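# NixOS host configuration for eeg.cl.cam.ac.uk.
#
# The host runs Apache (httpd) as the TLS terminator and reverse proxy in
# front of three local services:
#   * hyperbib      on /bib/            (protected by Raven / mod_ucam_webauth)
#   * matrix-synapse on /_matrix, /_synapse/client (federation + clients, SAML via Raven)
#   * peertube      on watch.eeg.cl.cam.ac.uk
# plus a heisenbridge IRC<->Matrix appservice and a (currently disabled)
# inspircd server.
#
# Security-relevant points a maintainer should know about are marked
# "SECURITY:" / "NOTE(review):" inline below.
{
  pkgs,
  config,
  lib,
  hyperbib-eeg,
  ...
}:

let
  # Public hostname for the Matrix homeserver, the Raven-protected
  # bibliography and the ACME certificate; also the Matrix server_name.
  domain = "eeg.cl.cam.ac.uk";
in
{
  imports = [
    ./hardware-configuration.nix
    ./minimal.nix
    hyperbib-eeg.nixosModules.default
  ];

  security.acme = {
    # Contact address for Let's Encrypt expiry notices; assembled from the
    # custom username option and the machine's networking.domain.
    defaults.email = "${config.custom.username}@${config.networking.domain}";
    acceptTerms = true;
  };

  # Xen guest agent (this host is a XenServer/XCP-ng VM).
  environment.systemPackages = with pkgs; [ xe-guest-utilities ];

  services.hyperbib = {
    enable = true;
    domain = domain;
    # servicePath = "/bib/";
    # proxyPath = "/";
  };

  # The hyperbib module pulls in nginx; this host terminates TLS with Apache
  # instead (needed for mod_ucam_webauth), so nginx is forced off.
  services.nginx.enable = lib.mkForce false;
  services.httpd = {
    enable = true;
    extraModules =
      let
        # Raven (University of Cambridge web SSO) authentication module,
        # built from the local derivation.
        mod_ucam_webauth = pkgs.callPackage ./mod_ucam_webauth.nix { };
      in
      [
        {
          name = "ucam_webauth";
          path = "${mod_ucam_webauth}/modules/mod_ucam_webauth.so";
        }
      ];

    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = true;
      documentRoot = "/var/www/eeg/";
      # Bibliography is proxied to hyperbib on loopback; authentication for
      # this path is enforced by the <Location "/bib/"> block in extraConfig.
      # NOTE(review): anything that can reach 127.0.0.1:<hyperbib.port>
      # directly bypasses that check - confirm hyperbib binds loopback only.
      locations."/bib/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString config.services.hyperbib.port}/bib/";
      };
      extraConfig =
        let
          # Raven WLS signing key (key id 2), pinned in the Nix store and
          # exposed to mod_ucam_webauth via AAKeyDir. Pinning the public key
          # here is what lets Apache verify that WLS responses are genuine.
          keyfile = pkgs.writeTextFile {
            name = "raven-rsa-key";
            destination = "/pubkey2";
            text = ''
              -----BEGIN RSA PUBLIC KEY-----
              MIGJAoGBAL/2pwBbVcJKTRF8B+K6W9Oi4xkoPiOb32te0whw7Zuf7cTFCk5tvBa6
              CI7wM0R99LtvNLFmoantTps92LjF9fvrCBYZDqpaLnk5clXShKKqt3do4SykqYkq
              66kpc42jZ58C3omR0dUfQ7o7yTktVqnrDjLVb9P+vLhAfuSFHFa1AgMBAAE=
              -----END RSA PUBLIC KEY-----
            '';
          };
          # /.well-known/matrix/server: delegate federation to this host on 443.
          matrixServerConfig = pkgs.writeText "matrix-server-config.json" (
            builtins.toJSON { "m.server" = "${domain}:443"; }
          );
          # /.well-known/matrix/client: homeserver + identity server for clients.
          # (Store-path name fixed: previously it reused "matrix-server-config.json".)
          matrixClientConfig = pkgs.writeText "matrix-client-config.json" (
            builtins.toJSON {
              "m.homeserver" = {
                "base_url" = "https://${domain}";
              };
              "m.identity_server" = {
                "base_url" = "https://vector.im";
              };
            }
          );
        in
        # AACookieKey is seeded from /dev/urandom at startup so the Raven
        # session cookie MAC key is fresh per Apache start (sessions do not
        # survive a restart, by design). Only /bib/ requires a Raven login;
        # the Matrix endpoints are deliberately unauthenticated at this layer
        # because federation and client auth happen inside Synapse.
        ''
          AAKeyDir ${keyfile}
          AACookieKey file:/dev/urandom
          <Location "/bib/">
            AuthType Ucam-WebAuth
            Require valid-user
          </Location>

          SSLEngine on
          ServerName ${domain}

          ### Matrix config

          RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
          AllowEncodedSlashes NoDecode
          ProxyPreserveHost on
          ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
          ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
          ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client nocanon
          ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client

          Alias /.well-known/matrix/server "${matrixServerConfig}"
          Alias /.well-known/matrix/client "${matrixClientConfig}"
        '';
    };
    virtualHosts."watch.${domain}" = {
      forceSSL = true;
      enableACME = true;
      # PeerTube is proxied on loopback; websocket upgrade is needed for
      # live/P2P signalling.
      locations."/" = {
        extraConfig = ''
          ProxyPass http://127.0.0.1:${builtins.toString config.services.peertube.listenHttp}/ upgrade=websocket
          ProxyPassReverse http://127.0.0.1:${builtins.toString config.services.peertube.listenHttp}/
        '';
      };
      extraConfig = ''
        ProxyPreserveHost On
      '';
    };
  };

  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    # Only loopback is allowed, so a non-TLS connection is acceptable here.
    # SECURITY: md5 is the weaker password scheme; PostgreSQL 13 supports
    # scram-sha-256, but switching requires password_encryption =
    # 'scram-sha-256' *before* the role's password is (re)set.
    authentication = ''
      hostnossl peertube_local peertube_test 127.0.0.1/32 md5
    '';
    package = pkgs.postgresql_13;
    # SECURITY: the role password below is a static placeholder that is
    # committed to the repository and lands in the world-readable Nix store.
    # It must match environment.etc."peertube/password-posgressql-db" below;
    # rotate both together (ideally by moving the secret under /secrets/).
    initialScript = pkgs.writeText "postgresql_init.sql" ''
      CREATE ROLE peertube_test LOGIN PASSWORD 'test123';
      CREATE DATABASE peertube_local TEMPLATE template0 ENCODING UTF8;
      GRANT ALL PRIVILEGES ON DATABASE peertube_local TO peertube_test;
      \connect peertube_local
      CREATE EXTENSION IF NOT EXISTS pg_trgm;
      CREATE EXTENSION IF NOT EXISTS unaccent;
    '';
    #initialScript = pkgs.writeText "synapse-init.sql" ''
    #  CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    #  CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
    #    TEMPLATE template0
    #    LC_COLLATE = "C"
    #    LC_CTYPE = "C";
    #'';
  };

  services.matrix-synapse = {
    enable = true;
    settings = lib.mkMerge [
      {
        server_name = domain;
        # Open registration is off and password login is disabled: the only
        # way to get an account is the SAML (Raven/Shibboleth) flow below.
        enable_registration = false;
        auto_join_rooms = [ "#EEG:eeg.cl.cam.ac.uk" ];
        password_config.enabled = false;
        # Single plain-HTTP listener on loopback only; TLS and the real client
        # address come from Apache (x_forwarded = true trusts X-Forwarded-For
        # from the proxy, which is why this must never be bound publicly).
        listeners = [
          {
            port = 8008;
            bind_addresses = [
              "::1"
              "127.0.0.1"
            ];
            type = "http";
            tls = false;
            x_forwarded = true;
            resources = [
              {
                names = [
                  "client"
                  "federation"
                ];
                compress = false;
              }
            ];
          }
        ];
        max_upload_size = "100M";
        saml2_config = {
          sp_config = {
            # IdP metadata is fetched from the Raven Shibboleth endpoint.
            metadata.remote = [ { url = "https://shib.raven.cam.ac.uk/shibboleth"; } ];
            description = [
              "Energy and Environment Group Computer Lab Matrix Server"
              "en"
            ];
            name = [
              "EEG CL Matrix Server"
              "en"
            ];
            # generate keys with
            # sudo nix shell nixpkgs#openssl nixpkgs#shibboleth-sp -c sh -c '`nix eval --raw nixpkgs#shibboleth-sp`/etc/shibboleth/keygen.sh -h matrix.eeg.cl.cam.ac.uk -o /secrets/matrix-shibboleth/'
            # chown -R matrix-synapse /secrets/matrix-shibboleth/
            # NOTE(review): the -h hostname above (matrix.eeg...) differs from
            # `domain`; it only affects the self-signed SP cert's CN, but confirm
            # the SP registration at Raven matches the entity id Synapse emits.
            # SECURITY: the private key lives outside the Nix store under
            # /secrets, readable by the matrix-synapse user only (see chown).
            key_file = "/secrets/matrix-shibboleth/sp-key.pem";
            cert_file = "/secrets/matrix-shibboleth/sp-cert.pem";
            # The signing keypair is reused for assertion encryption.
            encryption_keypairs = [
              { key_file = "/secrets/matrix-shibboleth/sp-key.pem"; }
              { cert_file = "/secrets/matrix-shibboleth/sp-cert.pem"; }
            ];
            # pysaml2 attribute map: translate the OID-named attributes Raven
            # releases into uid / email / displayName for the user mapping.
            attribute_map_dir = pkgs.writeTextDir "map.py" ''
              MAP = {
                "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
                "fro": {
                  'urn:oid:0.9.2342.19200300.100.1.1': 'uid',
                  'urn:oid:0.9.2342.19200300.100.1.3': 'email',
                  'urn:oid:2.16.840.1.113730.3.1.241': 'displayName',
                },
                "to": {
                  'uid': 'urn:oid:0.9.2342.19200300.100.1.1',
                  'email': 'urn:oid:0.9.2342.19200300.100.1.3',
                  'displayName': 'urn:oid:2.16.840.1.113730.3.1.241',
                },
              }
            '';
          };
        };
        # Appservice registration written by heisenbridge; it carries the
        # as/hs tokens, so its file permissions matter.
        app_service_config_files = [ "/var/lib/heisenbridge/registration.yml" ];
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # HTTPS
    # IRC (inspircd). inspircd is currently disabled below, so nothing
    # listens here; the rule only matters once it is enabled.
    6667
  ];

  # SECURITY (supply chain): this disables signature checks on substituted
  # store paths, so any configured substituter or `nix copy` source is
  # trusted implicitly. Prefer keeping signatures on and adding the deploying
  # host's key to nix.settings.trusted-public-keys.
  nix.settings.require-sigs = false;

  # SECURITY: environment.etc entries are built into the world-readable Nix
  # store, so these "secret" files are readable by every local user and are
  # visible in the repository. They are placeholders that must match the
  # postgres role password above and the redis requirePass below; a real
  # deployment should point passwordFile at files under /secrets/ instead.
  environment.etc = {
    "peertube/password-posgressql-db".text = "test123";
    "peertube/password-redis-db".text = "test123";
  };

  services = {
    peertube = {
      enable = true;
      localDomain = "watch.eeg.cl.cam.ac.uk";
      listenWeb = 443;
      enableWebHttps = true;
      database = {
        host = "127.0.0.1";
        name = "peertube_local";
        user = "peertube_test";
        passwordFile = "/etc/peertube/password-posgressql-db";
      };
      redis = {
        host = "127.0.0.1";
        port = 31638;
        passwordFile = "/etc/peertube/password-redis-db";
      };
      settings = {
        # NOTE(review): the app port (listenHttp) is not in the firewall list
        # and Apache proxies to 127.0.0.1, so "127.0.0.1" would be sufficient
        # here; left as-is pending confirmation of how the module merges it.
        listen.hostname = "0.0.0.0";
        instance.name = "PeerTube Test Server";
        storage.videos = "/tank/peertube/videos";
      };
      # Application secrets (e.g. PEERTUBE_SECRET) are kept outside the store.
      secrets.secretsFile = "/secrets/peertube";
      serviceEnvironmentFile = "/secrets/peertube.env";
      dataDirs = [ "/tank/peertube/videos" ];
    };

    redis.servers.peertube = {
      enable = true;
      # SECURITY: PeerTube connects via 127.0.0.1 (above), so there is no
      # reason to listen on every interface with a static password; bind to
      # loopback only. (Port 31638 is also not opened in the firewall.)
      bind = "127.0.0.1";
      requirePass = "test123";
      port = 31638;
    };
  };

  services.heisenbridge = {
    enable = true;
    # NOTE(review): the appservice listener is on all interfaces although only
    # the local Synapse needs to reach it; its port is not in the firewall
    # list. Loopback would suffice if the module derives the registration url
    # from `address` - confirm before changing.
    address = "0.0.0.0";
    homeserver = "https://${domain}";
  };
  # Presumably so inspircd can read the ACME certificate material owned by
  # the web server group; TODO confirm this is still needed.
  systemd.services.inspircd.serviceConfig.Group = "wwwrun";
  services.inspircd = {
    #enable = true;
    # SECURITY: before enabling this server:
    #  * the <oper> block uses a placeholder password and host="*@*", which
    #    lets anyone who knows it take NetAdmin from any address;
    #  * ssl_gnutls is loaded but the only <bind> has no ssl="gnutls", so the
    #    6667 listener is plaintext IRC.
    config = ''
      <module name="ssl_gnutls">

      <server
        name="eeg.cl.cam.ac.uk"
        description="EEG Lab IRC Server at Cambridge"
        network="EEGLabNetwork"
      >

      <admin
        name="Ryan Gibb"
        nick="rtg24"
        email="rtg24@eeg.cl.cam.ac.uk"
      >

      <bind
        address="128.232.98.96"
        port="6667"
        type="clients"
      >

      <oper
        name="RyanGibb"
        password="securepassword"
        host="*@*"
        type="NetAdmin"
      >

      <type
        name="NetAdmin"
        classes="ServerLink ClientLink"
      >

      <class
        name="ServerLink"
        commands="300"
        usermodes="300"
        maxtime="0"
      >

      <class
        name="ClientLink"
        commands="20"
        usermodes="20"
        maxtime="90"
      >

      <channels
        users="20"
        op="@"
        halfop="%"
        voice="+"
      >

      <log method="stdout"
        type="*"
        level="default"
        flush="1">
    '';
  };
}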