diff --git a/configuration.nix b/configuration.nix index 9b5c0a6..6ee88b4 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,5 +1,6 @@ { config, pkgs, lib, ... }: +<<<<<<< HEAD { imports = [ ./modules/modules.nix 
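Review bot: The new side adds `+<<<<<<< HEAD` as the third line of configuration.nix — an unresolved merge-conflict marker, and the same `<<<<<<<` / `=======` / `>>>>>>> 5bee5ad…` markers recur in every file in this diff — so the result does not parse and `nixos-rebuild` cannot evaluate any of it. The conflict has to be resolved (choosing between the HEAD design that reads domains from runtime files and the `personalization.nix` design, rather than keeping both) before any of the settings below can take effect. The `imports` list this hunk opens is closed outside the hunk.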
@@ -71,11 +72,107 @@ # ── Flatpak ──────────────────────────────────────────────── services.flatpak.enable = true; +======= + +let + personalization = import ./modules/personalization.nix; +in + +{ + + imports = + + [ + + ./modules/modules.nix + + ]; + + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + boot.kernelPackages = pkgs.linuxPackages_latest; + + # Enable Automount without Fail for Internal Drive. + fileSystems."/run/media/Second_Drive" = { + device = "LABEL=BTCEcoandBackup"; + fsType = "ext4"; + options = [ "nofail" ]; + }; + + fileSystems."/boot/efi".options = [ "umask=0077" "defaults" ]; + + nix.settings = { + + experimental-features = [ "nix-command" "flakes" ]; + download-buffer-size = 524288000; + + }; + + networking.hostName = "nixos"; # Define your hostname. + + # Enable networking + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/Los_Angeles"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # Enable the GNOME Desktop Environment. + services.displayManager.gdm.enable = true; + services.desktopManager.gnome.enable = true; + + # Configure keymap in X11 + services.xserver.xkb = { + layout = "us"; + variant = ""; + }; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Systemd Settings + systemd.enableEmergencyMode = false; + + # Enable sound with pipewire. + services.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + + users.users = { + free = { + isNormalUser = true; + description = "free"; + extraGroups = [ "networkmanager" ]; + }; + }; + + # Enable automatic login for the user. 
+ services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = "free"; + + # Allow Flatpak + services.flatpak.enable = true; + +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 systemd.services.flatpak-repo = { wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; path = [ pkgs.flatpak ]; +<<<<<<< HEAD script = '' flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo ''; 
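Review bot: The new side enables `services.displayManager.autoLogin.enable = true` for user `free` on a host that, per the rest of this diff, runs Vaultwarden, Synapse and BTCPay and keeps the agenix identity under `/root/.ssh/agenix/`; anyone with console or physical access gets a logged-in GNOME session without presenting a credential. If the machine is meant to be headless (the later `KEEP AWAKE for DISPLAY and HEADLESS` section suggests it may be), `services.displayManager.autoLogin.enable = false;` costs nothing. Otherwise the decision deserves a comment beside it explaining why unattended console access is acceptable here. The `systemd.services.flatpak-repo` definition starts in this hunk and ends in the next.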
@@ -140,6 +237,222 @@ services.rsnapshot = { enable = true; extraConfig = '' +======= + script = '' + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ''; + }; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + nixpkgs.config.permittedInsecurePackages = [ + + "jitsi-meet-1.0.8043" + ]; + + # List packages installed + environment.systemPackages = with pkgs; [ + git + wget + fish + htop + btop + gnomeExtensions.transparent-top-bar-adjustable-transparency + gnomeExtensions.systemd-manager + gnomeExtensions.dash-to-dock + gnomeExtensions.vitals + gnomeExtensions.pop-shell + gnomeExtensions.just-perfection + gnomeExtensions.appindicator + gnomeExtensions.date-menu-formatter + gnome-tweaks + papirus-icon-theme + ranger + fastfetch + gedit + matrix-synapse + openssl + pwgen + aspell + aspellDicts.en + lm_sensors + hunspell + hunspellDicts.en_US + synadm + brave + dua + bitwarden-desktop + gparted + pv + unzip + parted + screen + zenity + libargon2 + gnome-terminal + libreoffice-fresh + dig + firefox + element-desktop + wp-cli + axel + lk-jwt-service + livekit-libwebrtc + livekit-cli + livekit + ]; + + programs.nixvim = { + enable = true; + colorschemes.catppuccin.enable = true; + plugins.lualine.enable = true; + }; + + + programs.bash.promptInit = "fish"; + + programs.fish = { + enable = true; + promptInit = "fastfetch"; + }; + + ####### CADDY ####### + services.caddy = { + enable = true; + user = "caddy"; + group = "root"; + email = "${personalization.caddy_email_for_acme}"; + + virtualHosts = { + "${personalization.wordpress_url}" = { + extraConfig = '' + encode gzip zstd + root * /var/lib/www/wordpress + php_fastcgi unix//run/phpfpm/mypool.sock + file_server browse + ''; + }; + + "${personalization.nextcloud_url}" = { + extraConfig = '' + encode gzip zstd + root * /var/lib/www/nextcloud + php_fastcgi unix//run/phpfpm/mypool.sock { + trusted_proxies private_ranges + } + file_server + redir /.well-known/carddav 
/remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + header { + Strict-Transport-Security max-age=31536000; + } + ''; + }; + + "${personalization.matrix_url}" = { + extraConfig = '' + reverse_proxy /_matrix/* http://localhost:8008 + reverse_proxy /_synapse/client/* http://localhost:8008 + ''; + }; + + "${personalization.matrix_url}:8448" = { + extraConfig = '' + reverse_proxy http://localhost:8008 + ''; + }; + + "${personalization.btcpayserver_url}" = { + extraConfig = '' + reverse_proxy http://localhost:23000 + encode gzip zstd + ''; + }; + + "https://${personalization.vaultwarden_url}" = { + extraConfig = '' + reverse_proxy http://localhost:8777 + encode gzip zstd + ''; + }; + + ":3051" = { + extraConfig = '' + reverse_proxy :3050 + encode gzip zstd + ''; + }; + }; + }; + + ###### AGENIX ###### + age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ]; + + age.secrets.matrix_reg_secret = { + + file = /var/lib/agenix-secrets/matrix_reg_secret.age; + mode = "770"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + + }; + + ###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) ####### + services.postgresql = { + enable = true; + }; + + + services.postgresql.authentication = lib.mkForce '' + # Generated file; do not edit! 
+ # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; + + + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + + + services.postgresql.initialScript = pkgs.writeText "begin-init.sql" '' + CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb}'; + CREATE DATABASE "nextclouddb" WITH OWNER "ncusr" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + + + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrixdb}'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + + '' + ; + + services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" '' + CREATE DATABASE wordpressdb; + CREATE USER 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb}'; + GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost'; + FLUSH PRIVILEGES; + '' + ; + + ####### KEEP AWAKE for DISPLAY and HEADLESS ####### + services.displayManager.gdm.autoSuspend = false; + + + ####### BACKUP TO INTERNAL DRIVE ####### + services.rsnapshot = { + enable = true; + extraConfig = '' +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup retain hourly 5 retain daily 5 @@ -147,6 +460,7 @@ backup /home/ localhost/ backup /var/lib/ localhost/ backup /etc/nixos/ localhost/ backup /etc/nix-bitcoin-secrets/ localhost/ +<<<<<<< HEAD ''; cronIntervals = { daily = "50 21 * * *"; 
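Review bot: `services.postgresql.authentication` is forced to `trust` for `local all all`, `127.0.0.1/32` and `::1/128`, so any local process — including php-fpm serving the public WordPress and Nextcloud vhosts — can connect as any role, `postgres` included, with no password, and the `CREATE ROLE … PASSWORD` statements below are never enforced. Use `scram-sha-256` on all three lines, e.g. `host all all 127.0.0.1/32 scram-sha-256`, and drop the `lib.mkForce` so the NixOS defaults are extended rather than replaced. Separately, `${personalization.nextclouddb}`, `${personalization.matrixdb}` and `${personalization.wordpressdb}` are interpolated into `pkgs.writeText`, which places the database passwords in the world-readable Nix store; the init scripts should read them from a runtime file (agenix is already used in this file). `age.secrets.matrix_reg_secret.mode = "770"` also sets the execute bit on a secret that the synapse user only reads — `mode = "0440";` is enough — and `file_server browse` on the WordPress root enables directory listings for anonymous visitors.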
@@ -188,4 +502,83 @@ backup /etc/nix-bitcoin-secrets/ localhost/ nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; }; system.stateVersion = "22.05"; +======= + ''; + cronIntervals = { + daily = "50 21 * * *"; + hourly = "0 * * * *"; + }; + }; + + + ####### CRON ####### + services.cron = { + enable = true; + systemCronJobs = [ + + "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php" + "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh" + "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh" + "0 0 * * 0 docker-user yes | /run/current-system/sw/bin/docker system prune -a" + + ]; + }; + + + ####### TOR ####### + services.tor = { + enable = true; + client.enable = true; + torsocks.enable = true; + }; + + services.privoxy.enableTor = true; + + + ####### Enable the SSH ####### + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "yes"; + }; + }; + + + #######FailtoBan####### + services.fail2ban = { + enable = true; + ignoreIP = [ + "127.0.0.0/8" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "8.8.8.8" + ]; + }; + + + ####### Open ports in the firewall ####### + networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3051 ]; + networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3051 ]; + + networking.firewall.allowedUDPPortRanges = [ + { from=49152; to=65535; } # TURN relay + ]; + + networking.firewall.enable = true; + + + ####### AUTO COLLECT GARABAGE ####### + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + + + system.stateVersion = "22.05"; + +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/bip110.nix b/modules/bip110.nix index e229a80..104a797 100755 --- a/modules/bip110.nix +++ b/modules/bip110.nix 
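Review bot: `PermitRootLogin = "yes"` in the new `services.openssh.settings` allows direct root logins over SSH; with `PasswordAuthentication = false` this is key-only, but the NixOS default `prohibit-password` expresses the same thing explicitly and `"no"` plus an admin account would shrink the target further — `PermitRootLogin = "prohibit-password";`. The fail2ban `ignoreIP` list also whitelists `8.8.8.8`, a public resolver that would never be an SSH client; if it is a leftover it should go. The firewall opens `80 443 5349 8448 3051` on UDP as well as TCP, yet only TURN on 5349 carries UDP here (HTTP/3 would need 443 at most), so `networking.firewall.allowedUDPPorts = [ 5349 ];` is sufficient. Note that the `":3051"` vhost defined earlier in this file is a plain-HTTP listener that this rule exposes to the internet; if it is meant to be internal, remove 3051 from both lists.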
@@ -4,12 +4,20 @@ let cfg = config.sovran_systemsOS; in { +<<<<<<< HEAD +======= + # ✅ Option definition +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 options.sovran_systemsOS.packages.bip110 = lib.mkOption { type = lib.types.nullOr lib.types.package; default = null; description = "BIP110 Bitcoin package"; }; +<<<<<<< HEAD +======= + # ✅ Implementation +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 config = lib.mkIf ( cfg.features.bip110 && cfg.packages.bip110 != null diff --git a/modules/element-calling.nix b/modules/element-calling.nix index df90e69..492e9d7 100755 --- a/modules/element-calling.nix +++ b/modules/element-calling.nix @@ -1,6 +1,10 @@ { config, pkgs, lib, ... }: let +<<<<<<< HEAD +======= + personalization = import ./personalization.nix; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 livekitKeyFile = "/var/lib/livekit/livekit_keyFile"; in @@ -15,6 +19,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { description = "Generate LiveKit key file if missing"; wantedBy = [ "multi-user.target" ]; before = [ "livekit.service" "lk-jwt-service.service" ]; +<<<<<<< HEAD +======= + requires = []; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -39,6 +47,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ]; systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ]; +<<<<<<< HEAD ####### CADDY SNIPPET — written to /run/caddy for caddy.nix to pick up ####### systemd.services.element-calling-caddy-config = { description = "Generate Element Calling Caddy config snippet"; 
@@ -58,12 +67,19 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { cat > /run/caddy/element-calling.snippet <>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008 header /.well-known/matrix/* Content-Type "application/json" header /.well-known/matrix/* Access-Control-Allow-Origin "*" header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" +<<<<<<< HEAD respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\` } @@ -72,6 +88,14 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { } $ELEMENT_CALLING { +======= + respond /.well-known/matrix/client `{ "m.homeserver": {"base_url": "https://${personalization.matrix_url}" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://${personalization.element-calling_url}/livekit/jwt" }] }` + ''; + }; + + "${personalization.element-calling_url}" = { + extraConfig = '' +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 handle /livekit/jwt/sfu/get { uri strip_prefix /livekit/jwt reverse_proxy [::1]:8073 { @@ -84,6 +108,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { handle { reverse_proxy localhost:7880 } +<<<<<<< HEAD } EOF ''; @@ -115,6 +140,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { chmod 640 /run/livekit/runtime-config.yaml ''; +======= + ''; + }; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 }; ####### LIVEKIT SERVICE ####### 
@@ -128,8 +157,16 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { room.auto_create = false; turn = { enabled = true; +<<<<<<< HEAD tls_port = 5349; udp_port = 3478; +======= + domain = "${personalization.matrix_url}"; + tls_port = 5349; + udp_port = 3478; + cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt"; + key_file = "/var/lib/livekit/${personalization.matrix_url}.key"; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 }; }; }; @@ -140,6 +177,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { ]; ####### JWT SERVICE ####### +<<<<<<< HEAD systemd.services.lk-jwt-service-runtime-config = { description = "Generate lk-jwt-service runtime config from domain files"; before = [ "lk-jwt-service.service" ]; @@ -215,6 +253,29 @@ lib.mkIf config.sovran_systemsOS.features.element-calling { extraConfigFiles = [ "/run/matrix-synapse/element-calling-config.yaml" ]; settings = lib.mkForce { push.include_content = false; +======= + services.lk-jwt-service = { + enable = true; + port = 8073; + livekitUrl = "wss://${personalization.element-calling_url}"; + keyFile = livekitKeyFile; + }; + + ####### MATRIX-SYNAPSE SETTINGS ####### + services.matrix-synapse = { + settings = lib.mkForce { + serve_server_wellknown = true; + public_baseurl = "${personalization.matrix_url}"; + experimental_features = { + msc3266_enabled = true; + msc4222_enabled = true; + }; + max_event_delay_duration = "24h"; + rc_message = { per_second = 0.5; burst_count = 30; }; + rc_delayed_event_mgmt = { per_second = 1; burst_count = 20; }; + push.include_content = false; + server_name = personalization.matrix_url; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 url_preview_enabled = true; group_unread_count_by_room = false; encryption_enabled_by_default_for_room_type = "invite"; diff --git a/modules/haven.nix b/modules/haven.nix index 914010b..25b5708 100755 --- a/modules/haven.nix +++ b/modules/haven.nix 
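Review bot: The new `turn` block points LiveKit at `cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt"` and a matching `key_file`, but nothing in this hunk or elsewhere in the diff creates, renews or sets the permissions of those files, so `tls_port = 5349` will fail to start until they exist and will break silently when they expire. Caddy already holds ACME certificates for `matrix_url`; a oneshot that copies them into `/var/lib/livekit` with `chmod 0640` for the livekit group, ordered `before = [ "livekit.service" ]`, or at least a comment stating how the files are provisioned, would make this maintainable. The enclosing `services.livekit.settings` attrset starts and ends outside this hunk.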
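Review bot: `services.matrix-synapse.settings = lib.mkForce { … }` in the new `MATRIX-SYNAPSE SETTINGS` block replaces the entire `settings` attrset that modules/synapse.nix defines, so `listeners` (the `::1`-only bind with `x_forwarded`), `turn_shared_secret`, `url_preview_ip_range_blacklist` and `enable_registration = false` from that module are discarded whenever this module is active, while the context line `url_preview_enabled = true;` stays — depending on the Synapse version that either fails config validation or lets URL previews reach addresses the blacklist was meant to block. Drop `lib.mkForce` and let the module system merge the two attrsets, or move the element-calling keys into synapse.nix. `public_baseurl = "${personalization.matrix_url}"` is also missing its scheme; Synapse expects a full URL, `public_baseurl = "https://${personalization.matrix_url}";`. The attrset continues beyond this hunk.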
@@ -1,11 +1,16 @@ { config, pkgs, lib, ... }: let +<<<<<<< HEAD +======= + personalization = import ./personalization.nix; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 npub = config.sovran_systemsOS.nostr_npub; in lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { +<<<<<<< HEAD # ── Caddy vhost is now handled centrally in caddy.nix ───── # ── Generate Haven runtime config from domain files ─────── @@ -41,11 +46,17 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { ''; }; +======= +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 services.haven = { enable = true; settings = { OWNER_NPUB = npub; +<<<<<<< HEAD # RELAY_URL injected at runtime via EnvironmentFile +======= + RELAY_URL = personalization.haven_url; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 RELAY_PORT = 3355; RELAY_BIND_ADDRESS = "0.0.0.0"; @@ -53,6 +64,7 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { LMDB_MAPSIZE = 3000000000; BLOSSOM_PATH = "blossom/"; +<<<<<<< HEAD # Relay names/descriptions injected at runtime via EnvironmentFile PRIVATE_RELAY_NPUB = npub; CHAT_RELAY_NPUB = npub; 
@@ -60,6 +72,27 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { INBOX_PULL_INTERVAL_SECONDS = 600; +======= + PRIVATE_RELAY_NAME = "${personalization.haven_url} private relay"; + PRIVATE_RELAY_NPUB = npub; + PRIVATE_RELAY_DESCRIPTION = "The Relay From Sovran Systems"; + + CHAT_RELAY_NAME = "${personalization.haven_url} chat relay"; + CHAT_RELAY_NPUB = npub; + CHAT_RELAY_DESCRIPTION = "a relay for private chats"; + + OUTBOX_RELAY_NAME = "${personalization.haven_url} outbox relay"; + OUTBOX_RELAY_NPUB = npub; + OUTBOX_RELAY_DESCRIPTION = "a relay and Blossom server for public messages and media"; + + INBOX_RELAY_NAME = "${personalization.haven_url} inbox relay"; + INBOX_RELAY_NPUB = npub; + INBOX_RELAY_DESCRIPTION = "send your interactions with my notes here"; + + INBOX_PULL_INTERVAL_SECONDS = 600; + + # ... all your rate limiter and WOT settings unchanged ... +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 PRIVATE_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL = 50; PRIVATE_RELAY_EVENT_IP_LIMITER_INTERVAL = 1; PRIVATE_RELAY_EVENT_IP_LIMITER_MAX_TOKENS = 100; @@ -124,10 +157,13 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { ]; }; +<<<<<<< HEAD systemd.services.haven.serviceConfig.EnvironmentFile = [ "/run/haven/runtime.env" ]; +======= +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 systemd.tmpfiles.rules = [ "d /var/lib/haven 0750 haven haven -" ]; 
@@ -153,6 +189,30 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { ''; }; +<<<<<<< HEAD systemd.services.haven.after = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ]; systemd.services.haven.wants = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ]; +======= + systemd.services.haven.after = [ "haven-whitelist-setup.service" ]; + systemd.services.haven.wants = [ "haven-whitelist-setup.service" ]; + + services.caddy.virtualHosts = { + "${personalization.haven_url}" = { + extraConfig = '' + reverse_proxy localhost:3355 { + header_up Host {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + header_up X-Forwarded-Proto {scheme} + transport http { + versions 1.1 + } + } + request_body { + max_size 100MB + } + ''; + }; + }; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/modules.nix b/modules/modules.nix index 8531a99..8450ef3 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -1,6 +1,7 @@ { config, pkgs, lib, ... }: { +<<<<<<< HEAD imports = [ ./core/roles.nix ./core/role-logic.nix @@ -13,6 +14,20 @@ ./wordpress.nix ./nextcloud.nix ./btcpayserver.nix +======= + + imports = [ + + ./core/roles.nix + ./core/role-logic.nix + ./php.nix + ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix + + # Always imported feature modules + ./synapse.nix + ./coturn.nix + ./bitcoinecosystem.nix +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 ./vaultwarden.nix ./haven.nix ./bip110.nix @@ -20,6 +35,12 @@ ./mempool.nix ./bitcoin-core.nix ./rdp.nix +<<<<<<< HEAD ./bitcoinecosystem.nix ]; +======= + + ]; + +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/synapse.nix b/modules/synapse.nix index 67e921b..d978b61 100644 --- a/modules/synapse.nix +++ b/modules/synapse.nix @@ -1,5 +1,6 @@ { config, pkgs, lib, ... }: +<<<<<<< HEAD { # ── PostgreSQL database for Matrix ────────────────────────── services.postgresql = { 
@@ -133,4 +134,76 @@ }; }; } +======= + +####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL ####### + +# (Run as root in terminal) matrix-synapse-register_new_matrix_user # + +####### ####### + +let + personalization = import ./personalization.nix; +in +lib.mkIf config.sovran_systemsOS.features.synapse { + services.matrix-synapse = { + enable = true; + settings = { + push.include_content = false; + group_unread_count_by_room = false; + encryption_enabled_by_default_for_room_type = "invite"; + allow_profile_lookup_over_federation = false; + allow_device_name_lookup_over_federation = false; + server_name = personalization.matrix_url; + url_preview_enabled = true; + max_upload_size = "1024M"; + url_preview_ip_range_blacklist = [ + "10.0.0.0/8" + "100.64.0.0/10" + "169.254.0.0/16" + "172.16.0.0/12" + "192.0.0.0/24" + "192.0.2.0/24" + "192.168.0.0/16" + "192.88.99.0/24" + "198.18.0.0/15" + "198.51.100.0/24" + "2001:db8::/32" + "203.0.113.0/24" + "224.0.0.0/4" + "::1/128" + "fc00::/7" + "fe80::/10" + "fec0::/10" + "ff00::/8" + ]; + url_preview_ip_ranger_whitelist = [ "127.0.0.1" ]; + turn_shared_secret = "${personalization.coturn_static_auth_secret}"; + turn_uris = [ + "turn:${personalization.matrix_url}:5349?transport=udp" + "turn:${personalization.matrix_url}:5349?transport=tcp" + ]; + presence.enabled = true; + enable_registration = false; + registration_shared_secret = config.age.secrets.matrix_reg_secret.path; + listeners = [ + { + port = 8008; + bind_addresses = [ "::1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" ]; + compress = true; + } + { + names = [ "federation" ]; + compress = false; + } ]; + } + ]; + }; + }; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix index 11c8e4e..00b0e54 100755 --- a/modules/vaultwarden.nix +++ b/modules/vaultwarden.nix 
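Review bot: `registration_shared_secret = config.age.secrets.matrix_reg_secret.path;` assigns the path of the decrypted agenix file, not its contents, so Synapse's registration shared secret becomes the predictable string of that path (by default under `/run/agenix/`) and anyone who guesses it can register accounts despite `enable_registration = false`. Synapse reads the secret from a file with `registration_shared_secret_path = config.age.secrets.matrix_reg_secret.path;` — use that key instead. `turn_shared_secret = "${personalization.coturn_static_auth_secret}"` likewise ends up in the world-readable Nix store and belongs in an `extraConfigFiles` entry fed from an agenix secret. `url_preview_ip_ranger_whitelist` is a typo for `url_preview_ip_range_whitelist` and will be ignored or rejected rather than applied.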
@@ -1,5 +1,6 @@ { config, pkgs, lib, ... }: +<<<<<<< HEAD lib.mkIf config.sovran_systemsOS.features.vaultwarden { # ── Caddy vhost is now handled centrally in caddy.nix ───── @@ -44,4 +45,25 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden { systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [ "/run/vaultwarden/runtime.env" ]; +======= +let + personalization = import ./personalization.nix; +in + +lib.mkIf config.sovran_systemsOS.features.vaultwarden { + + services.vaultwarden = { + enable = true; + config = { + + DOMAIN = "https://${personalization.vaultwarden_url}"; + SIGNUPS_ALLOWED = false; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8777; + ROCKET_LOG = "critical"; + }; + dbBackend = "sqlite"; + environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env"; + }; +>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 }
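Review bot: `environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env"` is where the admin token and any SMTP credentials must live (none appear in `config`), but nothing in this hunk creates that file or constrains its mode; a `systemd.tmpfiles.rules` entry such as `"d /var/lib/secrets/vaultwarden 0750 root vaultwarden -"`, or a comment recording that the file must be `0640 root:vaultwarden`, would keep the secret from being world-readable. `ROCKET_LOG = "critical"` suppresses Rocket's request logging; if the fail2ban enabled in configuration.nix is expected to protect this service, confirm that Vaultwarden's own login-failure messages still reach the journal, otherwise the jail has nothing to match. `SIGNUPS_ALLOWED = false` is the right default; consider whether invitations should be closed as well and document the choice next to it. The `lib.mkIf` body continues outside this hunk.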