Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

removed agenix

Browse Source
This commit is contained in:
naturallaw77
2026-03-27 20:45:09 -05:00
parent c63b56960c
commit 6e96b2b968
5 changed files with 76 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
configuration.nix
View File

@@ -103,7 +103,7 @@
libargon2 gnome-terminal libreoffice-fresh libargon2 gnome-terminal libreoffice-fresh
dig firefox element-desktop wp-cli axel dig firefox element-desktop wp-cli axel
lk-jwt-service livekit-libwebrtc livekit-cli livekit lk-jwt-service livekit-libwebrtc livekit-cli livekit
matrix-synapse matrix-synapse age
]; ];
# ── Shell ────────────────────────────────────────────────── # ── Shell ──────────────────────────────────────────────────
@@ -126,15 +126,6 @@
''; '';
}; };
# ── Agenix ─────────────────────────────────────────────────
age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ];
age.secrets.matrix_reg_secret = {
file = /var/lib/agenix-secrets/matrix_reg_secret.age;
mode = "770";
owner = "matrix-synapse";
group = "matrix-synapse";
};
# ── Backups ──────────────────────────────────────────────── # ── Backups ────────────────────────────────────────────────
services.rsnapshot = { services.rsnapshot = {
enable = true; enable = true;
@@ -153,7 +144,7 @@ backup /etc/nix-bitcoin-secrets/ localhost/
}; };
}; };
# ── Cron (base system crons only) ───────────────────────── # ── Cron ───────────────────────────────────────────────────
services.cron = { services.cron = {
enable = true; enable = true;
systemCronJobs = [ systemCronJobs = [
@@ -165,6 +156,7 @@ backup /etc/nix-bitcoin-secrets/ localhost/
# ── Tor ──────────────────────────────────────────────────── # ── Tor ────────────────────────────────────────────────────
services.tor = { enable = true; client.enable = true; torsocks.enable = true; }; services.tor = { enable = true; client.enable = true; torsocks.enable = true; };
services.privoxy.enableTor = true;
# ── SSH ──────────────────────────────────────────────────── # ── SSH ────────────────────────────────────────────────────
services.openssh = { services.openssh = {

11
flake.nix
View File

@@ -3,16 +3,14 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
agenix.url = "github:ryantm/agenix";
agenix.inputs.darwin.follows = "";
nixvim.url = "github:nix-community/nixvim"; nixvim.url = "github:nix-community/nixvim";
btc-clients.url = "github:emmanuelrosa/btc-clients-nix"; btc-clients.url = "github:emmanuelrosa/btc-clients-nix";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
bip110.url = "github:emmanuelrosa/bitcoin-knots-bip-110-nix"; bip110.url = "github:emmanuelrosa/bitcoin-knots-bip-110-nix";
}; };
outputs = { self, nixpkgs, nix-bitcoin, nixvim, agenix, btc-clients, nixpkgs-stable, bip110, ... }: outputs = { self, nixpkgs, nix-bitcoin, nixvim, btc-clients, nixpkgs-stable, bip110, ... }:
let let
overlay-stable = final: prev: { overlay-stable = final: prev: {
@@ -22,8 +20,8 @@
}; };
}; };
in in
{ {
nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
modules = [ modules = [
{ nixpkgs.hostPlatform = "x86_64-linux"; } { nixpkgs.hostPlatform = "x86_64-linux"; }
@@ -36,7 +34,6 @@
}) })
./configuration.nix ./configuration.nix
nix-bitcoin.nixosModules.default nix-bitcoin.nixosModules.default
agenix.nixosModules.default
nixvim.nixosModules.nixvim nixvim.nixosModules.nixvim
]; ];
config = { config = {

27
modules/core/matrix-secret.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
# ── Generate Matrix registration secret at runtime ──────────
systemd.services.matrix-synapse-secret-init = {
description = "Generate Matrix Synapse registration secret if missing";
wantedBy = [ "multi-user.target" ];
before = [ "matrix-synapse.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ pkgs.pwgen pkgs.coreutils ];
script = ''
SECRET_FILE="/var/lib/matrix-synapse/registration-secret"
if [ ! -f "$SECRET_FILE" ]; then
mkdir -p /var/lib/matrix-synapse
pwgen -s 64 1 > "$SECRET_FILE"
chown matrix-synapse:matrix-synapse "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
echo "Generated Matrix registration secret"
else
echo "Matrix registration secret already exists, skipping"
fi
'';
};
}

1
modules/modules.nix
View File

@@ -7,6 +7,7 @@
./core/role-logic.nix ./core/role-logic.nix
./core/caddy.nix ./core/caddy.nix
./core/njalla.nix ./core/njalla.nix
./core/matrix-secret.nix
./core/sovran-manage-domains.nix ./core/sovran-manage-domains.nix
# ── Always on (no flag) ─────────────────────────────────── # ── Always on (no flag) ───────────────────────────────────

115
modules/synapse.nix
View File

@@ -2,9 +2,7 @@
lib.mkIf config.sovran_systemsOS.services.synapse { lib.mkIf config.sovran_systemsOS.services.synapse {
# ── PostgreSQL database for Matrix ──────────────────────────
services.postgresql = { services.postgresql = {
enable = true;
ensureDatabases = [ "matrix-synapse" ]; ensureDatabases = [ "matrix-synapse" ];
ensureUsers = [ ensureUsers = [
{ {
@@ -14,47 +12,33 @@ lib.mkIf config.sovran_systemsOS.services.synapse {
]; ];
}; };
# ── Auto-generate DB password and initialize ────────────────
systemd.services.matrix-synapse-db-init = { systemd.services.matrix-synapse-db-init = {
description = "Initialize Matrix Synapse PostgreSQL database with auto-generated password"; description = "Generate Matrix Synapse DB password if missing";
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
before = [ "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
before = [ "matrix-synapse.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ]; path = [ pkgs.pwgen ];
script = '' script = ''
set -euo pipefail SECRET_FILE="/var/lib/matrix-synapse/db-password"
SECRET_DIR="/var/lib/secrets"
SECRET_FILE="$SECRET_DIR/matrix_db_secret"
mkdir -p "$SECRET_DIR"
if [ ! -f "$SECRET_FILE" ]; then if [ ! -f "$SECRET_FILE" ]; then
pwgen -s 64 1 > "$SECRET_FILE" mkdir -p /var/lib/matrix-synapse
chmod 600 "$SECRET_FILE" pwgen -s 32 1 > "$SECRET_FILE"
chown matrix-synapse:matrix-synapse "$SECRET_FILE" chown matrix-synapse:matrix-synapse "$SECRET_FILE"
fi chmod 600 "$SECRET_FILE"
echo "Generated new DB password at $SECRET_FILE"
DB_PASS=$(cat "$SECRET_FILE") else
echo "DB password already exists, skipping"
psql -U postgres -c "ALTER ROLE \"matrix-synapse\" WITH LOGIN PASSWORD '$DB_PASS';"
if ! psql -U postgres -lqt | cut -d \| -f 1 | grep -qw "matrix-synapse"; then
psql -U postgres -c "CREATE DATABASE \"matrix-synapse\" WITH OWNER \"matrix-synapse\" TEMPLATE template0 LC_COLLATE = 'C' LC_CTYPE = 'C';"
fi fi
''; '';
}; };
# ── Generate Synapse runtime config from domain files ───────
systemd.services.matrix-synapse-runtime-config = { systemd.services.matrix-synapse-runtime-config = {
description = "Generate Matrix Synapse runtime config from domain files"; description = "Generate Synapse runtime config from domain files";
before = [ "matrix-synapse.service" ]; before = [ "matrix-synapse.service" ];
after = [ "matrix-synapse-db-init.service" ]; after = [ "matrix-synapse-db-init.service" "matrix-synapse-secret-init.service" ];
requiredBy = [ "matrix-synapse.service" ]; requiredBy = [ "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
@@ -66,70 +50,50 @@ lib.mkIf config.sovran_systemsOS.services.synapse {
}; };
path = [ pkgs.coreutils ]; path = [ pkgs.coreutils ];
script = '' script = ''
set -euo pipefail
MATRIX=$(cat /var/lib/domains/matrix) MATRIX=$(cat /var/lib/domains/matrix)
RUNTIME_DIR="/run/matrix-synapse"
mkdir -p "$RUNTIME_DIR"
# Include TURN config if coturn secret exists (deployed machines) mkdir -p /run/matrix-synapse
if [ -f /var/lib/secrets/coturn_static_auth_secret ]; then
COTURN_SECRET=$(cat /var/lib/secrets/coturn_static_auth_secret)
cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
server_name: "$MATRIX"
turn_shared_secret: "$COTURN_SECRET"
turn_uris:
- "turn:$MATRIX:5349?transport=udp"
- "turn:$MATRIX:5349?transport=tcp"
EOF
else
cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
server_name: "$MATRIX"
EOF
fi
chown matrix-synapse:matrix-synapse "$RUNTIME_DIR/runtime-config.yaml" cat > /run/matrix-synapse/runtime-config.yaml <<EOF
chmod 640 "$RUNTIME_DIR/runtime-config.yaml" server_name: "$MATRIX"
public_baseurl: "https://$MATRIX"
registration_shared_secret_path: "/var/lib/matrix-synapse/registration-secret"
EOF
chown matrix-synapse:matrix-synapse /run/matrix-synapse/runtime-config.yaml
chmod 640 /run/matrix-synapse/runtime-config.yaml
''; '';
}; };
# ── Synapse service ─────────────────────────────────────────
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
extraConfigFiles = [ "/run/matrix-synapse/runtime-config.yaml" ]; extraConfigFiles = [
"/run/matrix-synapse/runtime-config.yaml"
];
settings = { settings = {
# server_name, turn_shared_secret, turn_uris injected at runtime database = {
name = "psycopg2";
args = {
host = "localhost";
database = "matrix-synapse";
user = "matrix-synapse";
};
};
push.include_content = false; push.include_content = false;
url_preview_enabled = true;
group_unread_count_by_room = false; group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite"; encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false; allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false; allow_device_name_lookup_over_federation = false;
url_preview_enabled = true;
max_upload_size = "1024M";
url_preview_ip_range_blacklist = [ url_preview_ip_range_blacklist = [
"10.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "169.254.0.0/16" "172.16.0.0/12"
"100.64.0.0/10" "192.0.0.0/24" "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24"
"169.254.0.0/16" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
"172.16.0.0/12" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
"192.0.0.0/24"
"192.0.2.0/24"
"192.168.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"198.51.100.0/24"
"2001:db8::/32"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fc00::/7"
"fe80::/10"
"fec0::/10"
"ff00::/8"
]; ];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ]; url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
presence.enabled = true; presence.enabled = true;
enable_registration = false; enable_registration = false;
registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
@@ -145,7 +109,10 @@ EOF
]; ];
}; };
}; };
systemd.services.matrix-synapse.after = [ "matrix-synapse-secret-init.service" ];
systemd.services.matrix-synapse.wants = [ "matrix-synapse-secret-init.service" ];
sovran_systemsOS.domainRequirements = [ sovran_systemsOS.domainRequirements = [
{ name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; } { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
]; ];