initial retooling

2026-03-27 14:29:26 -05:00
7 changed files with 638 additions and 0 deletions


@@ -1,5 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
<<<<<<< HEAD
{ {
imports = [ imports = [
./modules/modules.nix ./modules/modules.nix
@@ -71,11 +72,107 @@
# ── Flatpak ──────────────────────────────────────────────── # ── Flatpak ────────────────────────────────────────────────
services.flatpak.enable = true; services.flatpak.enable = true;
=======
let
personalization = import ./modules/personalization.nix;
in
{
imports =
[
./modules/modules.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
# Enable Automount without Fail for Internal Drive.
fileSystems."/run/media/Second_Drive" = {
device = "LABEL=BTCEcoandBackup";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/boot/efi".options = [ "umask=0077" "defaults" ];
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
download-buffer-size = 524288000;
};
networking.hostName = "nixos"; # Define your hostname.
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.displayManager.gdm.enable = true;
services.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver.xkb = {
layout = "us";
variant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Systemd Settings
systemd.enableEmergencyMode = false;
# Enable sound with pipewire.
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
users.users = {
free = {
isNormalUser = true;
description = "free";
extraGroups = [ "networkmanager" ];
};
};
# Enable automatic login for the user.
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "free";
# Allow Flatpak
services.flatpak.enable = true;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
systemd.services.flatpak-repo = { systemd.services.flatpak-repo = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
path = [ pkgs.flatpak ]; path = [ pkgs.flatpak ];
<<<<<<< HEAD
script = '' script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
''; '';
@@ -140,6 +237,222 @@
services.rsnapshot = { services.rsnapshot = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
=======
script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
'';
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
];
# List packages installed
environment.systemPackages = with pkgs; [
git
wget
fish
htop
btop
gnomeExtensions.transparent-top-bar-adjustable-transparency
gnomeExtensions.systemd-manager
gnomeExtensions.dash-to-dock
gnomeExtensions.vitals
gnomeExtensions.pop-shell
gnomeExtensions.just-perfection
gnomeExtensions.appindicator
gnomeExtensions.date-menu-formatter
gnome-tweaks
papirus-icon-theme
ranger
fastfetch
gedit
matrix-synapse
openssl
pwgen
aspell
aspellDicts.en
lm_sensors
hunspell
hunspellDicts.en_US
synadm
brave
dua
bitwarden-desktop
gparted
pv
unzip
parted
screen
zenity
libargon2
gnome-terminal
libreoffice-fresh
dig
firefox
element-desktop
wp-cli
axel
lk-jwt-service
livekit-libwebrtc
livekit-cli
livekit
];
programs.nixvim = {
enable = true;
colorschemes.catppuccin.enable = true;
plugins.lualine.enable = true;
};
programs.bash.promptInit = "fish";
programs.fish = {
enable = true;
promptInit = "fastfetch";
};
####### CADDY #######
services.caddy = {
enable = true;
user = "caddy";
group = "root";
email = "${personalization.caddy_email_for_acme}";
virtualHosts = {
"${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"${personalization.nextcloud_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/nextcloud
php_fastcgi unix//run/phpfpm/mypool.sock {
trusted_proxies private_ranges
}
file_server
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
header {
Strict-Transport-Security max-age=31536000;
}
'';
};
"${personalization.matrix_url}" = {
extraConfig = ''
reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008
'';
};
"${personalization.matrix_url}:8448" = {
extraConfig = ''
reverse_proxy http://localhost:8008
'';
};
"${personalization.btcpayserver_url}" = {
extraConfig = ''
reverse_proxy http://localhost:23000
encode gzip zstd
'';
};
"https://${personalization.vaultwarden_url}" = {
extraConfig = ''
reverse_proxy http://localhost:8777
encode gzip zstd
'';
};
":3051" = {
extraConfig = ''
reverse_proxy :3050
encode gzip zstd
'';
};
};
};
###### AGENIX ######
age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ];
age.secrets.matrix_reg_secret = {
file = /var/lib/agenix-secrets/matrix_reg_secret.age;
mode = "770";
owner = "matrix-synapse";
group = "matrix-synapse";
};
###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
services.postgresql = {
enable = true;
};
services.postgresql.authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb}';
CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrixdb}';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''
;
services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
CREATE DATABASE wordpressdb;
CREATE USER 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb}';
GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost';
FLUSH PRIVILEGES;
''
;
####### KEEP AWAKE for DISPLAY and HEADLESS #######
services.displayManager.gdm.autoSuspend = false;
####### BACKUP TO INTERNAL DRIVE #######
services.rsnapshot = {
enable = true;
extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
retain hourly 5 retain hourly 5
retain daily 5 retain daily 5
@@ -147,6 +460,7 @@ backup /home/ localhost/
backup /var/lib/ localhost/ backup /var/lib/ localhost/
backup /etc/nixos/ localhost/ backup /etc/nixos/ localhost/
backup /etc/nix-bitcoin-secrets/ localhost/ backup /etc/nix-bitcoin-secrets/ localhost/
<<<<<<< HEAD
''; '';
cronIntervals = { cronIntervals = {
daily = "50 21 * * *"; daily = "50 21 * * *";
@@ -188,4 +502,83 @@ backup /etc/nix-bitcoin-secrets/ localhost/
nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; }; nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; };
system.stateVersion = "22.05"; system.stateVersion = "22.05";
=======
'';
cronIntervals = {
daily = "50 21 * * *";
hourly = "0 * * * *";
};
};
####### CRON #######
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
"0 0 * * 0 docker-user yes | /run/current-system/sw/bin/docker system prune -a"
];
};
####### TOR #######
services.tor = {
enable = true;
client.enable = true;
torsocks.enable = true;
};
services.privoxy.enableTor = true;
####### Enable the SSH #######
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
};
#######FailtoBan#######
services.fail2ban = {
enable = true;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
####### Open ports in the firewall #######
networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3051 ];
networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3051 ];
networking.firewall.allowedUDPPortRanges = [
{ from=49152; to=65535; } # TURN relay
];
networking.firewall.enable = true;
####### AUTO COLLECT GARABAGE #######
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
system.stateVersion = "22.05";
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
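Review bot: Unresolved git conflict markers are committed in this file (`<<<<<<< HEAD`, `=======`, `>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8` appear at four places between the first hunk and the closing brace), and the same markers are present in every other file of this commit (bip110, element-calling, haven, modules, synapse, vaultwarden), so none of these modules will parse until one side of each conflict is chosen and the marker lines are deleted. Independently of the merge, the `=======` side writes database passwords into world-readable files in /nix/store: `services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''…PASSWORD '${personalization.nextclouddb}'…''` and the MariaDB `wordpress-init.sql` interpolate secrets from personalization.nix into derivation outputs; prefer a secret file managed the way `age.secrets.matrix_reg_secret` already is in this file and read it at activation time. The PostgreSQL `authentication` block sets `trust` for every `local` and loopback `host` line, which makes those `PASSWORD` clauses meaningless for any local process; `scram-sha-256` on the `host` lines would be the usual choice if the passwords are meant to matter. `PermitRootLogin = "yes";` is broader than needed given `PasswordAuthentication = false;` — `PermitRootLogin = "prohibit-password";` expresses the intended key-only root access and survives a later re-enabling of password auth. The `mode = "770";` on `age.secrets.matrix_reg_secret` grants the group execute/write bits a secret file never needs; `mode = "0440";` (or `"0400"` if only the owner reads it) is the conventional value.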


@@ -4,12 +4,20 @@ let
cfg = config.sovran_systemsOS; cfg = config.sovran_systemsOS;
in in
{ {
<<<<<<< HEAD
=======
# ✅ Option definition
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
options.sovran_systemsOS.packages.bip110 = lib.mkOption { options.sovran_systemsOS.packages.bip110 = lib.mkOption {
type = lib.types.nullOr lib.types.package; type = lib.types.nullOr lib.types.package;
default = null; default = null;
description = "BIP110 Bitcoin package"; description = "BIP110 Bitcoin package";
}; };
<<<<<<< HEAD
=======
# ✅ Implementation
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
config = lib.mkIf ( config = lib.mkIf (
cfg.features.bip110 && cfg.features.bip110 &&
cfg.packages.bip110 != null cfg.packages.bip110 != null


@@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
<<<<<<< HEAD
=======
personalization = import ./personalization.nix;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
livekitKeyFile = "/var/lib/livekit/livekit_keyFile"; livekitKeyFile = "/var/lib/livekit/livekit_keyFile";
in in
@@ -15,6 +19,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
description = "Generate LiveKit key file if missing"; description = "Generate LiveKit key file if missing";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
before = [ "livekit.service" "lk-jwt-service.service" ]; before = [ "livekit.service" "lk-jwt-service.service" ];
<<<<<<< HEAD
=======
requires = [];
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
@@ -39,6 +47,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ]; systemd.services.lk-jwt-service.after = [ "livekit-key-setup.service" ];
systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ]; systemd.services.lk-jwt-service.wants = [ "livekit-key-setup.service" ];
<<<<<<< HEAD
####### CADDY SNIPPET — written to /run/caddy for caddy.nix to pick up ####### ####### CADDY SNIPPET — written to /run/caddy for caddy.nix to pick up #######
systemd.services.element-calling-caddy-config = { systemd.services.element-calling-caddy-config = {
description = "Generate Element Calling Caddy config snippet"; description = "Generate Element Calling Caddy config snippet";
@@ -58,12 +67,19 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
cat > /run/caddy/element-calling.snippet <<EOF cat > /run/caddy/element-calling.snippet <<EOF
$MATRIX { $MATRIX {
=======
####### CADDY CONFIGS #######
services.caddy.virtualHosts = lib.mkForce {
"${personalization.matrix_url}" = {
extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
reverse_proxy /_matrix/* http://localhost:8008 reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008 reverse_proxy /_synapse/client/* http://localhost:8008
header /.well-known/matrix/* Content-Type "application/json" header /.well-known/matrix/* Content-Type "application/json"
header /.well-known/matrix/* Access-Control-Allow-Origin "*" header /.well-known/matrix/* Access-Control-Allow-Origin "*"
header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header /.well-known/matrix/* Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" header /.well-known/matrix/* Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
<<<<<<< HEAD
respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\` respond /.well-known/matrix/client \`{ "m.homeserver": {"base_url": "https://$MATRIX" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://$ELEMENT_CALLING/livekit/jwt" }] }\`
} }
@@ -72,6 +88,14 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
} }
$ELEMENT_CALLING { $ELEMENT_CALLING {
=======
respond /.well-known/matrix/client `{ "m.homeserver": {"base_url": "https://${personalization.matrix_url}" }, "org.matrix.msc4143.rtc_foci": [{ "type":"livekit", "livekit_service_url":"https://${personalization.element-calling_url}/livekit/jwt" }] }`
'';
};
"${personalization.element-calling_url}" = {
extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
handle /livekit/jwt/sfu/get { handle /livekit/jwt/sfu/get {
uri strip_prefix /livekit/jwt uri strip_prefix /livekit/jwt
reverse_proxy [::1]:8073 { reverse_proxy [::1]:8073 {
@@ -84,6 +108,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
handle { handle {
reverse_proxy localhost:7880 reverse_proxy localhost:7880
} }
<<<<<<< HEAD
} }
EOF EOF
''; '';
@@ -115,6 +140,10 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
chmod 640 /run/livekit/runtime-config.yaml chmod 640 /run/livekit/runtime-config.yaml
''; '';
=======
'';
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
}; };
####### LIVEKIT SERVICE ####### ####### LIVEKIT SERVICE #######
@@ -128,8 +157,16 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
room.auto_create = false; room.auto_create = false;
turn = { turn = {
enabled = true; enabled = true;
<<<<<<< HEAD
tls_port = 5349; tls_port = 5349;
udp_port = 3478; udp_port = 3478;
=======
domain = "${personalization.matrix_url}";
tls_port = 5349;
udp_port = 3478;
cert_file = "/var/lib/livekit/${personalization.matrix_url}.crt";
key_file = "/var/lib/livekit/${personalization.matrix_url}.key";
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
}; };
}; };
}; };
@@ -140,6 +177,7 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
]; ];
####### JWT SERVICE ####### ####### JWT SERVICE #######
<<<<<<< HEAD
systemd.services.lk-jwt-service-runtime-config = { systemd.services.lk-jwt-service-runtime-config = {
description = "Generate lk-jwt-service runtime config from domain files"; description = "Generate lk-jwt-service runtime config from domain files";
before = [ "lk-jwt-service.service" ]; before = [ "lk-jwt-service.service" ];
@@ -215,6 +253,29 @@ lib.mkIf config.sovran_systemsOS.features.element-calling {
extraConfigFiles = [ "/run/matrix-synapse/element-calling-config.yaml" ]; extraConfigFiles = [ "/run/matrix-synapse/element-calling-config.yaml" ];
settings = lib.mkForce { settings = lib.mkForce {
push.include_content = false; push.include_content = false;
=======
services.lk-jwt-service = {
enable = true;
port = 8073;
livekitUrl = "wss://${personalization.element-calling_url}";
keyFile = livekitKeyFile;
};
####### MATRIX-SYNAPSE SETTINGS #######
services.matrix-synapse = {
settings = lib.mkForce {
serve_server_wellknown = true;
public_baseurl = "${personalization.matrix_url}";
experimental_features = {
msc3266_enabled = true;
msc4222_enabled = true;
};
max_event_delay_duration = "24h";
rc_message = { per_second = 0.5; burst_count = 30; };
rc_delayed_event_mgmt = { per_second = 1; burst_count = 20; };
push.include_content = false;
server_name = personalization.matrix_url;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
url_preview_enabled = true; url_preview_enabled = true;
group_unread_count_by_room = false; group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite"; encryption_enabled_by_default_for_room_type = "invite";
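Review bot: `services.caddy.virtualHosts = lib.mkForce {` on the `=======` side discards every other module's vhost definitions — the WordPress, Nextcloud, BTCPay and Vaultwarden hosts set in configuration.nix and the haven host set in haven.nix in this same commit all merge into that one option — so only the two hosts declared here would survive evaluation; drop the override and let the attribute sets merge, i.e. `services.caddy.virtualHosts = {`. `public_baseurl = "${personalization.matrix_url}";` appears to be a bare hostname, whereas Synapse expects a full URL with scheme; the well-known response on the same side already uses `"https://${personalization.matrix_url}"`, so presumably `public_baseurl = "https://${personalization.matrix_url}";` was intended. `settings = lib.mkForce {` on `services.matrix-synapse` likewise replaces the settings declared in synapse.nix (the listeners, `enable_registration = false`, the TURN secret, the URL-preview blacklist), so whichever side of the conflict is kept those keys must be repeated here or the `lib.mkForce` removed. The TURN `cert_file`/`key_file` paths under /var/lib/livekit are not provisioned by anything visible in this hunk — confirm that something places the certificate and key there and that the livekit service can read them. The enclosing `lib.mkIf config.sovran_systemsOS.features.element-calling {` block opens before this section's first hunk and closes after its last.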


@@ -1,11 +1,16 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
<<<<<<< HEAD
=======
personalization = import ./personalization.nix;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
npub = config.sovran_systemsOS.nostr_npub; npub = config.sovran_systemsOS.nostr_npub;
in in
lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") { lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
<<<<<<< HEAD
# ── Caddy vhost is now handled centrally in caddy.nix ───── # ── Caddy vhost is now handled centrally in caddy.nix ─────
# ── Generate Haven runtime config from domain files ─────── # ── Generate Haven runtime config from domain files ───────
@@ -41,11 +46,17 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
''; '';
}; };
=======
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
services.haven = { services.haven = {
enable = true; enable = true;
settings = { settings = {
OWNER_NPUB = npub; OWNER_NPUB = npub;
<<<<<<< HEAD
# RELAY_URL injected at runtime via EnvironmentFile # RELAY_URL injected at runtime via EnvironmentFile
=======
RELAY_URL = personalization.haven_url;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
RELAY_PORT = 3355; RELAY_PORT = 3355;
RELAY_BIND_ADDRESS = "0.0.0.0"; RELAY_BIND_ADDRESS = "0.0.0.0";
@@ -53,6 +64,7 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
LMDB_MAPSIZE = 3000000000; LMDB_MAPSIZE = 3000000000;
BLOSSOM_PATH = "blossom/"; BLOSSOM_PATH = "blossom/";
<<<<<<< HEAD
# Relay names/descriptions injected at runtime via EnvironmentFile # Relay names/descriptions injected at runtime via EnvironmentFile
PRIVATE_RELAY_NPUB = npub; PRIVATE_RELAY_NPUB = npub;
CHAT_RELAY_NPUB = npub; CHAT_RELAY_NPUB = npub;
@@ -60,6 +72,27 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
INBOX_PULL_INTERVAL_SECONDS = 600; INBOX_PULL_INTERVAL_SECONDS = 600;
=======
PRIVATE_RELAY_NAME = "${personalization.haven_url} private relay";
PRIVATE_RELAY_NPUB = npub;
PRIVATE_RELAY_DESCRIPTION = "The Relay From Sovran Systems";
CHAT_RELAY_NAME = "${personalization.haven_url} chat relay";
CHAT_RELAY_NPUB = npub;
CHAT_RELAY_DESCRIPTION = "a relay for private chats";
OUTBOX_RELAY_NAME = "${personalization.haven_url} outbox relay";
OUTBOX_RELAY_NPUB = npub;
OUTBOX_RELAY_DESCRIPTION = "a relay and Blossom server for public messages and media";
INBOX_RELAY_NAME = "${personalization.haven_url} inbox relay";
INBOX_RELAY_NPUB = npub;
INBOX_RELAY_DESCRIPTION = "send your interactions with my notes here";
INBOX_PULL_INTERVAL_SECONDS = 600;
# ... all your rate limiter and WOT settings unchanged ...
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
PRIVATE_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL = 50; PRIVATE_RELAY_EVENT_IP_LIMITER_TOKENS_PER_INTERVAL = 50;
PRIVATE_RELAY_EVENT_IP_LIMITER_INTERVAL = 1; PRIVATE_RELAY_EVENT_IP_LIMITER_INTERVAL = 1;
PRIVATE_RELAY_EVENT_IP_LIMITER_MAX_TOKENS = 100; PRIVATE_RELAY_EVENT_IP_LIMITER_MAX_TOKENS = 100;
@@ -124,10 +157,13 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
]; ];
}; };
<<<<<<< HEAD
systemd.services.haven.serviceConfig.EnvironmentFile = [ systemd.services.haven.serviceConfig.EnvironmentFile = [
"/run/haven/runtime.env" "/run/haven/runtime.env"
]; ];
=======
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/haven 0750 haven haven -" "d /var/lib/haven 0750 haven haven -"
]; ];
@@ -153,6 +189,30 @@ lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {
''; '';
}; };
<<<<<<< HEAD
systemd.services.haven.after = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ]; systemd.services.haven.after = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ];
systemd.services.haven.wants = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ]; systemd.services.haven.wants = [ "haven-whitelist-setup.service" "haven-runtime-config.service" ];
=======
systemd.services.haven.after = [ "haven-whitelist-setup.service" ];
systemd.services.haven.wants = [ "haven-whitelist-setup.service" ];
services.caddy.virtualHosts = {
"${personalization.haven_url}" = {
extraConfig = ''
reverse_proxy localhost:3355 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
transport http {
versions 1.1
}
}
request_body {
max_size 100MB
}
'';
};
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
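Review bot: The two sides of this conflict are alternative designs rather than the same change: HEAD injects RELAY_URL and the relay names at runtime via `/run/haven/runtime.env` and orders haven after `haven-runtime-config.service`, while the `=======` side hardcodes them from personalization.nix and reduces the ordering to `haven-whitelist-setup.service` only; if the lower side is kept, the runtime-config service whose tail is still visible near the top of this section becomes an orphaned unit that nothing waits on. The pasted placeholder `# ... all your rate limiter and WOT settings unchanged ...` is not a real comment and should be deleted — the limiter settings it refers to follow it directly. In the Caddy block, `header_up X-Forwarded-For {remote_host}` appears to overwrite the header Caddy already maintains for proxied requests, losing any upstream proxy chain; unless there is a specific reason, remove that line and keep `header_up X-Real-IP {remote_host}`. The enclosing `lib.mkIf (config.sovran_systemsOS.features.haven && npub != "") {` block opens before the section's second hunk and is closed by the final line here.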


@@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
<<<<<<< HEAD
imports = [ imports = [
./core/roles.nix ./core/roles.nix
./core/role-logic.nix ./core/role-logic.nix
@@ -13,6 +14,20 @@
./wordpress.nix ./wordpress.nix
./nextcloud.nix ./nextcloud.nix
./btcpayserver.nix ./btcpayserver.nix
=======
imports = [
./core/roles.nix
./core/role-logic.nix
./php.nix
./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
# Always imported feature modules
./synapse.nix
./coturn.nix
./bitcoinecosystem.nix
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
./vaultwarden.nix ./vaultwarden.nix
./haven.nix ./haven.nix
./bip110.nix ./bip110.nix
@@ -20,6 +35,12 @@
./mempool.nix ./mempool.nix
./bitcoin-core.nix ./bitcoin-core.nix
./rdp.nix ./rdp.nix
<<<<<<< HEAD
./bitcoinecosystem.nix ./bitcoinecosystem.nix
]; ];
=======
];
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
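Review bot: Once the conflict is resolved, `./bitcoinecosystem.nix` will be listed twice in `imports` — once in the `=======` block and once in the HEAD block near the end — while `./synapse.nix`, `./coturn.nix`, `./php.nix` and `./Sovran_SystemsOS_File_Fixes_And_New_Services.nix` exist only on the lower side, so the resolution has to be a single merged list rather than picking one side; the HEAD list between the two hunks is not visible here, so check it for further overlap. The module system appears to deduplicate repeated imports of the same path, but a duplicate entry is still confusing to maintain; keep one. The `# Always imported feature modules` comment is misleading given that the modules it labels are each gated by `lib.mkIf config.sovran_systemsOS.features.*` in this same commit; consider `# Feature modules; each gates itself on sovran_systemsOS.features.*`.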


@@ -1,5 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
<<<<<<< HEAD
{ {
# ── PostgreSQL database for Matrix ────────────────────────── # ── PostgreSQL database for Matrix ──────────────────────────
services.postgresql = { services.postgresql = {
@@ -133,4 +134,76 @@
}; };
}; };
} }
=======
####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
# (Run as root in terminal) matrix-synapse-register_new_matrix_user #
####### #######
let
personalization = import ./personalization.nix;
in
lib.mkIf config.sovran_systemsOS.features.synapse {
services.matrix-synapse = {
enable = true;
settings = {
push.include_content = false;
group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false;
server_name = personalization.matrix_url;
url_preview_enabled = true;
max_upload_size = "1024M";
url_preview_ip_range_blacklist = [
"10.0.0.0/8"
"100.64.0.0/10"
"169.254.0.0/16"
"172.16.0.0/12"
"192.0.0.0/24"
"192.0.2.0/24"
"192.168.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"198.51.100.0/24"
"2001:db8::/32"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fc00::/7"
"fe80::/10"
"fec0::/10"
"ff00::/8"
];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
turn_shared_secret = "${personalization.coturn_static_auth_secret}";
turn_uris = [
"turn:${personalization.matrix_url}:5349?transport=udp"
"turn:${personalization.matrix_url}:5349?transport=tcp"
];
presence.enabled = true;
enable_registration = false;
registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" ];
compress = true;
}
{
names = [ "federation" ];
compress = false;
} ];
}
];
};
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
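Review bot: `url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];` is a typo — the Synapse option is `url_preview_ip_range_whitelist`, matching the `url_preview_ip_range_blacklist` key directly above it — so the loopback exemption is silently ignored. `registration_shared_secret = config.age.secrets.matrix_reg_secret.path;` sets the secret to the literal path string rather than the file's contents; Synapse provides `registration_shared_secret_path` for reading it from a file, so `registration_shared_secret_path = config.age.secrets.matrix_reg_secret.path;` is presumably what was intended. `turn_shared_secret = "${personalization.coturn_static_auth_secret}";` interpolates the TURN secret into the generated homeserver config, which lands in world-readable /nix/store; deliver it through `extraConfigFiles` from a secret file with restricted permissions instead, as the HEAD side of element-calling.nix already does for its runtime config. The conflict has no common lines: HEAD's `{ … }` module body and the lower `let … in lib.mkIf config.sovran_systemsOS.features.synapse { … }` body are complete alternatives, and most of the HEAD body lies between the two hunks and is not visible here.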


@@ -1,5 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
<<<<<<< HEAD
lib.mkIf config.sovran_systemsOS.features.vaultwarden { lib.mkIf config.sovran_systemsOS.features.vaultwarden {
# ── Caddy vhost is now handled centrally in caddy.nix ───── # ── Caddy vhost is now handled centrally in caddy.nix ─────
@@ -44,4 +45,25 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [ systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [
"/run/vaultwarden/runtime.env" "/run/vaultwarden/runtime.env"
]; ];
=======
let
personalization = import ./personalization.nix;
in
lib.mkIf config.sovran_systemsOS.features.vaultwarden {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${personalization.vaultwarden_url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8777;
ROCKET_LOG = "critical";
};
dbBackend = "sqlite";
environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env";
};
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
} }
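Review bot: `environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env";` on the `=======` side and HEAD's `EnvironmentFile = lib.mkAfter [ "/run/vaultwarden/runtime.env" ]` are two different secret-delivery mechanisms, and nothing in this hunk creates the /var/lib/secrets path or restricts its permissions, so whichever is kept needs the file provisioned (agenix, as used for `matrix_reg_secret` elsewhere in this commit, or a tmpfiles rule) and readable only by root or the service — confirm this is handled outside the hunk. The lower side also opens a second `lib.mkIf config.sovran_systemsOS.features.vaultwarden {` while HEAD's opening is still present at the top of the section, so resolving this conflict means merging the two bodies under one `lib.mkIf` rather than keeping both. The HEAD body between the two hunks is not visible here.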