From 79c5c57629c899730ca8a19c33cbafdeab90d596 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Mon, 24 Nov 2025 22:56:05 +0100 Subject: [PATCH 01/41] add draupnir --- README.md | 13 +++++++++++++ flake.nix | 1 + services/draupnir.nix | 17 +++++++++++++++++ services/nginx.nix | 15 +++++++++++++-- services/synapse.nix | 1 + 5 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 services/draupnir.nix diff --git a/README.md b/README.md index 629c2e3..05a9c48 100644 --- a/README.md +++ b/README.md @@ -33,3 +33,16 @@ register_new_matrix_user \ --password ``` +# Draupnir + +Remove rate limit for account: + +```bash +curl -X DELETE https://matrix.berlin.ccc.de/_synapse/admin/v1/users/@admin:berlin.ccc.de/override_ratelimit +``` +Set rate limit for account: + +```bash +curl -X POST -d '{"messages_per_second":0,"burst_count":0}' https://matrix.berlin.ccc.de/_synapse/admin/v1/users/@admin:berlin.ccc.de/override_ratelimit +``` + diff --git a/flake.nix b/flake.nix index 3fa8a5c..3edb18a 100644 --- a/flake.nix +++ b/flake.nix @@ -57,6 +57,7 @@ ./services/nginx.nix ./services/postgres.nix ./services/synapse.nix + ./services/draupnir.nix ]; }; }; diff --git a/services/draupnir.nix b/services/draupnir.nix new file mode 100644 index 0000000..3c4a8b5 --- /dev/null +++ b/services/draupnir.nix @@ -0,0 +1,17 @@ +{ config, ... }: + +{ + services.draupnir = { + enable = false; + settings = { + homeserverUrl = "https://matrix.berlin.ccc.de"; + managementRoom = "#moderators:berlin.ccc.de"; + autojoinOnlyIfManager = true; + recordIgnoredInvites = true; + roomStateBackingStore.enabled = true; + displayReports = true; + }; + secrets.accessToken = config.age.secrets.draupnir_access_token.path; + }; +} + diff --git a/services/nginx.nix b/services/nginx.nix index b334e5c..282b82c 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
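Review bot: `secrets.accessToken = config.age.secrets.draupnir_access_token.path;` in the new services/draupnir.nix refers to an agenix secret that nothing in this series declares — the `age.secrets` set added to flake.nix later on and the recipient list in secrets/secrets.nix only cover the matrix, grafana and pushover secrets. Because the module ships with `enable = false` this presumably only surfaces as a missing-attribute evaluation error on the day it is switched on, so declaring the secret (file, `owner`/`group` for the bot's service user, and the `.age` entry) first keeps that flip a one-line change. A header comment such as `# Moderation bot for the homeserver; kept disabled until the access-token secret is provisioned` would record why the module is wired in but off.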
@@ -20,6 +20,7 @@ in kTLS = true; forceSSL = true; useACMEHost = fqdn; + #enableACME = true; locations = { "/.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; @@ -28,13 +29,23 @@ in add_header Access-Control-Allow-Origin "*"; ''; }; - "/" = { + "~ ^(/_matrix|/_synapse/client)" { recommendedProxySettings = true; proxyPass = "unix:/run/matrix-synapse.sock"; + extraConfig = '' + proxy_set_header X-Request-ID $request_id; + ''; }; + "/" = { + return = "418 \"I'm a Teapot!\""; + }; + extraConfig = '' + client_max_body_size 64M; + ''; }; extraConfig = '' - ''; + proxy_http_version 1.1; + ''; }; }; diff --git a/services/synapse.nix b/services/synapse.nix index 3e7e9b8..0fbec23 100644 --- a/services/synapse.nix +++ b/services/synapse.nix @@ -15,6 +15,7 @@ in { path = "/run/matrix-synapse.sock"; x_forwarded = true; + request_id_header = "X-Request-ID"; resources = [ { compress = false; From 1612f5e511aa23d3a7593fb6231d9d8be3db43e3 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 30 Nov 2025 16:09:05 +0100 Subject: [PATCH 02/41] add metrics --- flake.nix | 29 +++++++++++ services/grafana.nix | 56 +++++++++++++++++++++ services/nginx.nix | 21 +++----- services/postgres.nix | 9 +--- services/prometheus.nix | 66 +++++++++++++++++++++++++ services/synapse.nix | 106 ++++++++++++++++++++++++++-------------- 6 files changed, 227 insertions(+), 60 deletions(-) create mode 100644 services/grafana.nix create mode 100644 services/prometheus.nix diff --git a/flake.nix b/flake.nix index 3edb18a..426fd4d 100644 --- a/flake.nix +++ b/flake.nix 
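Review bot: In the second nginx hunk `"~ ^(/_matrix|/_synapse/client)" {` is missing the `=`, so services/nginx.nix no longer parses as Nix; it should read `"~ ^(/_matrix|/_synapse/client)" = {`. The `extraConfig = '' client_max_body_size 64M; '';` placed inside `locations` is also taken as a location named `extraConfig` rather than a vhost setting, so the body-size limit never reaches the server block — it belongs next to the vhost-level `extraConfig` that now carries `proxy_http_version 1.1;`. Note as well that the README added in this commit runs its commands against `/_synapse/admin/...` on this host, which the new regex deliberately does not proxy, so they would land on the `418` fallback; keeping the admin API off the public vhost looks intentional, so the README should say those calls are meant for the loopback/socket listener with an admin token. The enclosing `virtualHosts."${fqdn}"` set starts before the first hunk.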
@@ -51,13 +51,42 @@ owner = "root"; group = "root"; }; + matrix_registration_shared_secret = { + file = ./secrets/matrix_registration_shared_secret.age; + mode = "440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + matrix_signing_key = { + file = ./secrets/matrix_signing_key.age; + mode = "440"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + grafana_secret_key = { + file = ./secrets/grafana_secret_key.age; + mode = "440"; + owner = "grafana"; + group = "grafana"; + }; + grafana_admin_password = { + file = ./secrets/grafana_admin_password.age; + mode = "440"; + owner = "grafana"; + group = "grafana"; + }; }; } ./configuration.nix + ./services/nginx.nix ./services/postgres.nix + ./services/synapse.nix ./services/draupnir.nix + + ./services/prometheus.nix + ./services/grafana.nix ]; }; }; diff --git a/services/grafana.nix b/services/grafana.nix new file mode 100644 index 0000000..3f167da --- /dev/null +++ b/services/grafana.nix 
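Review bot: `matrix_signing_key` is declared here with `owner = "matrix-synapse"`, but no module consumes it — services/synapse.nix in the same commit keeps `signing_key_path` commented out, and that comment names a different secret, `signing_key`. The effect is a private key decrypted onto the host that Synapse never reads while it presumably keeps using its generated key under `/var/lib/matrix-synapse/`; either wire it up as `signing_key_path = config.age.secrets.matrix_signing_key.path;` or leave the declaration out until it is used, and note that the `.age` file it points at only appears in a later commit of this series, so this commit on its own may not evaluate. Likewise `matrix_registration_shared_secret` is declared with underscores here while the synapse.nix hunk of this commit references `matrix-registration-shared-secret`, so one side needs renaming. The enclosing `age.secrets` set starts before the hunk.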
@@ -0,0 +1,56 @@ +{ ... }: + +{ + services = { + grafana = { + enable = true; + settings = { + server.http_addr = "::1"; + database = { + type = "postgres"; + name = "grafana"; + user = "grafana"; + host = "/run/postgresql"; + }; + security = { + secret_key = "$__file{${config.age.secrets.grafana_secret_key.path}}"; + admin_user = "xengi"; + admin_password = "$__file{${config.age.secrets.grafana_admin_password.path}}"; + admin_email = "grafana@xengi.de"; + }; + analytics = { + reporting_enabled = false; + feedback_links_enabled = false; + }; + }; + provision = { + enable = true; + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}"; + jsonData = { + httpMethod = "GET"; + prometheusType = "Prometheus"; + cacheLevel = "High"; + }; + } + ]; + }; + }; + + postgresql = { + ensureUsers = [ + { + name = config.services.grafana.settings.database.user; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + config.services.grafana.settings.database.name + ]; + }; + }; +} + diff --git a/services/nginx.nix b/services/nginx.nix index 282b82c..98b2fb7 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -20,9 +20,9 @@ in kTLS = true; forceSSL = true; useACMEHost = fqdn; - #enableACME = true; locations = { - "/.well-known/matrix/client" = { + "/".return = "418 \"I'm a Teapot!\""; + "= /.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; extraConfig = '' default_type application/json; 
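Review bot: The module header `{ ... }:` does not bind `config`, yet the body reads `config.age.secrets.grafana_secret_key.path`, `config.services.prometheus.listenAddress` and `config.services.grafana.settings.database.user`, so evaluation fails with an undefined-variable error; it should be `{ config, ... }:`. The `$__file{…}` references for `secret_key` and `admin_password` are the right way to keep those values out of the world-readable Nix store, and `server.http_addr = "::1"` keeps Grafana off the network until a reverse proxy is put in front — a one-line comment such as `# loopback only; publish through nginx once TLS and auth are in place` would stop a later reader from "fixing" it.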
@@ -31,25 +31,16 @@ in }; "~ ^(/_matrix|/_synapse/client)" { recommendedProxySettings = true; - proxyPass = "unix:/run/matrix-synapse.sock"; + proxyPass = "http://[::1]:8008"; extraConfig = '' + client_max_body_size 64M; proxy_set_header X-Request-ID $request_id; + proxy_http_version 1.1; ''; }; - "/" = { - return = "418 \"I'm a Teapot!\""; - }; - extraConfig = '' - client_max_body_size 64M; - ''; }; - extraConfig = '' - proxy_http_version 1.1; - ''; }; }; - security.acme.certs."${fqdn}" = { - reloadServices = ["nginx"]; - }; + security.acme.certs."${fqdn}".reloadServices = ["nginx"]; } diff --git a/services/postgres.nix b/services/postgres.nix index 2c78756..99a0b51 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -1,15 +1,8 @@ -{ config, ... }: +{ ... }: { services.postgresql = { enable = true; enableJIT = true; - ensureUsers = [ - { - name = config.services.matrix-synapse.settings.database.args.user; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ config.services.matrix-synapse.settings.database.args.database ]; }; } diff --git a/services/prometheus.nix b/services/prometheus.nix new file mode 100644 index 0000000..23f7be4 --- /dev/null +++ b/services/prometheus.nix 
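Review bot: `client_max_body_size 64M;`, now inside the proxy location, is lower than the `max_upload_size = "128M"` this same commit sets in services/synapse.nix, so uploads between 64M and 128M are rejected by nginx with 413 before Synapse sees them; pick one value for both, e.g. `client_max_body_size 128M;`. The context line `"~ ^(/_matrix|/_synapse/client)" {` still lacks its `=` and the file will not parse until that is fixed. Pointing `proxyPass` at `http://[::1]:8008` while the Synapse listener binds only `::1` keeps the backend unexposed, and since `/_synapse/admin` is intentionally left out of the regex a comment on the location such as `# client + federation API only; the admin API stays loopback-only` would record that intent. The first of the two hunks begins on the previous line of this file.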
@@ -0,0 +1,66 @@ +{ pkgs, ... }: + +{ + services.prometheus = { + enable = true; + retentionTime = "14d"; + listenAddress = "[::1]"; + exporters = { + #node = {}; + #nginx = {}; + #postgres = {}; + }; + scrapeConfigs = [ + { + job_name = "synapse"; + scrape_interval = "15s"; + static_configs = [ + { + targets = ["[::1]:9009"]; + } + ]; + } + ]; + ruleFiles = [ + # https://github.com/element-hq/synapse/tree/master/contrib/prometheus + (pkgs.writeText "prom-synapse-rules.yaml" '' + groups: + - name: synapse + rules: + - record: 'synapse_federation_client_sent' + labels: + type: "EDU" + expr: 'synapse_federation_client_sent_edus_total + 0' + - record: 'synapse_federation_client_sent' + labels: + type: "PDU" + expr: 'synapse_federation_client_sent_pdu_destinations_count_total + 0' + - record: 'synapse_federation_client_sent' + labels: + type: "Query" + expr: 'sum(synapse_federation_client_sent_queries) by (job)' + - record: 'synapse_federation_server_received' + labels: + type: "EDU" + expr: 'synapse_federation_server_received_edus_total + 0' + - record: 'synapse_federation_server_received' + labels: + type: "PDU" + expr: 'synapse_federation_server_received_pdus_total + 0' + - record: 'synapse_federation_server_received' + labels: + type: "Query" + expr: 'sum(synapse_federation_server_received_queries) by (job)' + - record: 'synapse_federation_transaction_queue_pending' + labels: + type: "EDU" + expr: 'synapse_federation_transaction_queue_pending_edus + 0' + - record: 'synapse_federation_transaction_queue_pending' + labels: + type: "PDU" + expr: 'synapse_federation_transaction_queue_pending_pdus + 0' + '') + ]; + }; +} + diff --git a/services/synapse.nix b/services/synapse.nix index 0fbec23..0d9c548 100644 --- a/services/synapse.nix +++ b/services/synapse.nix 
@@ -4,46 +4,78 @@ let domain = "berlin.ccc.de"; in { - services.matrix-synapse = { - enable = false; - settings = { - server_name = domain; - public_baseurl = "https://matrix.${domain}:443/"; - #signing_key_path = config.age.secrets.signing_key.path; # "/var/lib/matrix-synapse/homeserver.signing.key" - database.name = "psycopg2"; - listeners = [ - { - path = "/run/matrix-synapse.sock"; - x_forwarded = true; - request_id_header = "X-Request-ID"; - resources = [ - { + services = { + matrix-synapse = { + enable = true; + settings = { + server_name = domain; + public_baseurl = "https://matrix.${domain}:443/"; + #signing_key_path = config.age.secrets.signing_key.path; # "/var/lib/matrix-synapse/homeserver.signing.key" + database = { + name = "psycopg2"; + args = { + user = "matrix-synapse"; + database = "matrix-synapse"; + }; + }; + listeners = [ + { + type = "http"; + x_forwarded = true; + tls = false; + port = 8008; + bind_addresses = [ "::1" ]; + resources = [ + { + compress = false; + names = [ + "client" + "federation" + ]; + } + ]; + } + { + type = "metrics"; + port = 9009; + bind_addresses = [ "::1" ]; + resources = [{ compress = false; - names = [ - "client" - "federation" - ]; - } - ]; + names = [ "metrics" ]; + }]; + } + ]; + enable_metrics = true; + dynamic_thumbnails = true; + max_upload_size = "128M"; + max_image_pixels = "64M"; + + retention = { + enabled = true; + default_policy = { + min_lifetime = "1d"; + max_lifetime = "1y"; + }; + allowed_lifetime_min = "1d"; + allowed_lifetime_max = "1y"; + }; + }; + extraConfigFiles = [ + config.age.secrets.matrix-registration-shared-secret.path + ]; + enableRegistrationScript = true; + }; + + postgresql = { + ensureUsers = [ + { + name = config.services.matrix-synapse.settings.database.args.user; + ensureDBOwnership = true; } ]; - dynamic_thumbnails = true; - max_upload_size = "128M"; - max_image_pixels = "64M"; - - retention = { - enabled = true; - default_policy = { - min_lifetime = "1d"; - max_lifetime = "1y"; - 
}; - allowed_lifetime_min = "1d"; - allowed_lifetime_max = "1y"; - }; + ensureDatabases = [ + config.services.matrix-synapse.settings.database.args.database + ]; }; - extraConfigFiles = [ - config.age.secrets.matrix-registration-shared-secret.path - ]; - enableRegistrationScript = true; }; } From 63f434567a2f44d6505f0f300784f2be120e7314 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Sun, 30 Nov 2025 16:10:23 +0100 Subject: [PATCH 03/41] add dashboard link --- services/grafana.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/services/grafana.nix b/services/grafana.nix index 3f167da..981693d 100644 --- a/services/grafana.nix +++ b/services/grafana.nix @@ -1,5 +1,8 @@ { ... }: +# Dashboards: +# - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana + { services = { grafana = { From 04efe82c0a3a2fbc0bfa307da03383e61c63e4a4 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Tue, 2 Dec 2025 19:36:46 +0100 Subject: [PATCH 04/41] foo --- .editorconfig | 13 +++++++ configuration.nix | 5 +-- flake.nix | 1 + ... => matrix_registration_shared_secret.age} | Bin secrets/secrets.nix | 2 +- services/draupnir.nix | 3 +- services/grafana.nix | 3 +- services/nginx.nix | 33 ++++++++++++++++-- services/prometheus.nix | 5 ++- services/synapse.nix | 13 ++++--- 10 files changed, 60 insertions(+), 18 deletions(-) create mode 100644 .editorconfig rename secrets/{matrix-registration-shared-secret.age => matrix_registration_shared_secret.age} (100%) diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..3f7c734 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,13 @@ +# EditorConfig is awesome: https://editorconfig.org + +root = true + +[*] +end_of_line = lf +insert_final_newline = true +charset = utf-8 + +[*.nix] +indent_style = space +indent_size = 2 + diff --git a/configuration.nix b/configuration.nix index f99d39a..8de16bc 100644 --- a/configuration.nix +++ b/configuration.nix 
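Review bot: The new `retention` block turns on server-side expiry of events for every room with `max_lifetime = "1y"` and a floor of `allowed_lifetime_min = "1d"`, which is a user-visible data-minimisation policy rather than a tuning knob; a comment above it stating that this is deliberate and how it was agreed would save the next maintainer from treating it as an accident. Binding the client listener (`port = 8008`) and the metrics listener (`port = 9009`) to `::1` is the right default, so the unauthenticated metrics endpoint is only reachable by the local Prometheus. `max_upload_size = "128M"` should be kept in step with the nginx `client_max_body_size`, which this commit sets to 64M. The `services` set opened at the top of the hunk closes outside it.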
@@ -17,14 +17,15 @@ settings = { auto-optimise-store = true; sandbox = false; + # Allow remote updates trusted-users = [ "root" "@wheel" - ]; # Allow remote updates + ]; experimental-features = [ "nix-command" "flakes" - ]; # Enable flakes + ]; }; gc = { automatic = true; diff --git a/flake.nix b/flake.nix index 426fd4d..a101a9b 100644 --- a/flake.nix +++ b/flake.nix @@ -34,6 +34,7 @@ nixosConfigurations."matrix" = nixpkgs.lib.nixosSystem { #system = "x86_64-linux"; #pkgs = import nixpkgs { inherit system; }; + inherit system; modules = [ agenix.nixosModules.default { environment.systemPackages = [ (agenix.packages.${system}.default) ]; } diff --git a/secrets/matrix-registration-shared-secret.age b/secrets/matrix_registration_shared_secret.age similarity index 100% rename from secrets/matrix-registration-shared-secret.age rename to secrets/matrix_registration_shared_secret.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b2cef40..d5f3192 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,7 +17,7 @@ let _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AZkepRXoY+DJeSLOU+GR60S62p6+0X/PDeEUZ0yHx root@matrix"; in { - "matrix-registration-shared-secret.age".publicKeys = users ++ [ _matrix ]; + "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ]; "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; } diff --git a/services/draupnir.nix b/services/draupnir.nix index 3c4a8b5..8564d39 100644 --- a/services/draupnir.nix +++ b/services/draupnir.nix @@ -5,7 +5,7 @@ enable = false; settings = { homeserverUrl = "https://matrix.berlin.ccc.de"; - managementRoom = "#moderators:berlin.ccc.de"; + managementRoom = "!ZYWNuaQBkkenNklCSm:matrix.org"; # #cccb-moderators:berlin.ccc.de autojoinOnlyIfManager = true; recordIgnoredInvites = true; roomStateBackingStore.enabled = true; @@ -14,4 +14,3 @@ secrets.accessToken = config.age.secrets.draupnir_access_token.path; }; } - 
diff --git a/services/grafana.nix b/services/grafana.nix index 981693d..b14e43c 100644 --- a/services/grafana.nix +++ b/services/grafana.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: # Dashboards: # - Synapse: https://github.com/element-hq/synapse/tree/master/contrib/grafana @@ -56,4 +56,3 @@ }; }; } - diff --git a/services/nginx.nix b/services/nginx.nix index 98b2fb7..d1e16a6 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -7,7 +7,12 @@ in services.nginx = { enable = true; package = pkgs.nginxQuic; - resolver.addresses = ["[2606:4700:4700::1111]" "[2620:fe::fe]" "1.1.1.1" "9.9.9.9"]; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; statusPage = true; # http://127.0.0.1/nginx_status sslProtocols = "TLSv1.3"; recommendedTlsSettings = true; @@ -20,6 +25,28 @@ in kTLS = true; forceSSL = true; useACMEHost = fqdn; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "::"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "::"; + port = 8448; + ssl = true; + } + ]; locations = { "/".return = "418 \"I'm a Teapot!\""; "= /.well-known/matrix/client" = { @@ -29,7 +56,7 @@ in add_header Access-Control-Allow-Origin "*"; ''; }; - "~ ^(/_matrix|/_synapse/client)" { + "~ ^(/_matrix|/_synapse/client)" = { recommendedProxySettings = true; proxyPass = "http://[::1]:8008"; extraConfig = '' @@ -42,5 +69,5 @@ in }; }; - security.acme.certs."${fqdn}".reloadServices = ["nginx"]; + security.acme.certs."${fqdn}".reloadServices = [ "nginx" ]; } diff --git a/services/prometheus.nix b/services/prometheus.nix index 23f7be4..d70657c 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -12,11 +12,11 @@ }; scrapeConfigs = [ { - job_name = "synapse"; + job_name = "synapse"; scrape_interval = "15s"; static_configs = [ { - targets = ["[::1]:9009"]; + targets = [ "[::1]:9009" ]; } ]; } @@ -63,4 +63,3 @@ ]; }; } - 
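Review bot: Setting `listen` explicitly with only `ssl = true` entries (443 and 8448) deserves a check that the `forceSSL` plain-HTTP redirect still gets a listener; from memory the NixOS nginx module derives the redirect server's listen directives from this list when it is non-empty, which would leave no configured port-80 socket for the redirect (or for an HTTP-01 challenge if the `useACMEHost` certificate relies on one) — confirm against the module and, if so, add `{ addr = "0.0.0.0"; port = 80; }` and `{ addr = "::"; port = 80; }`. Since 8448 now serves the same vhost, a comment such as `# 8448: direct federation; 443: client API and delegated federation` would make the duplicated entries self-explanatory. The `=` added to the regex location makes the file parseable again. The enclosing `virtualHosts."${fqdn}"` set closes after the last hunk.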
diff --git a/services/synapse.nix b/services/synapse.nix index 0d9c548..b67f72e 100644 --- a/services/synapse.nix +++ b/services/synapse.nix @@ -25,6 +25,7 @@ in tls = false; port = 8008; bind_addresses = [ "::1" ]; + #request_id_header = "X-Request-ID"; resources = [ { compress = false; @@ -39,10 +40,12 @@ in type = "metrics"; port = 9009; bind_addresses = [ "::1" ]; - resources = [{ - compress = false; - names = [ "metrics" ]; - }]; + resources = [ + { + compress = false; + names = [ "metrics" ]; + } + ]; } ]; enable_metrics = true; @@ -61,7 +64,7 @@ in }; }; extraConfigFiles = [ - config.age.secrets.matrix-registration-shared-secret.path + config.age.secrets.matrix_registration_shared_secret.path ]; enableRegistrationScript = true; }; From 0d555609df0fab1b07a453d2c3ea7c8295a323cc Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Tue, 2 Dec 2025 19:39:20 +0100 Subject: [PATCH 05/41] bar --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 05a9c48..f295fe6 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,9 @@ +# Tarball + +```bash +nix build .#nixosConfigurations.matrix.config.system.build.image +``` + # HTTP Configure `berlin.ccc.de` web server to send federation traffic to the matrix server: From d864d58b47ae9596c0b0229ae6ea87ddfab9920d Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Tue, 2 Dec 2025 20:07:22 +0100 Subject: [PATCH 06/41] baz --- .gitignore | 2 ++ secrets/grafana_admin_password.age | 17 +++++++++++++++++ secrets/grafana_secret_key.age | 17 +++++++++++++++++ secrets/matrix_signing_key.age | 17 +++++++++++++++++ secrets/secrets.nix | 3 +++ services/draupnir.nix | 1 + services/synapse.nix | 3 ++- 7 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 secrets/grafana_admin_password.age create mode 100644 secrets/grafana_secret_key.age create mode 100644 secrets/matrix_signing_key.age diff --git a/.gitignore b/.gitignore index fef1ed0..58b0104 100644 --- a/.gitignore 
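Review bot: `#request_id_header = "X-Request-ID";` is added commented out while services/nginx.nix still sends `proxy_set_header X-Request-ID $request_id;` to this backend, so the header is generated but never adopted for Synapse's request ids and log correlation between proxy and homeserver is lost; either enable the option or drop the nginx header so the two files agree. If it was disabled because the option did not work on this listener, a note such as `# request_id_header rejected on this listener — TODO re-check after upgrade` would save the next person from re-trying it. The renamed `config.age.secrets.matrix_registration_shared_secret.path` now matches the name declared in flake.nix and secrets.nix. The `listeners` list this hunk edits starts before the hunk.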
+++ b/.gitignore @@ -1,3 +1,5 @@ +result + # Created by https://www.toptal.com/developers/gitignore/api/linux,windows,macos,vim,direnv # Edit at https://www.toptal.com/developers/gitignore?templates=linux,windows,macos,vim,direnv,nix diff --git a/secrets/grafana_admin_password.age b/secrets/grafana_admin_password.age new file mode 100644 index 0000000..df4f05b --- /dev/null +++ b/secrets/grafana_admin_password.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w F0dXYkVQl4OHE/uqzecvcT/l1iZkre6SRrcRUdepWjk +qkcNCTunrQsCvLNS9eApcWhx1uLpMF5GW6ZEoIX8KO0 +-> ssh-ed25519 EvLbWw gwDhePU1s103sRh8QnvRe9hUc2WabyD07s16WwqvdXg +VdaL7kJlgX/4xXkrh56IOJYNF96RYkeF8gCvxy2MvDI +-> ssh-ed25519 dM+fLQ nG9argTfh6IK0k/kkQR0vVbq1kDkLMtmqx/naEt962Q +PAB4idJ9VsTIM3l6Kd79pf41+/dr4pvYhwK5ivQm/ig +-> ssh-ed25519 jxWM2Q +xyZZfCnDFpgdHIwJ6AHPvY4wpFWsn2X1npS/gm7dX4 +0yM0Lb/r1ZzIt+NPktRB2nLEEYyxiIsqvI6L1biTjXA +-> ssh-ed25519 /yCUCg ERxCrJW5XMwdhIyNXZcZaPhwdBeEefQpOGDXTpvMXHk +r7hizzua8sO8ZYxph8az8Mrly56GaAmHuTSaPfQOg88 +-> ssh-ed25519 FGp51g 4aH+NNyJSaeQUN+fnHQaGrb4lhPpIovrUmP30Po7BxM +PgO1S13fIK6lAF4xK+f9HHv1mWaUEy37KNR662ltFKQ +-> ssh-ed25519 alMFaA q2hGtM/3TUP9UHTmFHrCZx8/xWVCjHrLrF656KqLpH0 +WsSDexTEKVop3lJlzbtlHBuvUdRfdO66ioDXdIMrXSQ +--- BQtprCgGHGAzi7Vn4Xg6TuyhFOOFe+wdyqaaiUNVtbc +e L),2! ܋HU>l^4K[-EMI.e1rg \ No newline at end of file diff --git a/secrets/grafana_secret_key.age b/secrets/grafana_secret_key.age new file mode 100644 index 0000000..18191c2 --- /dev/null +++ b/secrets/grafana_secret_key.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w 94gh7QC7DaVLH5wSmAi6N2b0hoUL+Kmjkq8COJTNPUM +k69HGr8czlxPRr5NYA8PFnL0lnD/Kcmn8SGjpPPhhDo +-> ssh-ed25519 EvLbWw 38FPJGhR6MvAOhOhlR98twybUBWGtgrK9rsv4eojADE +VDLUJ4ZqdN1oXKA86R8GEWSGm1faOApRpYambq7x/9Q +-> ssh-ed25519 dM+fLQ tKN7S0P8ElCy0z2K1IODTrQlx/TFIBXiHp/2NkhITA4 +azb6mwz88ZqFItrpTqQs+zlwu2KWRa0jQFh5yElnkfE +-> ssh-ed25519 jxWM2Q ZDK0Mj7de/K8yqX8WGqaiAb4rZA+X1njybIIPhzGc2Q +FyLxkVJF2X+5uXlrcs4jsRQsrYUB/vgdE+JnTPK3nZM +-> ssh-ed25519 /yCUCg Ab0KxtKf7B+toBwj/WADiCyyViHZdJuklnA4o4CkqWw +rByyM2l+cxuL51VpA0+TavhaLPtYkwAU8nKxTJi+thk +-> ssh-ed25519 FGp51g 8t6IBQDzTlRTqGqOUys2EoUL84G1cJviTaP3bLcAsT8 +IQ8DWOuibBerLFF/ySTxYkHrP8XSMkH0de8cProbOJU +-> ssh-ed25519 alMFaA w3yR4ct9I+bYE+pg8VEjC7PwfA0W8dYc8lAdkVbS924 +uPOoOdtwqUyzXdBspRqR6Q5pDYt9awdhFGJxPtMyoUM +--- aoySP/f7E5udD+VvXzZZGkaLBFo84fo+iK94eddA0/c +K (Uؓ]3)^Vo@ngsUpt'|2];wh0PPRtwITj%Y \ No newline at end of file diff --git a/secrets/matrix_signing_key.age b/secrets/matrix_signing_key.age new file mode 100644 index 0000000..764f60b --- /dev/null +++ b/secrets/matrix_signing_key.age 
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w x3o/RgAapZI61UmYLpH3dcMRk8YXqp5oIQngvUXqtk0 +HHYvUwmeIqy44wQRmcQMPRnrsCxtQmm5hMM2hkHor9w +-> ssh-ed25519 EvLbWw 3b873iCOgDyRmmFUE4DVvSCxQAWeymrC227nCemL8Dg +ieXGhB/jwwkOBqkojLMEiG9dZ1F7t67yVCohRdwNUUA +-> ssh-ed25519 dM+fLQ 5nTLh+e0lUupYzs21zqTndNcPAOzBW24oaW4CH6HCEI +kO/VeF/B2bC4oBfK33nHb8qe3Ky1e9O3BsTghI2X+A0 +-> ssh-ed25519 jxWM2Q dnQGTtLB7GNL2dhKLGBt49h7qKaZ3hmTi89ErkA4pxQ +d9buWLv+Qtr4Pz72JYnuM5HsonEpMB5usZrPeaquEo8 +-> ssh-ed25519 /yCUCg duFR2YmHexHh/JUlPHOmiK6Dpk6AHp2fgfr7jGOZzmE +KkUtXyStKZflXUoCY+m79QWF4n/oYoQ2GQB/aZg6Zo0 +-> ssh-ed25519 FGp51g 5+2pW1SZUhDQUK7T3ayCOLykY0MLXQ+xmpDbK/xG3XM +6dZuQdj7k0QCNzqjlmVtxBdh7agD3yAaDjFYYvsunAQ +-> ssh-ed25519 alMFaA jeu85oh+h0CqyXV7k2/Lg7/Wb2GbzIuNkNvwJsu36WM +qQK3z5l0RdiX1vfhlqIjcrH12UH1y7PNe9LVPwyTB5E +--- jrWFFkJ9YIPPt8hi3J19/5WEEzMH6MdyKxCpoFbcqh4 ++Z4䁛h:bo&7>7 R^= \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d5f3192..cf7e577 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,7 +17,10 @@ let _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AZkepRXoY+DJeSLOU+GR60S62p6+0X/PDeEUZ0yHx root@matrix"; in { + "matrix_signing_key.age".publicKeys = users ++ [ _matrix ]; "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ]; "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; + "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; + "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; } diff --git a/services/draupnir.nix b/services/draupnir.nix index 8564d39..de4d809 100644 --- a/services/draupnir.nix +++ b/services/draupnir.nix @@ -14,3 +14,4 @@ secrets.accessToken = config.age.secrets.draupnir_access_token.path; }; } + diff --git a/services/synapse.nix b/services/synapse.nix index b67f72e..bc2e19c 100644 --- a/services/synapse.nix +++ b/services/synapse.nix 
@@ -10,7 +10,8 @@ in settings = { server_name = domain; public_baseurl = "https://matrix.${domain}:443/"; - #signing_key_path = config.age.secrets.signing_key.path; # "/var/lib/matrix-synapse/homeserver.signing.key" + # "/var/lib/matrix-synapse/homeserver.signing.key" + #signing_key_path = config.age.secrets.signing_key.path; database = { name = "psycopg2"; args = { From 738d3d1cd924434ac4f619835bb35f4105fd96f0 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 14:52:18 +0100 Subject: [PATCH 07/41] nginx pkg can do http3 now --- services/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/services/nginx.nix b/services/nginx.nix index d1e16a6..d64c64b 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -6,7 +6,6 @@ in { services.nginx = { enable = true; - package = pkgs.nginxQuic; resolver.addresses = [ "[2606:4700:4700::1111]" "[2620:fe::fe]" From 97d132c9e637def84f8cdfc4f530cc9ca1b9ff9a Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 14:53:09 +0100 Subject: [PATCH 08/41] update to nixos 25.11 --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index a101a9b..3c84b12 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { description = "Matrix server for CCCB"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; #flake-utils.url = "github:numtide/flake-utils"; agenix = { url = "github:ryantm/agenix"; From c2515ce69c023a18cf48300f73059e5a588f43fb Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 14:54:33 +0100 Subject: [PATCH 09/41] disable zstd --- services/nginx.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/services/nginx.nix b/services/nginx.nix index d64c64b..314e487 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
@@ -16,7 +16,6 @@ in sslProtocols = "TLSv1.3"; recommendedTlsSettings = true; recommendedOptimisation = true; - recommendedZstdSettings = true; recommendedGzipSettings = true; recommendedBrotliSettings = true; virtualHosts."${fqdn}" = { From ea7ff408a28a1a7aaf6cf1ede631ab9033841579 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 14:58:06 +0100 Subject: [PATCH 10/41] polish --- configuration.nix | 3 +++ flake.lock | 8 ++++---- flake.nix | 2 +- services/nginx.nix | 2 -- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/configuration.nix b/configuration.nix index 8de16bc..b942516 100644 --- a/configuration.nix +++ b/configuration.nix @@ -126,6 +126,9 @@ enable = true; defaultEditor = true; }; + htop = { + enable = true; + }; ssh.startAgent = true; }; diff --git a/flake.lock b/flake.lock index b001316..811cfc3 100644 --- a/flake.lock +++ b/flake.lock @@ -68,16 +68,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1763622513, - "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=", + "lastModified": 1764677808, + "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b", + "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index a101a9b..3c84b12 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { description = "Matrix server for CCCB"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; #flake-utils.url = "github:numtide/flake-utils"; agenix = { url = "github:ryantm/agenix"; diff --git a/services/nginx.nix b/services/nginx.nix index d1e16a6..314e487 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
@@ -6,7 +6,6 @@ in { services.nginx = { enable = true; - package = pkgs.nginxQuic; resolver.addresses = [ "[2606:4700:4700::1111]" "[2620:fe::fe]" @@ -17,7 +16,6 @@ in sslProtocols = "TLSv1.3"; recommendedTlsSettings = true; recommendedOptimisation = true; - recommendedZstdSettings = true; recommendedGzipSettings = true; recommendedBrotliSettings = true; virtualHosts."${fqdn}" = { From 4d1237dc6ea332d546aefc4a0243fa1de22d3d95 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:02:08 +0100 Subject: [PATCH 11/41] reencrypt all secrets --- secrets/grafana_admin_password.age | Bin 905 -> 905 bytes secrets/grafana_secret_key.age | 32 +++++++++--------- secrets/matrix_registration_shared_secret.age | Bin 937 -> 937 bytes secrets/matrix_signing_key.age | 32 +++++++++--------- secrets/pushover_app_token.age | 32 +++++++++--------- secrets/pushover_user_key.age | 32 +++++++++--------- secrets/secrets.nix | 2 +- 7 files changed, 65 insertions(+), 65 deletions(-) 
diff --git a/secrets/grafana_admin_password.age b/secrets/grafana_admin_password.age index df4f05bb4cd57da7bb054ad00d3c8d4a6bede822..1ac13ca76f8fa262339c748c7abf315202ffc02c 100644 GIT binary patch delta 817 zcmeBV?_{5#Q}5$$80c?q?&y`A9GYI@VPq2G>SmE15fGYQQe2f7;2-Q+R$*e09hRO| z&XrmaX<88$W#$#=nPr+^R1lJ$a=vr><9+a2s9TFU#U25Tx&!uapP+Xj$ zo0?)|YHDby;9BOB6ke`ik>YA$nii=YSm2cITwr44@0RCc?jKp^o8pq1VUQD&?&TI- z8JwE#5@Be;m7kmu5K$5k9H4EHRGv~9sqN>Km2Q+)o?Bd+92S~Xm7Y|dqg@<2 z@uPUStCPQ5dPYHkMSf(VYk5Stfp=87Q&~v5iKVYeQIUy3icwKwvVWSpPhdWmk$YyO zmw~5GK!K;Xk*QNzuvcEFW1?A3PQyh;ozlZt~4 zeNCb&qAElDgYvT?ojpP#N`iuO1F{3Tye!HByi>EI(){!NB8;*NjWRsb(lYY0Eu9Uc zw7oJD9W4qgf^rKg{UXcJW5CV5z|=5Z!PK-Y#4;k=%q=P@C&)b{DYD)oC{N$mqO!;| zFU!)^J+LS_$Sc?&H@vXYl`Eto(j_RrAh@(7tgs>_H6SE7&@kA?&ELQ@!XhjvFe)c4 zDafy|Bv`vN8{N9feCOOmM};a2)5sEUFKxf{aOd1elh9N**TkS4-z-ayNb|rjXK(Z1 z`jY%C5AA|9<8-d7sF0|#^l}5^5$a#yaj zmKla|oBG9#18f<#Z}|EyK7i^j8Sdbi^QDIo>Q{d}n>K<+u<(lsqVd3p>z@=-aP+Xj$ zo0?)|YHDby;9BOB6ke{7Uha~S8W3t&Y-nIy9F$=Z=$2O&lxmp~nrsxFm{jRvU|wu! 
z7G7RhmJ*T96_%3dW1j7mlOCaOQW23|lwoS->F*Wk=VoaZ6q%jsW|8h(R#9o>Tjt_9 z@uPTnp1WmYQF=&PhMA|gLAHK&c3_Y}Sy)n`VYW-Qk8eqCVTFEPqHBqznNc8DfTNR1 zW{Q_(SaFD_uW^oB6H5^cYL z?2;fSqdXs1*T~9>OwZ!NGEXxf!=%iRtO&=+XBoxoU4tr|i@d^3BYewKGCV8&BBGL` z5(6^IQ=C#=Q_}(q{M}t5LJG=!BRsOXip(=ItEx&9EsFguq9Q8_GAt6SEPRV{DoxGY z6CHCsN<)GZ1JVNh(=9B}W5CV5z|=5Z!6eZ`+t07kD>yMVFw{>wEwA1qFwwmz$s{Ku zpujV~tSB@$z}O%l-`uIfmn$IM-!RzFIL*`BEXUE!q{3S}&C1n!9Iu?Jq>>yDr_!>}l%TW}e>1bpe3yt6Pv4@5 z;6N^2U0nsIz> ssh-ed25519 uH+n1w 94gh7QC7DaVLH5wSmAi6N2b0hoUL+Kmjkq8COJTNPUM -k69HGr8czlxPRr5NYA8PFnL0lnD/Kcmn8SGjpPPhhDo --> ssh-ed25519 EvLbWw 38FPJGhR6MvAOhOhlR98twybUBWGtgrK9rsv4eojADE -VDLUJ4ZqdN1oXKA86R8GEWSGm1faOApRpYambq7x/9Q --> ssh-ed25519 dM+fLQ tKN7S0P8ElCy0z2K1IODTrQlx/TFIBXiHp/2NkhITA4 -azb6mwz88ZqFItrpTqQs+zlwu2KWRa0jQFh5yElnkfE --> ssh-ed25519 jxWM2Q ZDK0Mj7de/K8yqX8WGqaiAb4rZA+X1njybIIPhzGc2Q -FyLxkVJF2X+5uXlrcs4jsRQsrYUB/vgdE+JnTPK3nZM --> ssh-ed25519 /yCUCg Ab0KxtKf7B+toBwj/WADiCyyViHZdJuklnA4o4CkqWw -rByyM2l+cxuL51VpA0+TavhaLPtYkwAU8nKxTJi+thk --> ssh-ed25519 FGp51g 8t6IBQDzTlRTqGqOUys2EoUL84G1cJviTaP3bLcAsT8 -IQ8DWOuibBerLFF/ySTxYkHrP8XSMkH0de8cProbOJU --> ssh-ed25519 alMFaA w3yR4ct9I+bYE+pg8VEjC7PwfA0W8dYc8lAdkVbS924 -uPOoOdtwqUyzXdBspRqR6Q5pDYt9awdhFGJxPtMyoUM ---- aoySP/f7E5udD+VvXzZZGkaLBFo84fo+iK94eddA0/c -K (Uؓ]3)^Vo@ngsUpt'|2];wh0PPRtwITj%Y \ No newline at end of file +-> ssh-ed25519 uH+n1w 55Lrc+d1ob+lncF+9PeowOUk6pfN5H8pYcKze8Yh9Ts +hrIsGn3VbmTatB41953JkzKpsFy1ClaDzV3dDDHd/mg +-> ssh-ed25519 EvLbWw Zvm46/ZMQa2bELLpS/sg/gUejfeh6HhF9C/hF4W5+Q4 +Y7ibiWUZAGJ3CLSa1n0qQ0EfYlXJ1TSIL/n/S6xxM2k +-> ssh-ed25519 dM+fLQ Y40HHJlJBSmrmiLU7uSr6M8GGxiIQ6MrLTBLHtx+cA8 +dQlUrZmO4WySeAyo1a7ZAd9r/uU1dCMdk72Wxr4Lu1s +-> ssh-ed25519 jxWM2Q 7/C5lcAq1AuuydbQPBD/hFmbXHyL6/lxqfAW8IDvm0g +Wj8GgA0/fhNPnLTUFMuBo/qvBMsx9f27nrS8BwLUHLo +-> ssh-ed25519 /yCUCg XUJ0s52LivXboJ4EeMGamFvzTlSfQKBB8GG3Hbv43Cw +SnWMJ9TnOjFLsHhXNusiT9OInmyICsrJVceVUEF4USA +-> ssh-ed25519 FGp51g qZrVsdh4binpAi42bk3s8PhykxkS76xY901grBeDyjk 
+Pneymp2y1kljGodCk/OIiBJeWNG86ZeXUwo3KqJ4AAE +-> ssh-ed25519 yoCmaA R4J9TeYunLSrLnbyz00VoKcGJNR84YLusoKGgxjuiCk +G+zmtvQaYWcVPwuD+jZKBcs0yzR9LSpCxjNOpt/hGQ8 +--- mXNr0c7WoNFuGQ2tPiwYpEJFYB+7S8VYrdKeSHwrhWU +8N ~ eݠ$JM]N=xI^f;&e9r4hy+G]^34<|8hOuE \ No newline at end of file diff --git a/secrets/matrix_registration_shared_secret.age b/secrets/matrix_registration_shared_secret.age index 533179a296b131a8836a7324786a741b75bf735f..67bf0e7583f87c81fcdc1bc027ef021a441635fb 100644 GIT binary patch delta 849 zcmZ3L1Ln>Q&yIVc4&rYR=&G?zLRryHkYoQLUD11 zZfc5=si~o*f@_&iQh2$7U!JFBWnQLtxly2Rc~wA$sauvyU_fYQnPEhvM`gZ6ntMUI zmv5zKaZY+MS6NwDVn$(3Qkj2vepRuPx4uc5zi+OGwr56YsZ+9lVv4s>QDkOmq6S@`$re@S-tIZ6m66UFRr#qIS>=^xrBV7xo_S6gkrrjHhWQ4Q;~B-n(+fP4k_?Tt z1O1&%(<&W}0+T}uoU~oii^7bZ)016;D}o}TLiEeRivnG_lET6&k_x=j{0u{@vMVi2 zvwahj@?45?Ec9IsqY6udwcUc;s!FR$v)nBvpJf!UuM9HK&JPVRFU~VF$S+OH^-2!S z$qI2y^>j~j49GRm&I>fk_D%Kl%yBf~3USVhC^M?caP=}b&nbv7DX$DD&P@r*@JljI zD$3CJs4%nCPs*`K3=77H0XO#oQ^Rxxe;@ry!_d;yuzU+2Qy(+$@cK|Q;|%@m{Or_x zU-J^b%*d=#k5rHB(twnn zR;|h|ObkiD6ONC80$X#o@Uw1#Uj2DTx+Q`L6jPnMNt*;f3jw;~B-ny^}1R4YMnX z42-?AeM6j+Je`WYQ(g0mTmvlh!%8d5O}(A6140XPvkXJIJj*>?ih|Qi!b-{m-AugP zv(25I42+7y{oG8<(~=F+3JWT8(jp4;$}$WlpJf!U&#%ZYEjKAON^|ot4|O%liZsnC zHO@74N)I$kb8*dg45-piPfiN;Dl9kQ@<=U6E$}I~2=+Bj_VuYONG~r z2oH}e@eRv2E=w^o^RCQBj{!IL0#n0ug|d`@oHX}B<7AWK0{zkm)BO7KG?VlUzsQt8 z>io>#s z>eIYaJuA!e42rp&Dh!?SEZx(LeUpQ;3&Y$zB11jH^-a7?O-%f}GtzwnDx*U3Bf}#- z3=Ft*b#)ay^4zn$t6ZGib3@BA3o8%B^dG$JYcubT2-$nHOx9zP&kcrsp*Jt>`nLVNG~bUuDnFJK{+KHk z+`#f|t2O`bllD8zOAmX#PtrLhymZ#xALqSal>W+^6q|W0;B9Zxry15R=QdBtij~d> E0C_7e2mk;8 diff --git a/secrets/matrix_signing_key.age b/secrets/matrix_signing_key.age index 764f60b..0761554 100644 --- a/secrets/matrix_signing_key.age +++ b/secrets/matrix_signing_key.age 
@@ -1,17 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 uH+n1w x3o/RgAapZI61UmYLpH3dcMRk8YXqp5oIQngvUXqtk0 -HHYvUwmeIqy44wQRmcQMPRnrsCxtQmm5hMM2hkHor9w --> ssh-ed25519 EvLbWw 3b873iCOgDyRmmFUE4DVvSCxQAWeymrC227nCemL8Dg -ieXGhB/jwwkOBqkojLMEiG9dZ1F7t67yVCohRdwNUUA --> ssh-ed25519 dM+fLQ 5nTLh+e0lUupYzs21zqTndNcPAOzBW24oaW4CH6HCEI -kO/VeF/B2bC4oBfK33nHb8qe3Ky1e9O3BsTghI2X+A0 --> ssh-ed25519 jxWM2Q dnQGTtLB7GNL2dhKLGBt49h7qKaZ3hmTi89ErkA4pxQ -d9buWLv+Qtr4Pz72JYnuM5HsonEpMB5usZrPeaquEo8 --> ssh-ed25519 /yCUCg duFR2YmHexHh/JUlPHOmiK6Dpk6AHp2fgfr7jGOZzmE -KkUtXyStKZflXUoCY+m79QWF4n/oYoQ2GQB/aZg6Zo0 --> ssh-ed25519 FGp51g 5+2pW1SZUhDQUK7T3ayCOLykY0MLXQ+xmpDbK/xG3XM -6dZuQdj7k0QCNzqjlmVtxBdh7agD3yAaDjFYYvsunAQ --> ssh-ed25519 alMFaA jeu85oh+h0CqyXV7k2/Lg7/Wb2GbzIuNkNvwJsu36WM -qQK3z5l0RdiX1vfhlqIjcrH12UH1y7PNe9LVPwyTB5E ---- jrWFFkJ9YIPPt8hi3J19/5WEEzMH6MdyKxCpoFbcqh4 -+Z4䁛h:bo&7>7 R^= \ No newline at end of file +-> ssh-ed25519 uH+n1w w8axXvHYqvpPQ3F6HPqkYajE0Dt22jo3wY8b0i/lnSQ +PZBQjY8wX3P7ogQkXpxtoZR3P5eF1D/zVi16U4jgQJs +-> ssh-ed25519 EvLbWw QGSamUGLnPH72E4D8sTH6IedCXC9WQKWlrg6dpBRIVg +yBKhlPaoHEUp+TGpJnD3piI7rJQ4qGJDDwjd2IbCQ+c +-> ssh-ed25519 dM+fLQ DrTAMtTO7ODPdz4qrT+x3BNWHlBmiSiCKZZ73AePoBc +sNwG62hSoI/Meq2yu4DPXgdFWCCfRJR8TXBGcisrKrQ +-> ssh-ed25519 jxWM2Q o7y4DSM9ALuLKxy0eqp/nWoNRhNGhsxyCBT6BbBY6Cg +ohCjkO4M0lHeVABX25kGWf1/1hiI28Hxt0ynNRcLKLM +-> ssh-ed25519 /yCUCg U7fBnQJi16qOcZX8HRUy4oQHhe+TMBJDGAoB9Vgs6RI +JCVKwdeSALdMoiqHlqysOj+kQgd9pDjPsoJTWmQPqcU +-> ssh-ed25519 FGp51g seW1UzoGtIPpAVodMB+hysJyOOtiUy+7R9Wqj9qwkz4 +Yd+gxejXcFtKLeSNINCdwnDeqgC+b3OaJ9LpjomDy9g +-> ssh-ed25519 yoCmaA HyjmnIoY5X1MQRN6nh7ASM++g1jWgdir8V3Sz4H2+Hc +dWHiwSHf2X4Cuvpe5gLjC1qPqxaQQmQLN0JKOar0xc8 +--- q4OohJC7um3dN17nHMcgANZt05Ly+m3Ozk4ORJ6esxM +/v|}Hք^+<6< \ No newline at end of file diff --git a/secrets/pushover_app_token.age b/secrets/pushover_app_token.age index 1fe3ef2..7a675c7 100644 --- a/secrets/pushover_app_token.age +++ b/secrets/pushover_app_token.age 
@@ -1,17 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 uH+n1w EMOmmGlZ2rnqAaqcHHQ9conaa8YH/3TBFRpUlssNuGw -jyXUxitYHc/vNpab9winTCqCWBQYtmDGdZortYYlMAI --> ssh-ed25519 EvLbWw K+NOnJui0ASn3lPsP1xZ2X4fdfSBQ1woOnD3c4Zk/xE -FDYbrduCSWvo5NSzyAgwNa7tU4c3r7Fcoizfph3fqF4 --> ssh-ed25519 dM+fLQ Ji3jw0haPByWaQ68rHxFmj1xjSG9EVfyYTtZZpAFYFg -cHPTEfHWjwIVUBaDB85vGCfatd4Wtuq7QT3mIcdaF7M --> ssh-ed25519 jxWM2Q ZTbjGk18JyognAJwUQIfwy3YlHALXsfyUICiGrG/ij0 -/eyD/UoQZ33s2geZ6212ZMOLhyzKCbryR1HDYW02dfg --> ssh-ed25519 /yCUCg cM7meOfoTt4UlsODZeSrLFkMtIAInASm0uDrMHDDnXY -LCdZCjhp+/i7bGkXhHJ4Jv6C2ikcPsL3i7W/tap7AMs --> ssh-ed25519 FGp51g zZFF/qLQDbKpkBQiEJJQrtoJVxrdrWeqziwNq/rP2jY -jJ/ivlZIfn6/oh7yZSCNmQGikvwdSVAzxkLj/tc2Eys --> ssh-ed25519 alMFaA y5NuhEOK3lijncBscuSCfOTpepiIkAYW/W5kG+wscRE -a/z+2jHk1ERmNXFv+h1B7BpavjbemqOON5ruHP5U6dY ---- 6e7V59HtYHOi9koxczT0hwL6wk1/QkmDOkUGGlZCmo8 -[5̓rl*X*_'-`|3A3N> \ No newline at end of file +-> ssh-ed25519 uH+n1w CpismpignW6KyCMQzoag+R8oimzZHES+0yGksCcUMho +sDwfn3wJrFC9IDenrh8eXgfHoqTlJNb+vyF8xyJrjZ8 +-> ssh-ed25519 EvLbWw 7HOXQ9JHK0wRtmW8wipPQoQU7Hl2mzuEJR3yhSQ8v1M +ju2NYTnCUapa9XIq9mF1ydItVa2GSE/aBhep8+4WxqQ +-> ssh-ed25519 dM+fLQ gTVxxgX+4FROshLyPkU98DWcXg0vsra/37JzS8tSRGM +454qvkc89sxBQeP/xtTA/g6YsKnPYkpFD1JQshCcWQ0 +-> ssh-ed25519 jxWM2Q UNp42zqLcZT1E3/CfzyNdE74gQJmq1NcLjj83m0pAg8 +HghuogwHIJ1PTYbdtzhSREOxBoItUAb0yA9aMff1Ha4 +-> ssh-ed25519 /yCUCg nDHhp+yPDpRKlpJSx5I3BR4R3My1ivoCNbSCGeFM8lw +JCfjM/9x3vFdOtQAQDGvdPhUnCD3ztIrK8BN9nafnKI +-> ssh-ed25519 FGp51g WJA1Z5O3yxtypMLG9m4l0mjQrw6XMe8/JDvY4QGFgRQ +TlzGrdk3A0tNyY0ZkDORqe90x7Jnrna3emCXOHIIg4I +-> ssh-ed25519 yoCmaA BCwjqZS92x24+UThVDbEqPopfQnKthAXkOA1uxQjiDo +zX+u2YP/lXJOvPvG30HLNAOLsJv7QT5IU9d3w6aSXeU +--- I9YP9v5qBtGoN7epTH7gLqFqFPml3THjnE0y7H5f17g +giyT`!|80!YȤMy` \ No newline at end of file diff --git a/secrets/pushover_user_key.age b/secrets/pushover_user_key.age index 1fe3ef2..828cd88 100644 --- a/secrets/pushover_user_key.age +++ b/secrets/pushover_user_key.age 
@@ -1,17 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 uH+n1w EMOmmGlZ2rnqAaqcHHQ9conaa8YH/3TBFRpUlssNuGw -jyXUxitYHc/vNpab9winTCqCWBQYtmDGdZortYYlMAI --> ssh-ed25519 EvLbWw K+NOnJui0ASn3lPsP1xZ2X4fdfSBQ1woOnD3c4Zk/xE -FDYbrduCSWvo5NSzyAgwNa7tU4c3r7Fcoizfph3fqF4 --> ssh-ed25519 dM+fLQ Ji3jw0haPByWaQ68rHxFmj1xjSG9EVfyYTtZZpAFYFg -cHPTEfHWjwIVUBaDB85vGCfatd4Wtuq7QT3mIcdaF7M --> ssh-ed25519 jxWM2Q ZTbjGk18JyognAJwUQIfwy3YlHALXsfyUICiGrG/ij0 -/eyD/UoQZ33s2geZ6212ZMOLhyzKCbryR1HDYW02dfg --> ssh-ed25519 /yCUCg cM7meOfoTt4UlsODZeSrLFkMtIAInASm0uDrMHDDnXY -LCdZCjhp+/i7bGkXhHJ4Jv6C2ikcPsL3i7W/tap7AMs --> ssh-ed25519 FGp51g zZFF/qLQDbKpkBQiEJJQrtoJVxrdrWeqziwNq/rP2jY -jJ/ivlZIfn6/oh7yZSCNmQGikvwdSVAzxkLj/tc2Eys --> ssh-ed25519 alMFaA y5NuhEOK3lijncBscuSCfOTpepiIkAYW/W5kG+wscRE -a/z+2jHk1ERmNXFv+h1B7BpavjbemqOON5ruHP5U6dY ---- 6e7V59HtYHOi9koxczT0hwL6wk1/QkmDOkUGGlZCmo8 -[5̓rl*X*_'-`|3A3N> \ No newline at end of file +-> ssh-ed25519 uH+n1w HTqQauCW1UsrG02sXuh6+d81ccDXxuICmLgXp+EJxUE +wRo53sJ4nECI17A1QHJPycecvv9Vv8e0J+PS/sAyqIw +-> ssh-ed25519 EvLbWw RRqLwCd1NgUCRXcEF5k3+Gp3xeI0wscX8dYfYdisJTU +u2m4/DpD16jgO0mDu09/CekJK/uAS3ufQcQYDsay8AA +-> ssh-ed25519 dM+fLQ SgDFIxeGQxv72Bo+hgxFRBnW6bD0pAoP2Tqz4D3d/Ec +Emi7INrfeimLilF/Dtb2twmgedtyCq+Fp/sTB+NeBtE +-> ssh-ed25519 jxWM2Q 27h3w7OD9Mv8Pd4O1eAc6e2pzRD6R1TPeyALnzh2r3A +PvRdyDvHYMEEhGobaZPsNl80hcfMX4QBJI0Xmt/QXds +-> ssh-ed25519 /yCUCg SIKJiDq+ibPUOQjcjMCFuH53LhBjKjcrb9k3DZs3xQM +ZeHS04Pcdykau8AHQr/U1IAmd4j15CZvSGJ8sC3H3po +-> ssh-ed25519 FGp51g VIF1TFzuPNVhEjF3jnBpte9m3VF1Z7IaHrvO+3Rr9i0 +QszHp1w4AxfqVr2/h9RU546sFyik6DTSg0qY9ItZtCU +-> ssh-ed25519 yoCmaA cZd7lZ4MAvBqnEgLhk1cJAgvbI7lR4zmXcLla3GKoUE +s4rWNU4yFRdnTfDLVAG6JupNe7PyVx3wZKaOKsycff0 +--- n/y1v04doS7QVo+ZepIgG3YBMXcaKm4h9y3wPMjeupU +Gƶj!!YA'cF=XЌ!YUWٞ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index cf7e577..f106d09 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -14,7 +14,7 @@ let nyu ]; - _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AZkepRXoY+DJeSLOU+GR60S62p6+0X/PDeEUZ0yHx root@matrix"; + _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix"; in { "matrix_signing_key.age".publicKeys = users ++ [ _matrix ]; From 6648c94a6eb66b8b1b9cd51a087071e168074f1f Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:04:43 +0100 Subject: [PATCH 12/41] make config more lxc aware --- configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/configuration.nix b/configuration.nix index b942516..ed0d5e2 100644 --- a/configuration.nix +++ b/configuration.nix @@ -9,6 +9,12 @@ { imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ]; + systemd.suppressedSystemUnits = [ + "dev-mqueue.mount" + "sys-kernel-debug.mount" + "sys-fs-fuse-connections.mount" + ]; + nix = { optimise = { automatic = true; From 41d7733576b966f98792a855ee5898e8a8587bbe Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:09:05 +0100 Subject: [PATCH 13/41] fix ipv6 --- services/nginx.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/nginx.nix b/services/nginx.nix index 314e487..8d79b53 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -30,7 +30,7 @@ in ssl = true; } { - addr = "::"; + addr = "[::]"; port = 443; ssl = true; } @@ -40,7 +40,7 @@ in ssl = true; } { - addr = "::"; + addr = "[::]"; port = 8448; ssl = true; } From 0c71452bb829f17f3c740b9bdaafed5e09bbfd1e Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:10:08 +0100 Subject: [PATCH 14/41] no tls --- services/synapse.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/services/synapse.nix b/services/synapse.nix index bc2e19c..5dd9892 100644 --- a/services/synapse.nix +++ b/services/synapse.nix 
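Review bot: Swapping the `_matrix` recipient key and re-encrypting the `.age` files does not take anything away from the holder of the previous host key: every earlier ciphertext in git history (signing key, registration shared secret, pushover tokens) stays decryptable with the old `root@matrix` key. If the old host or its key could have been exposed, the plaintexts need regenerating rather than only re-encrypting; the registration shared secret and the pushover tokens can simply be reissued. The Matrix signing key is the exception, since rotating it requires keeping the retired key in Synapse's `old_signing_keys` so previously signed events still verify. A one-line comment next to `_matrix` recording when and why the host key changed would make this auditable later.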
@@ -23,7 +23,6 @@ in { type = "http"; x_forwarded = true; - tls = false; port = 8008; bind_addresses = [ "::1" ]; #request_id_header = "X-Request-ID"; From ea94303f03686f0ab75dbac981c5b7c439c50d8b Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:14:37 +0100 Subject: [PATCH 15/41] enable acme http challenge --- configuration.nix | 2 +- services/nginx.nix | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/configuration.nix b/configuration.nix index ed0d5e2..404c171 100644 --- a/configuration.nix +++ b/configuration.nix @@ -146,7 +146,7 @@ renewInterval = "daily"; email = "acme@xengi.de"; group = "nginx"; - webroot = "/var/lib/acme/acme-challenge"; + webroot = "/var/lib/acme/acme-challenges"; }; }; }; diff --git a/services/nginx.nix b/services/nginx.nix index 8d79b53..e8c1f7b 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -4,6 +4,8 @@ let fqdn = "matrix.berlin.ccc.de"; in { + users.users.nginx.extraGroups = [ "acme" ]; + services.nginx = { enable = true; resolver.addresses = [ @@ -46,6 +48,7 @@ in } ]; locations = { + "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; "/".return = "418 \"I'm a Teapot!\""; "= /.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; @@ -67,5 +70,7 @@ in }; }; - security.acme.certs."${fqdn}".reloadServices = [ "nginx" ]; + security.acme.certs."${fqdn}" = { + reloadServices = [ "nginx" ]; + }; } From 21053732c49d069823b4914bde9c68fb2ddf72c4 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:17:48 +0100 Subject: [PATCH 16/41] persist signing key --- secrets/matrix_signing_key.age | 32 ++++++++++++++++---------------- services/synapse.nix | 2 +- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/secrets/matrix_signing_key.age b/secrets/matrix_signing_key.age index 0761554..cebe8d5 100644 --- a/secrets/matrix_signing_key.age 
+++ b/secrets/matrix_signing_key.age @@ -1,17 +1,17 @@ age-encryption.org/v1 --> ssh-ed25519 uH+n1w w8axXvHYqvpPQ3F6HPqkYajE0Dt22jo3wY8b0i/lnSQ -PZBQjY8wX3P7ogQkXpxtoZR3P5eF1D/zVi16U4jgQJs --> ssh-ed25519 EvLbWw QGSamUGLnPH72E4D8sTH6IedCXC9WQKWlrg6dpBRIVg -yBKhlPaoHEUp+TGpJnD3piI7rJQ4qGJDDwjd2IbCQ+c --> ssh-ed25519 dM+fLQ DrTAMtTO7ODPdz4qrT+x3BNWHlBmiSiCKZZ73AePoBc -sNwG62hSoI/Meq2yu4DPXgdFWCCfRJR8TXBGcisrKrQ --> ssh-ed25519 jxWM2Q o7y4DSM9ALuLKxy0eqp/nWoNRhNGhsxyCBT6BbBY6Cg -ohCjkO4M0lHeVABX25kGWf1/1hiI28Hxt0ynNRcLKLM --> ssh-ed25519 /yCUCg U7fBnQJi16qOcZX8HRUy4oQHhe+TMBJDGAoB9Vgs6RI -JCVKwdeSALdMoiqHlqysOj+kQgd9pDjPsoJTWmQPqcU --> ssh-ed25519 FGp51g seW1UzoGtIPpAVodMB+hysJyOOtiUy+7R9Wqj9qwkz4 -Yd+gxejXcFtKLeSNINCdwnDeqgC+b3OaJ9LpjomDy9g --> ssh-ed25519 yoCmaA HyjmnIoY5X1MQRN6nh7ASM++g1jWgdir8V3Sz4H2+Hc -dWHiwSHf2X4Cuvpe5gLjC1qPqxaQQmQLN0JKOar0xc8 ---- q4OohJC7um3dN17nHMcgANZt05Ly+m3Ozk4ORJ6esxM -/v|}Hք^+<6< \ No newline at end of file +-> ssh-ed25519 uH+n1w 4o87n9J5BB5e/X5sQM+8HOczgSye/WijcvOrCUM6d3I +Ye8imH528eWpCJ7SSxf9eogBzoNYdYGfYHZaZLzUKB4 +-> ssh-ed25519 EvLbWw E8bQjHPE783T5Q6fYjCd4dlVGK5CgGUjHBn+tXz9Qmg +PQArA8KnQ2xB8JvCN0CNtBZZe0xiHf4p3cHwJ+qEzjw +-> ssh-ed25519 dM+fLQ fbA5v7Et6b11JIeDzl1d/Nff1FPNVT07ISL9ap4TehE +/SG8ePRf0GXrqT7bEvwpf2wa31J31d5Di2rgeQcdRwk +-> ssh-ed25519 jxWM2Q uClXpHlke1YRyJhye5twdSwUNI8JpQSz3eGkFEFHKGc +XF5DiSO4cZLIaLl04y2zmPguIpufcw+yAx7L8UbudV8 +-> ssh-ed25519 /yCUCg MDYtCl4FvqBLb/xC+7Rt3tYeQ2Mi5fbOWl2aKdPSJQI +8iQSqlMMj+VCOBBKcyTvS3p4lJsN5h6MPDM3mnaWNlE +-> ssh-ed25519 FGp51g 6lALHIQk3kpc/9rrXEwuG2HXAHGP4sGBTZNO50jMRkI ++GbZjITsBCDzOPEHgp945knlYlsYC8ObNbUQmA/DsME +-> ssh-ed25519 yoCmaA G2n3ZtZ5gyDSABy0wgyy9feImhprTFOZpEIwNJLJjBs +P99b4Q1ghNW9slWE9wVGgQX9j9vDZUP6Lumnwc+EWw4 +--- NCjPsR2/qrlWPaHya7ucG9xFuPAMVwJjSCC40HixNhY +(E`%Fv.ԧ-bGzSʴHjO{3EchnlYs'LAI8NbnϽoe"jX gp]e `Q2ϛ$ \ No newline at end of file diff --git a/services/synapse.nix b/services/synapse.nix index 5dd9892..d381cf1 100644 --- a/services/synapse.nix 
+++ b/services/synapse.nix @@ -11,7 +11,7 @@ in server_name = domain; public_baseurl = "https://matrix.${domain}:443/"; # "/var/lib/matrix-synapse/homeserver.signing.key" - #signing_key_path = config.age.secrets.signing_key.path; + signing_key_path = config.age.secrets.matrix_signing_key.path; database = { name = "psycopg2"; args = { From afb45d4c11b09beb3d040bbfc841a9b72c760614 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:23:04 +0100 Subject: [PATCH 17/41] fix secret --- services/synapse.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/services/synapse.nix b/services/synapse.nix index d381cf1..1d71e10 100644 --- a/services/synapse.nix +++ b/services/synapse.nix @@ -12,6 +12,7 @@ in public_baseurl = "https://matrix.${domain}:443/"; # "/var/lib/matrix-synapse/homeserver.signing.key" signing_key_path = config.age.secrets.matrix_signing_key.path; + registration_shared_secret_path = config.age.secrets.matrix_registration_shared_secret.path; database = { name = "psycopg2"; args = { @@ -63,9 +64,6 @@ in allowed_lifetime_max = "1y"; }; }; - extraConfigFiles = [ - config.age.secrets.matrix_registration_shared_secret.path - ]; enableRegistrationScript = true; }; From 300034185e2eb5a9f10ab7e6b81d1fc3b6a78882 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:24:49 +0100 Subject: [PATCH 18/41] fix tls --- services/synapse.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/synapse.nix b/services/synapse.nix index 1d71e10..e0fa15e 100644 --- a/services/synapse.nix +++ b/services/synapse.nix @@ -23,6 +23,7 @@ in listeners = [ { type = "http"; + tls = false; x_forwarded = true; port = 8008; bind_addresses = [ "::1" ]; @@ -39,6 +40,7 @@ in } { type = "metrics"; + tls = false; port = 9009; bind_addresses = [ "::1" ]; resources = [ From ff9315233c28b1a0a2f7ebd445394cff25957c65 Mon Sep 17 00:00:00 2001 
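Review bot: With `registration_shared_secret_path` and `signing_key_path` Synapse itself opens the age-decrypted files at startup, so the `age.secrets.matrix_registration_shared_secret` and `matrix_signing_key` definitions must grant the `matrix-synapse` user read access (owner or group plus mode); that definition is not part of this patch, so please confirm it, because a root-only file would only fail at service start rather than at build time. Dropping `extraConfigFiles` is an improvement, as the secret is no longer spliced into a generated YAML. In the patch 16 hunk above, the comment `# "/var/lib/matrix-synapse/homeserver.signing.key"` is now stale next to the active `signing_key_path`; either delete it or reword it to `# default on-disk location; replaced by the agenix-managed key below`.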
From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 15:30:57 +0100 Subject: [PATCH 19/41] fix postgres colation --- services/postgres.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/services/postgres.nix b/services/postgres.nix index 99a0b51..8753953 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -4,5 +4,9 @@ services.postgresql = { enable = true; enableJIT = true; + initdbArgs = [ + "--locale=C" + "--encoding=UTF8" + ]; }; } From 2a282146107b7f5a0dad5a4a984648a9ce78a0ac Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 22:46:52 +0100 Subject: [PATCH 20/41] fix http challenge --- services/nginx.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/services/nginx.nix b/services/nginx.nix index e8c1f7b..f89d339 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -24,7 +24,8 @@ in quic = true; kTLS = true; forceSSL = true; - useACMEHost = fqdn; + #useACMEHost = fqdn; + enableACME = true; listen = [ { addr = "0.0.0.0"; @@ -48,7 +49,7 @@ in } ]; locations = { - "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; + #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; "/".return = "418 \"I'm a Teapot!\""; "= /.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; @@ -70,7 +71,7 @@ in }; }; - security.acme.certs."${fqdn}" = { - reloadServices = [ "nginx" ]; - }; + #security.acme.certs."${fqdn}" = { + # reloadServices = [ "nginx" ]; + #}; } From 4ed9dc41b1cabaadecd07a458416ce6fe262aa6e Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 22:49:01 +0100 Subject: [PATCH 21/41] fix http challenge --- configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index 404c171..3b202e0 100644 --- a/configuration.nix +++ b/configuration.nix 
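Review bot: `initdbArgs` only takes effect when the PostgreSQL data directory is first created; a cluster initialised earlier with the default locale keeps it, and the Synapse database would still carry the wrong collation. If this host already ran postgres before this change, the cluster (or at least the synapse database) has to be recreated with `LC_COLLATE=C` and `LC_CTYPE=C`, which is the combination Synapse requires. A comment on the list would preserve the reason for the next reader: `# Synapse requires a C-collated UTF8 database; only applied on first initdb`.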
@@ -146,7 +146,6 @@ renewInterval = "daily"; email = "acme@xengi.de"; group = "nginx"; - webroot = "/var/lib/acme/acme-challenges"; }; }; }; From bd3477cd55583a09a53666f95ee39d38082c1463 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 23:01:38 +0100 Subject: [PATCH 22/41] fix nginx --- services/nginx.nix | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/services/nginx.nix b/services/nginx.nix index f89d339..8b79a57 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -26,28 +26,28 @@ in forceSSL = true; #useACMEHost = fqdn; enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - ]; + #listen = [ + # { + # addr = "0.0.0.0"; + # port = 443; + # ssl = true; + # } + # { + # addr = "[::]"; + # port = 443; + # ssl = true; + # } + # { + # addr = "0.0.0.0"; + # port = 8448; + # ssl = true; + # } + # { + # addr = "[::]"; + # port = 8448; + # ssl = true; + # } + #]; locations = { #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; "/".return = "418 \"I'm a Teapot!\""; From 21bd6d4f9f7abb128084de025b3a657d895ccc94 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 23:24:04 +0100 Subject: [PATCH 23/41] add health check --- services/nginx.nix | 37 +------------------------------------ 1 file changed, 1 insertion(+), 36 deletions(-) diff --git a/services/nginx.nix b/services/nginx.nix index 8b79a57..24c02a3 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
@@ -24,41 +24,10 @@ in quic = true; kTLS = true; forceSSL = true; - #useACMEHost = fqdn; enableACME = true; - #listen = [ - # { - # addr = "0.0.0.0"; - # port = 443; - # ssl = true; - # } - # { - # addr = "[::]"; - # port = 443; - # ssl = true; - # } - # { - # addr = "0.0.0.0"; - # port = 8448; - # ssl = true; - # } - # { - # addr = "[::]"; - # port = 8448; - # ssl = true; - # } - #]; locations = { - #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; "/".return = "418 \"I'm a Teapot!\""; - "= /.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - "~ ^(/_matrix|/_synapse/client)" = { + "~ ^(/_matrix|/_synapse/client|/health)" = { recommendedProxySettings = true; proxyPass = "http://[::1]:8008"; extraConfig = '' @@ -70,8 +39,4 @@ in }; }; }; - - #security.acme.certs."${fqdn}" = { - # reloadServices = [ "nginx" ]; - #}; } From 288b50d9936385df83f74585e4c8d5b471d80efe Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Thu, 4 Dec 2025 23:27:30 +0100 Subject: [PATCH 24/41] remove /health --- services/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/nginx.nix b/services/nginx.nix index 24c02a3..acaff25 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -27,7 +27,7 @@ in enableACME = true; locations = { "/".return = "418 \"I'm a Teapot!\""; - "~ ^(/_matrix|/_synapse/client|/health)" = { + "~ ^(/_matrix|/_synapse/client)" = { recommendedProxySettings = true; proxyPass = "http://[::1]:8008"; extraConfig = '' From c457ef602a2a519d6bf923dc6dc02c18c9b44ecd Mon Sep 17 00:00:00 2001 From: xengi Date: Fri, 5 Dec 2025 10:18:21 +0100 Subject: [PATCH 25/41] Update README.md Signed-off-by: xengi --- README.md | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) 
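Review bot: Removing the `listen` block also drops the port 8448 listeners, so nginx now serves only the module defaults while the firewall in configuration.nix still opens `8448 # Matrix federation`; federation then depends entirely on the `/.well-known/matrix/server` delegation to `matrix.berlin.ccc.de:443` and the `_matrix-fed` SRV record documented in the README. That is a valid setup, but the open-but-unserved port and the implicit dependency should be made explicit: either close 8448 in the firewall or re-add the 8448 listeners, and add `# federation is delegated to :443 via .well-known/matrix/server; no 8448 listener` to the vhost. The proxied path regex (narrowed again in the patch 24 hunk below) intentionally leaves `/_synapse/admin` off the public proxy, which deserves a comment so the admin API is not casually added to the pattern later.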
diff --git a/README.md b/README.md index f295fe6..bde01f5 100644 --- a/README.md +++ b/README.md @@ -13,20 +13,30 @@ server { hostname berlin.ccc.de; location "/.well-known/matrix/server" { default_type application/json; + add_header Access-Control-Allow-Origin "*"; return 200 '{"m.server":"matrix.berlin.ccc.de:443"}'; } + location "/.well-known/matrix/client" { + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}'; + } } ``` # DNS ``` -_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -matrix.berlin.ccc.de. IN A -matrix.berlin.ccc.de. IN AAAA +_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. +_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. +matrix.berlin.ccc.de. IN A 195.160.173.25 +matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25 +matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01" +matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de" +matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842 +matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b +matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91 +matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887 ``` # Bots From 3b84ac33f0bbdbc2acd657dd05826a18a5b3a31d Mon Sep 17 00:00:00 2001 From: xengi Date: Fri, 5 Dec 2025 10:18:41 +0100 Subject: [PATCH 26/41] Update README.md Signed-off-by: xengi --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bde01f5..e608ad8 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ server { # DNS -``` +```dns _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. matrix.berlin.ccc.de. IN A 195.160.173.25 From 8bfa4284cbadfebcf8f738594ba717211a6867ee Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:06:16 +0100 Subject: [PATCH 27/41] things --- configuration.nix | 22 ++++++++++++++++++---- services/nginx.nix | 3 ++- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/configuration.nix b/configuration.nix index 404c171..02c4f3d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -55,7 +55,8 @@ users.users.root = { packages = with pkgs; [ kitty # for terminfo - neofetch # for shits and giggles + fastfetch # for shits and giggles + tmux ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09" @@ -69,16 +70,25 @@ }; networking = { + hostname = "matrix"; + domain = "berlin.ccc.de"; + nameservers = [ + "2606:4700:4700::1111#one.one.one.one" + "2620:fe::fe#dns.quad9.net" + ]; + useDHCP = false; useNetworkd = true; - nftables.enable = true; dhcpcd.enable = false; + nftables.enable = true; + tempAddresses = "disabled"; firewall = { enable = true; allowedTCPPorts = [ - 22 # SSH + 22 80 # HTTP/1 443 # HTTP/2 8448 # Matrix federation + 10022 # SSH ]; allowedUDPPorts = [ 443 # HTTP/3 @@ -94,7 +104,7 @@ fstrim.enable = false; # Let Proxmox host handle fstrim openssh = { enable = true; - openFirewall = true; + ports = [ 22 10022 ]; settings = { PermitEmptyPasswords = "no"; PermitRootLogin = "prohibit-password"; @@ -111,6 +121,10 @@ \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/ ''; }; + sshguard = { + enable = true; + services = [ "sshd" ]; + }; # Cache DNS lookups to improve performance resolved = { enable = true; diff --git a/services/nginx.nix b/services/nginx.nix index e8c1f7b..8ac5477 100644 
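Review bot: The `nameservers` entries use resolved's `address#servername` form, which only pins the TLS server name; lookups stay plaintext unless resolved's DNS-over-TLS mode is enabled as well, and that setting is not in this hunk (the `resolved = { enable = true;` block further down shows only the enable flag). Please confirm `services.resolved.dnsovertls` (or `DNSOverTLS=` in its extraConfig) is set, or drop the `#…` suffixes so the config does not read as encrypted DNS when it is not. A short comment such as `# DoT upstreams; requires services.resolved.dnsovertls` on the list would tie the two settings together.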
--- a/services/nginx.nix +++ b/services/nginx.nix @@ -21,6 +21,7 @@ in recommendedGzipSettings = true; recommendedBrotliSettings = true; virtualHosts."${fqdn}" = { + default = true; quic = true; kTLS = true; forceSSL = true; @@ -49,7 +50,7 @@ in ]; locations = { "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/".return = "418 \"I'm a Teapot!\""; + "/".return = "418 \"🫖\""; "= /.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; extraConfig = '' From ac3739c83d38ec2c89c1a5c0e1d9872e69ee2793 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:09:01 +0100 Subject: [PATCH 28/41] fix --- configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configuration.nix b/configuration.nix index 7a0be5f..a3ff60c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -49,7 +49,7 @@ proxmoxLXC = { manageNetwork = false; manageHostName = false; - privileged = true; + privileged = false; }; users.users.root = { @@ -70,7 +70,7 @@ }; networking = { - hostname = "matrix"; + hostName = "matrix"; domain = "berlin.ccc.de"; nameservers = [ "2606:4700:4700::1111#one.one.one.one" From 935244f72e1ff40e0fb49bd2987efb9e6e61a776 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:11:59 +0100 Subject: [PATCH 29/41] fix --- configuration.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/configuration.nix b/configuration.nix index a3ff60c..91418b3 100644 --- a/configuration.nix +++ b/configuration.nix @@ -84,11 +84,10 @@ firewall = { enable = true; allowedTCPPorts = [ - 22 + 22 # SSH 80 # HTTP/1 443 # HTTP/2 8448 # Matrix federation - 10022 # SSH ]; allowedUDPPorts = [ 443 # HTTP/3 @@ -104,7 +103,6 @@ fstrim.enable = false; # Let Proxmox host handle fstrim openssh = { enable = true; - ports = [ 22 10022 ]; settings = { PermitEmptyPasswords = "no"; PermitRootLogin = "prohibit-password"; 
From 4ec1302a6872c71d21d6c189136580e4934b94c1 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 19:49:24 +0100 Subject: [PATCH 30/41] fmt fix --- services/draupnir.nix | 1 - services/nginx.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/services/draupnir.nix b/services/draupnir.nix index de4d809..8564d39 100644 --- a/services/draupnir.nix +++ b/services/draupnir.nix @@ -14,4 +14,3 @@ secrets.accessToken = config.age.secrets.draupnir_access_token.path; }; } - diff --git a/services/nginx.nix b/services/nginx.nix index a848f13..eff02e6 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -42,4 +42,3 @@ in }; }; } - From a9714a1d6c907c59190100661f16c97a06423fae Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 21:33:54 +0100 Subject: [PATCH 31/41] add tmux --- configuration.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configuration.nix b/configuration.nix index 3b202e0..571d7e7 100644 --- a/configuration.nix +++ b/configuration.nix @@ -135,6 +135,13 @@ htop = { enable = true; }; + tmux = { + enable = true; + terminal = "screen-256color"; + shortcut = "a"; + newSession = true; + clock24 = true; + }; ssh.startAgent = true; }; From 736aa3a9ef63e8d8f96fd915840e8ed6993cdf07 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 21:37:10 +0100 Subject: [PATCH 32/41] fix typo --- configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index c202c1a..0f7677a 100644 --- a/configuration.nix +++ b/configuration.nix @@ -35,7 +35,7 @@ }; gc = { automatic = true; - options = "--delete-older-then 14d"; + options = "--delete-older-than 14d"; }; }; From 3e6830369c6ae6a2f2fbbb75b1a3ac8a52b6414c Mon Sep 17 00:00:00 2001 From: xengi Date: Fri, 5 Dec 2025 22:11:27 +0100 Subject: [PATCH 33/41] Update README.md Signed-off-by: xengi --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/README.md b/README.md index e608ad8..1169c52 100644 --- a/README.md +++ b/README.md @@ -11,12 +11,12 @@ Configure `berlin.ccc.de` web server to send federation traffic to the matrix se ```nginx server { hostname berlin.ccc.de; - location "/.well-known/matrix/server" { + location = /.well-known/matrix/server { default_type application/json; add_header Access-Control-Allow-Origin "*"; return 200 '{"m.server":"matrix.berlin.ccc.de:443"}'; } - location "/.well-known/matrix/client" { + location = /.well-known/matrix/client { default_type application/json; add_header Access-Control-Allow-Origin "*"; return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}'; From b5c58f9c5b1fc69e268362df81cd905914f4ca39 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:40:43 +0100 Subject: [PATCH 34/41] add node exporter --- flake.nix | 6 ++++++ services/prometheus.nix | 20 +++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 3c84b12..a0d506b 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,12 @@ in { formatter.${system} = pkgs.nixfmt-tree; + apps.${system}.connect = { + type = "app"; + program = "${pkgs.writeShellScript "connect.sh" '' + ${pkgs.openssh}/bin/ssh root@matrix.berlin.ccc.de -L 3000:[::1]:3000 -L 9090:[::1]:9090 -N + ''}"; + }; devShells.${system}.default = pkgs.mkShell { packages = [ (agenix.packages.${system}.default) diff --git a/services/prometheus.nix b/services/prometheus.nix index d70657c..8aed380 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { services.prometheus = { @@ -6,7 +6,10 @@ retentionTime = "14d"; listenAddress = "[::1]"; exporters = { - #node = {}; + node = { + enable = true; + listenAddress = services.prometheus.listenAddress; + }; #nginx = {}; #postgres = {}; }; 
@@ -16,10 +19,21 @@ scrape_interval = "15s"; static_configs = [ { - targets = [ "[::1]:9009" ]; + target = lib.pipe config.services.matrix-synapse.settings.listeners [ + (lib.filter (l: l.type == "metrics")) + builtins.head + (l: "[${l.listenAddress}]:${l.port}") + ]; } ]; } + { + job_name = "node"; + scrape_interval = "15s"; + static_configs = [ + { targets = [ "${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } ]; ruleFiles = [ # https://github.com/element-hq/synapse/tree/master/contrib/prometheus From d386a151ddef7a5192dd82f3ce20c1021913c3e2 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:41:37 +0100 Subject: [PATCH 35/41] fix --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/prometheus.nix b/services/prometheus.nix index 8aed380..1151bf6 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { services.prometheus = { From bb496bc2b507947a184f763ca0ec04ce75f0b958 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:42:09 +0100 Subject: [PATCH 36/41] fix --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/prometheus.nix b/services/prometheus.nix index 1151bf6..0e8343d 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -8,7 +8,7 @@ exporters = { node = { enable = true; - listenAddress = services.prometheus.listenAddress; + listenAddress = config.services.prometheus.listenAddress; }; #nginx = {}; #postgres = {}; From 8f8363a9b150a892642acc8dc60455ab3d0b23a4 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:43:06 +0100 Subject: [PATCH 37/41] typo --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
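Review bot: The synapse scrape target pipes the listener list straight through `builtins.head` and hard-codes IPv6 brackets around the address, so an empty metrics-listener list fails evaluation with an opaque list-index error and an IPv4 bind address (which the type allows) would produce an unparsable target such as `[127.0.0.1]:9009`; the same shape survives the follow-up fixes in patches 37–41, so this applies to those hunks as well. An explicit assertion gives the operator a readable message, and adding brackets only when the address contains a colon makes the target valid for either address family. The node job below works only because `exporters.node.listenAddress` inherits the already-bracketed `[::1]` from `services.prometheus.listenAddress`; a comment such as `# listenAddress already carries IPv6 brackets, so no extra bracketing here` would stop a future change to a plain address from breaking it. A rewrite of the synapse entry along these lines:
```nix
targets =
  let
    metricsListeners = lib.filter (l: l.type == "metrics") config.services.matrix-synapse.settings.listeners;
    listener =
      assert lib.assertMsg (metricsListeners != [ ]) "matrix-synapse: no metrics listener configured";
      builtins.head metricsListeners;
    addr = builtins.head listener.bind_addresses;
    # bracket only IPv6 literals; IPv4 targets must stay bare
    host = if lib.hasInfix ":" addr then "[${addr}]" else addr;
  in
  [ "${host}:${toString listener.port}" ];
# … unchanged: node job and ruleFiles …
```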
diff --git a/services/prometheus.nix b/services/prometheus.nix index 0e8343d..dc87004 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -22,7 +22,7 @@ target = lib.pipe config.services.matrix-synapse.settings.listeners [ (lib.filter (l: l.type == "metrics")) builtins.head - (l: "[${l.listenAddress}]:${l.port}") + (l: "[${l.bind_addresses}]:${l.port}") ]; } ]; From 6d5886c93d77cd13ab5b350efa28aacb6acb1200 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:45:50 +0100 Subject: [PATCH 38/41] typo --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/prometheus.nix b/services/prometheus.nix index dc87004..d7598d5 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -19,7 +19,7 @@ scrape_interval = "15s"; static_configs = [ { - target = lib.pipe config.services.matrix-synapse.settings.listeners [ + targets = lib.pipe config.services.matrix-synapse.settings.listeners [ (lib.filter (l: l.type == "metrics")) builtins.head (l: "[${l.bind_addresses}]:${l.port}") From 56821a155e7ff6599e875db6b306b548ed8ae564 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:47:58 +0100 Subject: [PATCH 39/41] ... --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/prometheus.nix b/services/prometheus.nix index d7598d5..f32e945 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -22,7 +22,7 @@ targets = lib.pipe config.services.matrix-synapse.settings.listeners [ (lib.filter (l: l.type == "metrics")) builtins.head - (l: "[${l.bind_addresses}]:${l.port}") + (l: "[${builtins.head l.bind_addresses}]:${l.port}") ]; } ]; From 404dba37bbad1dbb44b2c5cdca3d171f102e714a Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:49:03 +0100 Subject: [PATCH 40/41] ... --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/prometheus.nix b/services/prometheus.nix index f32e945..0a04a31 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -22,7 +22,7 @@ targets = lib.pipe config.services.matrix-synapse.settings.listeners [ (lib.filter (l: l.type == "metrics")) builtins.head - (l: "[${builtins.head l.bind_addresses}]:${l.port}") + (l: "[${builtins.head l.bind_addresses}]:${toString l.port}") ]; } ]; From 8adfe0b55c138817d355ad5aa3798c1dd0b802c9 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 23:50:04 +0100 Subject: [PATCH 41/41] ... --- services/prometheus.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/prometheus.nix b/services/prometheus.nix index 0a04a31..2c56280 100644 --- a/services/prometheus.nix +++ b/services/prometheus.nix @@ -22,7 +22,7 @@ targets = lib.pipe config.services.matrix-synapse.settings.listeners [ (lib.filter (l: l.type == "metrics")) builtins.head - (l: "[${builtins.head l.bind_addresses}]:${toString l.port}") + (l: [ "[${builtins.head l.bind_addresses}]:${toString l.port}" ]) ]; } ];