From 4dc516722bec6cb039b91dc4bce3e2fe7866b963 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 22 May 2021 21:48:13 +0000
Subject: [PATCH] ops/nixos: add bvm-matrix
---
 ops/nixos/bvm-matrix/default.nix | 125 ++++++++++++++++++
 ops/nixos/default.nix | 1 +
 ops/nixos/installcd/default.nix | 2 +-
 .../coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa | 4 +-
 .../coredns/zones/db.28.118.92.in-addr.arpa | 4 +-
 ops/nixos/lib/coredns/zones/db.as205479.net | 5 +-
 6 files changed, 136 insertions(+), 5 deletions(-)
 create mode 100644 ops/nixos/bvm-matrix/default.nix
diff --git a/ops/nixos/bvm-matrix/default.nix b/ops/nixos/bvm-matrix/default.nix
new file mode 100644
index 0000000000..9cc9a6f886
--- /dev/null
+++ b/ops/nixos/bvm-matrix/default.nix
@@ -0,0 +1,125 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ config, depot, pkgs, lib, ... }:
+let
+ inherit (depot.ops) secrets;
+ machineSecrets = secrets.machineSpecific.bvm-matrix;
+in {
+ imports = [
+ ../lib/bvm.nix
+ ];
+
+ # Networking!
+ networking = {
+ hostName = "bvm-matrix";
+ hostId = "1c2786ad";
+
+ interfaces.enp1s0 = {
+ ipv4.addresses = [{ address = "10.100.0.205"; prefixLength = 23; }];
+ };
+ interfaces.enp6s0 = {
+ ipv4.addresses = [{ address = "92.118.28.6"; prefixLength = 24; }];
+ ipv6.addresses = [{ address = "2a09:a441::6"; prefixLength = 32; }];
+ };
+ defaultGateway = { address = "92.118.28.1"; interface = "enp6s0"; };
+ defaultGateway6 = { address = "2a09:a441::1"; interface = "enp6s0"; };
+
+ firewall.allowedUDPPorts = [
+ 3478 # TURN
+ ];
+ firewall.allowedTCPPorts = [
+ 80 443 # HTTP/S
+ 3478 # TURN
+ ];
+ };
+ #my.ip.tailscale = "100.86.22.44";
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "matrix-synapse" ];
+ ensureUsers = [{
+ name = "matrix-synapse";
+ ensurePermissions = {
+ "DATABASE matrix-synapse" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ realm = "matrix.zxcvbnm.ninja";
+ static-auth-secret = machineSecrets.turnSecret;
+ cert = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/fullchain.pem";
+ pkey = "${config.security.acme.certs."matrix.zxcvbnm.ninja".directory}/key.pem";
+ };
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "zxcvbnm.ninja" = {
+ forceSSL = true;
+ useACMEHost = "matrix.zxcvbnm.ninja";
+ locations = let
+ inherit (lib) mapAttrs' nameValuePair;
+ wellKnown = {
+ "matrix/server" = { "m.server" = "matrix.zxcvbnm.ninja:443"; };
+ "matrix/client" = {
+ "m.homeserver" = { "base_url" = "https://matrix.zxcvbnm.ninja"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + }; + in + mapAttrs' (name: value: nameValuePair "= /.well-known/${name}" { extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON value}'; + ''; }) wellKnown; + }; + "matrix.zxcvbnm.ninja" = { + forceSSL = true; + useACMEHost = "matrix.zxcvbnm.ninja"; + locations."/".return = "301 https://element.zxcvbnm.ninja$request_uri"; + locations."/_matrix".proxyPass = "http://[::1]:8008"; + }; + }; + }; + services.matrix-synapse = { + enable = true; + server_name = "zxcvbnm.ninja"; + listeners = [{ + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [{ + names = [ "client" "federation" ]; + compress = false; + }]; + }]; + }; + + # Users allowed to use SSL certificate for matrix.zxcvbnm.ninja. + users.groups.matrixcert = { + members = [ "turnserver" "nginx" ]; + }; + + security.acme = { + acceptTerms = true; + email = "letsencrypt@lukegb.com"; + certs."matrix.zxcvbnm.ninja" = { + group = "matrixcert"; + dnsProvider = "cloudflare"; + credentialsFile = secrets.cloudflareCredentials; + extraDomainNames = [ "element.zxcvbnm.ninja" "zxcvbnm.ninja" ]; + }; + }; + + system.stateVersion = "21.05"; +} diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix index 617d2e6afd..af997c5a5e 100644 --- a/ops/nixos/default.nix +++ b/ops/nixos/default.nix @@ -38,6 +38,7 @@ let "bvm-twitterchiver" "bvm-prosody" "bvm-ipfs" + "bvm-matrix" ]; rebuilder = system: (import ./lib/rebuilder.nix (args // { system = system; })); systemCfgs = lib.genAttrs systems diff --git a/ops/nixos/installcd/default.nix b/ops/nixos/installcd/default.nix index 76eefbccba..0a4e981457 100644 --- a/ops/nixos/installcd/default.nix +++ b/ops/nixos/installcd/default.nix 
@@ -13,7 +13,7 @@ in { isoImage.isoName = lib.mkForce "nixos-${depot.version}-${pkgs.stdenv.hostPlatform.system}.iso"; isoImage.storeContents = [ - depot.ops.nixos.systems.howl + depot.ops.nixos.systems.bvm-matrix ]; system.stateVersion = "21.05"; diff --git a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa index e7cd918d46..86d98715be 100644 --- a/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa +++ b/ops/nixos/lib/coredns/zones/db.1.4.4.a.9.0.a.2.ip6.arpa @@ -3,13 +3,15 @@ ; SPDX-License-Identifier: Apache-2.0 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL -@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 7 600 450 3600 300 +@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 8 600 450 3600 300 $INCLUDE tmpl.ns 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-korobi.public.as205479.net. 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-prosody.public.as205479.net. 4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-ipfs.public.as205479.net. +5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-nixosmgmt.public.as205479.net. +6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR bvm-matrix.public.as205479.net. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR gw.public.as205479.net. e.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-paris.public.as205479.net. f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 3600 IN PTR blade-tuvok.public.as205479.net. diff --git a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa index 141f38936c..933ceafd55 100644 --- a/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa +++ b/ops/nixos/lib/coredns/zones/db.28.118.92.in-addr.arpa 
@@ -3,7 +3,7 @@ ; SPDX-License-Identifier: Apache-2.0 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL -@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 7 600 450 3600 300 +@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 8 600 450 3600 300 $INCLUDE tmpl.ns @@ -13,7 +13,7 @@ $INCLUDE tmpl.ns 3 600 IN PTR bvm-prosody.public.as205479.net. 4 600 IN PTR bvm-ipfs.public.as205479.net. 5 600 IN PTR bvm-nixosmgmt.public.as205479.net. -6 600 IN PTR 92-118-28-6.ptr.as205479.net. +6 600 IN PTR bvm-matrix.public.as205479.net. 7 600 IN PTR 92-118-28-7.ptr.as205479.net. 8 600 IN PTR 92-118-28-8.ptr.as205479.net. 9 600 IN PTR 92-118-28-9.ptr.as205479.net. diff --git a/ops/nixos/lib/coredns/zones/db.as205479.net b/ops/nixos/lib/coredns/zones/db.as205479.net index 1676481dab..8111049984 100644 --- a/ops/nixos/lib/coredns/zones/db.as205479.net +++ b/ops/nixos/lib/coredns/zones/db.as205479.net @@ -3,7 +3,7 @@ ; SPDX-License-Identifier: Apache-2.0 ; MNAME RNAME SERIAL REFRESH RETRY EXPIRE TTL -@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 18 600 450 3600 300 +@ 600 IN SOA frantech-lux01.as205479.net. hostmaster.lukegb.com. 19 600 450 3600 300 ; NB: this are also glue records in Google Domains. $INCLUDE tmpl.ns @@ -103,6 +103,7 @@ bvm-twitterchiver.blade 3600 IN A 10.100.0.201 bvm-prosody.blade 3600 IN A 10.100.0.202 bvm-ipfs.blade 3600 IN A 10.100.0.203 bvm-win10.blade 3600 IN A 10.100.0.204 +bvm-matrix.blade 3600 IN A 10.100.0.205 ; services ; ceph-mon: blade-tuvok, blade-janeway, blade-paris @@ -129,6 +130,8 @@ bvm-ipfs.public 3600 IN A 92.118.28.4 bvm-ipfs.public 3600 IN AAAA 2a09:a441::4 bvm-nixosmgmt.public 3600 IN A 92.118.28.5 bvm-nixosmgmt.public 3600 IN AAAA 2a09:a441::5 +bvm-matrix.public 3600 IN A 92.118.28.6 +bvm-matrix.public 3600 IN AAAA 2a09:a441::6 92-118-28-0.ptr 6000 IN A 92.118.28.0 92-118-28-1.ptr 6000 IN A 92.118.28.1