diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..3f7c734
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,13 @@
+# EditorConfig is awesome: https://editorconfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+
+[*.nix]
+indent_style = space
+indent_size = 2
+
diff --git a/configuration.nix b/configuration.nix
index f99d39a..8de16bc 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -17,14 +17,15 @@
 settings = {
 auto-optimise-store = true;
 sandbox = false;
+ # Allow remote updates
 trusted-users = [
 "root"
 "@wheel"
- ]; # Allow remote updates
+ ];
 experimental-features = [
 "nix-command"
 "flakes"
- ]; # Enable flakes
+ ];
 };
 gc = {
 automatic = true;
diff --git a/flake.nix b/flake.nix
index 426fd4d..a101a9b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,7 @@
 nixosConfigurations."matrix" = nixpkgs.lib.nixosSystem {
 #system = "x86_64-linux";
 #pkgs = import nixpkgs { inherit system; };
+ inherit system;
 modules = [
 agenix.nixosModules.default
 { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
diff --git a/secrets/matrix-registration-shared-secret.age b/secrets/matrix_registration_shared_secret.age
similarity index 100%
rename from secrets/matrix-registration-shared-secret.age
rename to secrets/matrix_registration_shared_secret.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b2cef40..d5f3192 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,7 +17,7 @@ let
 _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AZkepRXoY+DJeSLOU+GR60S62p6+0X/PDeEUZ0yHx root@matrix";
 in
 {
- "matrix-registration-shared-secret.age".publicKeys = users ++ [ _matrix ];
+ "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ];
 "pushover_app_token.age".publicKeys = users ++ [ _matrix ];
 "pushover_user_key.age".publicKeys = users ++ [ _matrix ];
 }
diff --git a/services/draupnir.nix b/services/draupnir.nix
index 3c4a8b5..8564d39 100644
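Review bot: The comment moved onto the new line above `trusted-users` in configuration.nix understates what that setting grants: a Nix trusted user may override any nix-daemon option (substituters, signature checks, sandbox paths), which makes every member of `@wheel` effectively root-equivalent towards the daemon, and the `sandbox = false;` context line removes a further isolation layer on top of that. The comment should state this so the next reader weighs wheel membership accordingly, e.g. `# Allow remote updates: trusted-users may set any daemon option, so @wheel is root-equivalent for nix`. The enclosing attribute set that holds `settings` starts outside the hunk.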
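Review bot: The new `inherit system;` in flake.nix sits directly under the two commented-out `#system = "x86_64-linux";` and `#pkgs = import nixpkgs { inherit system; };` lines it supersedes, so the block now reads as contradictory dead code, and the `system` binding it relies on is not visible in the hunk. Either drop those two commented lines or replace them with one comment that says where `system` is bound, e.g. `# system is bound outside this attrset; passed so nixosSystem picks the host platform`, hedged as appropriate once the binding is confirmed. The `nixosSystem` call continues past the end of the hunk.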
--- a/services/draupnir.nix +++ b/services/draupnir.nix @@ -5,7 +5,7 @@ enable = false; settings = { homeserverUrl = "https://matrix.berlin.ccc.de"; - managementRoom = "#moderators:berlin.ccc.de"; + managementRoom = "!ZYWNuaQBkkenNklCSm:matrix.org"; # #cccb-moderators:berlin.ccc.de autojoinOnlyIfManager = true; recordIgnoredInvites = true; roomStateBackingStore.enabled = true; @@ -14,4 +14,3 @@ secrets.accessToken = config.age.secrets.draupnir_access_token.path; }; } - diff --git a/services/grafana.nix b/services/grafana.nix index 981693d..b14e43c 100644 --- a/services/grafana.nix +++ b/services/grafana.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: # Dashboards: # - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana @@ -56,4 +56,3 @@ }; }; } - diff --git a/services/nginx.nix b/services/nginx.nix index 98b2fb7..d1e16a6 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -7,7 +7,12 @@ in services.nginx = { enable = true; package = pkgs.nginxQuic; - resolver.addresses = ["[2606:4700:4700::1111]" "[2620:fe::fe]" "1.1.1.1" "9.9.9.9"]; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; statusPage = true; # http://127.0.0.1/nginx_status sslProtocols = "TLSv1.3"; recommendedTlsSettings = true; @@ -20,6 +25,28 @@ in kTLS = true; forceSSL = true; useACMEHost = fqdn; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "::"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "::"; + port = 8448; + ssl = true; + } + ]; locations = { "/".return = "418 \"I'm a Teapot!\""; "= /.well-known/matrix/client" = { @@ -29,7 +56,7 @@ in add_header Access-Control-Allow-Origin "*"; ''; }; - "~ ^(/_matrix|/_synapse/client)" { + "~ ^(/_matrix|/_synapse/client)" = { recommendedProxySettings = true; proxyPass = "http://[::1]:8008"; extraConfig = '' 
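Review bot: The new `managementRoom` value in draupnir.nix pins a room ID on `matrix.org` while the trailing comment names `#cccb-moderators:berlin.ccc.de`, which is not the alias the removed line used (`#moderators:berlin.ccc.de`), so it is not clear from the hunk that the ID and the alias refer to the same room; whoever is in the management room can drive the bot, so this mapping is worth confirming before `enable = false;` is flipped. Pinning by room ID rather than alias is presumably deliberate, since an alias can be re-pointed to another room while an ID cannot, and the comment should say so, e.g. `# room ID of #cccb-moderators:berlin.ccc.de, pinned by ID so a re-pointed alias cannot change who controls the bot`. The `settings` set continues outside the hunk.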
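Review bot: The explicit `listen` list added in the second nginx.nix hunk contains only `ssl = true` entries, and as far as I recall the NixOS nginx module derives the plain-HTTP redirect listener that `forceSSL = true;` (context line above) normally provides from that same list, so this vhost would no longer answer on port 80 at all. That is fine if it is intended, but if the `useACMEHost = fqdn;` certificate is renewed with HTTP-01 on this host, renewal would break silently; either add `{ addr = "0.0.0.0"; port = 80; ssl = false; }` and the matching `::` entry, or put a comment above `listen = [` stating that port 80 is intentionally not served and how the ACME challenge is answered. Adding 8448 here also makes this vhost the federation endpoint, which the `locations` block below is presumably meant to cover; the vhost definition continues past the hunk.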
@@ -42,5 +69,5 @@ in }; }; - security.acme.certs."${fqdn}".reloadServices = ["nginx"]; + security.acme.certs."${fqdn}".reloadServices = [ "nginx" ]; } diff --git a/services/prometheus.nix b/services/prometheus.nix index 23f7be4..d70657c 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -12,11 +12,11 @@ }; scrapeConfigs = [ { - job_name = "synapse"; + job_name = "synapse"; scrape_interval = "15s"; static_configs = [ { - targets = ["[::1]:9009"]; + targets = [ "[::1]:9009" ]; } ]; } @@ -63,4 +63,3 @@ ]; }; } - diff --git a/services/synapse.nix b/services/synapse.nix index 0d9c548..b67f72e 100644 --- a/services/synapse.nix +++ b/services/synapse.nix @@ -25,6 +25,7 @@ in tls = false; port = 8008; bind_addresses = [ "::1" ]; + #request_id_header = "X-Request-ID"; resources = [ { compress = false; @@ -39,10 +40,12 @@ in type = "metrics"; port = 9009; bind_addresses = [ "::1" ]; - resources = [{ - compress = false; - names = [ "metrics" ]; - }]; + resources = [ + { + compress = false; + names = [ "metrics" ]; + } + ]; } ]; enable_metrics = true; @@ -61,7 +64,7 @@ in }; }; extraConfigFiles = [ - config.age.secrets.matrix-registration-shared-secret.path + config.age.secrets.matrix_registration_shared_secret.path ]; enableRegistrationScript = true; };
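Review bot: The renamed `config.age.secrets.matrix_registration_shared_secret.path` in the last synapse.nix hunk needs a matching `age.secrets.matrix_registration_shared_secret` declaration whose `.file` points at the renamed `.age` file; this diff renames the encrypted file and the `secrets.nix` key but no `age.secrets.*` declaration is touched, so unless it lives in a file outside this diff, evaluation will fail on an unknown attribute. Please confirm the declaration is renamed in the same change. The newly added `#request_id_header = "X-Request-ID";` line in the first synapse.nix hunk is commented-out configuration; if it is kept as a reminder, a short reason on the same line (e.g. `# disabled until the proxy sets it`) would keep it from reading as leftover.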