tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

Compare commits

base: tlaternet:74f38614a0816dc5d45012042279615ba5405765
Branches Tags
tlaternet:master
tlaternet:tlater/authelia-attempt-3
tlaternet:tlater/coturn-disable
tlaternet:tlater/authelia-2
tlaternet:tlater/crowdsec-whitelists
tlaternet:tlater/authelia
..
compare: tlaternet:b7feffc52f25f75af8b20c7c0212475df028e983
Branches Tags
tlaternet:tlater/authelia-attempt-3
tlaternet:master
tlaternet:tlater/coturn-disable
tlaternet:tlater/authelia-2
tlaternet:tlater/crowdsec-whitelists
tlaternet:tlater/authelia

No commits in common. "74f38614a0816dc5d45012042279615ba5405765" and "b7feffc52f25f75af8b20c7c0212475df028e983" have entirely different histories.
74f38614a0 ... b7feffc52f

8 changed files with 35 additions and 136 deletions
Download patch file Download diff file Expand all files Collapse all files

4
configuration/default.nix
View file

@ -3,13 +3,9 @@
pkgs, pkgs,
lib, lib,
modulesPath, modulesPath,
flake-inputs,
... ...
}: { }: {
imports = [ imports = [
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
"${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/minimal.nix" "${modulesPath}/profiles/minimal.nix"
(import ../modules) (import ../modules)

84
configuration/services/conduit.nix
View file

@ -1,8 +1,6 @@
{ {
pkgs,
config, config,
lib, lib,
flake-inputs,
... ...
}: let }: let
inherit (lib.strings) concatMapStringsSep; inherit (lib.strings) concatMapStringsSep;
@ -13,7 +11,6 @@
in { in {
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit;
settings.global = { settings.global = {
address = "127.0.0.1"; address = "127.0.0.1";
server_name = domain; server_name = domain;
@ -31,87 +28,6 @@ in {
}; };
}; };
systemd.services.heisenbridge = let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
id = "heisenbridge";
url = "http://127.0.0.1:9898";
as_token = "@AS_TOKEN@";
hs_token = "@HS_TOKEN@";
rate_limited = false;
sender_localpart = "heisenbridge";
namespaces = {
users = [
{
regex = "@irc_.*";
exclusive = true;
}
{
regex = "@heisenbridge:.*";
exclusive = true;
}
];
aliases = [];
rooms = [];
};
});
# TODO(tlater): Starting with systemd 253 it will become possible
# to do the credential setup as part of ExecStartPre/preStart
# instead.
#
# This will also make it possible to actually set caps on the
# heisenbridge process using systemd, so that we can run the
# identd process.
execScript = pkgs.writeShellScript "heisenbridge" ''
cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
${pkgs.heisenbridge}/bin/heisenbridge \
--config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
--owner @tlater:matrix.tlater.net \
'http://localhost:${toString cfg.settings.global.port}'
'';
in {
description = "Matrix<->IRC bridge";
wantedBy = ["multi-user.target"];
after = ["conduit.service"];
serviceConfig = {
Type = "simple";
LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
ExecStart = execScript;
DynamicUser = true;
RuntimeDirectory = "heisenbridge";
RuntimeDirectoryMode = "0700";
RestrictNamespaces = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_INET AF_INET6"];
LockPersonality = true;
RestrictRealtime = true;
ProtectProc = "invisible";
ProcSubset = "pid";
UMask = 0077;
# For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
# AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
};
};
# Pass in the TURN secret via EnvironmentFile, not supported by # Pass in the TURN secret via EnvironmentFile, not supported by
# upstream module currently. # upstream module currently.
# #

2
configuration/sops.nix
View file

@ -6,8 +6,6 @@
group = "nextcloud"; group = "nextcloud";
}; };
secrets."steam/tlater" = {}; secrets."steam/tlater" = {};
secrets."heisenbridge/as-token" = {};
secrets."heisenbridge/hs-token" = {};
secrets."turn/env" = {}; secrets."turn/env" = {};
secrets."turn/secret" = { secrets."turn/secret" = {
owner = "turnserver"; owner = "turnserver";

17
flake.lock generated
View file

@ -378,22 +378,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": {
"locked": {
"lastModified": 1677342105,
"narHash": "sha256-kv1fpkfCJGb0M+LZaCHFUuIS9kRIwyVgupHu86Y28nc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b1f87ca164a9684404c8829b851c3586c4d9f089",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1673345971, "lastModified": 1673345971,
@ -495,7 +479,6 @@
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"nvfetcher": "nvfetcher", "nvfetcher": "nvfetcher",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"tlaternet-webserver": "tlaternet-webserver" "tlaternet-webserver": "tlaternet-webserver"

28
flake.nix
View file

@ -3,7 +3,6 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
sops-nix = { sops-nix = {
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
@ -25,8 +24,8 @@
sops-nix, sops-nix,
nvfetcher, nvfetcher,
deploy-rs, deploy-rs,
... tlaternet-webserver,
} @ inputs: let }: let
system = "x86_64-linux"; system = "x86_64-linux";
in { in {
################## ##################
@ -34,14 +33,9 @@
################## ##################
nixosConfigurations = { nixosConfigurations = {
# The actual system definition # The actual system definition
tlaternet = nixpkgs.lib.nixosSystem { tlaternet = self.lib.makeNixosSystem {
inherit system; inherit system;
specialArgs.flake-inputs = inputs; extraModules = [(import ./configuration/hardware-specific/linode)];
modules = [
./configuration
./configuration/hardware-specific/linode
];
}; };
}; };
@ -69,21 +63,19 @@
#################### ####################
# Helper functions # # Helper functions #
#################### ####################
lib = import ./lib {inherit (nixpkgs) lib;}; lib = import ./lib {
inherit nixpkgs sops-nix tlaternet-webserver;
lib = nixpkgs.lib;
};
################### ###################
# Utility scripts # # Utility scripts #
################### ###################
packages.${system} = let packages.${system} = let
inherit (nixpkgs.legacyPackages.${system}) writeShellScript; inherit (nixpkgs.legacyPackages.${system}) writeShellScript;
vm = nixpkgs.lib.nixosSystem { vm = self.lib.makeNixosSystem {
inherit system; inherit system;
specialArgs.flake-inputs = inputs; extraModules = [(import ./configuration/hardware-specific/vm.nix)];
modules = [
./configuration
./configuration/hardware-specific/vm.nix
];
}; };
in { in {
default = vm.config.system.build.vm; default = vm.config.system.build.vm;

7
keys/production.yaml
View file

@ -2,9 +2,6 @@ nextcloud:
tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str] tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str]
steam: steam:
tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str] tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str]
heisenbridge:
as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
turn: turn:
env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
@ -17,8 +14,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-02-21T10:51:11Z" lastmodified: "2022-11-05T18:45:55Z"
mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str] mac: ENC[AES256_GCM,data:xPCfjqVkewEqrUjHroXa9RGHITntVj2uGPaRZfj0lqTUPFG6GQDn3Yq6L6cV3EPOYQ4OedJlaVXy05OHkzZwjYEbBQVGQ0aH/ZOP7X301eebBX5MvHLFU4mcnjMITWGH/E7SXz3pPF75s9eM/onx374PcQt6zevbBF+Jp0Fz71I=,iv:84JL69nF3ougygMAVFOoTaCn37thvm4lF6HYdgTiftg=,tag:ATQ18acehgUAE/dX+vYugQ==,type:str]
pgp: pgp:
- created_at: "2022-10-12T00:46:51Z" - created_at: "2022-10-12T00:46:51Z"
enc: | enc: |

7
keys/staging.yaml
View file

@ -2,9 +2,6 @@ nextcloud:
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str] tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
steam: steam:
tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str] tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str]
heisenbridge:
as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
turn: turn:
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
@ -17,8 +14,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-02-21T08:32:04Z" lastmodified: "2023-01-11T01:49:31Z"
mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str] mac: ENC[AES256_GCM,data:5IcHdNQ/mh6Jz60dlpgqbBtVGKYml4EOs7YXsBcejgAoPzZqEK+xb3f9+rq2G6sCcMXzROHJsdQUfp1wMgfp8DwVm4H+XO+SQh/E1kFuWO8G/IpXOT4P9RQC+wHxrVuxHd8pwl9CLv6uuMnO+FNg9TeWB2GAVxIBsY8JHwGN/BA=,iv:/Yqfij58LGNooyyhmr8aWCpknd4dN+b4iSvokVoDGls=,tag:XHm8Qcg75B1+pTOcgZubIQ==,type:str]
pgp: pgp:
- created_at: "2022-10-12T16:48:23Z" - created_at: "2022-10-12T16:48:23Z"
enc: | enc: |

22
lib/default.nix
View file

@ -1,4 +1,9 @@
{lib}: let {
lib,
nixpkgs,
sops-nix,
tlaternet-webserver,
}: let
inherit (lib.attrsets) mapAttrsToList; inherit (lib.attrsets) mapAttrsToList;
inherit (lib.strings) concatStringsSep; inherit (lib.strings) concatStringsSep;
in { in {
@ -7,4 +12,19 @@ in {
(mapAttrsToList (mapAttrsToList
(host: vm: "hostfwd=::${host}-:${vm}") (host: vm: "hostfwd=::${host}-:${vm}")
portMapping); portMapping);
makeNixosSystem = {
system,
extraModules,
}:
nixpkgs.lib.nixosSystem {
inherit system;
modules =
[
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
(import ../configuration)
]
++ extraModules;
};
} }