Merge branch 'main' of ssh://git.berlin.ccc.de/cccb/matrix

README.md

@@ -11,12 +11,12 @@ Configure `berlin.ccc.de` web server to send federation traffic to the matrix se
 ```nginx
 server {
   hostname berlin.ccc.de;
-  location "/.well-known/matrix/server" {
+  location = /.well-known/matrix/server {
     default_type application/json;
     add_header Access-Control-Allow-Origin "*";
     return 200 '{"m.server":"matrix.berlin.ccc.de:443"}';
   }
-  location "/.well-known/matrix/client" {
+  location = /.well-known/matrix/client {
     default_type application/json;
     add_header Access-Control-Allow-Origin "*";
     return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}';

configuration.nix

@@ -35,7 +35,7 @@
     };
     gc = {
       automatic = true;
-      options = "--delete-older-then 14d";
+      options = "--delete-older-than 14d";
     };
   };
 
@@ -56,7 +56,6 @@
     packages = with pkgs; [
       kitty # for terminfo
       fastfetch # for shits and giggles
-      tmux
     ];
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
@@ -147,6 +146,13 @@
     htop = {
       enable = true;
     };
+    tmux = {
+      enable = true;
+      terminal = "screen-256color";
+      shortcut = "a";
+      newSession = true;
+      clock24 = true;
+    };
     ssh.startAgent = true;
   };
 

flake.nix

@@ -25,6 +25,12 @@
     in
     {
       formatter.${system} = pkgs.nixfmt-tree;
+      apps.${system}.connect = {
+        type = "app";
+        program = "${pkgs.writeShellScript "connect.sh" ''
+          ${pkgs.openssh}/bin/ssh root@matrix.berlin.ccc.de -L 3000:[::1]:3000 -L 9090:[::1]:9090 -N
+        ''}";
+      };
       devShells.${system}.default = pkgs.mkShell {
         packages = [
           (agenix.packages.${system}.default)
@@ -64,6 +70,12 @@
                 owner = "matrix-synapse";
                 group = "matrix-synapse";
               };
+              draupnir_access_token = {
+                file = ./secrets/draupnir_access_token.age;
+                mode = "440";
+                owner = "draupnir";
+                group = "draupnir";
+              };              
               grafana_secret_key = {
                 file = ./secrets/grafana_secret_key.age;
                 mode = "440";

secrets/draupnir_access_token.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 uH+n1w 2hSmjOu7GxDfquW1HiyHi2Yyew1tnZqiFIxaeUhJymg
+LqD/39jT1v7JjpgiiOwpHxrZvSIpmlEytBln+M6eL5I
+-> ssh-ed25519 EvLbWw xaOrlq5mgR3i7XvE704FDt/0nhyb5GTOrps7S5LUIH8
+Va1xSbYhkwWJHSvL0QLIOrI0FHI+QxWYtU2VHlZbOCg
+-> ssh-ed25519 dM+fLQ zqeBwPAbTMmDb3wgrlJQEtwV+1qQTLXpNc17zJt/BxU
+i6FiCoPLYJ4bYPTLYO4WJwoOG9d/sJtr4vOuJ/xL9CY
+-> ssh-ed25519 jxWM2Q R0GsQt6HBODYIV/hhNTqyFbQYEgiSTzjNdSA83EyVQg
+Ud+hSYBNXGq0J0GkJJ+Z0aCtwv+nE8Z9BT+YcJ50e10
+-> ssh-ed25519 /yCUCg 46LBDK2i8Ra3FMYjPOXBKyyATWOjs5giuvs6xKZEvxo
+3Ed22P9nimNYR81tiugg+TtNw/iHxIAGiTy7VNzCSqQ
+-> ssh-ed25519 FGp51g 6xSucs4pAWiRpxJOE2hc+0poWbbqfkSoyPXnCFv73TM
+xUx/7VuLnGjnqDK3V9vZRBFi6IUb2N70KtTRPahEg60
+-> ssh-ed25519 yoCmaA +DAPosKueugYv9XVTiOidCgPjauoIqlZVQeprxZjwFU
+uhPNEu4nLw5v7E6ce6PWmlk+OZXt998eUQVY8A9kSp4
+--- bsh1fZUWEACxlxqk+VQQUzo7T4SunVJ67EC066G7Br4
+
<0A>—øHm&„èÈYÓ<59>«Ûà«ÌG•EÈÞ¸JÛôÁJgûèß6k”¼/0[“gâSë!½C¼íiL;†<>Ö»!¾I˜=‚

secrets/secrets.nix

@@ -17,6 +17,8 @@ let
   _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
 in
 {
+  "matrix_admin_password.age".publicKeys = users;
+  "draupnir_access_token.age".publicKeys = users ++ [ _matrix ];
   "matrix_signing_key.age".publicKeys = users ++ [ _matrix ];
   "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ];
   "pushover_app_token.age".publicKeys = users ++ [ _matrix ];

services/draupnir.nix

@@ -2,7 +2,7 @@
 
 {
   services.draupnir = {
-    enable = false;
+    enable = true;
     settings = {
       homeserverUrl = "https://matrix.berlin.ccc.de";
       managementRoom = "!ZYWNuaQBkkenNklCSm:matrix.org"; # #cccb-moderators:berlin.ccc.de

services/prometheus.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   services.prometheus = {
@@ -6,8 +6,14 @@
     retentionTime = "14d";
     listenAddress = "[::1]";
     exporters = {
-      #node = {};
-      #nginx = {};
+      node = {
+        enable = true;
+        listenAddress = config.services.prometheus.listenAddress;
+      };
+      nginx = {
+        enable = true;
+        listenAddress = config.services.prometheus.listenAddress;
+      };
       #postgres = {};
     };
     scrapeConfigs = [
@@ -16,10 +22,28 @@
         scrape_interval = "15s";
         static_configs = [
           {
-            targets = [ "[::1]:9009" ];
+            targets = lib.pipe config.services.matrix-synapse.settings.listeners [
+              (lib.filter (l: l.type == "metrics"))
+              builtins.head
+              (l: [ "[${builtins.head l.bind_addresses}]:${toString l.port}" ])
+            ];
           }
         ];
       }
+      {
+        job_name = "node";
+        scrape_interval = "15s";
+        static_configs = [
+          { targets = [ "${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}" ]; }
+        ];
+      }
+      {
+        job_name = "nginx";
+        scrape_interval = "15s";
+        static_configs = [
+          { targets = [ "${config.services.prometheus.exporters.nginx.listenAddress}:${toString config.services.prometheus.exporters.nginx.port}" ]; }
+        ];
+      }
     ];
     ruleFiles = [
       # https://github.com/element-hq/synapse/tree/master/contrib/prometheus