initial retooling

2026-03-27 14:29:26 -05:00
parent 5057ed2a05 5bee5ad99b
commit 10b0ac6cea
7 changed files with 638 additions and 0 deletions
--- a/modules/bip110.nix
+++ b/modules/bip110.nix
@@ -4,12 +4,20 @@ let
  cfg = config.sovran_systemsOS;
 in
 {
+<<<<<<< HEAD
+=======
+  # ✅ Option definition
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  options.sovran_systemsOS.packages.bip110 = lib.mkOption {
    type = lib.types.nullOr lib.types.package;
    default = null;
    description = "BIP110 Bitcoin package";
  };

+<<<<<<< HEAD
+=======
+  # ✅ Implementation
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  config = lib.mkIf (
    cfg.features.bip110 &&
    cfg.packages.bip110 != null
--- a/modules/element-calling.nix
+++ b/modules/element-calling.nix
@@ -1,6 +1,10 @@
 { config, pkgs, lib, ... }:

 let
+<<<<<<< HEAD
+=======
+  personalization = import ./personalization.nix;
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  livekitKeyFile = "/var/lib/livekit/livekit_keyFile";
 in

@@ -15,6 +19,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
    description = "Generate LiveKit key file if missing";
    wantedBy = [ "multi-user.target" ];
    before = [ "livekit.service" "lk-jwt-service.service" ];
+<<<<<<< HEAD
+=======
+    requires = [];
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
@@ -39,6 +47,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
  systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ];
  systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ];

+<<<<<<< HEAD
  ####### CADDY SNIPPET — written to /run/caddy for caddy.nix to pick up #######
  systemd.services.element-calling-caddy-config = {
    description = "Generate Element Calling Caddy config snippet";
@@ -58,12 +67,19 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {

      cat > /run/caddy/element-calling.snippet <<EOF
      $MATRIX {
+=======
+  ####### CADDY CONFIGS #######
+  services.caddy.virtualHosts = lib.mkForce {
+    "${personalization.matrix_url}" = {
+      extraConfig = ''
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
        reverse_proxy /_matrix/* http://localhost:8008
        reverse_proxy /_synapse/client/* http://localhost:8008
        header /.well-known/matrix/* Content-Type "application/json"
        header /.well-known/matrix/* Access-Control-Allow-Origin "*"
        header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
+<<<<<<< HEAD
        respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\`
      }

@@ -72,6 +88,14 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
      }

      $ELEMENT_CALLING {
+=======
+        respond /.well-known/matrix/client `{ "m.homeserver": {"base_url": "https://${personalization.matrix_url}" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://${personalization.element-calling_url}/livekit/jwt" }] }`
+      '';
+    };
+
+    "${personalization.element-calling_url}" = {
+      extraConfig = ''
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
        handle /livekit/jwt/sfu/get {
          uri strip_prefix /livekit/jwt
          reverse_proxy [::1]:8073 {
@@ -84,6 +108,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
        handle {
          reverse_proxy localhost:7880
        }
+<<<<<<< HEAD
      }
      EOF
    '';
@@ -115,6 +140,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {

      chmod 640 /run/livekit/runtime-config.yaml
    '';
+=======
+      '';
+    };
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  };

  ####### LIVEKIT SERVICE #######
@@ -128,8 +157,16 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
      room.auto_create = false;
      turn = {
        enabled = true;
+<<<<<<< HEAD
        tls_port = 5349;
        udp_port = 3478;
+=======
+        domain = "${personalization.matrix_url}";
+        tls_port = 5349;
+        udp_port = 3478;
+        cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt";
+        key_file = "/var/lib/livekit/${personalization.matrix_url}.key";
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
      };
    };
  };
@@ -140,6 +177,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
  ];

  ####### JWT SERVICE #######
+<<<<<<< HEAD
  systemd.services.lk-jwt-service-runtime-config = {
    description = "Generate lk-jwt-service runtime config from domain files";
    before = [ "lk-jwt-service.service" ];
@@ -215,6 +253,29 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
    extraConfigFiles = [ "/run/matrix-synapse/element-calling-config.yaml" ];
    settings = lib.mkForce {
      push.include_content = false;
+=======
+  services.lk-jwt-service = {
+    enable = true;
+    port = 8073;
+    livekitUrl = "wss://${personalization.element-calling_url}";
+    keyFile = livekitKeyFile;
+  };
+
+  ####### MATRIX-SYNAPSE SETTINGS #######
+  services.matrix-synapse = {
+    settings = lib.mkForce {
+      serve_server_wellknown = true;
+      public_baseurl = "${personalization.matrix_url}";
+      experimental_features = {
+        msc3266_enabled = true;
+        msc4222_enabled = true;
+      };
+      max_event_delay_duration = "24h";
+      rc_message = { per_second = 0.5; burst_count = 30; };
+      rc_delayed_event_mgmt = { per_second = 1; burst_count = 20; };
+      push.include_content = false;
+      server_name = personalization.matrix_url;
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
      url_preview_enabled = true;
      group_unread_count_by_room = false;
      encryption_enabled_by_default_for_room_type = "invite";
--- a/modules/haven.nix
+++ b/modules/haven.nix
@@ -1,11 +1,16 @@
 { config, pkgs, lib, ... }:

 let
+<<<<<<< HEAD
+=======
+  personalization = import ./personalization.nix;
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  npub = config.sovran_systemsOS.nostr_npub;
 in

 lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {

+<<<<<<< HEAD
  # ── Caddy vhost is now handled centrally in caddy.nix ─────

  # ── Generate Haven runtime config from domain files ───────
@@ -41,11 +46,17 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
    '';
  };

+=======
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  services.haven = {
    enable = true;
    settings = {
      OWNER_NPUB = npub;
+<<<<<<< HEAD
      # RELAY_URL injected at runtime via EnvironmentFile
+=======
+      RELAY_URL = personalization.haven_url;
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8

      RELAY_PORT = 3355;
      RELAY_BIND_ADDRESS = "0.0.0.0";
@@ -53,6 +64,7 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
      LMDB_MAPSIZE = 3000000000;
      BLOSSOM_PATH = "blossom/";

+<<<<<<< HEAD
      # Relay names/descriptions injected at runtime via EnvironmentFile
      PRIVATE_RELAY_NPUB = npub;
      CHAT_RELAY_NPUB = npub;
@@ -60,6 +72,27 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {

      INBOX_PULL_INTERVAL_SECONDS = 600;

+=======
+      PRIVATE_RELAY_NAME = "${personalization.haven_url} private relay";
+      PRIVATE_RELAY_NPUB = npub;
+      PRIVATE_RELAY_DESCRIPTION = "The Relay From Sovran Systems";
+
+      CHAT_RELAY_NAME = "${personalization.haven_url} chat relay";
+      CHAT_RELAY_NPUB = npub;
+      CHAT_RELAY_DESCRIPTION = "a relay for private chats";
+
+      OUTBOX_RELAY_NAME = "${personalization.haven_url} outbox relay";
+      OUTBOX_RELAY_NPUB = npub;
+      OUTBOX_RELAY_DESCRIPTION = "a relay and Blossom server for public messages and media";
+
+      INBOX_RELAY_NAME = "${personalization.haven_url} inbox relay";
+      INBOX_RELAY_NPUB = npub;
+      INBOX_RELAY_DESCRIPTION = "send your interactions with my notes here";
+
+      INBOX_PULL_INTERVAL_SECONDS = 600;
+
+      # ... all your rate limiter and WOT settings unchanged ...
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
      PRIVATE_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL = 50;
      PRIVATE_RELAY_EVENT_IP_LIMITER_INTERVAL = 1;
      PRIVATE_RELAY_EVENT_IP_LIMITER_MAX_TOKENS = 100;
@@ -124,10 +157,13 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
    ];
  };

+<<<<<<< HEAD
  systemd.services.haven.serviceConfig.EnvironmentFile = [
    "/run/haven/runtime.env"
  ];

+=======
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
  systemd.tmpfiles.rules = [
    "d /var/lib/haven 0750 haven haven -"
  ];
@@ -153,6 +189,30 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
    '';
  };

+<<<<<<< HEAD
  systemd.services.haven.after = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ];
  systemd.services.haven.wants = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ];
+=======
+  systemd.services.haven.after = [ "haven-whitelist-setup.service" ];
+  systemd.services.haven.wants = [ "haven-whitelist-setup.service" ];
+
+  services.caddy.virtualHosts = {
+    "${personalization.haven_url}" = {
+      extraConfig = ''
+        reverse_proxy localhost:3355 {
+          header_up Host {host}
+          header_up X-Real-IP {remote_host}
+          header_up X-Forwarded-For {remote_host}
+          header_up X-Forwarded-Proto {scheme}
+          transport http {
+            versions 1.1
+          }
+        }
+        request_body {
+          max_size 100MB
+        }
+      '';
+    };
+  };
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:

 {
+<<<<<<< HEAD
  imports = [
    ./core/roles.nix
    ./core/role-logic.nix
@@ -13,6 +14,20 @@
    ./wordpress.nix
    ./nextcloud.nix
    ./btcpayserver.nix
+=======
+ 
+  imports = [
+    
+    ./core/roles.nix
+    ./core/role-logic.nix
+    ./php.nix
+    ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
+
+    # Always imported feature modules
+    ./synapse.nix
+    ./coturn.nix
+    ./bitcoinecosystem.nix
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
    ./vaultwarden.nix
    ./haven.nix
    ./bip110.nix
@@ -20,6 +35,12 @@
    ./mempool.nix
    ./bitcoin-core.nix
    ./rdp.nix
+<<<<<<< HEAD
    ./bitcoinecosystem.nix
  ];
+=======
+
+  ];
+
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }
--- a/modules/synapse.nix
+++ b/modules/synapse.nix
@@ -1,5 +1,6 @@
 { config, pkgs, lib, ... }:

+<<<<<<< HEAD
 {
  # ── PostgreSQL database for Matrix ──────────────────────────
  services.postgresql = {
@@ -133,4 +134,76 @@
      };
    };
  }
+=======
+
+####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
+
+#  (Run as root in terminal) matrix-synapse-register_new_matrix_user #
+
+####### #######
+
+let
+	personalization = import ./personalization.nix;
+in
+lib.mkIf config.sovran_systemsOS.features.synapse {
+	services.matrix-synapse = {
+		enable = true;
+		settings = {
+			push.include_content = false;
+			group_unread_count_by_room = false;
+			encryption_enabled_by_default_for_room_type = "invite";
+			allow_profile_lookup_over_federation = false;
+			allow_device_name_lookup_over_federation = false;
+			server_name = personalization.matrix_url;
+		 	url_preview_enabled = true;
+		 	max_upload_size = "1024M";
+		 	url_preview_ip_range_blacklist = [
+				"10.0.0.0/8"
+				"100.64.0.0/10"
+				"169.254.0.0/16"
+				"172.16.0.0/12"
+				"192.0.0.0/24"
+				"192.0.2.0/24"
+				"192.168.0.0/16"
+				"192.88.99.0/24"
+				"198.18.0.0/15"
+				"198.51.100.0/24"
+				"2001:db8::/32"
+				"203.0.113.0/24"
+				"224.0.0.0/4"
+				"::1/128"
+				"fc00::/7"
+				"fe80::/10"
+				"fec0::/10"
+				"ff00::/8"
+				];
+		 	url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
+		 	turn_shared_secret = "${personalization.coturn_static_auth_secret}";
+    			turn_uris = [
+      				"turn:${personalization.matrix_url}:5349?transport=udp"
+      				"turn:${personalization.matrix_url}:5349?transport=tcp"
+			];
+			presence.enabled = true;
+			enable_registration = false;
+			registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
+			listeners = [
+				{
+					port = 8008;
+					bind_addresses = [ "::1" ];
+					type = "http";
+					tls = false;
+					x_forwarded = true;
+					resources = [ {
+						names = [ "client" ];
+						compress = true;
+					} 
+					{
+						names = [ "federation" ];
+						compress = false;
+					} ];
+				}
+			];
+		};
+ 	};
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -1,5 +1,6 @@
 { config, pkgs, lib, ... }:

+<<<<<<< HEAD
 lib.mkIf config.sovran_systemsOS.features.vaultwarden {

  # ── Caddy vhost is now handled centrally in caddy.nix ─────
@@ -44,4 +45,25 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
  systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [
    "/run/vaultwarden/runtime.env"
  ];
+=======
+let
+	personalization = import ./personalization.nix;
+in
+
+lib.mkIf config.sovran_systemsOS.features.vaultwarden {
+
+	services.vaultwarden = {
+		enable = true;
+		    config = {
+
+        		DOMAIN = "https://${personalization.vaultwarden_url}";
+        		SIGNUPS_ALLOWED = false;
+        		ROCKET_ADDRESS = "127.0.0.1";
+        		ROCKET_PORT = 8777;
+        		ROCKET_LOG = "critical";
+        	};
+		dbBackend = "sqlite";
+		environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env";
+	};
+>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }