xengi/infra
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add hedgedoc config

Browse source
This commit is contained in:
XenGi 2026-02-01 00:26:41 +01:00
parent 41bc2bff69
commit a3a5cc794c
Signed by: xengi
SSH key fingerprint: SHA256:jxWM2RTHvxxcncXycwwWkP7HCWb4VREN05UGJTbIPZg
5 changed files with 212 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

12
README.md
View file

@ -62,10 +62,12 @@ rm -v delete_old_cluster.sh
# Tarball
```bash
nix build .#nixosConfigurations.matrix.config.system.build.image
nix build .#nixosConfigurations.<hostname>.config.system.build.image
```
# HTTP
# Matrix
## HTTP
Configure `berlin.ccc.de` web server to send federation traffic to the matrix server:
@ -85,7 +87,7 @@ server {
}
```
# DNS
## DNS
```dns
_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
@ -100,7 +102,7 @@ matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce8
matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
```
# Bots
## Bots
```bash
register_new_matrix_user \
@ -110,7 +112,7 @@ register_new_matrix_user \
--password <YOUR_PASSWORD>
```
# Draupnir
## Draupnir
Remove rate limit for account:

23
flake.nix
View file

@ -1,13 +1,11 @@
{
description = "Matrix server for CCCB";
description = "CCCB services";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
#flake-utils.url = "github:numtide/flake-utils";
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
};
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
@ -90,7 +88,9 @@
};
};
}
./configuration.nix
./hosts/matrix.nix
./services/openssh.nix
./services/nginx.nix
./services/postgres.nix
@ -102,6 +102,19 @@
./services/grafana.nix
];
};
nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
#system = "x86_64-linux";
#pkgs = import nixpkgs { inherit system; };
inherit system;
modules = [
agenix.nixosModules.default
{ environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
./hosts/hedgedoc.nix
./services/openssh.nix
];
};
};
#);
}

158
hosts/hedgedoc.nix Normal file
View file

@ -0,0 +1,158 @@
{
config,
modulesPath,
pkgs,
lib,
...
}:
{
imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
systemd.suppressedSystemUnits = [
"dev-mqueue.mount"
"sys-kernel-debug.mount"
"sys-fs-fuse-connections.mount"
];
nix = {
optimise = {
automatic = true;
dates = [ "11:00" ];
};
settings = {
auto-optimise-store = true;
sandbox = false;
# Allow remote updates
trusted-users = [
"root"
"@wheel"
];
experimental-features = [
"nix-command"
"flakes"
];
};
gc = {
automatic = true;
options = "--delete-older-than 14d";
};
};
nixpkgs.hostPlatform = "x86_64-linux";
environment.systemPackages = with pkgs; [
vim
git
];
proxmoxLXC = {
manageNetwork = false;
manageHostName = false;
privileged = false;
};
users.users.root = {
packages = with pkgs; [
kitty # for terminfo
fastfetch # for shits and giggles
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
];
};
networking = {
hostName = "hedgedoc";
domain = "berlin.ccc.de";
nameservers = [
"2606:4700:4700::1111#one.one.one.one"
"2620:fe::fe#dns.quad9.net"
"1.1.1.1#one.one.one.one"
"9.9.9.9#dns.quad9.net"
];
useDHCP = false;
useNetworkd = true;
dhcpcd.enable = false;
nftables.enable = true;
tempAddresses = "disabled";
firewall = {
enable = true;
allowedTCPPorts = [
22 # SSH
80 # HTTP/1
443 # HTTP/2
];
allowedUDPPorts = [
443 # HTTP/3
];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_GB.UTF-8";
console.font = "Lat2-Terminus16";
services = {
fstrim.enable = false; # Let Proxmox host handle fstrim
openssh.banner = ''
__ __ __
/\ \ /\ \ /\ \
\ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
\ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
\ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
\ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
\/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
/\____/
\_/__/
'';
# Cache DNS lookups to improve performance
resolved = {
enable = true;
dnssec = "allow-downgrade";
dnsovertls = "true";
extraConfig = ''
Cache=true
CacheFromLocalhost=true
'';
};
};
programs = {
mtr.enable = true;
vim = {
enable = true;
defaultEditor = true;
};
htop = {
enable = true;
};
tmux = {
enable = true;
terminal = "screen-256color";
shortcut = "a";
newSession = true;
clock24 = true;
};
ssh.startAgent = true;
};
security = {
acme = {
acceptTerms = true;
defaults = {
validMinDays = 14;
renewInterval = "daily";
email = "acme@xengi.de";
group = "nginx";
};
};
};
system.stateVersion = "25.11";
}

32
configuration.nix → hosts/matrix.nix
View file

@ -97,32 +97,20 @@
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
i18n.defaultLocale = "en_GB.UTF-8";
console.font = "Lat2-Terminus16";
services = {
fstrim.enable = false; # Let Proxmox host handle fstrim
openssh = {
enable = true;
settings = {
PermitEmptyPasswords = "no";
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
banner = ''
__ __
/\ \__ __ /\ \
___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
/' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> </ /\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
'';
};
sshguard = {
enable = true;
services = [ "sshd" ];
openssh.banner = ''
__ __
/\ \__ __ /\ \
___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
/' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
/\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/> </ /\ \__//\ \__//\ \__/\ \ \L\ \
\ \_\ \_\ \_\ \__/.\_\\ \__\\ \_\ \ \_\/\_/\_\ \ \____\ \____\ \____\\ \_,__/
\/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/
'';
};
# Cache DNS lookups to improve performance
resolved = {

19
services/openssh.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
services = {
openssh = {
enable = true;
settings = {
PermitEmptyPasswords = "no";
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
sshguard = {
enable = true;
services = [ "sshd" ];
};
};
}