    };


     

       

       
63

       
+

       



     

       
44

       
64

       
 

       
    services.postfix.config = {


     

       
45

       

       
-

       
      smtpd_tls_protocols = mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       
46

       

       
-

       
      smtp_tls_protocols = mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       
47

       

       
-

       
      smtpd_tls_mandatory_protocols = mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       
48

       

       
-

       
      smtp_tls_mandatory_protocols = mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       

       
65

       
+

       
      smtpd_tls_protocols =


     

       

       
66

       
+

       
        mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       

       
67

       
+

       
      smtp_tls_protocols =


     

       

       
68

       
+

       
        mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       

       
69

       
+

       
      smtpd_tls_mandatory_protocols =


     

       

       
70

       
+

       
        mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       

       
71

       
+

       
      smtp_tls_mandatory_protocols =


     

       

       
72

       
+

       
        mkForce "TLSv1.3, !TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";


     

       
49

       
73

       
 

       
    };


     

       
50

       
74

       
 

       



     

       
51

       
75

       
 

       
    eilean.dns.enable = true;


     
···

       
53

       
77

       
 

       
      {


     

       
54

       
78

       
 

       
        name = "mail";


     

       
55

       
79

       
 

       
        type = "A";


     

       
56

       

       
-

       
        data = cfg.serverIpv4;


     

       

       
80

       
+

       
        value = cfg.serverIpv4;


     

       
57

       
81

       
 

       
      }


     

       
58

       
82

       
 

       
      {


     

       
59

       
83

       
 

       
        name = "mail";


     

       
60

       
84

       
 

       
        type = "AAAA";


     

       
61

       

       
-

       
        data = cfg.serverIpv6;


     

       

       
85

       
+

       
        value = cfg.serverIpv6;


     

       
62

       
86

       
 

       
      }


     

       
63

       
87

       
 

       
      {


     

       
64

       
88

       
 

       
        name = "@";


     

       
65

       
89

       
 

       
        type = "MX";


     

       
66

       

       
-

       
        data = "10 mail";


     

       

       
90

       
+

       
        value = "10 mail";


     

       
67

       
91

       
 

       
      }


     

       
68

       
92

       
 

       
      {


     

       
69

       
93

       
 

       
        name = "@";


     

       
70

       
94

       
 

       
        type = "TXT";


     

       
71

       

       
-

       
        data = "\"v=spf1 a:mail.${config.networking.domain} -all\"";


     

       
72

       

       
-

       
      }


     

       
73

       

       
-

       
      {


     

       
74

       

       
-

       
        name = "mail._domainkey";


     

       
75

       

       
-

       
        ttl = 10800;


     

       
76

       

       
-

       
        type = "TXT";


     

       
77

       

       
-

       
        data = "\"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6YmYYvoFF7VqtGcozpVQa78aaGgZdvc5ZIHqzmkKdCBEyDF2FRbCEK4s2AlC8hhc8O4mSSe3S4AzEhlRgHXbU22GBaUZ3s2WHS8JJwZvWeTjsbXQwjN/U7xpkqXPHLH9IVfOJbHlp4HQmCAXw4NaypgkkxIGK0jaZHm2j6/1izQIDAQAB\"";


     

       

       
95

       
+

       
        value = ''"v=spf1 a:mail.${config.networking.domain} -all"'';


     

       
78

       
96

       
 

       
      }


     

       
79

       
97

       
 

       
      {


     

       
80

       
98

       
 

       
        name = "_dmarc";


     

       
81

       
99

       
 

       
        ttl = 10800;


     

       
82

       
100

       
 

       
        type = "TXT";


     

       
83

       

       
-

       
        data = "\"v=DMARC1; p=reject\"";


     

       

       
101

       
+

       
        value = ''"v=DMARC1; p=reject"'';


     

       
84

       
102

       
 

       
      }


     

       
85

       
103

       
 

       
    ];


     

       
86

       
104

       
 

       
  };
+24 -24
modules/mastodon.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "mastodon.${domain}";


     

       
7

       
8

       
 

       
in {


     

       
8

       

       
-

       
  options.eilean.mastodon = {


     

       
9

       

       
-

       
    enable = mkEnableOption "mastodon";


     

       
10

       

       
-

       
  };


     

       

       
9

       
+

       
  options.eilean.mastodon = { enable = mkEnableOption "mastodon"; };


     

       
11

       
10

       
 

       



     

       
12

       
11

       
 

       
  config = mkIf cfg.mastodon.enable {


     

       
13

       
12

       
 

       
    services.mastodon = {


     
···

       
28

       
27

       
 

       
      };


     

       
29

       
28

       
 

       
      extraConfig = {


     

       
30

       
29

       
 

       
        # override localDomain


     

       
31

       

       
-

       
        LOCAL_DOMAIN = "${domain}";


     

       
32

       

       
-

       
        WEB_DOMAIN = "mastodon.${domain}";


     

       

       
30

       
+

       
        LOCAL_DOMAIN = domain;


     

       

       
31

       
+

       
        WEB_DOMAIN = subdomain;


     

       
33

       
32

       
 

       



     

       
34

       
33

       
 

       
        # https://peterbabic.dev/blog/setting-up-smtp-in-mastodon/


     

       
35

       

       
-

       
        SMTP_SSL="true";


     

       
36

       

       
-

       
        SMTP_ENABLE_STARTTLS="false";


     

       
37

       

       
-

       
        SMTP_OPENSSL_VERIFY_MODE="none";


     

       

       
34

       
+

       
        SMTP_SSL = "true";


     

       

       
35

       
+

       
        SMTP_ENABLE_STARTTLS = "false";


     

       

       
36

       
+

       
        SMTP_OPENSSL_VERIFY_MODE = "none";


     

       
38

       
37

       
 

       
      };


     

       
39

       
38

       
 

       
    };


     

       
40

       
39

       
 

       



     

       
41

       

       
-

       
    users.groups.${config.services.mastodon.group}.members = [ config.services.nginx.user ];


     

       

       
40

       
+

       
    users.groups.${config.services.mastodon.group}.members =


     

       

       
41

       
+

       
      [ config.services.nginx.user ];


     

       

       
42

       
+

       



     

       

       
43

       
+

       
    security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ subdomain ];


     

       
42

       
44

       
 

       



     

       
43

       
45

       
 

       
    services.nginx = {


     

       
44

       
46

       
 

       
      enable = true;


     
···

       
47

       
49

       
 

       
        # relies on root domain being set up


     

       
48

       
50

       
 

       
        "${domain}".locations = {


     

       
49

       
51

       
 

       
          "/.well-known/host-meta".extraConfig = ''


     

       
50

       

       
-

       
            return 301 https://mastodon.${domain}$request_uri;


     

       

       
52

       
+

       
            return 301 https://${subdomain}$request_uri;


     

       
51

       
53

       
 

       
          '';


     

       
52

       
54

       
 

       
          "/.well-known/webfinger".extraConfig = ''


     

       
53

       

       
-

       
            return 301 https://mastodon.${domain}$request_uri;


     

       

       
55

       
+

       
            return 301 https://${subdomain}$request_uri;


     

       
54

       
56

       
 

       
          '';


     

       
55

       
57

       
 

       
        };


     

       
56

       

       
-

       
        "mastodon.${domain}" = {


     

       

       
58

       
+

       
        "${subdomain}" = {


     

       
57

       
59

       
 

       
          root = "${config.services.mastodon.package}/public/";


     

       
58

       
60

       
 

       
          forceSSL = true;


     

       
59

       

       
-

       
          enableACME = true;


     

       

       
61

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
60

       
62

       
 

       



     

       
61

       
63

       
 

       
          locations."/system/".alias = "/var/lib/mastodon/public-system/";


     

       
62

       
64

       
 

       



     

       
63

       

       
-

       
          locations."/" = {


     

       
64

       

       
-

       
            tryFiles = "$uri @proxy";


     

       
65

       

       
-

       
          };


     

       

       
65

       
+

       
          locations."/" = { tryFiles = "$uri @proxy"; };


     

       
66

       
66

       
 

       



     

       
67

       
67

       
 

       
          locations."@proxy" = {


     

       
68

       

       
-

       
            proxyPass = "http://127.0.0.1:${builtins.toString config.services.mastodon.webPort}";


     

       

       
68

       
+

       
            proxyPass = "http://127.0.0.1:${


     

       

       
69

       
+

       
                builtins.toString config.services.mastodon.webPort


     

       

       
70

       
+

       
              }";


     

       
69

       
71

       
 

       
            proxyWebsockets = true;


     

       
70

       
72

       
 

       
          };


     

       
71

       
73

       
 

       
        };


     
···

       
73

       
75

       
 

       
    };


     

       
74

       
76

       
 

       



     

       
75

       
77

       
 

       
    eilean.dns.enable = true;


     

       
76

       

       
-

       
    eilean.services.dns.zones.${config.networking.domain}.records = [


     

       
77

       

       
-

       
      {


     

       
78

       

       
-

       
        name = "mastodon";


     

       
79

       

       
-

       
        type = "CNAME";


     

       
80

       

       
-

       
        data = "vps";


     

       
81

       

       
-

       
      }


     

       
82

       

       
-

       
    ];


     

       

       
78

       
+

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       

       
79

       
+

       
      name = "mastodon";


     

       

       
80

       
+

       
      type = "CNAME";


     

       

       
81

       
+

       
      value = cfg.domainName;


     

       

       
82

       
+

       
    }];


     

       
83

       
83

       
 

       
  };


     

       
84

       
84

       
 

       
}
+25 -29
modules/matrix/mautrix-instagram.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}: let


     

       

       
1

       
+

       
{ lib, config, pkgs, ... }:


     

       

       
2

       
+

       
let


     

       
7

       
3

       
 

       
  cfg = config.services.mautrix-instagram;


     

       
8

       
4

       
 

       
  dataDir = "/var/lib/mautrix-instagram";


     

       
9

       
5

       
 

       
  registrationFile = "${dataDir}/instagram-registration.yaml";


     

       
10

       
6

       
 

       
  settingsFile = "${dataDir}/config.json";


     

       
11

       

       
-

       
  settingsFileUnsubstituted = settingsFormat.generate "mautrix-instagram-config-unsubstituted.json" cfg.settings;


     

       
12

       

       
-

       
  settingsFormat = pkgs.formats.json {};


     

       

       
7

       
+

       
  settingsFileUnsubstituted =


     

       

       
8

       
+

       
    settingsFormat.generate "mautrix-instagram-config-unsubstituted.json"


     

       

       
9

       
+

       
    cfg.settings;


     

       

       
10

       
+

       
  settingsFormat = pkgs.formats.json { };


     

       
13

       
11

       
 

       
  appservicePort = 29319;


     

       
14

       
12

       
 

       



     

       
15

       
13

       
 

       
  mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);


     
···

       
30

       
28

       
 

       
    };


     

       
31

       
29

       
 

       
    bridge = {


     

       
32

       
30

       
 

       
      username_template = "instagram_{{.}}";


     

       
33

       

       
-

       
      double_puppet_server_map = {};


     

       
34

       

       
-

       
      login_shared_secret_map = {};


     

       

       
31

       
+

       
      double_puppet_server_map = { };


     

       

       
32

       
+

       
      login_shared_secret_map = { };


     

       
35

       
33

       
 

       
      permissions."*" = "relay";


     

       
36

       
34

       
 

       
      relay.enabled = true;


     

       
37

       
35

       
 

       
    };


     
···

       
47

       
45

       
 

       



     

       
48

       
46

       
 

       
in {


     

       
49

       
47

       
 

       
  options.services.mautrix-instagram = {


     

       
50

       

       
-

       
    enable = lib.mkEnableOption (lib.mdDoc "mautrix-instagram, a puppeting/relaybot bridge between Matrix and Instagram.");


     

       

       
48

       
+

       
    enable = lib.mkEnableOption (lib.mdDoc


     

       

       
49

       
+

       
      "mautrix-instagram, a puppeting/relaybot bridge between Matrix and Instagram.");


     

       
51

       
50

       
 

       



     

       
52

       
51

       
 

       
    settings = lib.mkOption {


     

       
53

       
52

       
 

       
      type = settingsFormat.type;


     
···

       
67

       
66

       
 

       
          ephemeral_events = false;


     

       
68

       
67

       
 

       
        };


     

       
69

       
68

       
 

       
        bridge = {


     

       
70

       

       
-

       
          history_sync = {


     

       
71

       

       
-

       
            request_full_sync = true;


     

       
72

       

       
-

       
          };


     

       

       
69

       
+

       
          history_sync = { request_full_sync = true; };


     

       
73

       
70

       
 

       
          private_chat_portal_meta = true;


     

       
74

       
71

       
 

       
          mute_bridging = true;


     

       
75

       
72

       
 

       
          encryption = {


     
···

       
77

       
74

       
 

       
            default = true;


     

       
78

       
75

       
 

       
            require = true;


     

       
79

       
76

       
 

       
          };


     

       
80

       

       
-

       
          provisioning = {


     

       
81

       

       
-

       
            shared_secret = "disable";


     

       
82

       

       
-

       
          };


     

       
83

       

       
-

       
          permissions = {


     

       
84

       

       
-

       
            "example.com" = "user";


     

       
85

       

       
-

       
          };


     

       

       
77

       
+

       
          provisioning = { shared_secret = "disable"; };


     

       

       
78

       
+

       
          permissions = { "example.com" = "user"; };


     

       
86

       
79

       
 

       
        };


     

       
87

       
80

       
 

       
      };


     

       
88

       
81

       
 

       
    };


     

       
89

       
82

       
 

       



     

       
90

       
83

       
 

       
    serviceDependencies = lib.mkOption {


     

       
91

       
84

       
 

       
      type = with lib.types; listOf str;


     

       
92

       

       
-

       
      default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;


     

       

       
85

       
+

       
      default = lib.optional config.services.matrix-synapse.enable


     

       

       
86

       
+

       
        config.services.matrix-synapse.serviceUnit;


     

       
93

       
87

       
 

       
      defaultText = lib.literalExpression ''


     

       
94

       
88

       
 

       
        optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits


     

       
95

       
89

       
 

       
      '';


     
···

       
108

       
102

       
 

       
      description = "Mautrix-Instagram bridge user";


     

       
109

       
103

       
 

       
    };


     

       
110

       
104

       
 

       



     

       
111

       

       
-

       
    users.groups.mautrix-instagram = {};


     

       

       
105

       
+

       
    users.groups.mautrix-instagram = { };


     

       
112

       
106

       
 

       



     

       
113

       
107

       
 

       
    services.mautrix-instagram.settings = lib.mkMerge (map mkDefaults [


     

       
114

       
108

       
 

       
      defaultConfig


     

       
115

       
109

       
 

       
      # Note: this is defined here to avoid the docs depending on `config`


     

       
116

       

       
-

       
      { homeserver.domain = config.services.matrix-synapse.settings.server_name; }


     

       

       
110

       
+

       
      {


     

       

       
111

       
+

       
        homeserver.domain = config.services.matrix-synapse.settings.server_name;


     

       

       
112

       
+

       
      }


     

       
117

       
113

       
 

       
    ]);


     

       
118

       
114

       
 

       



     

       
119

       
115

       
 

       
    systemd.services.mautrix-instagram = {


     

       
120

       
116

       
 

       
      description = "Mautrix-Instagram Service - A Instagram bridge for Matrix";


     

       
121

       
117

       
 

       



     

       
122

       

       
-

       
      wantedBy = ["multi-user.target"];


     

       
123

       

       
-

       
      wants = ["network-online.target"] ++ cfg.serviceDependencies;


     

       
124

       

       
-

       
      after = ["network-online.target"] ++ cfg.serviceDependencies;


     

       

       
118

       
+

       
      wantedBy = [ "multi-user.target" ];


     

       

       
119

       
+

       
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;


     

       

       
120

       
+

       
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;


     

       
125

       
121

       
 

       



     

       
126

       
122

       
 

       
      preStart = ''


     

       
127

       
123

       
 

       
        # substitute the settings file by environment variables


     
···

       
182

       
178

       
 

       
        RestrictSUIDSGID = true;


     

       
183

       
179

       
 

       
        SystemCallArchitectures = "native";


     

       
184

       
180

       
 

       
        SystemCallErrorNumber = "EPERM";


     

       
185

       

       
-

       
        SystemCallFilter = ["@system-service"];


     

       

       
181

       
+

       
        SystemCallFilter = [ "@system-service" ];


     

       
186

       
182

       
 

       
        Type = "simple";


     

       
187

       

       
-

       
        UMask = 0027;


     

       

       
183

       
+

       
        UMask = 27;


     

       
188

       
184

       
 

       
      };


     

       
189

       

       
-

       
      restartTriggers = [settingsFileUnsubstituted];


     

       

       
185

       
+

       
      restartTriggers = [ settingsFileUnsubstituted ];


     

       
190

       
186

       
 

       
    };


     

       
191

       
187

       
 

       
  };


     

       
192

       
188

       
 

       
}
+25 -29
modules/matrix/mautrix-messenger.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}: let


     

       

       
1

       
+

       
{ lib, config, pkgs, ... }:


     

       

       
2

       
+

       
let


     

       
7

       
3

       
 

       
  cfg = config.services.mautrix-messenger;


     

       
8

       
4

       
 

       
  dataDir = "/var/lib/mautrix-messenger";


     

       
9

       
5

       
 

       
  registrationFile = "${dataDir}/messenger-registration.yaml";


     

       
10

       
6

       
 

       
  settingsFile = "${dataDir}/config.json";


     

       
11

       

       
-

       
  settingsFileUnsubstituted = settingsFormat.generate "mautrix-messenger-config-unsubstituted.json" cfg.settings;


     

       
12

       

       
-

       
  settingsFormat = pkgs.formats.json {};


     

       

       
7

       
+

       
  settingsFileUnsubstituted =


     

       

       
8

       
+

       
    settingsFormat.generate "mautrix-messenger-config-unsubstituted.json"


     

       

       
9

       
+

       
    cfg.settings;


     

       

       
10

       
+

       
  settingsFormat = pkgs.formats.json { };


     

       
13

       
11

       
 

       
  appservicePort = 29320;


     

       
14

       
12

       
 

       



     

       
15

       
13

       
 

       
  mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);


     
···

       
30

       
28

       
 

       
    };


     

       
31

       
29

       
 

       
    bridge = {


     

       
32

       
30

       
 

       
      username_template = "messenger_{{.}}";


     

       
33

       

       
-

       
      double_puppet_server_map = {};


     

       
34

       

       
-

       
      login_shared_secret_map = {};


     

       

       
31

       
+

       
      double_puppet_server_map = { };


     

       

       
32

       
+

       
      login_shared_secret_map = { };


     

       
35

       
33

       
 

       
      permissions."*" = "relay";


     

       
36

       
34

       
 

       
      relay.enabled = true;


     

       
37

       
35

       
 

       
    };


     
···

       
47

       
45

       
 

       



     

       
48

       
46

       
 

       
in {


     

       
49

       
47

       
 

       
  options.services.mautrix-messenger = {


     

       
50

       

       
-

       
    enable = lib.mkEnableOption (lib.mdDoc "mautrix-messenger, a puppeting/relaybot bridge between Matrix and Messenger.");


     

       

       
48

       
+

       
    enable = lib.mkEnableOption (lib.mdDoc


     

       

       
49

       
+

       
      "mautrix-messenger, a puppeting/relaybot bridge between Matrix and Messenger.");


     

       
51

       
50

       
 

       



     

       
52

       
51

       
 

       
    settings = lib.mkOption {


     

       
53

       
52

       
 

       
      type = settingsFormat.type;


     
···

       
67

       
66

       
 

       
          ephemeral_events = false;


     

       
68

       
67

       
 

       
        };


     

       
69

       
68

       
 

       
        bridge = {


     

       
70

       

       
-

       
          history_sync = {


     

       
71

       

       
-

       
            request_full_sync = true;


     

       
72

       

       
-

       
          };


     

       

       
69

       
+

       
          history_sync = { request_full_sync = true; };


     

       
73

       
70

       
 

       
          private_chat_portal_meta = true;


     

       
74

       
71

       
 

       
          mute_bridging = true;


     

       
75

       
72

       
 

       
          encryption = {


     
···

       
77

       
74

       
 

       
            default = true;


     

       
78

       
75

       
 

       
            require = true;


     

       
79

       
76

       
 

       
          };


     

       
80

       

       
-

       
          provisioning = {


     

       
81

       

       
-

       
            shared_secret = "disable";


     

       
82

       

       
-

       
          };


     

       
83

       

       
-

       
          permissions = {


     

       
84

       

       
-

       
            "example.com" = "user";


     

       
85

       

       
-

       
          };


     

       

       
77

       
+

       
          provisioning = { shared_secret = "disable"; };


     

       

       
78

       
+

       
          permissions = { "example.com" = "user"; };


     

       
86

       
79

       
 

       
        };


     

       
87

       
80

       
 

       
      };


     

       
88

       
81

       
 

       
    };


     

       
89

       
82

       
 

       



     

       
90

       
83

       
 

       
    serviceDependencies = lib.mkOption {


     

       
91

       
84

       
 

       
      type = with lib.types; listOf str;


     

       
92

       

       
-

       
      default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;


     

       

       
85

       
+

       
      default = lib.optional config.services.matrix-synapse.enable


     

       

       
86

       
+

       
        config.services.matrix-synapse.serviceUnit;


     

       
93

       
87

       
 

       
      defaultText = lib.literalExpression ''


     

       
94

       
88

       
 

       
        optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits


     

       
95

       
89

       
 

       
      '';


     
···

       
108

       
102

       
 

       
      description = "Mautrix-Messenger bridge user";


     

       
109

       
103

       
 

       
    };


     

       
110

       
104

       
 

       



     

       
111

       

       
-

       
    users.groups.mautrix-messenger = {};


     

       

       
105

       
+

       
    users.groups.mautrix-messenger = { };


     

       
112

       
106

       
 

       



     

       
113

       
107

       
 

       
    services.mautrix-messenger.settings = lib.mkMerge (map mkDefaults [


     

       
114

       
108

       
 

       
      defaultConfig


     

       
115

       
109

       
 

       
      # Note: this is defined here to avoid the docs depending on `config`


     

       
116

       

       
-

       
      { homeserver.domain = config.services.matrix-synapse.settings.server_name; }


     

       

       
110

       
+

       
      {


     

       

       
111

       
+

       
        homeserver.domain = config.services.matrix-synapse.settings.server_name;


     

       

       
112

       
+

       
      }


     

       
117

       
113

       
 

       
    ]);


     

       
118

       
114

       
 

       



     

       
119

       
115

       
 

       
    systemd.services.mautrix-messenger = {


     

       
120

       
116

       
 

       
      description = "Mautrix-Messenger Service - A Messenger bridge for Matrix";


     

       
121

       
117

       
 

       



     

       
122

       

       
-

       
      wantedBy = ["multi-user.target"];


     

       
123

       

       
-

       
      wants = ["network-online.target"] ++ cfg.serviceDependencies;


     

       
124

       

       
-

       
      after = ["network-online.target"] ++ cfg.serviceDependencies;


     

       

       
118

       
+

       
      wantedBy = [ "multi-user.target" ];


     

       

       
119

       
+

       
      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;


     

       

       
120

       
+

       
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;


     

       
125

       
121

       
 

       



     

       
126

       
122

       
 

       
      preStart = ''


     

       
127

       
123

       
 

       
        # substitute the settings file by environment variables


     
···

       
182

       
178

       
 

       
        RestrictSUIDSGID = true;


     

       
183

       
179

       
 

       
        SystemCallArchitectures = "native";


     

       
184

       
180

       
 

       
        SystemCallErrorNumber = "EPERM";


     

       
185

       

       
-

       
        SystemCallFilter = ["@system-service"];


     

       

       
181

       
+

       
        SystemCallFilter = [ "@system-service" ];


     

       
186

       
182

       
 

       
        Type = "simple";


     

       
187

       

       
-

       
        UMask = 0027;


     

       

       
183

       
+

       
        UMask = 27;


     

       
188

       
184

       
 

       
      };


     

       
189

       

       
-

       
      restartTriggers = [settingsFileUnsubstituted];


     

       

       
185

       
+

       
      restartTriggers = [ settingsFileUnsubstituted ];


     

       
190

       
186

       
 

       
    };


     

       
191

       
187

       
 

       
  };


     

       
192

       
188

       
 

       
}
-200
modules/matrix/mautrix-signal.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}: let


     

       
7

       

       
-

       
  cfg = config.services.mautrix-signal;


     

       
8

       

       
-

       
  dataDir = "/var/lib/mautrix-signal";


     

       
9

       

       
-

       
  registrationFile = "${dataDir}/signal-registration.yaml";


     

       
10

       

       
-

       
  settingsFile = "${dataDir}/config.json";


     

       
11

       

       
-

       
  settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" cfg.settings;


     

       
12

       

       
-

       
  settingsFormat = pkgs.formats.json {};


     

       
13

       

       
-

       
  appservicePort = 29328;


     

       
14

       

       
-

       



     

       
15

       

       
-

       
  mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);


     

       
16

       

       
-

       
  defaultConfig = {


     

       
17

       

       
-

       
    homeserver.address = "http://localhost:8448";


     

       
18

       

       
-

       
    signal = {


     

       
19

       

       
-

       
      socket_path = config.services.signald.socketPath;


     

       
20

       

       
-

       
      outgoing_attachment_dir = "/var/lib/signald/tmp";


     

       
21

       

       
-

       
    };


     

       
22

       

       
-

       
    appservice = {


     

       
23

       

       
-

       
      hostname = "[::]";


     

       
24

       

       
-

       
      port = appservicePort;


     

       
25

       

       
-

       
      database.type = "sqlite3";


     

       
26

       

       
-

       
      database.uri = "${dataDir}/mautrix-signal.db";


     

       
27

       

       
-

       
      id = "signal";


     

       
28

       

       
-

       
      bot.username = "signalbot";


     

       
29

       

       
-

       
      bot.displayname = "Signal Bridge Bot";


     

       
30

       

       
-

       
      as_token = "";


     

       
31

       

       
-

       
      hs_token = "";


     

       
32

       

       
-

       
    };


     

       
33

       

       
-

       
    bridge = {


     

       
34

       

       
-

       
      username_template = "signal_{{.}}";


     

       
35

       

       
-

       
      double_puppet_server_map = {};


     

       
36

       

       
-

       
      login_shared_secret_map = {};


     

       
37

       

       
-

       
      permissions."*" = "relay";


     

       
38

       

       
-

       
    };


     

       
39

       

       
-

       
    logging = {


     

       
40

       

       
-

       
      min_level = "info";


     

       
41

       

       
-

       
      writers = lib.singleton {


     

       
42

       

       
-

       
        type = "stdout";


     

       
43

       

       
-

       
        format = "pretty-colored";


     

       
44

       

       
-

       
        time_format = " ";


     

       
45

       

       
-

       
      };


     

       
46

       

       
-

       
    };


     

       
47

       

       
-

       
  };


     

       
48

       

       
-

       



     

       
49

       

       
-

       
in {


     

       
50

       

       
-

       
  options.services.mautrix-signal = {


     

       
51

       

       
-

       
    enable = lib.mkEnableOption (lib.mdDoc "mautrix-signal, a puppeting/relaybot bridge between Matrix and Signal.");


     

       
52

       

       
-

       



     

       
53

       

       
-

       
    settings = lib.mkOption {


     

       
54

       

       
-

       
      type = settingsFormat.type;


     

       
55

       

       
-

       
      default = defaultConfig;


     

       
56

       

       
-

       
      description = lib.mdDoc ''


     

       
57

       

       
-

       
        {file}`config.yaml` configuration as a Nix attribute set.


     

       
58

       

       
-

       
        Configuration options should match those described in


     

       
59

       

       
-

       
        [example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml).


     

       
60

       

       
-

       
      '';


     

       
61

       

       
-

       
      example = {


     

       
62

       

       
-

       
        appservice = {


     

       
63

       

       
-

       
          database = {


     

       
64

       

       
-

       
            type = "postgres";


     

       
65

       

       
-

       
            uri = "postgresql:///mautrix_signal?host=/run/postgresql";


     

       
66

       

       
-

       
          };


     

       
67

       

       
-

       
          id = "signal";


     

       
68

       

       
-

       
          ephemeral_events = false;


     

       
69

       

       
-

       
        };


     

       
70

       

       
-

       
        bridge = {


     

       
71

       

       
-

       
          history_sync = {


     

       
72

       

       
-

       
            request_full_sync = true;


     

       
73

       

       
-

       
          };


     

       
74

       

       
-

       
          private_chat_portal_meta = true;


     

       
75

       

       
-

       
          mute_bridging = true;


     

       
76

       

       
-

       
          encryption = {


     

       
77

       

       
-

       
            allow = true;


     

       
78

       

       
-

       
            default = true;


     

       
79

       

       
-

       
            require = true;


     

       
80

       

       
-

       
          };


     

       
81

       

       
-

       
          provisioning = {


     

       
82

       

       
-

       
            shared_secret = "disable";


     

       
83

       

       
-

       
          };


     

       
84

       

       
-

       
          permissions = {


     

       
85

       

       
-

       
            "example.com" = "user";


     

       
86

       

       
-

       
          };


     

       
87

       

       
-

       
        };


     

       
88

       

       
-

       
      };


     

       
89

       

       
-

       
    };


     

       
90

       

       
-

       



     

       
91

       

       
-

       
    serviceDependencies = lib.mkOption {


     

       
92

       

       
-

       
      type = with lib.types; listOf str;


     

       
93

       

       
-

       
      default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;


     

       
94

       

       
-

       
      defaultText = lib.literalExpression ''


     

       
95

       

       
-

       
        optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits


     

       
96

       

       
-

       
      '';


     

       
97

       

       
-

       
      description = lib.mdDoc ''


     

       
98

       

       
-

       
        List of Systemd services to require and wait for when starting the application service.


     

       
99

       

       
-

       
      '';


     

       
100

       

       
-

       
    };


     

       
101

       

       
-

       
  };


     

       
102

       

       
-

       



     

       
103

       

       
-

       
  config = lib.mkIf cfg.enable {


     

       
104

       

       
-

       



     

       
105

       

       
-

       
    services.signald.enable = true;


     

       
106

       

       
-

       



     

       
107

       

       
-

       
    users.users.mautrix-signal = {


     

       
108

       

       
-

       
      isSystemUser = true;


     

       
109

       

       
-

       
      group = "mautrix-signal";


     

       
110

       

       
-

       
      home = dataDir;


     

       
111

       

       
-

       
      description = "Mautrix-Signal bridge user";


     

       
112

       

       
-

       
    };


     

       
113

       

       
-

       



     

       
114

       

       
-

       
    users.groups.mautrix-signal = {};


     

       
115

       

       
-

       



     

       
116

       

       
-

       
    services.mautrix-signal.settings = lib.mkMerge (map mkDefaults [


     

       
117

       

       
-

       
      defaultConfig


     

       
118

       

       
-

       
      # Note: this is defined here to avoid the docs depending on `config`


     

       
119

       

       
-

       
      { homeserver.domain = config.services.matrix-synapse.settings.server_name; }


     

       
120

       

       
-

       
    ]);


     

       
121

       

       
-

       



     

       
122

       

       
-

       
    systemd.services.mautrix-signal = {


     

       
123

       

       
-

       
      description = "Mautrix-Signal Service - A Signal bridge for Matrix";


     

       
124

       

       
-

       



     

       
125

       

       
-

       
      requires = [ "signald.service" ];


     

       
126

       

       
-

       
      # voice messages need `ffmpeg`


     

       
127

       

       
-

       
      path = [ pkgs.ffmpeg ];


     

       
128

       

       
-

       



     

       
129

       

       
-

       
      wantedBy = ["multi-user.target"];


     

       
130

       

       
-

       
      wants = ["network-online.target"] ++ cfg.serviceDependencies;


     

       
131

       

       
-

       
      after = ["network-online.target" "signald.service"] ++ cfg.serviceDependencies;


     

       
132

       

       
-

       



     

       
133

       

       
-

       
      preStart = ''


     

       
134

       

       
-

       
        # substitute the settings file by environment variables


     

       
135

       

       
-

       
        # in this case read from EnvironmentFile


     

       
136

       

       
-

       
        test -f '${settingsFile}' && rm -f '${settingsFile}'


     

       
137

       

       
-

       
        old_umask=$(umask)


     

       
138

       

       
-

       
        umask 0177


     

       
139

       

       
-

       
        ${pkgs.envsubst}/bin/envsubst \


     

       
140

       

       
-

       
          -o '${settingsFile}' \


     

       
141

       

       
-

       
          -i '${settingsFileUnsubstituted}'


     

       
142

       

       
-

       
        umask $old_umask


     

       
143

       

       
-

       



     

       
144

       

       
-

       
        # generate the appservice's registration file if absent


     

       
145

       

       
-

       
        if [ ! -f '${registrationFile}' ]; then


     

       
146

       

       
-

       
          ${pkgs.mautrix-signal}/bin/mautrix-signal \


     

       
147

       

       
-

       
            --generate-registration \


     

       
148

       

       
-

       
            --config='${settingsFile}' \


     

       
149

       

       
-

       
            --registration='${registrationFile}'


     

       
150

       

       
-

       
        fi


     

       
151

       

       
-

       
        chmod 640 ${registrationFile}


     

       
152

       

       
-

       



     

       
153

       

       
-

       
        umask 0177


     

       
154

       

       
-

       
        ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token


     

       
155

       

       
-

       
          | .[0].appservice.hs_token = .[1].hs_token


     

       
156

       

       
-

       
          | .[0]' '${settingsFile}' '${registrationFile}' \


     

       
157

       

       
-

       
          > '${settingsFile}.tmp'


     

       
158

       

       
-

       
        mv '${settingsFile}.tmp' '${settingsFile}'


     

       
159

       

       
-

       
        umask $old_umask


     

       
160

       

       
-

       
      '';


     

       
161

       

       
-

       



     

       
162

       

       
-

       
      serviceConfig = {


     

       
163

       

       
-

       
        SupplementaryGroups = [ "signald" ];


     

       
164

       

       
-

       
        User = "mautrix-signal";


     

       
165

       

       
-

       
        Group = "mautrix-signal";


     

       
166

       

       
-

       
        StateDirectory = baseNameOf dataDir;


     

       
167

       

       
-

       
        WorkingDirectory = dataDir;


     

       
168

       

       
-

       
        ExecStart = ''


     

       
169

       

       
-

       
          ${pkgs.mautrix-signal}/bin/mautrix-signal \


     

       
170

       

       
-

       
          --config='${settingsFile}' \


     

       
171

       

       
-

       
          --registration='${registrationFile}'


     

       
172

       

       
-

       
        '';


     

       
173

       

       
-

       
        LockPersonality = true;


     

       
174

       

       
-

       
        MemoryDenyWriteExecute = true;


     

       
175

       

       
-

       
        NoNewPrivileges = true;


     

       
176

       

       
-

       
        PrivateDevices = true;


     

       
177

       

       
-

       
        PrivateTmp = true;


     

       
178

       

       
-

       
        PrivateUsers = true;


     

       
179

       

       
-

       
        ProtectClock = true;


     

       
180

       

       
-

       
        ProtectControlGroups = true;


     

       
181

       

       
-

       
        ProtectHome = true;


     

       
182

       

       
-

       
        ProtectHostname = true;


     

       
183

       

       
-

       
        ProtectKernelLogs = true;


     

       
184

       

       
-

       
        ProtectKernelModules = true;


     

       
185

       

       
-

       
        ProtectKernelTunables = true;


     

       
186

       

       
-

       
        ProtectSystem = "strict";


     

       
187

       

       
-

       
        Restart = "on-failure";


     

       
188

       

       
-

       
        RestartSec = "30s";


     

       
189

       

       
-

       
        RestrictRealtime = true;


     

       
190

       

       
-

       
        RestrictSUIDSGID = true;


     

       
191

       

       
-

       
        SystemCallArchitectures = "native";


     

       
192

       

       
-

       
        SystemCallErrorNumber = "EPERM";


     

       
193

       

       
-

       
        SystemCallFilter = ["@system-service"];


     

       
194

       

       
-

       
        Type = "simple";


     

       
195

       

       
-

       
        UMask = 0027;


     

       
196

       

       
-

       
      };


     

       
197

       

       
-

       
      restartTriggers = [settingsFileUnsubstituted];


     

       
198

       

       
-

       
    };


     

       
199

       

       
-

       
  };


     

       
200

       

       
-

       
}
+107 -96
modules/matrix/synapse.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  turnSharedSecretFile = "/run/matrix-synapse/turn-shared-secret";


     

       
7

       

       
-

       
in


     

       
8

       

       
-

       
{


     

       

       
7

       
+

       
  domain = config.networking.domain;


     

       

       
8

       
+

       
  subdomain = "matrix.${domain}";


     

       

       
9

       
+

       
in {


     

       
9

       
10

       
 

       
  options.eilean.matrix = {


     

       
10

       
11

       
 

       
    enable = mkEnableOption "matrix";


     

       
11

       
12

       
 

       
    turn = mkOption {


     
···

       
51

       
52

       
 

       
        LC_CTYPE = "C";


     

       
52

       
53

       
 

       
    '';


     

       
53

       
54

       
 

       



     

       

       
55

       
+

       
    security.acme-eon.nginxCerts = lib.mkIf cfg.acme-eon [ domain subdomain ];


     

       

       
56

       
+

       



     

       
54

       
57

       
 

       
    services.nginx = {


     

       
55

       
58

       
 

       
      enable = true;


     

       
56

       
59

       
 

       
      # only recommendedProxySettings and recommendedGzipSettings are strictly required,


     
···

       
62

       
65

       
 

       



     

       
63

       
66

       
 

       
      virtualHosts = {


     

       
64

       
67

       
 

       
        # This host section can be placed on a different host than the rest,


     

       
65

       

       
-

       
        # i.e. to delegate from the host being accessible as ${config.networking.domain}


     

       

       
68

       
+

       
        # i.e. to delegate from the host being accessible as ${domain}


     

       
66

       
69

       
 

       
        # to another host actually running the Matrix homeserver.


     

       
67

       

       
-

       
        "${config.networking.domain}" = {


     

       
68

       

       
-

       
          enableACME = true;


     

       

       
70

       
+

       
        "${domain}" = {


     

       

       
71

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
69

       
72

       
 

       
          forceSSL = true;


     

       
70

       
73

       
 

       



     

       
71

       

       
-

       
          locations."= /.well-known/matrix/server".extraConfig =


     

       
72

       

       
-

       
            let


     

       
73

       

       
-

       
              # use 443 instead of the default 8448 port to unite


     

       
74

       

       
-

       
              # the client-server and server-server port for simplicity


     

       
75

       

       
-

       
              server = { "m.server" = "matrix.${config.networking.domain}:443"; };


     

       
76

       

       
-

       
            in ''


     

       
77

       

       
-

       
              default_type application/json;


     

       
78

       

       
-

       
              return 200 '${builtins.toJSON server}';


     

       
79

       

       
-

       
            '';


     

       
80

       

       
-

       
          locations."= /.well-known/matrix/client".extraConfig =


     

       
81

       

       
-

       
            let


     

       
82

       

       
-

       
              client = {


     

       
83

       

       
-

       
                "m.homeserver" =  { "base_url" = "https://matrix.${config.networking.domain}"; };


     

       
84

       

       
-

       
                "m.identity_server" =  { "base_url" = "https://vector.im"; };


     

       
85

       

       
-

       
              };


     

       

       
74

       
+

       
          locations."= /.well-known/matrix/server".extraConfig = let


     

       

       
75

       
+

       
            # use 443 instead of the default 8448 port to unite


     

       

       
76

       
+

       
            # the client-server and server-server port for simplicity


     

       

       
77

       
+

       
            server = { "m.server" = "${subdomain}:443"; };


     

       

       
78

       
+

       
          in ''


     

       

       
79

       
+

       
            default_type application/json;


     

       

       
80

       
+

       
            return 200 '${builtins.toJSON server}';


     

       

       
81

       
+

       
          '';


     

       

       
82

       
+

       
          locations."= /.well-known/matrix/client".extraConfig = let


     

       

       
83

       
+

       
            client = {


     

       

       
84

       
+

       
              "m.homeserver" = { "base_url" = "https://${subdomain}"; };


     

       

       
85

       
+

       
              "m.identity_server" = { "base_url" = "https://vector.im"; };


     

       

       
86

       
+

       
            };


     

       
86

       
87

       
 

       
            # ACAO required to allow element-web on any URL to request this json file


     

       
87

       
88

       
 

       
            # set other headers due to https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md


     

       
88

       

       
-

       
            in ''


     

       
89

       

       
-

       
              default_type application/json;


     

       
90

       

       
-

       
              add_header Access-Control-Allow-Origin *;


     

       
91

       

       
-

       
              add_header Strict-Transport-Security max-age=31536000 always;


     

       
92

       

       
-

       
              add_header X-Frame-Options SAMEORIGIN always;


     

       
93

       

       
-

       
              add_header X-Content-Type-Options nosniff always;


     

       
94

       

       
-

       
              add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;


     

       
95

       

       
-

       
              add_header Referrer-Policy 'same-origin';


     

       
96

       

       
-

       
              return 200 '${builtins.toJSON client}';


     

       
97

       

       
-

       
            '';


     

       

       
89

       
+

       
          in ''


     

       

       
90

       
+

       
            default_type application/json;


     

       

       
91

       
+

       
            add_header Access-Control-Allow-Origin *;


     

       

       
92

       
+

       
            add_header Strict-Transport-Security max-age=31536000 always;


     

       

       
93

       
+

       
            add_header X-Frame-Options SAMEORIGIN always;


     

       

       
94

       
+

       
            add_header X-Content-Type-Options nosniff always;


     

       

       
95

       
+

       
            add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;


     

       

       
96

       
+

       
            add_header Referrer-Policy 'same-origin';


     

       

       
97

       
+

       
            return 200 '${builtins.toJSON client}';


     

       

       
98

       
+

       
          '';


     

       
98

       
99

       
 

       
        };


     

       
99

       
100

       
 

       



     

       
100

       
101

       
 

       
        # Reverse proxy for Matrix client-server and server-server communication


     

       
101

       

       
-

       
        "matrix.${config.networking.domain}" = {


     

       
102

       

       
-

       
          enableACME = true;


     

       

       
102

       
+

       
        "${subdomain}" = {


     

       

       
103

       
+

       
          enableACME = lib.mkIf (!cfg.acme-eon) true;


     

       
103

       
104

       
 

       
          forceSSL = true;


     

       
104

       
105

       
 

       



     

       
105

       
106

       
 

       
          # Or do a redirect instead of the 404, or whatever is appropriate for you.


     
···

       
109

       
110

       
 

       
          '';


     

       
110

       
111

       
 

       



     

       
111

       
112

       
 

       
          # forward all Matrix API calls to the synapse Matrix homeserver


     

       
112

       

       
-

       
          locations."/_matrix" = {


     

       
113

       

       
-

       
            proxyPass = "http://127.0.0.1:8008"; # without a trailing /


     

       
114

       

       
-

       
            #proxyPassReverse = "http://127.0.0.1:8008"; # without a trailing /


     

       

       
113

       
+

       
          locations."~ ^(\\/_matrix|\\/_synapse\\/client)" = {


     

       

       
114

       
+

       
            proxyPass = "http://127.0.0.1:8008";


     

       
115

       
115

       
 

       
          };


     

       
116

       
116

       
 

       
        };


     

       
117

       
117

       
 

       
      };


     
···

       
121

       
121

       
 

       
      enable = true;


     

       
122

       
122

       
 

       
      settings = mkMerge [


     

       
123

       
123

       
 

       
        {


     

       
124

       

       
-

       
          server_name = config.networking.domain;


     

       

       
124

       
+

       
          server_name = domain;


     

       
125

       
125

       
 

       
          enable_registration = true;


     

       
126

       
126

       
 

       
          registration_requires_token = true;


     

       
127

       
127

       
 

       
          registration_shared_secret_path = cfg.matrix.registrationSecretFile;


     

       
128

       

       
-

       
          listeners = [


     

       
129

       

       
-

       
            {


     

       
130

       

       
-

       
              port = 8008;


     

       
131

       

       
-

       
              bind_addresses = [ "::1" "127.0.0.1" ];


     

       
132

       

       
-

       
              type = "http";


     

       
133

       

       
-

       
              tls = false;


     

       
134

       

       
-

       
              x_forwarded = true;


     

       
135

       

       
-

       
              resources = [


     

       
136

       

       
-

       
                {


     

       
137

       

       
-

       
                  names = [ "client" "federation" ];


     

       
138

       

       
-

       
                  compress = false;


     

       
139

       

       
-

       
                }


     

       
140

       

       
-

       
              ];


     

       
141

       

       
-

       
            }


     

       
142

       

       
-

       
          ];


     

       

       
128

       
+

       
          listeners = [{


     

       

       
129

       
+

       
            port = 8008;


     

       

       
130

       
+

       
            bind_addresses = [ "::1" "127.0.0.1" ];


     

       

       
131

       
+

       
            type = "http";


     

       

       
132

       
+

       
            tls = false;


     

       

       
133

       
+

       
            x_forwarded = true;


     

       

       
134

       
+

       
            resources = [{


     

       

       
135

       
+

       
              names = [ "client" "federation" ];


     

       

       
136

       
+

       
              compress = false;


     

       

       
137

       
+

       
            }];


     

       

       
138

       
+

       
          }];


     

       
143

       
139

       
 

       
          max_upload_size = "100M";


     

       
144

       

       
-

       
          app_service_config_files =


     

       
145

       

       
-

       
            (optional cfg.matrix.bridges.whatsapp "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml") ++


     

       
146

       

       
-

       
            (optional cfg.matrix.bridges.signal "/var/lib/mautrix-signal/signal-registration.yaml") ++


     

       
147

       

       
-

       
            (optional cfg.matrix.bridges.instagram "/var/lib/mautrix-instagram/instagram-registration.yaml") ++


     

       
148

       

       
-

       
            (optional cfg.matrix.bridges.messenger "/var/lib/mautrix-messenger/messenger-registration.yaml");


     

       

       
140

       
+

       
          app_service_config_files = (optional cfg.matrix.bridges.instagram


     

       

       
141

       
+

       
            "/var/lib/mautrix-instagram/instagram-registration.yaml")


     

       

       
142

       
+

       
            ++ (optional cfg.matrix.bridges.messenger


     

       

       
143

       
+

       
              "/var/lib/mautrix-messenger/messenger-registration.yaml");


     

       
149

       
144

       
 

       
        }


     

       
150

       
145

       
 

       
        (mkIf cfg.matrix.turn {


     

       
151

       
146

       
 

       
          turn_uris = with config.services.coturn; [


     
···

       
157

       
152

       
 

       
          turn_user_lifetime = "1h";


     

       
158

       
153

       
 

       
        })


     

       
159

       
154

       
 

       
      ];


     

       
160

       

       
-

       
      extraConfigFiles = mkIf cfg.matrix.turn (


     

       
161

       

       
-

       
        [ turnSharedSecretFile ]


     

       
162

       

       
-

       
      );


     

       

       
155

       
+

       
      extraConfigFiles = mkIf cfg.matrix.turn ([ turnSharedSecretFile ]);


     

       
163

       
156

       
 

       
    };


     

       
164

       
157

       
 

       



     

       
165

       

       
-

       
    systemd.services.matrix-synapse-turn-shared-secret-generator = mkIf cfg.matrix.turn {


     

       
166

       

       
-

       
      description = "Generate matrix synapse turn shared secret config file";


     

       
167

       

       
-

       
      script = ''


     

       
168

       

       
-

       
        mkdir -p "$(dirname '${turnSharedSecretFile}')"


     

       
169

       

       
-

       
        echo "turn_shared_secret: $(cat '${config.services.coturn.static-auth-secret-file}')" > '${turnSharedSecretFile}'


     

       
170

       

       
-

       
        chmod 770 '${turnSharedSecretFile}'


     

       
171

       

       
-

       
        chown ${config.systemd.services.matrix-synapse.serviceConfig.User}:${config.systemd.services.matrix-synapse.serviceConfig.Group} '${turnSharedSecretFile}'


     

       

       
158

       
+

       
    systemd.services.matrix-synapse-turn-shared-secret-generator =


     

       

       
159

       
+

       
      mkIf cfg.matrix.turn {


     

       

       
160

       
+

       
        description = "Generate matrix synapse turn shared secret config file";


     

       

       
161

       
+

       
        script = ''


     

       

       
162

       
+

       
          mkdir -p "$(dirname '${turnSharedSecretFile}')"


     

       

       
163

       
+

       
          echo "turn_shared_secret: $(cat '${config.services.coturn.static-auth-secret-file}')" > '${turnSharedSecretFile}'


     

       

       
164

       
+

       
          chmod 770 '${turnSharedSecretFile}'


     

       

       
165

       
+

       
          chown ${config.systemd.services.matrix-synapse.serviceConfig.User}:${config.systemd.services.matrix-synapse.serviceConfig.Group} '${turnSharedSecretFile}'


     

       
172

       
166

       
 

       
        '';


     

       
173

       

       
-

       
      serviceConfig.Type = "oneshot";


     

       
174

       

       
-

       
      serviceConfig.RemainAfterExit = true;


     

       
175

       

       
-

       
      after = [ "coturn-static-auth-secret-generator.service" ];


     

       
176

       

       
-

       
      requires = [ "coturn-static-auth-secret-generator.service" ];


     

       
177

       

       
-

       
    };


     

       
178

       

       
-

       
    systemd.services."matrix-synapse".after = mkIf cfg.matrix.turn [ "matrix-synapse-turn-shared-secret-generator.service" ];


     

       
179

       

       
-

       
    systemd.services."matrix-synapse".requires = mkIf cfg.matrix.turn [ "matrix-synapse-turn-shared-secret-generator.service" ];


     

       

       
167

       
+

       
        serviceConfig.Type = "oneshot";


     

       

       
168

       
+

       
        serviceConfig.RemainAfterExit = true;


     

       

       
169

       
+

       
        after = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
170

       
+

       
        requires = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
171

       
+

       
      };


     

       

       
172

       
+

       
    systemd.services."matrix-synapse".after = mkIf cfg.matrix.turn


     

       

       
173

       
+

       
      [ "matrix-synapse-turn-shared-secret-generator.service" ];


     

       

       
174

       
+

       
    systemd.services."matrix-synapse".requires = mkIf cfg.matrix.turn


     

       

       
175

       
+

       
      [ "matrix-synapse-turn-shared-secret-generator.service" ];


     

       
180

       
176

       
 

       



     

       
181

       
177

       
 

       
    systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups =


     

       
182

       

       
-

       
      (optional cfg.matrix.bridges.whatsapp config.systemd.services.mautrix-whatsapp.serviceConfig.Group) ++


     

       
183

       

       
-

       
      (optional cfg.matrix.bridges.signal config.systemd.services.mautrix-signal.serviceConfig.Group) ++


     

       
184

       

       
-

       
      (optional cfg.matrix.bridges.instagram config.systemd.services.mautrix-instagram.serviceConfig.Group) ++


     

       
185

       

       
-

       
      (optional cfg.matrix.bridges.messenger config.systemd.services.mautrix-messenger.serviceConfig.Group);


     

       

       
178

       
+

       
      # remove after https://github.com/NixOS/nixpkgs/pull/311681/files


     

       

       
179

       
+

       
      (optional cfg.matrix.bridges.whatsapp


     

       

       
180

       
+

       
        config.systemd.services.mautrix-whatsapp.serviceConfig.Group)


     

       

       
181

       
+

       
      ++ (optional cfg.matrix.bridges.instagram


     

       

       
182

       
+

       
        config.systemd.services.mautrix-instagram.serviceConfig.Group)


     

       

       
183

       
+

       
      ++ (optional cfg.matrix.bridges.messenger


     

       

       
184

       
+

       
        config.systemd.services.mautrix-messenger.serviceConfig.Group);


     

       
186

       
185

       
 

       



     

       
187

       
186

       
 

       
    services.mautrix-whatsapp = mkIf cfg.matrix.bridges.whatsapp {


     

       
188

       
187

       
 

       
      enable = true;


     

       
189

       

       
-

       
      settings.homeserver.address = "https://matrix.${config.networking.domain}";


     

       
190

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
188

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
189

       
+

       
      settings.homeserver.domain = domain;


     

       
191

       
190

       
 

       
      settings.appservice.hostname = "localhost";


     

       
192

       
191

       
 

       
      settings.appservice.address = "http://localhost:29318";


     

       
193

       
192

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
194

       
193

       
 

       
      settings.bridge.history_sync.backfill = false;


     

       
195

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";


     

       

       
194

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       

       
195

       
+

       
        "admin";


     

       

       
196

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
197

       
+

       
      settings.bridge.encryption.default = true;


     

       
196

       
198

       
 

       
    };


     

       

       
199

       
+

       
    # using https://github.com/NixOS/nixpkgs/pull/277368


     

       
197

       
200

       
 

       
    services.mautrix-signal = mkIf cfg.matrix.bridges.signal {


     

       
198

       
201

       
 

       
      enable = true;


     

       
199

       

       
-

       
      settings.homeserver.address = "https://matrix.${config.networking.domain}";


     

       
200

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
202

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
203

       
+

       
      settings.homeserver.domain = domain;


     

       
201

       
204

       
 

       
      settings.appservice.hostname = "localhost";


     

       
202

       
205

       
 

       
      settings.appservice.address = "http://localhost:29328";


     

       
203

       
206

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
204

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";


     

       

       
207

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       

       
208

       
+

       
        "admin";


     

       

       
209

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
210

       
+

       
      settings.bridge.encryption.default = true;


     

       
205

       
211

       
 

       
    };


     

       

       
212

       
+

       
    # TODO replace with upstreamed mautrix-meta


     

       
206

       
213

       
 

       
    services.mautrix-instagram = mkIf cfg.matrix.bridges.instagram {


     

       
207

       
214

       
 

       
      enable = true;


     

       
208

       

       
-

       
      settings.homeserver.address = "https://matrix.${config.networking.domain}";


     

       
209

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
215

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
216

       
+

       
      settings.homeserver.domain = domain;


     

       
210

       
217

       
 

       
      settings.appservice.hostname = "localhost";


     

       
211

       
218

       
 

       
      settings.appservice.address = "http://localhost:29319";


     

       
212

       
219

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
213

       
220

       
 

       
      settings.bridge.backfill.enabled = false;


     

       
214

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";


     

       

       
221

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       

       
222

       
+

       
        "admin";


     

       

       
223

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
224

       
+

       
      settings.bridge.encryption.default = true;


     

       
215

       
225

       
 

       
    };


     

       
216

       
226

       
 

       
    services.mautrix-messenger = mkIf cfg.matrix.bridges.messenger {


     

       
217

       
227

       
 

       
      enable = true;


     

       
218

       

       
-

       
      settings.homeserver.address = "https://matrix.${config.networking.domain}";


     

       
219

       

       
-

       
      settings.homeserver.domain = config.networking.domain;


     

       

       
228

       
+

       
      settings.homeserver.address = "https://${subdomain}";


     

       

       
229

       
+

       
      settings.homeserver.domain = domain;


     

       
220

       
230

       
 

       
      settings.appservice.hostname = "localhost";


     

       
221

       
231

       
 

       
      settings.appservice.address = "http://localhost:29320";


     

       
222

       
232

       
 

       
      settings.bridge.personal_filtering_spaces = true;


     

       
223

       
233

       
 

       
      settings.bridge.backfill.enabled = false;


     

       
224

       

       
-

       
      settings.bridge.permissions."@${config.eilean.username}:${config.networking.domain}" = "admin";


     

       

       
234

       
+

       
      settings.bridge.permissions."@${config.eilean.username}:${domain}" =


     

       

       
235

       
+

       
        "admin";


     

       

       
236

       
+

       
      settings.bridge.encryption.allow = true;


     

       

       
237

       
+

       
      settings.bridge.encryption.default = true;


     

       
225

       
238

       
 

       
    };


     

       
226

       
239

       
 

       



     

       
227

       
240

       
 

       
    eilean.turn.enable = mkIf cfg.matrix.turn true;


     

       
228

       
241

       
 

       



     

       
229

       
242

       
 

       
    eilean.dns.enable = true;


     

       
230

       

       
-

       
    eilean.services.dns.zones.${config.networking.domain}.records = [


     

       
231

       

       
-

       
      {


     

       
232

       

       
-

       
        name = "matrix";


     

       
233

       

       
-

       
        type = "CNAME";


     

       
234

       

       
-

       
        data = "vps";


     

       
235

       

       
-

       
      }


     

       
236

       

       
-

       
    ];


     

       

       
243

       
+

       
    eilean.services.dns.zones.${domain}.records = [{


     

       

       
244

       
+

       
      name = "matrix";


     

       

       
245

       
+

       
      type = "CNAME";


     

       

       
246

       
+

       
      value = cfg.domainName;


     

       

       
247

       
+

       
    }];


     

       
237

       
248

       
 

       
  };


     

       
238

       
249

       
 

       
}
+81
modules/radicale.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       
let


     

       

       
5

       
+

       
  cfg = config.eilean;


     

       

       
6

       
+

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  passwdDir = "/var/lib/radicale/users";


     

       

       
8

       
+

       
  passwdFile = "${passwdDir}/passwd";


     

       

       
9

       
+

       
  userOps = { name, ... }: {


     

       

       
10

       
+

       
    options = {


     

       

       
11

       
+

       
      name = mkOption {


     

       

       
12

       
+

       
        type = types.str;


     

       

       
13

       
+

       
        readOnly = true;


     

       

       
14

       
+

       
        default = name;


     

       

       
15

       
+

       
      };


     

       

       
16

       
+

       
      passwordFile = mkOption { type = types.nullOr types.str; };


     

       

       
17

       
+

       
    };


     

       

       
18

       
+

       
  };


     

       

       
19

       
+

       
in {


     

       

       
20

       
+

       
  options.eilean.radicale = {


     

       

       
21

       
+

       
    enable = mkEnableOption "radicale";


     

       

       
22

       
+

       
    users = mkOption {


     

       

       
23

       
+

       
      type = with types; nullOr (attrsOf (submodule userOps));


     

       

       
24

       
+

       
      default = { };


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       
  };


     

       

       
27

       
+

       



     

       

       
28

       
+

       
  config = mkIf cfg.radicale.enable {


     

       

       
29

       
+

       
    services.radicale = {


     

       

       
30

       
+

       
      enable = true;


     

       

       
31

       
+

       
      settings = {


     

       

       
32

       
+

       
        server = { hosts = [ "0.0.0.0:5232" ]; };


     

       

       
33

       
+

       
        auth = {


     

       

       
34

       
+

       
          type = "htpasswd";


     

       

       
35

       
+

       
          htpasswd_filename = passwdFile;


     

       

       
36

       
+

       
          htpasswd_encryption = "bcrypt";


     

       

       
37

       
+

       
        };


     

       

       
38

       
+

       
        storage = { filesystem_folder = "/var/lib/radicale/collections"; };


     

       

       
39

       
+

       
      };


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       



     

       

       
42

       
+

       
    systemd.services.radicale = {


     

       

       
43

       
+

       
      serviceConfig.ReadWritePaths = [ "/var/lib/radicale" ];


     

       

       
44

       
+

       
      preStart = lib.mkIf (cfg.radicale.users != null) ''


     

       

       
45

       
+

       
        if (! test -d "${passwdDir}"); then


     

       

       
46

       
+

       
          mkdir "${passwdDir}"


     

       

       
47

       
+

       
          chmod 755 "${passwdDir}"


     

       

       
48

       
+

       
        fi


     

       

       
49

       
+

       



     

       

       
50

       
+

       
        umask 077


     

       

       
51

       
+

       



     

       

       
52

       
+

       
        cat <<EOF > ${passwdFile}


     

       

       
53

       
+

       



     

       

       
54

       
+

       
        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:


     

       

       
55

       
+

       
          ''


     

       

       
56

       
+

       
            $(${pkgs.apacheHttpd}/bin/htpasswd -nbB "${name}" "$(head -n 2 ${value.passwordFile})")'')


     

       

       
57

       
+

       
          cfg.radicale.users)}


     

       

       
58

       
+

       
        EOF


     

       

       
59

       
+

       
      '';


     

       

       
60

       
+

       
    };


     

       

       
61

       
+

       



     

       

       
62

       
+

       
    services.nginx = {


     

       

       
63

       
+

       
      enable = true;


     

       

       
64

       
+

       
      recommendedProxySettings = true;


     

       

       
65

       
+

       
      virtualHosts = {


     

       

       
66

       
+

       
        "cal.${domain}" = {


     

       

       
67

       
+

       
          forceSSL = true;


     

       

       
68

       
+

       
          enableACME = true;


     

       

       
69

       
+

       
          locations."/" = { proxyPass = "http://localhost:5232"; };


     

       

       
70

       
+

       
        };


     

       

       
71

       
+

       
      };


     

       

       
72

       
+

       
    };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
    eilean.dns.enable = true;


     

       

       
75

       
+

       
    eilean.services.dns.zones.${domain}.records = [{


     

       

       
76

       
+

       
      name = "cal";


     

       

       
77

       
+

       
      type = "CNAME";


     

       

       
78

       
+

       
      value = cfg.domainName;


     

       

       
79

       
+

       
    }];


     

       

       
80

       
+

       
  };


     

       

       
81

       
+

       
}
+22 -20
modules/services/dns/bind.nix 
···

       
1

       
1

       
 

       
{ pkgs, config, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
let cfg = config.eilean.services.dns; in


     

       
4

       

       
-

       
lib.mkIf (cfg.enable && cfg.server == "bind") {


     

       

       
3

       
+

       
let cfg = config.eilean.services.dns;


     

       

       
4

       
+

       
in lib.mkIf (cfg.enable && cfg.server == "bind") {


     

       
5

       
5

       
 

       
  services.bind = {


     

       
6

       
6

       
 

       
    enable = true;


     

       
7

       
7

       
 

       
    # recursive resolver


     

       
8

       
8

       
 

       
    # cacheNetworks = [ "0.0.0.0/0" ];


     

       
9

       

       
-

       
    zones =


     

       
10

       

       
-

       
      let mapZones = zonename: zone:


     

       
11

       

       
-

       
        {


     

       
12

       

       
-

       
          master = true;


     

       
13

       

       
-

       
          file = "${config.services.bind.directory}/${zonename}";


     

       
14

       

       
-

       
          #file = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";


     

       
15

       

       
-

       
          # axfr zone transfer


     

       
16

       

       
-

       
          slaves = [


     

       
17

       

       
-

       
            "127.0.0.1"


     

       
18

       

       
-

       
          ];


     

       
19

       

       
-

       
        };


     

       
20

       

       
-

       
      in builtins.mapAttrs mapZones cfg.zones;


     

       

       
9

       
+

       
    zones = let


     

       

       
10

       
+

       
      mapZones = zonename: zone: {


     

       

       
11

       
+

       
        master = true;


     

       

       
12

       
+

       
        file = "${config.services.bind.directory}/${zonename}";


     

       

       
13

       
+

       
        #file = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";


     

       

       
14

       
+

       
        # axfr zone transfer


     

       

       
15

       
+

       
        slaves = [ "127.0.0.1" ];


     

       

       
16

       
+

       
      };


     

       

       
17

       
+

       
    in builtins.mapAttrs mapZones cfg.zones;


     

       
21

       
18

       
 

       
  };


     

       

       
19

       
+

       



     

       

       
20

       
+

       
  users.users = { named.extraGroups = [ config.services.opendkim.group ]; };


     

       
22

       
21

       
 

       



     

       
23

       
22

       
 

       
  ### bind prestart copy zonefiles


     

       
24

       

       
-

       
  systemd.services.bind.preStart =


     

       
25

       

       
-

       
    let ops =


     

       
26

       

       
-

       
      let mapZones = zonename: zone:


     

       

       
23

       
+

       
  systemd.services.bind.preStart = let


     

       

       
24

       
+

       
    ops = let


     

       

       
25

       
+

       
      mapZones = zonename: zone:


     

       
27

       
26

       
 

       
        let


     

       
28

       

       
-

       
          zonefile = "${import ./zonefile.nix { inherit pkgs config lib zonename zone; }}/${zonename}";


     

       

       
27

       
+

       
          zonefile = "${


     

       

       
28

       
+

       
              import ./zonefile.nix { inherit pkgs config lib zonename zone; }


     

       

       
29

       
+

       
            }/${zonename}";


     

       
29

       
30

       
 

       
          path = "${config.services.bind.directory}/${zonename}";


     

       
30

       
31

       
 

       
        in ''


     

       
31

       
32

       
 

       
          if ! diff ${zonefile} ${path} > /dev/null; then


     

       
32

       
33

       
 

       
            cp ${zonefile} ${path}


     

       

       
34

       
+

       
            cat ${config.mailserver.dkimKeyDirectory}/*.txt >> ${path}


     

       
33

       
35

       
 

       
            # remove journal file to avoid 'journal out of sync with zone'


     

       
34

       
36

       
 

       
            # NB this will reset dynamic updates


     

       
35

       
37

       
 

       
            rm -f ${path}.signed.jnl


     

       
36

       
38

       
 

       
          fi


     

       
37

       
39

       
 

       
        '';


     

       
38

       

       
-

       
      in lib.attrsets.mapAttrsToList mapZones cfg.zones;


     

       
39

       

       
-

       
    in builtins.concatStringsSep "\n" ops;


     

       

       
40

       
+

       
    in lib.attrsets.mapAttrsToList mapZones cfg.zones;


     

       

       
41

       
+

       
  in builtins.concatStringsSep "\n" ops;


     

       
40

       
42

       
 

       
}
+15 -26
modules/services/dns/default.nix 
···

       
17

       
17

       
 

       
        default = "dns";


     

       
18

       
18

       
 

       
      };


     

       
19

       
19

       
 

       
      # TODO auto increment


     

       
20

       

       
-

       
      serial = mkOption {


     

       
21

       

       
-

       
        type = types.int;


     

       
22

       

       
-

       
      };


     

       

       
20

       
+

       
      serial = mkOption { type = types.int; };


     

       
23

       
21

       
 

       
      refresh = mkOption {


     

       
24

       
22

       
 

       
        type = types.int;


     

       
25

       
23

       
 

       
        default = 3600; # 1hr


     
···

       
37

       
35

       
 

       
        default = 3600; # 1hr


     

       
38

       
36

       
 

       
      };


     

       
39

       
37

       
 

       
    };


     

       
40

       

       
-

       
    records =


     

       
41

       

       
-

       
      let recordOpts.options = {


     

       
42

       

       
-

       
        name = mkOption {


     

       
43

       

       
-

       
          type = types.str;


     

       
44

       

       
-

       
        };


     

       

       
38

       
+

       
    records = let


     

       

       
39

       
+

       
      recordOpts.options = {


     

       

       
40

       
+

       
        name = mkOption { type = types.str; };


     

       
45

       
41

       
 

       
        ttl = mkOption {


     

       
46

       
42

       
 

       
          type = with types; nullOr int;


     

       
47

       
43

       
 

       
          default = null;


     

       
48

       
44

       
 

       
        };


     

       
49

       

       
-

       
        type = mkOption {


     

       
50

       

       
-

       
          type = types.str;


     

       
51

       

       
-

       
        };


     

       
52

       

       
-

       
        data = mkOption {


     

       
53

       

       
-

       
          type = types.str;


     

       
54

       

       
-

       
        };


     

       

       
45

       
+

       
        type = mkOption { type = types.str; };


     

       

       
46

       
+

       
        value = mkOption { type = types.str; };


     

       
55

       
47

       
 

       
      };


     

       
56

       

       
-

       
      in mkOption {


     

       
57

       

       
-

       
        type = with types; listOf (submodule recordOpts);


     

       
58

       

       
-

       
        default = [ ];


     

       
59

       

       
-

       
      };


     

       

       
48

       
+

       
    in mkOption {


     

       

       
49

       
+

       
      type = with types; listOf (submodule recordOpts);


     

       

       
50

       
+

       
      default = [ ];


     

       

       
51

       
+

       
    };


     

       
60

       
52

       
 

       
  };


     

       
61

       

       
-

       
in


     

       
62

       

       
-

       
{


     

       
63

       

       
-

       
  imports = [ ./bind.nix ];


     

       

       
53

       
+

       
in {


     

       

       
54

       
+

       
  imports = [ ./bind.nix ./eon.nix ];


     

       
64

       
55

       
 

       



     

       
65

       
56

       
 

       
  options.eilean.services.dns = {


     

       
66

       
57

       
 

       
    enable = mkEnableOption "DNS server";


     

       
67

       
58

       
 

       
    server = mkOption {


     

       
68

       

       
-

       
      type = types.enum [ "bind" ];


     

       
69

       

       
-

       
      default = "bind";


     

       

       
59

       
+

       
      type = types.enum [ "bind" "eon" ];


     

       

       
60

       
+

       
      default = if config.eilean.acme-eon then "eon" else "bind";


     

       
70

       
61

       
 

       
    };


     

       
71

       
62

       
 

       
    openFirewall = mkOption {


     

       
72

       
63

       
 

       
      type = types.bool;


     

       
73

       
64

       
 

       
      default = true;


     

       
74

       
65

       
 

       
    };


     

       
75

       

       
-

       
    zones = mkOption {


     

       
76

       

       
-

       
      type = with types; attrsOf (submodule zoneOptions);


     

       
77

       

       
-

       
    };


     

       

       
66

       
+

       
    zones = mkOption { type = with types; attrsOf (submodule zoneOptions); };


     

       
78

       
67

       
 

       
  };


     

       
79

       
68

       
 

       



     

       
80

       
69

       
 

       
  config.networking.firewall = mkIf config.eilean.services.dns.openFirewall {
+42
modules/services/dns/eon.nix 
···

       

       
1

       
+

       
{ pkgs, config, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
let cfg = config.eilean.services.dns;


     

       

       
4

       
+

       
in lib.mkIf (cfg.enable && cfg.server == "eon") {


     

       

       
5

       
+

       
  services.eon = {


     

       

       
6

       
+

       
    enable = true;


     

       

       
7

       
+

       
    application = "capd";


     

       

       
8

       
+

       
    capnpAddress = lib.mkDefault config.networking.domain;


     

       

       
9

       
+

       
    zoneFiles = let


     

       

       
10

       
+

       
      mapZonefile = zonename: zone:


     

       

       
11

       
+

       
        "${


     

       

       
12

       
+

       
          import ./zonefile.nix { inherit pkgs config lib zonename zone; }


     

       

       
13

       
+

       
        }/${zonename}";


     

       

       
14

       
+

       
    in lib.attrsets.mapAttrsToList mapZonefile cfg.zones;


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       



     

       

       
17

       
+

       
  users.users = { eon.extraGroups = [ config.services.opendkim.group ]; };


     

       

       
18

       
+

       



     

       

       
19

       
+

       
  ### bind prestart copy zonefiles


     

       

       
20

       
+

       
  systemd.services.eon.postStart = let


     

       

       
21

       
+

       
    update = ''


     

       

       
22

       
+

       
      update() {


     

       

       
23

       
+

       
        local file="$1"


     

       

       
24

       
+

       
        local domain="$2"


     

       

       
25

       
+

       
        local input=$(tr -d '\n' < "$file")


     

       

       
26

       
+

       
        local record_name=$(echo "$input" | ${pkgs.gawk}/bin/awk '{print $1}')


     

       

       
27

       
+

       
        local record_type=$(echo "$input" | ${pkgs.gawk}/bin/awk '{print $3}')


     

       

       
28

       
+

       
        local ttl=3600


     

       

       
29

       
+

       
        local record_value=$(echo "$input" | ${pkgs.gnused}/bin/sed -E 's/[^"]*"([^"]*)"[^"]*/\1/g')


     

       

       
30

       
+

       
        ${config.services.eon.package}/bin/capc update /var/lib/eon/caps/domain/''${domain}.cap -u "add|''${record_name}.''${domain}|''${record_type}|''${record_value}|''${ttl}" || exit 0


     

       

       
31

       
+

       
      }


     

       

       
32

       
+

       
      shopt -s nullglob


     

       

       
33

       
+

       
    '';


     

       

       
34

       
+

       
    ops = let


     

       

       
35

       
+

       
      mapZones = zonename: zone: ''


     

       

       
36

       
+

       
        for f in ${config.mailserver.dkimKeyDirectory}/${zonename}.*.txt; do


     

       

       
37

       
+

       
          update $f ${zonename}


     

       

       
38

       
+

       
        done


     

       

       
39

       
+

       
      '';


     

       

       
40

       
+

       
    in lib.attrsets.mapAttrsToList mapZones cfg.zones;


     

       

       
41

       
+

       
  in update + builtins.concatStringsSep "\n" ops;


     

       

       
42

       
+

       
}
+4 -12
modules/services/dns/zonefile.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  lib,


     

       
5

       

       
-

       
  zonename,


     

       
6

       

       
-

       
  zone,


     

       
7

       

       
-

       
  ...


     

       
8

       

       
-

       
}:


     

       

       
1

       
+

       
{ pkgs, config, lib, zonename, zone, ... }:


     

       
9

       
2

       
 

       



     

       
10

       
3

       
 

       
pkgs.writeTextFile {


     

       
11

       
4

       
 

       
  name = "zonefile-${zonename}";


     
···

       
20

       
13

       
 

       
      ${builtins.toString zone.soa.expire}


     

       
21

       
14

       
 

       
      ${builtins.toString zone.soa.negativeCacheTtl}


     

       
22

       
15

       
 

       
    )


     

       
23

       

       
-

       
    ${


     

       
24

       

       
-

       
      lib.strings.concatStringsSep "\n"


     

       
25

       

       
-

       
        (builtins.map (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.data}") zone.records)


     

       
26

       

       
-

       
    }


     

       

       
16

       
+

       
    ${lib.strings.concatStringsSep "\n" (builtins.map


     

       

       
17

       
+

       
      (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.value}")


     

       

       
18

       
+

       
      zone.records)}


     

       
27

       
19

       
 

       
  '';


     

       
28

       
20

       
 

       
}
+41 -32
modules/turn.nix 
···

       
4

       
4

       
 

       
let


     

       
5

       
5

       
 

       
  cfg = config.eilean;


     

       
6

       
6

       
 

       
  domain = config.networking.domain;


     

       

       
7

       
+

       
  subdomain = "turn.${domain}";


     

       
7

       
8

       
 

       
  staticAuthSecretFile = "/run/coturn/static-auth-secret";


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  options.eilean.turn = {


     

       
11

       

       
-

       
    enable = mkEnableOption "TURN server";


     

       
12

       

       
-

       
  };


     

       

       
9

       
+

       
in {


     

       

       
10

       
+

       
  options.eilean.turn = { enable = mkEnableOption "TURN server"; };


     

       
13

       
11

       
 

       



     

       
14

       
12

       
 

       
  config = mkIf cfg.turn.enable {


     

       
15

       

       
-

       
    services.coturn = rec {


     

       

       
13

       
+

       
    security.acme-eon.certs."${subdomain}" = lib.mkIf cfg.acme-eon {


     

       

       
14

       
+

       
      group = "turnserver";


     

       

       
15

       
+

       
      reloadServices = [ "coturn" ];


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
    services.coturn = let


     

       

       
19

       
+

       
      certDir = if cfg.acme-eon then


     

       

       
20

       
+

       
        config.security.acme-eon.certs.${subdomain}.directory


     

       

       
21

       
+

       
      else


     

       

       
22

       
+

       
        config.security.acme.certs.${subdomain}.directory;


     

       

       
23

       
+

       
    in {


     

       
16

       
24

       
 

       
      enable = true;


     

       
17

       
25

       
 

       
      no-cli = true;


     

       
18

       
26

       
 

       
      no-tcp-relay = true;


     

       
19

       
27

       
 

       
      secure-stun = true;


     

       
20

       
28

       
 

       
      use-auth-secret = true;


     

       
21

       
29

       
 

       
      static-auth-secret-file = staticAuthSecretFile;


     

       
22

       

       
-

       
      realm = "turn.${domain}";


     

       
23

       

       
-

       
      relay-ips = with config.eilean; [


     

       
24

       

       
-

       
        serverIpv4


     

       
25

       

       
-

       
        serverIpv6


     

       
26

       

       
-

       
      ];


     

       
27

       

       
-

       
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";


     

       
28

       

       
-

       
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";


     

       

       
30

       
+

       
      realm = subdomain;


     

       

       
31

       
+

       
      relay-ips = with config.eilean; [ serverIpv4 serverIpv6 ];


     

       

       
32

       
+

       
      cert = "${certDir}/fullchain.pem";


     

       

       
33

       
+

       
      pkey = "${certDir}/key.pem";


     

       
29

       
34

       
 

       
    };


     

       
30

       
35

       
 

       



     

       
31

       
36

       
 

       
    systemd.services = {


     
···

       
34

       
39

       
 

       
        script = ''


     

       
35

       
40

       
 

       
          if [ ! -f '${staticAuthSecretFile}' ]; then


     

       
36

       
41

       
 

       
            umask 077


     

       

       
42

       
+

       
            DIR="$(dirname '${staticAuthSecretFile}')"


     

       

       
43

       
+

       
            mkdir -p "$DIR"


     

       
37

       
44

       
 

       
            tr -dc A-Za-z0-9 </dev/urandom | head -c 32 > '${staticAuthSecretFile}'


     

       
38

       

       
-

       
            chown ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} '${staticAuthSecretFile}'


     

       

       
45

       
+

       
            chown -R ${config.systemd.services.coturn.serviceConfig.User}:${config.systemd.services.coturn.serviceConfig.Group} "$DIR"


     

       
39

       
46

       
 

       
          fi


     

       
40

       
47

       
 

       
        '';


     

       
41

       
48

       
 

       
        serviceConfig.Type = "oneshot";


     

       
42

       
49

       
 

       
        serviceConfig.RemainAfterExit = true;


     

       
43

       
50

       
 

       
      };


     

       
44

       
51

       
 

       
      "coturn" = {


     

       
45

       

       
-

       
        after = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
52

       
+

       
        after = [ "coturn-static-auth-secret-generator.service" ]


     

       

       
53

       
+

       
          ++ lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";


     

       
46

       
54

       
 

       
        requires = [ "coturn-static-auth-secret-generator.service" ];


     

       

       
55

       
+

       
        wants = lib.lists.optional cfg.acme-eon "acme-eon-${subdomain}.service";


     

       
47

       
56

       
 

       
      };


     

       
48

       
57

       
 

       
    };


     

       
49

       
58

       
 

       



     

       
50

       

       
-

       
    networking.firewall =


     

       
51

       

       
-

       
      with config.services.coturn;


     

       

       
59

       
+

       
    networking.firewall = with config.services.coturn;


     

       
52

       
60

       
 

       
      let


     

       
53

       
61

       
 

       
        turn-range = {


     

       
54

       
62

       
 

       
          from = min-port;


     
···

       
66

       
74

       
 

       
        allowedTCPPortRanges = [ turn-range ];


     

       
67

       
75

       
 

       
        allowedUDPPorts = stun-ports;


     

       
68

       
76

       
 

       
        allowedUDPPortRanges = [ turn-range ];


     

       
69

       

       
-

       
    };


     

       

       
77

       
+

       
      };


     

       
70

       
78

       
 

       



     

       
71

       

       
-

       
    security.acme.certs.${config.services.coturn.realm} = {


     

       
72

       

       
-

       
      postRun = "systemctl reload nginx.service; systemctl restart coturn.service";


     

       
73

       

       
-

       
      group = "turnserver";


     

       
74

       

       
-

       
    };


     

       
75

       

       
-

       
    services.nginx.enable = true;


     

       
76

       

       
-

       
    services.nginx.virtualHosts = {


     

       

       
79

       
+

       
    security.acme.certs.${config.services.coturn.realm} =


     

       

       
80

       
+

       
      lib.mkIf (!cfg.acme-eon) {


     

       

       
81

       
+

       
        postRun =


     

       

       
82

       
+

       
          "systemctl reload nginx.service; systemctl restart coturn.service";


     

       

       
83

       
+

       
        group = "turnserver";


     

       

       
84

       
+

       
      };


     

       

       
85

       
+

       
    services.nginx.enable = lib.mkIf (!cfg.acme-eon) true;


     

       

       
86

       
+

       
    services.nginx.virtualHosts = lib.mkIf (!cfg.acme-eon) {


     

       
77

       
87

       
 

       
      "${config.services.coturn.realm}" = {


     

       
78

       
88

       
 

       
        forceSSL = true;


     

       
79

       
89

       
 

       
        enableACME = true;


     

       
80

       
90

       
 

       
      };


     

       
81

       
91

       
 

       
    };


     

       
82

       

       
-

       
    users.groups."turnserver".members = [ config.services.nginx.user ];


     

       

       
92

       
+

       
    users.groups."turnserver".members =


     

       

       
93

       
+

       
      lib.mkIf (!cfg.acme-eon) [ config.services.nginx.user ];


     

       
83

       
94

       
 

       



     

       
84

       
95

       
 

       
    eilean.dns.enable = true;


     

       
85

       

       
-

       
    eilean.services.dns.zones.${config.networking.domain}.records = [


     

       
86

       

       
-

       
      {


     

       
87

       

       
-

       
        name = "turn";


     

       
88

       

       
-

       
        type = "CNAME";


     

       
89

       

       
-

       
        data = "vps";


     

       
90

       

       
-

       
      }


     

       
91

       

       
-

       
    ];


     

       

       
96

       
+

       
    eilean.services.dns.zones.${config.networking.domain}.records = [{


     

       

       
97

       
+

       
      name = "turn";


     

       

       
98

       
+

       
      type = "CNAME";


     

       

       
99

       
+

       
      value = cfg.domainName;


     

       

       
100

       
+

       
    }];


     

       
92

       
101

       
 

       
  };


     

       
93

       
102

       
 

       
}
+40 -52
modules/wireguard/default.nix 
···

       
1

       
1

       
 

       
{ pkgs, config, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
with lib;


     

       
4

       

       
-

       
let cfg = config.wireguard; in


     

       
5

       

       
-

       
{


     

       

       
4

       
+

       
let cfg = config.wireguard;


     

       

       
5

       
+

       
in {


     

       
6

       
6

       
 

       
  options.wireguard = {


     

       
7

       
7

       
 

       
    enable = mkEnableOption "wireguard";


     

       
8

       
8

       
 

       
    server = mkOption {


     

       
9

       
9

       
 

       
      type = with types; bool;


     

       
10

       

       
-

       
      default =


     

       
11

       

       
-

       
        if cfg.hosts ? config.networking.hostName then


     

       
12

       

       
-

       
          cfg.hosts.${config.networking.hostName}.server


     

       
13

       

       
-

       
        else false;


     

       

       
10

       
+

       
      default = if cfg.hosts ? config.networking.hostName then


     

       

       
11

       
+

       
        cfg.hosts.${config.networking.hostName}.server


     

       

       
12

       
+

       
      else


     

       

       
13

       
+

       
        false;


     

       
14

       
14

       
 

       
    };


     

       
15

       

       
-

       
    hosts =


     

       
16

       

       
-

       
      let hostOps = { ... }: {


     

       

       
15

       
+

       
    hosts = let


     

       

       
16

       
+

       
      hostOps = { ... }: {


     

       
17

       
17

       
 

       
        options = {


     

       
18

       

       
-

       
          ip = mkOption {


     

       
19

       

       
-

       
            type = types.str;


     

       
20

       

       
-

       
          };


     

       
21

       

       
-

       
          publicKey = mkOption {


     

       
22

       

       
-

       
            type = types.str;


     

       
23

       

       
-

       
          };


     

       

       
18

       
+

       
          ip = mkOption { type = types.str; };


     

       

       
19

       
+

       
          publicKey = mkOption { type = types.str; };


     

       
24

       
20

       
 

       
          server = mkOption {


     

       
25

       
21

       
 

       
            type = types.bool;


     

       
26

       
22

       
 

       
            default = false;


     
···

       
40

       
36

       
 

       
          };


     

       
41

       
37

       
 

       
        };


     

       
42

       
38

       
 

       
      };


     

       
43

       

       
-

       
      in mkOption {


     

       
44

       

       
-

       
        type = with types; attrsOf (submodule hostOps);


     

       
45

       

       
-

       
        default = {};


     

       
46

       

       
-

       
      };


     

       

       
39

       
+

       
    in mkOption {


     

       

       
40

       
+

       
      type = with types; attrsOf (submodule hostOps);


     

       

       
41

       
+

       
      default = { };


     

       

       
42

       
+

       
    };


     

       
47

       
43

       
 

       
  };


     

       
48

       
44

       
 

       



     

       
49

       
45

       
 

       
  config = mkIf cfg.enable {


     
···

       
51

       
47

       
 

       
    networking = mkMerge [


     

       
52

       
48

       
 

       
      {


     

       
53

       
49

       
 

       
        # populate /etc/hosts with hostnames and IPs


     

       
54

       

       
-

       
        extraHosts = builtins.concatStringsSep "\n" (


     

       
55

       

       
-

       
          attrsets.mapAttrsToList (


     

       
56

       

       
-

       
            hostName: values: "${values.ip} ${hostName}"


     

       
57

       

       
-

       
          ) cfg.hosts


     

       
58

       

       
-

       
        );


     

       

       
50

       
+

       
        extraHosts = builtins.concatStringsSep "\n" (attrsets.mapAttrsToList


     

       

       
51

       
+

       
          (hostName: values: "${values.ip} ${hostName}") cfg.hosts);


     

       
59

       
52

       
 

       



     

       
60

       
53

       
 

       
        firewall = {


     

       
61

       
54

       
 

       
          allowedUDPPorts = [ 51820 ];


     
···

       
64

       
57

       
 

       



     

       
65

       
58

       
 

       
        wireguard = {


     

       
66

       
59

       
 

       
          enable = true;


     

       
67

       

       
-

       
          interfaces.wg0 = let hostName = config.networking.hostName; in {


     

       
68

       

       
-

       
            ips =


     

       
69

       

       
-

       
              if cfg.hosts ? hostname then


     

       
70

       

       
-

       
                [ "${cfg.hosts."${hostName}".ip}/24" ]


     

       
71

       

       
-

       
              else [ ];


     

       
72

       

       
-

       
            listenPort = 51820; 


     

       

       
60

       
+

       
          interfaces.wg0 = let hostName = config.networking.hostName;


     

       

       
61

       
+

       
          in {


     

       

       
62

       
+

       
            ips = if cfg.hosts ? hostname then


     

       

       
63

       
+

       
              [ "${cfg.hosts."${hostName}".ip}/24" ]


     

       

       
64

       
+

       
            else


     

       

       
65

       
+

       
              [ ];


     

       

       
66

       
+

       
            listenPort = 51820;


     

       
73

       
67

       
 

       
            privateKeyFile = cfg.hosts."${hostName}".privateKeyFile;


     

       
74

       

       
-

       
            peers =


     

       
75

       

       
-

       
              let


     

       
76

       

       
-

       
                serverPeers = attrsets.mapAttrsToList


     

       
77

       

       
-

       
                  (hostName: values:


     

       
78

       

       
-

       
                    if values.server then


     

       
79

       

       
-

       
                    {


     

       
80

       

       
-

       
                      allowedIPs = [ "10.0.0.0/24" ];


     

       
81

       

       
-

       
                      publicKey = values.publicKey;


     

       
82

       

       
-

       
                      endpoint = "${values.endpoint}:51820";


     

       
83

       

       
-

       
                      persistentKeepalive = values.persistentKeepalive;


     

       
84

       

       
-

       
                    }


     

       
85

       

       
-

       
                  else {})


     

       
86

       

       
-

       
                  cfg.hosts;


     

       
87

       

       
-

       
                # remove empty elements


     

       
88

       

       
-

       
                cleanedServerPeers = lists.remove { } serverPeers;


     

       
89

       

       
-

       
              in mkIf (!cfg.server) cleanedServerPeers; 


     

       

       
68

       
+

       
            peers = let


     

       

       
69

       
+

       
              serverPeers = attrsets.mapAttrsToList (hostName: values:


     

       

       
70

       
+

       
                if values.server then {


     

       

       
71

       
+

       
                  allowedIPs = [ "10.0.0.0/24" ];


     

       

       
72

       
+

       
                  publicKey = values.publicKey;


     

       

       
73

       
+

       
                  endpoint = "${values.endpoint}:51820";


     

       

       
74

       
+

       
                  persistentKeepalive = values.persistentKeepalive;


     

       

       
75

       
+

       
                } else


     

       

       
76

       
+

       
                  { }) cfg.hosts;


     

       

       
77

       
+

       
              # remove empty elements


     

       

       
78

       
+

       
              cleanedServerPeers = lists.remove { } serverPeers;


     

       

       
79

       
+

       
            in mkIf (!cfg.server) cleanedServerPeers;


     

       
90

       
80

       
 

       
          };


     

       
91

       
81

       
 

       
        };


     

       
92

       
82

       
 

       
      }


     
···

       
116

       
106

       
 

       



     

       
117

       
107

       
 

       
          # add clients


     

       
118

       
108

       
 

       
          peers = with lib.attrsets;


     

       
119

       

       
-

       
            mapAttrsToList (


     

       
120

       

       
-

       
              hostName: values: {


     

       
121

       

       
-

       
                allowedIPs = [ "${values.ip}/32" ];


     

       
122

       

       
-

       
                publicKey = values.publicKey;


     

       
123

       

       
-

       
                persistentKeepalive = values.persistentKeepalive;


     

       
124

       

       
-

       
              }


     

       
125

       

       
-

       
            ) cfg.hosts;


     

       

       
109

       
+

       
            mapAttrsToList (hostName: values: {


     

       

       
110

       
+

       
              allowedIPs = [ "${values.ip}/32" ];


     

       

       
111

       
+

       
              publicKey = values.publicKey;


     

       

       
112

       
+

       
              persistentKeepalive = values.persistentKeepalive;


     

       

       
113

       
+

       
            }) cfg.hosts;


     

       
126

       
114

       
 

       
        };


     

       
127

       
115

       
 

       
      })


     

       
128

       
116

       
 

       
    ];
+8 -5
pkgs/mautrix-meta.nix 
···

       
1

       
1

       
 

       
{ lib, buildGoModule, fetchFromGitHub, olm }:


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
buildGoModule rec {


     

       

       
3

       
+

       
let version = "0.4.4";


     

       

       
4

       
+

       
in buildGoModule rec {


     

       
4

       
5

       
 

       
  name = "mautrix-meta";


     

       

       
6

       
+

       
  inherit version;


     

       
5

       
7

       
 

       



     

       
6

       
8

       
 

       
  src = fetchFromGitHub {


     

       
7

       
9

       
 

       
    owner = "mautrix";


     

       
8

       
10

       
 

       
    repo = "meta";


     

       
9

       

       
-

       
    rev = "7941e937055b792d2cbfde5d9c8c4df75e68ff0a";


     

       
10

       

       
-

       
    hash = "sha256-QDqN6AAaEngWo4UxKAyIXB7BwCEJqsMTeuMb2fKu/9o=";


     

       

       
11

       
+

       
    rev = "v${version}";


     

       

       
12

       
+

       
    hash = "sha256-S8x3TGQEs+oh/3Q1Gz00M8dOcjjuHSgzVhqlbikZ8QE=";


     

       
11

       
13

       
 

       
  };


     

       
12

       
14

       
 

       



     

       
13

       
15

       
 

       
  buildInputs = [ olm ];


     

       
14

       
16

       
 

       



     

       
15

       

       
-

       
  vendorHash = "sha256-ClHg3OEKgXYsmBm/aFKWZXbaLOmKdNyvw42QGhtTRik=";


     

       

       
17

       
+

       
  vendorHash = "sha256-sUnvwPJQOoVzxbo2lS3CRcTrWsPjgYPsKClVw1wZJdM=";


     

       
16

       
18

       
 

       



     

       
17

       
19

       
 

       
  doCheck = false;


     

       
18

       
20

       
 

       



     
···

       
20

       
22

       
 

       



     

       
21

       
23

       
 

       
  meta = with lib; {


     

       
22

       
24

       
 

       
    homepage = "https://github.com/mautrix/meta";


     

       
23

       

       
-

       
    description = " A Matrix-Facebook Messenger and Instagram DM puppeting bridge.";


     

       

       
25

       
+

       
    description =


     

       

       
26

       
+

       
      " A Matrix-Facebook Messenger and Instagram DM puppeting bridge.";


     

       
24

       
27

       
 

       
    license = licenses.agpl3Plus;


     

       
25

       
28

       
 

       
    mainProgram = "mautrix-meta";


     

       
26

       
29

       
 

       
  };
+4 -5
template/configuration.nix 
···

       
1

       
1

       
 

       
{ pkgs, config, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
{


     

       
4

       

       
-

       
  imports = [


     

       
5

       

       
-

       
    ./hardware-configuration.nix


     

       
6

       

       
-

       
  ];


     

       

       
4

       
+

       
  imports = [ ./hardware-configuration.nix ];


     

       
7

       
5

       
 

       



     

       
8

       
6

       
 

       
  boot.loader = {


     

       
9

       
7

       
 

       
    systemd-boot.enable = true;


     
···

       
45

       
43

       
 

       



     

       
46

       
44

       
 

       
  # TODO replace this with domain


     

       
47

       
45

       
 

       
  networking.domain = "example.org";


     

       
48

       

       
-

       
  security.acme.acceptTerms = true;


     

       

       
46

       
+

       
  security.acme.acceptTerms = lib.mkIf (!config.eilean.acme-eon) true;


     

       

       
47

       
+

       
  security.acme-eon.acceptTerms = lib.mkIf config.eilean.acme-eon true;


     

       
49

       
48

       
 

       



     

       
50

       
49

       
 

       
  # TODO select internationalisation properties


     

       
51

       
50

       
 

       
  i18n.defaultLocale = "en_GB.UTF-8";


     
···

       
76

       
75

       
 

       
  # Before changing this value read the documentation for this option


     

       
77

       
76

       
 

       
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).


     

       
78

       
77

       
 

       
  system.stateVersion = "23.05"; # Did you read the comment?


     

       
79

       

       
-

       
}

     

       

       
78

       
+

       
}
+19 -20
template/flake.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  inputs = {


     

       
3

       

       
-

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";


     

       
4

       

       
-

       
    eilean.url ="github:RyanGibb/eilean-nix/main";


     

       
5

       

       
-

       
    # replace the below line to manage the Nixpkgs instance yourself


     

       
6

       

       
-

       
    nixpkgs.follows = "eilean/nixpkgs";


     

       
7

       

       
-

       
    #eilean.inputs.nixpkgs.follows = "nixpkgs";


     

       

       
3

       
+

       
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";


     

       

       
4

       
+

       
    eilean.url = "github:RyanGibb/eilean-nix/main";


     

       

       
5

       
+

       
    eilean.inputs.nixpkgs.follows = "nixpkgs";


     

       
8

       
6

       
 

       
  };


     

       
9

       
7

       
 

       



     

       
10

       
8

       
 

       
  outputs = { self, nixpkgs, eilean, ... }@inputs:


     

       
11

       

       
-

       
      let hostname = "eilean"; in


     

       
12

       

       
-

       
    rec {


     

       
13

       

       
-

       
    nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {


     

       

       
9

       
+

       
    let hostname = "eilean";


     

       

       
10

       
+

       
    in rec {


     

       

       
11

       
+

       
      nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {


     

       
14

       
12

       
 

       
        system = null;


     

       
15

       
13

       
 

       
        pkgs = null;


     

       
16

       
14

       
 

       
        modules = [


     

       
17

       

       
-

       
            ./configuration.nix


     

       
18

       

       
-

       
            eilean.nixosModules.default


     

       
19

       

       
-

       
            {


     

       
20

       

       
-

       
              networking.hostName = hostname;


     

       
21

       

       
-

       
              # pin nix command's nixpkgs flake to the system flake to avoid unnecessary downloads


     

       
22

       

       
-

       
              nix.registry.nixpkgs.flake = nixpkgs;


     

       
23

       

       
-

       
              # record git revision (can be queried with `nixos-version --json)


     

       
24

       

       
-

       
              system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;


     

       
25

       

       
-

       
            }


     

       
26

       

       
-

       
          ];


     

       
27

       

       
-

       
        };


     

       

       
15

       
+

       
          ./configuration.nix


     

       

       
16

       
+

       
          eilean.nixosModules.default


     

       

       
17

       
+

       
          {


     

       

       
18

       
+

       
            networking.hostName = hostname;


     

       

       
19

       
+

       
            # pin nix command's nixpkgs flake to the system flake to avoid unnecessary downloads


     

       

       
20

       
+

       
            nix.registry.nixpkgs.flake = nixpkgs;


     

       

       
21

       
+

       
            # record git revision (can be queried with `nixos-version --json)


     

       

       
22

       
+

       
            system.configurationRevision =


     

       

       
23

       
+

       
              nixpkgs.lib.mkIf (self ? rev) self.rev;


     

       

       
24

       
+

       
          }


     

       

       
25

       
+

       
        ];


     

       
28

       
26

       
 

       
      };


     

       
29

       

       
-

       
  }


     

       

       
27

       
+

       
    };


     

       

       
28

       
+

       
}