{ config, lib, pkgs, ... }: with lib; {
  # Host configuration for "kessel": nginx, PostgreSQL, Synapse (through the
  # custom matrix-synapse-custom module) and several Matrix bridges/bots.
  #
  # Secrets handling in this file follows two different patterns:
  #   * string paths ("/etc/nixos/secrets/...") are only read at runtime by the
  #     service and never enter the Nix store;
  #   * path literals (../secrets/...) and readFile are evaluated at build time,
  #     so their contents can end up in /nix/store (world-readable on the host
  #     and copied to any remote builder that builds this host's derivations).
  # The relevant lines are marked with NOTE(review) below.
  hardware.isServer = true;

  # Presumably configures coruscant/tatooine as remote builders for this host;
  # anything embedded into a derivation at evaluation time is shipped to them.
  nix.enableRemoteBuildOnCoruscant = true;
  nix.enableRemoteBuildOnTatooine = true;

  # Set the hostname
  networking.hostName = "kessel";
  networking.domain = "nevarro.space";

  # Root may log in over SSH with a key only; password auth for root is refused.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "prohibit-password";

  networking.interfaces.eth0.useDHCP = true;

  # Enable a lot of swap since we have enough disk. This way, if Airsonic eats
  # memory, it won't crash the box.
  swapDevices = [
    { device = "/var/swapfile"; size = 4096; }
  ];

  fileSystems = {
    "/" = { device = "/dev/disk/by-uuid/eb9f58f4-7c21-4ddc-a2e6-c9816f01e7c8"; fsType = "ext4"; };
    # Dedicated volume; services.postgresql.dataDir below lives on it.
    "/mnt/postgresql-data" = { device = "/dev/disk/by-uuid/0a948381-d1c1-430d-ad1b-0841114a00b9"; fsType = "ext4"; };
  };

  # Allow temporary redirects directly to the reverse proxy.
  # NOTE(review): this opens 8008-8015 to every source address, not only to the
  # proxy, and 8008 is Synapse's default client listener port. Confirm that
  # whatever binds in this range either requires authentication or listens on
  # loopback only, and close the range again once the redirects are gone.
  networking.firewall.allowedTCPPortRanges = [
    { from = 8008; to = 8015; }
  ];

  ############
  # Websites #
  ############
  services.nginx.enable = true;
  services.nginx.websites = [
    { hostname = "nevarro.space"; }
  ];

  ############
  # Services #
  ############
  services.grafana.enable = true;
  services.logrotate.enable = true;

  # Healthcheck
  services.healthcheck = {
    checkId = "ac320939-f60f-4675-a284-76e318080eda";
    disks = [ "/" "/mnt/postgresql-data" ];
  };

  # Heisenbridge
  services.heisenbridge = {
    enable = true;
    homeserver = "https://matrix.nevarro.space";
    identd.enable = true;
    package = pkgs.callPackage ../pkgs/heisenbridge.nix { };
  };
  systemd.services.heisenbridge = {
    before = [ "matrix-synapse.target" ]; # So the registration file can be used by Synapse
  };
  # Runtime string path: the registration file (which carries the appservice
  # tokens) is generated under /var/lib and is not copied into the Nix store.
  services.matrix-synapse-custom.appServiceConfigFiles = [
    "/var/lib/heisenbridge/registration.yml"
  ];

  # LinkedIn <-> Matrix Bridge
  # `//` is right-biased: any attribute defined in the imported secrets file
  # overrides `enable`/`homeserver` on a name collision. The imported values
  # are evaluated at build time, so they end up in the store if the module
  # writes them into a config file — presumably it does; verify.
  services.linkedin-matrix = {
    enable = true;
    homeserver = "https://matrix.nevarro.space";
  } // (import ../secrets/matrix/appservices/linkedin-matrix.nix);

  # Mjolnir
  services.mjolnir.enable = true;

  # PostgreSQL
  services.postgresql.enable = true;
  # Versioned data directory on the dedicated volume.
  services.postgresql.dataDir = "/mnt/postgresql-data/${config.services.postgresql.package.psqlSchema}";
  services.postgresqlBackup.enable = true;

  # Quotesfilebot
  services.quotesfilebot = {
    enable = true;
    homeserver = "https://matrix.nevarro.space";
    passwordFile = "/etc/nixos/secrets/matrix/bots/quotesfilebot"; # runtime path, stays out of the store
  };

  # Restic backup
  services.backup.healthcheckId = "efe08f4f-c0bb-4901-967d-b33774c18d80";
  services.backup.healthcheckPruneId = "7215d3b4-24d4-4ecf-9785-6b4161b3af28";

  # Standupbot
  services.standupbot = {
    enable = true;
    homeserver = "https://matrix.nevarro.space";
    passwordFile = "/etc/nixos/secrets/matrix/bots/standupbot"; # runtime path, stays out of the store
  };

  # Synapse
  services.matrix-synapse-custom = {
    enable = true;
    # NOTE(review): both of these are Nix path literals. If the module coerces
    # them to strings or readFile's them, the secret files are copied into
    # /nix/store; a runtime string path (as used for the bots above) avoids
    # that. Check how matrix-synapse-custom consumes these two options.
    registrationSharedSecretFile = ../secrets/matrix/registration-shared-secret/kessel;
    sharedSecretAuthFile = ../secrets/matrix/shared-secret-auth/nevarro.space;
    emailCfg = {
      smtp_host = "smtp.migadu.com";
      smtp_port = 587;
      require_transport_security = true;

      smtp_user = "matrix@nevarro.space";
      # NOTE(review): readFile runs at evaluation time, so the SMTP password is
      # embedded as plain text in whatever config the module renders from
      # emailCfg (presumably the homeserver config in /nix/store), and it is
      # shipped to the remote builders enabled above. Prefer a runtime file
      # path if the module offers one.
      smtp_pass = removeSuffix "\n" (readFile ../secrets/matrix/nevarro-smtp-pass);

      notif_from = "Nevarro %(app)s Admin <matrix@nevarro.space>";
      app_name = "Matrix";
      enable_notifs = true;
      notif_for_new_users = false;
      invite_client_location = "https://app.element.io";
    };
  };
  # Runtime path: read by the service's unit, not at evaluation time.
  services.cleanup-synapse.environmentFile = "/etc/nixos/secrets/matrix/cleanup-synapse/kessel";
}