From bb397841eee0986be2b2e0949be83d28f9958d3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 26 Feb 2023 05:44:54 +0000 Subject: [PATCH 1/3] refactoring: Use flake-inputs instead of awkwardly passing through --- configuration/default.nix | 4 ++++ flake.nix | 27 +++++++++++++++++---------- lib/default.nix | 22 +--------------------- 3 files changed, 22 insertions(+), 31 deletions(-) diff --git a/configuration/default.nix b/configuration/default.nix index d090cef..2a4ce63 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -3,9 +3,13 @@ pkgs, lib, modulesPath, + flake-inputs, ... }: { imports = [ + flake-inputs.sops-nix.nixosModules.sops + flake-inputs.tlaternet-webserver.nixosModules.default + "${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/minimal.nix" (import ../modules) diff --git a/flake.nix b/flake.nix index 2aa6c0b..ec8a157 100644 --- a/flake.nix +++ b/flake.nix @@ -24,8 +24,8 @@ sops-nix, nvfetcher, deploy-rs, - tlaternet-webserver, - }: let + ... + } @ inputs: let system = "x86_64-linux"; in { ################## @@ -33,9 +33,14 @@ ################## nixosConfigurations = { # The actual system definition - tlaternet = self.lib.makeNixosSystem { + tlaternet = nixpkgs.lib.nixosSystem { inherit system; - extraModules = [(import ./configuration/hardware-specific/linode)]; + specialArgs.flake-inputs = inputs; + + modules = [ + ./configuration + ./configuration/hardware-specific/linode + ]; }; }; 
@@ -63,19 +68,21 @@ #################### # Helper functions # #################### - lib = import ./lib { - inherit nixpkgs sops-nix tlaternet-webserver; - lib = nixpkgs.lib; - }; + lib = import ./lib {inherit (nixpkgs) lib;}; ################### # Utility scripts # ################### packages.${system} = let inherit (nixpkgs.legacyPackages.${system}) writeShellScript; - vm = self.lib.makeNixosSystem { + vm = nixpkgs.lib.nixosSystem { inherit system; - extraModules = [(import ./configuration/hardware-specific/vm.nix)]; + specialArgs.flake-inputs = inputs; + + modules = [ + ./configuration + ./configuration/hardware-specific/vm.nix + ]; }; in { default = vm.config.system.build.vm; diff --git a/lib/default.nix b/lib/default.nix index 5f6b68f..20d874d 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,9 +1,4 @@ -{ - lib, - nixpkgs, - sops-nix, - tlaternet-webserver, -}: let +{lib}: let inherit (lib.attrsets) mapAttrsToList; inherit (lib.strings) concatStringsSep; in { @@ -12,19 +7,4 @@ in { (mapAttrsToList (host: vm: "hostfwd=::${host}-:${vm}") portMapping); - - makeNixosSystem = { - system, - extraModules, - }: - nixpkgs.lib.nixosSystem { - inherit system; - modules = - [ - sops-nix.nixosModules.sops - tlaternet-webserver.nixosModules.default - (import ../configuration) - ] - ++ extraModules; - }; } -- 2.50.1 From 33ec32a8da2fc55a9459eb3a8f1a1196e5da68de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 26 Feb 2023 05:46:11 +0000 Subject: [PATCH 2/3] conduit: Update to 0.5.0 --- configuration/services/conduit.nix | 2 ++ flake.lock | 17 +++++++++++++++++ flake.nix | 1 + 3 files changed, 20 insertions(+) diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix index 6da82da..bf63305 100644 --- a/configuration/services/conduit.nix +++ b/configuration/services/conduit.nix @@ -1,6 +1,7 @@ { config, lib, + flake-inputs, ... }: let inherit (lib.strings) concatMapStringsSep; 
@@ -11,6 +12,7 @@ in { services.matrix-conduit = { enable = true; + package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit; settings.global = { address = "127.0.0.1"; server_name = domain; diff --git a/flake.lock b/flake.lock index e156a33..5793ce8 100644 --- a/flake.lock +++ b/flake.lock @@ -378,6 +378,22 @@ "type": "github" } }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1677342105, + "narHash": "sha256-kv1fpkfCJGb0M+LZaCHFUuIS9kRIwyVgupHu86Y28nc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b1f87ca164a9684404c8829b851c3586c4d9f089", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1673345971, @@ -479,6 +495,7 @@ "inputs": { "deploy-rs": "deploy-rs", "nixpkgs": "nixpkgs_2", + "nixpkgs-unstable": "nixpkgs-unstable", "nvfetcher": "nvfetcher", "sops-nix": "sops-nix", "tlaternet-webserver": "tlaternet-webserver" diff --git a/flake.nix b/flake.nix index ec8a157..3f3865c 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; sops-nix = { url = "github:Mic92/sops-nix"; -- 2.50.1 From 74f38614a0816dc5d45012042279615ba5405765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Thu, 23 Feb 2023 09:08:56 +0000 Subject: [PATCH 3/3] matrix: Add heisenbridge --- configuration/services/conduit.nix | 82 ++++++++++++++++++++++++++++++ configuration/sops.nix | 2 + keys/production.yaml | 7 ++- keys/staging.yaml | 7 ++- 4 files changed, 94 insertions(+), 4 deletions(-) diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix index bf63305..871b5e2 100644 --- a/configuration/services/conduit.nix +++ b/configuration/services/conduit.nix 
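Review bot: `pkgs` is not bound in this module at this commit — the argument set at the top of the file is `{ config, lib, flake-inputs, ... }` and `pkgs,` is only added in patch 3/3 — so `package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.matrix-conduit;` fails to evaluate here unless the `let` block (outside this hunk) happens to bind it, which breaks bisecting between 2/3 and 3/3. Fold the `pkgs,` argument into this commit, or avoid the name with `package = flake-inputs.nixpkgs-unstable.legacyPackages.${config.nixpkgs.system}.matrix-conduit;`. The override is pinned by flake.lock, so it is reproducible, but it silently puts conduit on a different update channel than the rest of this nixos-22.11 host; a comment would make the intent and the exit condition visible: `# conduit 0.5.0 is not in nixos-22.11; drop this override once it lands there`. The enclosing `services.matrix-conduit` attrset continues past the hunk.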
@@ -1,4 +1,5 @@
 {
+  pkgs,
   config,
   lib,
   flake-inputs,
@@ -30,6 +31,87 @@ in { }; }; + systemd.services.heisenbridge = let + replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; + registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON { + id = "heisenbridge"; + url = "http://127.0.0.1:9898"; + as_token = "@AS_TOKEN@"; + hs_token = "@HS_TOKEN@"; + rate_limited = false; + sender_localpart = "heisenbridge"; + namespaces = { + users = [ + { + regex = "@irc_.*"; + exclusive = true; + } + { + regex = "@heisenbridge:.*"; + exclusive = true; + } + ]; + aliases = []; + rooms = []; + }; + }); + + # TODO(tlater): Starting with systemd 253 it will become possible + # to do the credential setup as part of ExecStartPre/preStart + # instead. + # + # This will also make it possible to actually set caps on the + # heisenbridge process using systemd, so that we can run the + # identd process. + execScript = pkgs.writeShellScript "heisenbridge" '' + cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml" + chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml + ${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml" + ${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml" + chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml + + ${pkgs.heisenbridge}/bin/heisenbridge \ + --config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \ + --owner @tlater:matrix.tlater.net \ + 'http://localhost:${toString cfg.settings.global.port}' + ''; + in { + description = "Matrix<->IRC bridge"; + wantedBy = ["multi-user.target"]; + after = ["conduit.service"]; + + serviceConfig = { + Type = "simple"; + + LoadCredential = "heisenbridge:/run/secrets/heisenbridge"; + + ExecStart = execScript; + + DynamicUser = true; + RuntimeDirectory = "heisenbridge"; + RuntimeDirectoryMode = "0700"; + + RestrictNamespaces = true; + PrivateUsers = true; 
+ ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = ["AF_INET AF_INET6"]; + LockPersonality = true; + RestrictRealtime = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + UMask = 0077; + + # For the identd port + # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; + # AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + }; + }; + # Pass in the TURN secret via EnvironmentFile, not supported by # upstream module currently. # diff --git a/configuration/sops.nix b/configuration/sops.nix index 21613b2..d02b3f0 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -6,6 +6,8 @@ group = "nextcloud"; }; secrets."steam/tlater" = {}; + secrets."heisenbridge/as-token" = {}; + secrets."heisenbridge/hs-token" = {}; secrets."turn/env" = {}; secrets."turn/secret" = { owner = "turnserver"; diff --git a/keys/production.yaml b/keys/production.yaml index 6bc16ad..666b893 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
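Review bot: The heisenbridge `serviceConfig` (hunk begins on the previous line, inside the `in { … }` attrset that starts outside it) applies a good set of namespace/proc protections but no syscall filter, device isolation or explicit capability bounding, which is what usually limits a compromised bridge process that talks to arbitrary IRC servers; `DynamicUser` per systemd.exec(5) implies `NoNewPrivileges`, `ProtectSystem=strict`, `PrivateTmp` and `RestrictSUIDSGID`, but not those. `RestrictAddressFamilies = ["AF_INET AF_INET6"];` also works only because systemd splits the single rendered value on whitespace; the idiomatic form is two list elements. Two smaller consistency points: conduit binds `address = "127.0.0.1"` (earlier in this file) while heisenbridge is pointed at `http://localhost:…`, which may resolve to `::1` first, and `--owner @tlater:matrix.tlater.net` hard-codes the server name that `server_name = domain;` already carries, so `--owner "@tlater:${domain}"` keeps staging and production from diverging if `domain` is that binding. The suggested additions are below; keep `CapabilityBoundingSet` empty until the identd port actually needs `CAP_NET_BIND_SERVICE`.
```nix
      # … unchanged: replaceSecretBin / registrationFile / credential setup …
        ${pkgs.heisenbridge}/bin/heisenbridge \
          --config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
          --owner "@tlater:${domain}" \
          'http://127.0.0.1:${toString cfg.settings.global.port}'
      '';
      # … unchanged: description / wantedBy / after …
      serviceConfig = {
        # … unchanged: Type, LoadCredential, ExecStart, DynamicUser, RuntimeDirectory* …
        RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
        CapabilityBoundingSet = "";
        PrivateDevices = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service" "~@privileged"];
        # … unchanged: remaining Protect*/Lock*/Restrict*/UMask settings …
      };
```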
@@ -2,6 +2,9 @@ nextcloud: tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str] steam: tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str] +heisenbridge: + as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str] + hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str] turn: env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] @@ -14,8 +17,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-11-05T18:45:55Z" - mac: ENC[AES256_GCM,data:xPCfjqVkewEqrUjHroXa9RGHITntVj2uGPaRZfj0lqTUPFG6GQDn3Yq6L6cV3EPOYQ4OedJlaVXy05OHkzZwjYEbBQVGQ0aH/ZOP7X301eebBX5MvHLFU4mcnjMITWGH/E7SXz3pPF75s9eM/onx374PcQt6zevbBF+Jp0Fz71I=,iv:84JL69nF3ougygMAVFOoTaCn37thvm4lF6HYdgTiftg=,tag:ATQ18acehgUAE/dX+vYugQ==,type:str] + lastmodified: "2023-02-21T10:51:11Z" + mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str] pgp: - created_at: "2022-10-12T00:46:51Z" enc: | 
diff --git a/keys/staging.yaml b/keys/staging.yaml index 069a405..41e20ac 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml @@ -2,6 +2,9 @@ nextcloud: tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str] steam: tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str] +heisenbridge: + as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str] + hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str] turn: env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] @@ -14,8 +17,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-01-11T01:49:31Z" - mac: ENC[AES256_GCM,data:5IcHdNQ/mh6Jz60dlpgqbBtVGKYml4EOs7YXsBcejgAoPzZqEK+xb3f9+rq2G6sCcMXzROHJsdQUfp1wMgfp8DwVm4H+XO+SQh/E1kFuWO8G/IpXOT4P9RQC+wHxrVuxHd8pwl9CLv6uuMnO+FNg9TeWB2GAVxIBsY8JHwGN/BA=,iv:/Yqfij58LGNooyyhmr8aWCpknd4dN+b4iSvokVoDGls=,tag:XHm8Qcg75B1+pTOcgZubIQ==,type:str] + lastmodified: "2023-02-21T08:32:04Z" + mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str] pgp: - created_at: "2022-10-12T16:48:23Z" enc: | -- 2.50.1