coolneng/zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolneng/zion:master
Branches Tags
coolneng/zion:master
..
compare: coolneng/zion:fce6c83fc47ca1bd3fed844916efd917c6d83cc1
Branches Tags
coolneng/zion:master

1 Commits
master .. fce6c83fc4

Author SHA1 Message Date
coolneng fce6c83fc4 Upgrade to NixOS 26.05 2026-05-31 20:12:35 +02:00
11 changed files with 116 additions and 136 deletions
Expand all files Collapse all files
configuration.nix
+10 -7
View File
@@ -173,10 +173,18 @@ with pkgs;
group = "users"; group = "users";
}; };
# HACK The owner and group is set by systemd due to the use of DynamicUser # HACK The owner and group is set by systemd due to the use of DynamicUser
secrets.dendrite = {
file = secrets/dendrite.age;
owner = "63026";
group = "63026";
};
secrets.dendrite-postgres = {
file = secrets/dendrite-postgres.age;
owner = "63026";
group = "63026";
};
secrets.telegram = { secrets.telegram = {
file = secrets/telegram.age; file = secrets/telegram.age;
owner = "mautrix-telegram";
group = "mautrix-telegram";
}; };
secrets.mqtt-sender = { secrets.mqtt-sender = {
file = secrets/mqtt-sender.age; file = secrets/mqtt-sender.age;
@@ -190,14 +198,9 @@ with pkgs;
}; };
secrets.facebook = { secrets.facebook = {
file = secrets/facebook.age; file = secrets/facebook.age;
owner = "mautrix-meta-facebook";
group = "mautrix-meta-facebook";
}; };
secrets.signal = { secrets.signal = {
file = secrets/signal.age; file = secrets/signal.age;
owner = "mautrix-signal";
group = "mautrix-signal";
}; };
secrets.inadyn-duckdns = { secrets.inadyn-duckdns = {
file = secrets/inadyn-duckdns.age; file = secrets/inadyn-duckdns.age;
flake.lock
Generated
+30 -30
View File
@@ -54,12 +54,12 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1780941588, "lastModified": 1779475417,
"narHash": "sha256-cXxaBtTSYEYVtSxw4IH0hPa+p+VFxS0i+66GwxVFk7o=", "narHash": "sha256-7/U/+X66C7XmLnt5JVJVtpx8wVDRU//Awaeqkq9+NNc=",
"rev": "70c28bcdd4dde10d04f39e7accb5738a1f5d5298", "rev": "8a9c57ea6b458a40589df60f26200b7d305354d1",
"revCount": 421, "revCount": 417,
"type": "tarball", "type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.21.1/019ea867-5568-7d03-9579-e943ed6d4cef/source.tar.gz" "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.21.0/019e5103-0940-7a50-bac6-f1c621bf31ff/source.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -69,37 +69,37 @@
"determinate-nixd-aarch64-darwin": { "determinate-nixd-aarch64-darwin": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-ctwRrPKWBSFkTqlCHRGz6MHBSWRkbSAEVGoelsxdr2g=", "narHash": "sha256-LNvx0qZsH8tbdgNfaig/x5Cf4r4UrXfU1m+0bO3D0E4=",
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/macOS" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/macOS"
}, },
"original": { "original": {
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/macOS" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/macOS"
} }
}, },
"determinate-nixd-aarch64-linux": { "determinate-nixd-aarch64-linux": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-qYFrMN6lSMRYV87D/uK5L2CUBvOpoLZAAfSYXvcp9cc=", "narHash": "sha256-rKg7uVAEK8X3TTFGaWp8CVZuCAr3wHkMnuJOndhXJF0=",
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/aarch64-linux" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/aarch64-linux"
}, },
"original": { "original": {
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/aarch64-linux" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/aarch64-linux"
} }
}, },
"determinate-nixd-x86_64-linux": { "determinate-nixd-x86_64-linux": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-BxzPf6fT1ekyvD5JA0vvDJOTPtIyjrzVg3Puuo0ftbg=", "narHash": "sha256-vBCUEVPfY4+nxGDM62evpxJYEVqLTqdBGbCkmZ2sQhk=",
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/x86_64-linux" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/x86_64-linux"
}, },
"original": { "original": {
"type": "file", "type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.1/x86_64-linux" "url": "https://install.determinate.systems/determinate-nixd/tag/v3.21.0/x86_64-linux"
} }
}, },
"flake-compat": { "flake-compat": {
@@ -195,12 +195,12 @@
"nixpkgs-regression": "nixpkgs-regression" "nixpkgs-regression": "nixpkgs-regression"
}, },
"locked": { "locked": {
"lastModified": 1780939209, "lastModified": 1779472733,
"narHash": "sha256-/JuW5C6sWuC836Y9b7hga3ZvhRiY4k4Zs73RRg5KVWM=", "narHash": "sha256-nV5OHwivEf392cB5MDwoVdDHSvy6Q+rRYZBHd9sePj4=",
"rev": "952beffe9c45ed245d30209d4f17cf1d26654a2a", "rev": "11f3aff904f84ae612e36e8bc578ac421fca74fa",
"revCount": 26044, "revCount": 25967,
"type": "tarball", "type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.21.1/019ea860-2acd-7680-ae61-10f9574b2694/source.tar.gz" "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.21.0/019e50fb-8633-73d0-b673-b2e265950490/source.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -212,11 +212,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1781020964, "lastModified": 1780065812,
"narHash": "sha256-fS7xTi2j2iso5Hj7RNZLv/acDlCT+fgMVkVk40A7Uco=", "narHash": "sha256-SCSLUKBmwlSLGQ8Xbr8PjRFtiHNk0l9ktqkcmqdBkfE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "32c2cd9e46286c4eced3dc6b613c659126bf3cca", "rev": "b76b5639c0593e0aeb0b5879ad62d4b30596c144",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -274,12 +274,12 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1780336545, "lastModified": 1778869304,
"narHash": "sha256-vhVhuXzFrIOfcssC/9hDHx7MHzDKjF3keHuREOQqQiQ=", "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
"rev": "4df1b885d76a54e1aa1a318f8d16fd6005b6401f", "rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
"revCount": 1008784, "revCount": 998534,
"type": "tarball", "type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.1008784%2Brev-4df1b885d76a54e1aa1a318f8d16fd6005b6401f/019e8725-c925-7ec1-8f35-3f9effcf169a/source.tar.gz" "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.998534%2Brev-d233902339c02a9c334e7e593de68855ad26c4cb/019e3efc-e09a-7ff1-b05f-0c8f85ba7441/source.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@@ -301,11 +301,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1780902259, "lastModified": 1780051219,
"narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=", "narHash": "sha256-WnxzG4x47uCgjz+uD+vOzbF+Qid+hKyYdJWbduA9w7g=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca", "rev": "e8e446a361172fe838243958325845d0b845c5e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
flake.nix
+4
View File
@@ -16,6 +16,10 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nix-matrix-appservices = {
url = "gitlab:coffeetables/nix-matrix-appservices";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
modules/communication.nix
+52 -73
View File
@@ -7,92 +7,71 @@
with pkgs; with pkgs;
# NOTE Reference the environment variable set in the corresponding agenix secret
let
database = {
connection_string = "$DB_STRING";
max_open_conns = 100;
max_idle_conns = 5;
conn_max_lifetime = -1;
};
in
{ {
# Matrix server configuration # Matrix server configuration
services.matrix-continuwuity = { services.dendrite = {
enable = true; enable = true;
httpPort = 8008;
environmentFile = config.age.secrets.dendrite-postgres.path;
loadCredential = [ "private_key:${config.age.secrets.dendrite.path}" ];
settings = { settings = {
global = { global = {
server_name = "psydnd.org"; server_name = "coolneng.duckdns.org";
port = [ 8008 ]; private_key = config.age.secrets.dendrite.path;
allow_encryption = true; inherit database;
allow_federation = true; dns_cache.enabled = true;
well_known.client = "https://matrix.psydnd.org";
}; };
# HACK Inherit postgres connection string for the rest of the DBs
app_service_api = {
inherit database;
}; };
media_api = {
inherit database;
}; };
room_server = {
## Matrix bridges inherit database;
# Facebook
services.mautrix-meta.instances.facebook = {
enable = true;
environmentFile = config.age.secrets.facebook.path;
settings = {
homeserver = {
address = "https://matrix.psysdnd.org";
domain = "psydnd.org";
}; };
appservice = { push_server = {
address = "http://localhost:8228"; inherit database;
port = 8228;
database = "$DB_STRING";
}; };
bridge.permissions."@coolneng:psydnd.org" = "admin"; mscs = {
}; inherit database;
serviceDependencies = [ "continuwuity.service" ]; mscs = [
}; "msc2836"
"msc2946"
# Enable voice messages for Facebook
systemd.services.matrix-as-facebook.path = [ ffmpeg ];
# Telegram
services.mautrix-telegram = {
enable = true;
environmentFile = config.age.secrets.telegram.path;
settings = {
homeserver = {
address = "https://matrix.psysdnd.org";
domain = "psydnd.org";
};
appservice = {
address = "http://localhost:8118";
port = 8118;
database = "$DB_STRING";
};
bridge.permissions."@coolneng:psydnd.org" = "admin";
};
serviceDependencies = [ "continuwuity.service" ];
};
# Signal
services.mautrix-signal = {
enable = true;
environmentFile = config.age.secrets.signal.path;
settings = {
homeserver = {
address = "https://matrix.psysdnd.org";
domain = "psydnd.org";
};
appservice = {
address = "http://localhost:8338";
port = 8338;
database = "$DB_STRING";
};
bridge.permissions."@coolneng:psydnd.org" = "admin";
};
serviceDependencies = [ "continuwuity.service" ];
};
# HACK Use libolm as there's no good alternative
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
]; ];
};
sync_api = {
inherit database;
};
key_server = {
inherit database;
};
federation_api = {
inherit database;
};
user_api = {
account_database = database;
device_database = database;
};
};
};
# Start dendrite after config files are mounted # Start dendrite after config files are mounted
systemd.services.continuwuity.unitConfig.RequiresMountsFor = [ systemd.services.dendrite.unitConfig.RequiresMountsFor = [
/var/lib/mautrix-meta-facebook /var/lib/matrix-as-facebook
/var/lib/mautrix-signal /var/lib/matrix-as-signal
/var/lib/mautrix-telegram /var/lib/matrix-as-telegram
]; ];
# MQTT configuration # MQTT configuration
modules/monitoring.nix
+1 -4
View File
@@ -82,14 +82,11 @@ with pkgs;
# Grafana configuration # Grafana configuration
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings.server = {
server = {
domain = "grafana.psydnd.org"; domain = "grafana.psydnd.org";
http_port = 9009; http_port = 9009;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
}; };
security.secret_key = config.age.secrets.grafana.path;
};
}; };
} }
modules/webstack.nix
+10 -10
View File
@@ -34,12 +34,21 @@
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
virtualHosts = { virtualHosts = {
# Redirection of the old domain # Old domain being redirected
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
useACMEHost = "coolneng.duckdns.org"; useACMEHost = "coolneng.duckdns.org";
forceSSL = true; forceSSL = true;
locations = { locations = {
"/".return = "301 https://psydnd.org$request_uri"; "/".return = "301 https://psydnd.org$request_uri";
# Delegation for Matrix
"/.well-known/" = {
alias = "${../well-known}" + "/";
extraConfig = ''
${config.services.nginx.commonHttpConfig}
default_type application/json;
add_header Access-Control-Allow-Origin * always;
'';
};
}; };
}; };
# Redirect subdomains # Redirect subdomains
@@ -52,15 +61,6 @@
"psydnd.org" = { "psydnd.org" = {
useACMEHost = "psydnd.org"; useACMEHost = "psydnd.org";
forceSSL = true; forceSSL = true;
# Delegation for Matrix
locations."/.well-known/" = {
alias = "${../well-known}" + "/";
extraConfig = ''
${config.services.nginx.commonHttpConfig}
default_type application/json;
add_header Access-Control-Allow-Origin * always;
'';
};
}; };
"radicale.psydnd.org" = { "radicale.psydnd.org" = {
useACMEHost = "psydnd.org"; useACMEHost = "psydnd.org";
scripts/motd.sh
+1 -1
View File
@@ -24,7 +24,7 @@ services=(
"radicale.service" "radicale.service"
"miniflux.service" "miniflux.service"
"gitea.service" "gitea.service"
"continuwuity.service" "dendrite.service"
"nginx.service" "nginx.service"
"dnsmasq.service" "dnsmasq.service"
"dnscrypt-proxy.service" "dnscrypt-proxy.service"
secrets/dendrite-postgres.age
BIN
View File
Binary file not shown.
secrets/dendrite.age
BIN
View File
Binary file not shown.
secrets/grafana.age
-5
View File
@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg Ag32nut/aBlxEy7RPw7sV5itZSHkp8eMLVtxFxwQ8EM
ZhK8EZWTLkxrwo+x97w4HpexDXkC1yQuKyYFujqlOgs
--- kszqKtyubreK5mGkrJg4hrEKrfITJCCM/hW6IHKlMIE
TÚ+À~/ œDbM?Çø×å ½œa-ð'ƒÒp^5ç›?ï&#!àϳ‰þ~59O
secrets/secrets.nix
+2
View File
@@ -8,6 +8,8 @@ in
"gitea.age".publicKeys = [ zion ]; "gitea.age".publicKeys = [ zion ];
"miniflux.age".publicKeys = [ zion ]; "miniflux.age".publicKeys = [ zion ];
"git.age".publicKeys = [ zion ]; "git.age".publicKeys = [ zion ];
"dendrite.age".publicKeys = [ zion ];
"dendrite-postgres.age".publicKeys = [ zion ];
"telegram.age".publicKeys = [ zion ]; "telegram.age".publicKeys = [ zion ];
"mqtt-sender.age".publicKeys = [ zion ]; "mqtt-sender.age".publicKeys = [ zion ];
"mqtt-receiver.age".publicKeys = [ zion ]; "mqtt-receiver.age".publicKeys = [ zion ];