From 52276c72f19f37da6f6630c50983479959da4944 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Thu, 7 Mar 2024 11:46:26 +0000
Subject: [PATCH 1/4] alpine: prometheus: use hostnames not IPs
---
 nixos/services/prometheus.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/nixos/services/prometheus.nix b/nixos/services/prometheus.nix
index 23c10f1..dfc5ade 100644
--- a/nixos/services/prometheus.nix
+++ b/nixos/services/prometheus.nix
@@ -1,8 +1,9 @@
 {config, ...}: let
 inherit (config.services) prometheus;
 nodes = [
- "100.65.29.110"
- "100.106.241.122"
+ "alpine"
+ "fcs-tristan-nixbook"
+ "zenix"
 ];
 addPort = ip: "${ip}:${toString prometheus.exporters.node.port}";
 in {
From 7ad8d52e78893f92686424d8bc78a6d07c466078 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Thu, 21 Mar 2024 15:24:05 +0000
Subject: [PATCH 2/4] alpine: mautrix-signal
---
 flake.nix | 1 +
 nixos/services/signal.nix | 55 +++++++++++++++++++++++++++++++++++++++
 secrets/secrets.yaml | 7 +++--
 3 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 nixos/services/signal.nix
diff --git a/flake.nix b/flake.nix
index 9f5facf..8e0996b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -69,6 +69,7 @@
 ./nixos/services/grafana.nix
 ./nixos/services/synapse.nix
 ./nixos/services/whatsapp.nix
+ ./nixos/services/signal.nix
 ./nixos/services/nextcloud.nix
 ]
 [];
diff --git a/nixos/services/signal.nix b/nixos/services/signal.nix
new file mode 100644
index 0000000..3a7eeeb
--- /dev/null
+++ b/nixos/services/signal.nix
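Review bot: `addPort = ip: "${ip}:…"` still names its argument `ip` although `nodes` now holds short hostnames, so the helper reads as if it were still building from addresses; rename it, `addPort = host: "${host}:${toString prometheus.exporters.node.port}";`. Scrape targets given as unqualified names (`"alpine"`, `"zenix"`, `"fcs-tristan-nixbook"`) now depend on the search list or overlay DNS of the Prometheus host rather than on fixed addresses (the replaced 100.x addresses look like an overlay range, presumably the same network), so a change in that resolution silently moves or drops a scrape; a comment naming the expected resolver, e.g. `# short names: resolved by <overlay DNS / search domain>`, or fully-qualified names would make the dependency explicit. The `in {` body that consumes `addPort` continues outside the hunk.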
@@ -0,0 +1,55 @@
+{config, ...}: let
+ inherit (config) sops;
+ inherit (sops) templates placeholder;
+
+ toAppRegistration = {
+ port,
+ id,
+ as_token,
+ hs_token,
+ sender_localpart,
+ rate_limited ? false,
+ ...
+ } @ conf:
+ builtins.toJSON ({
+ namespaces = {
+ users = [
+ {
+ exclusive = true;
+ regex = "^@${id}_.*:tristans.cloud$";
+ }
+ {
+ exclusive = true;
+ regex = "^@${id}bot:tristans.cloud$";
+ }
+ ];
+ };
+ url = "http://localhost:${toString port}";
+ }
+ // conf);
+ port = 29328;
+in {
+ sops.secrets = {
+ "mautrix-signal/as_token" = {};
+ "mautrix-signal/hs_token" = {};
+ };
+ sops.templates = {
+ "mautrix-signal/appservice.yaml" = {
+ owner = "matrix-synapse";
+ content = toAppRegistration {
+ id = "signal";
+ port = port;
+ as_token = placeholder."mautrix-signal/as_token";
+ hs_token = placeholder."mautrix-signal/hs_token";
+ sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
+ "de.sorunome.msc2409.push_ephemeral" = true;
+ };
+ };
+ };
+
+ # mautrix-signal server currently in ansible/podman
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ templates."mautrix-signal/appservice.yaml".path
+ ];
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 0377671..19c6bb7 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
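Review bot: `rate_limited ? false` in `toAppRegistration` never reaches the registration JSON: in Nix the `@ conf` binding holds only the attributes the caller actually passed, not the pattern's defaults, so `// conf` contributes no `rate_limited` key and Synapse falls back to its own default for the bridge. Adding `inherit rate_limited;` next to `url = …` inside the base set emits the default (or the caller's value, which `// conf` still overrides). The same `// conf` also copies `port` into the registration, which is not a registration field; `// (removeAttrs conf ["port"])` keeps the file to what Synapse reads. The function is moved verbatim into nixos/services/mautrix/lib.nix in patch 3/4, where both points apply unchanged. Separately, the `.` in `tristans.cloud` inside both `regex` strings is an unescaped wildcard; `tristans\\.cloud` pins the namespace to the literal domain.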
@@ -13,6 +13,9 @@ synapse:
 mautrix-whatsapp:
 as_token: ENC[AES256_GCM,data:x1iIfwaRdSzC7wo684FY5ZCytj+uQSS2k8UZ/Sm/0gy7jnjsb6Eyl0I5tdNf7mYk2gdTtfmc+dVThOP3aGIZXQ==,iv:hvVr1MZfpLewomTW5pUhOvrQ2fEkQy4LNnfqslkeFgQ=,tag:5eUZLn5Bd2D5GWyIx9xevw==,type:str]
 hs_token: ENC[AES256_GCM,data:y8q41zg1NFco0fs7Q/yZVIPCdrUsB8/CRiffBpAVWsH0vCCHQvBs6VUGZmZwJVySkxSfFqBdCc/TF38SPwhxCg==,iv:sJ0cldlCTpGRMYT0u9ZGFVI70m3VBCZqn/l4cwUDyAI=,tag:D0QE2TQxLNnEv6/ECCLnRw==,type:str]
+mautrix-signal:
+ as_token: ENC[AES256_GCM,data:wu9ohlIUn6dBYxa7jZzG9DRVRrBCnmXsc7txntF6U6eW6rpe/bvKWDR5/db1ZtMxAv/MZrTephJ81yqtr8aDsw==,iv:L+Pj1Mg5SlaKs0kb68qPzJX1FI7mV8boh4OonfWBy8o=,tag:J6F3CP5OJbyPBr5iVWhg0w==,type:str]
+ hs_token: ENC[AES256_GCM,data:8OAHb5+k7uRW5EtjrNiTFjG1lf3txePHjpVYaDtJ1MfbtU8jN/T50PENPwFHR9iJSh2Zma7PGgFjwlWHGQEW8A==,iv:YoHj7qGYVA8C8HL8XLcarHwkVrdc7dQHecYF0yxvqwM=,tag:3y/K1iztmWrWR34/3vjopA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -28,8 +31,8 @@ sops:
 NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
 A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-26T19:50:48Z"
- mac: ENC[AES256_GCM,data:ZmySnwEMEStfSWgKbw7eVULLkYdpH4d4RMV0mDlfE0dXdF8eOtjfBK/NyLCP84VMIWJWFzc/KihOuSWEpzjtoZVJAHi/c/sh87OpigjG4X3RFIJFV7IhKyielyhd5SInQV/yMa0IOPN5MnK40h59+ofRlVZ2371PdYkns6EVUoo=,iv:1PMwsRz78iMCs6QJfnfCUXCofOonEl+je/6e/4GZW+g=,tag:FOqWXMkWOf4C6VhV7ODwMg==,type:str]
+ lastmodified: "2024-03-21T14:39:41Z"
+ mac: ENC[AES256_GCM,data:iLzMUM/1bttEAQwMWE7SoT/3vWRKTV2d+k/oPv42cD/4nB/SgZaYgrScK7/A9go7nWwumWmpOfOWl0fK3Fj/AcKUZtgIhpWqpbd+CHfh68gEjddK2QDSPZHJ83NtK9e+OpQ/pYlon36hGtxdjbEGV0wpJduzF5NHwcmqAUZ0DC8=,iv:U0MZsZ9IAGb0P5YbWCn8VJc/rX6RXimT347m+JYF5dY=,tag:YFXldsF5o6itzjcFMc0AKQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
From 140a50310e6a087cf4ab51aa6a3394db4fb1d415 Mon Sep 17 00:00:00 2001
From: Tristan
Date: Sun, 28 Apr 2024 11:35:37 +0100
Subject: [PATCH 3/4] alpine: refactor mautrix
---
 flake.nix | 4 +--
 nixos/services/mautrix/instagram.nix | 29 ++++++++++++++++++++++
 nixos/services/mautrix/lib.nix | 27 ++++++++++++++++++++
 nixos/services/{ => mautrix}/signal.nix | 30 ++---------------------
 nixos/services/{ => mautrix}/whatsapp.nix | 27 +-------------------
 secrets/secrets.yaml | 7 ++++--
 6 files changed, 66 insertions(+), 58 deletions(-)
 create mode 100644 nixos/services/mautrix/instagram.nix
 create mode 100644 nixos/services/mautrix/lib.nix
 rename nixos/services/{ => mautrix}/signal.nix (57%)
 rename nixos/services/{ => mautrix}/whatsapp.nix (75%)
diff --git a/flake.nix b/flake.nix
index 8e0996b..e19b321 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,8 +68,8 @@
 ./nixos/services/prometheus.nix
 ./nixos/services/grafana.nix
 ./nixos/services/synapse.nix
- ./nixos/services/whatsapp.nix
- ./nixos/services/signal.nix
+ ./nixos/services/mautrix/whatsapp.nix
+ ./nixos/services/mautrix/signal.nix
 ./nixos/services/nextcloud.nix
 ]
 [];
diff --git a/nixos/services/mautrix/instagram.nix b/nixos/services/mautrix/instagram.nix
new file mode 100644
index 0000000..763cacb
--- /dev/null
+++ b/nixos/services/mautrix/instagram.nix
@@ -0,0 +1,29 @@
+{config, ...}: let
+ inherit (config) sops;
+ inherit (sops) templates placeholder;
+ inherit (import ./lib.nix) toAppRegistration;
+in {
+ sops.secrets = {
+ "mautrix-instagram/as_token" = {};
+ "mautrix-instagram/hs_token" = {};
+ };
+ sops.templates = {
+ "mautrix-instagram/appservice.yaml" = {
+ owner = "matrix-synapse";
+ content = toAppRegistration {
+ id = "instagram";
+ port = 29328;
+ as_token = placeholder."mautrix-instagram/as_token";
+ hs_token = placeholder."mautrix-instagram/hs_token";
+ sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
+ "de.sorunome.msc2409.push_ephemeral" = true;
+ };
+ };
+ };
+
+ # mautrix-instagram server currently in ansible/podman
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ templates."mautrix-instagram/appservice.yaml".path
+ ];
+}
diff --git a/nixos/services/mautrix/lib.nix b/nixos/services/mautrix/lib.nix
new file mode 100644
index 0000000..268b6d2
--- /dev/null
+++ b/nixos/services/mautrix/lib.nix
@@ -0,0 +1,27 @@
+{
+ toAppRegistration = {
+ port,
+ id,
+ as_token,
+ hs_token,
+ sender_localpart,
+ rate_limited ? false,
+ ...
+ } @ conf:
+ builtins.toJSON ({
+ namespaces = {
+ users = [
+ {
+ exclusive = true;
+ regex = "^@${id}_.*:tristans.cloud$";
+ }
+ {
+ exclusive = true;
+ regex = "^@${id}bot:tristans.cloud$";
+ }
+ ];
+ };
+ url = "http://localhost:${toString port}";
+ }
+ // conf);
+}
diff --git a/nixos/services/signal.nix b/nixos/services/mautrix/signal.nix
similarity index 57%
rename from nixos/services/signal.nix
rename to nixos/services/mautrix/signal.nix
index 3a7eeeb..b6f1194 100644
--- a/nixos/services/signal.nix
+++ b/nixos/services/mautrix/signal.nix
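Review bot: instagram.nix registers its bridge with `port = 29328;`, the same port the signal module in this patch inlines, so both appservice registrations would carry `url = "http://localhost:29328"` and Synapse would push one bridge's namespace traffic to whichever process holds that port; the Instagram bridge needs its own port. `sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";` is likewise copied from signal.nix, so the two appservices would share one sender user on the homeserver; each registration should carry a distinct `sender_localpart`. This file is not added to flake.nix in this patch (only the whatsapp and signal modules are imported there), so as committed it is inert; a comment saying so, `# not yet imported in flake.nix`, or the import would avoid the appearance of a configured bridge.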
@@ -1,33 +1,7 @@
 {config, ...}: let
 inherit (config) sops;
 inherit (sops) templates placeholder;
-
- toAppRegistration = {
- port,
- id,
- as_token,
- hs_token,
- sender_localpart,
- rate_limited ? false,
- ...
- } @ conf:
- builtins.toJSON ({
- namespaces = {
- users = [
- {
- exclusive = true;
- regex = "^@${id}_.*:tristans.cloud$";
- }
- {
- exclusive = true;
- regex = "^@${id}bot:tristans.cloud$";
- }
- ];
- };
- url = "http://localhost:${toString port}";
- }
- // conf);
- port = 29328;
+ inherit (import ./lib.nix) toAppRegistration;
 in {
 sops.secrets = {
 "mautrix-signal/as_token" = {};
@@ -38,7 +12,7 @@ in {
 owner = "matrix-synapse";
 content = toAppRegistration {
 id = "signal";
- port = port;
+ port = 29328;
 as_token = placeholder."mautrix-signal/as_token";
 hs_token = placeholder."mautrix-signal/hs_token";
 sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
diff --git a/nixos/services/whatsapp.nix b/nixos/services/mautrix/whatsapp.nix
similarity index 75%
rename from nixos/services/whatsapp.nix
rename to nixos/services/mautrix/whatsapp.nix
index e6fceb1..67b9a5e 100644
--- a/nixos/services/whatsapp.nix
+++ b/nixos/services/mautrix/whatsapp.nix
@@ -1,32 +1,7 @@
 {config, ...}: let
 inherit (config) sops;
 inherit (sops) templates placeholder;
-
- toAppRegistration = {
- port,
- id,
- as_token,
- hs_token,
- sender_localpart,
- rate_limited ? false,
- ...
- } @ conf:
- builtins.toJSON ({
- namespaces = {
- users = [
- {
- exclusive = true;
- regex = "^@${id}_.*:tristans.cloud$";
- }
- {
- exclusive = true;
- regex = "^@${id}bot:tristans.cloud$";
- }
- ];
- };
- url = "http://localhost:${toString port}";
- }
- // conf);
+ inherit (import ./lib.nix) toAppRegistration;
 in {
 sops.secrets = {
 "mautrix-whatsapp/as_token" = {};
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 19c6bb7..e336487 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -16,6 +16,9 @@ mautrix-whatsapp:
 mautrix-signal:
 as_token: ENC[AES256_GCM,data:wu9ohlIUn6dBYxa7jZzG9DRVRrBCnmXsc7txntF6U6eW6rpe/bvKWDR5/db1ZtMxAv/MZrTephJ81yqtr8aDsw==,iv:L+Pj1Mg5SlaKs0kb68qPzJX1FI7mV8boh4OonfWBy8o=,tag:J6F3CP5OJbyPBr5iVWhg0w==,type:str]
 hs_token: ENC[AES256_GCM,data:8OAHb5+k7uRW5EtjrNiTFjG1lf3txePHjpVYaDtJ1MfbtU8jN/T50PENPwFHR9iJSh2Zma7PGgFjwlWHGQEW8A==,iv:YoHj7qGYVA8C8HL8XLcarHwkVrdc7dQHecYF0yxvqwM=,tag:3y/K1iztmWrWR34/3vjopA==,type:str]
+mautrix-instagram:
+ as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str]
+ hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -31,8 +34,8 @@ sops:
 NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
 A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-21T14:39:41Z"
- mac: ENC[AES256_GCM,data:iLzMUM/1bttEAQwMWE7SoT/3vWRKTV2d+k/oPv42cD/4nB/SgZaYgrScK7/A9go7nWwumWmpOfOWl0fK3Fj/AcKUZtgIhpWqpbd+CHfh68gEjddK2QDSPZHJ83NtK9e+OpQ/pYlon36hGtxdjbEGV0wpJduzF5NHwcmqAUZ0DC8=,iv:U0MZsZ9IAGb0P5YbWCn8VJc/rX6RXimT347m+JYF5dY=,tag:YFXldsF5o6itzjcFMc0AKQ==,type:str]
+ lastmodified: "2024-03-23T23:24:16Z"
+ mac: ENC[AES256_GCM,data:bs8t7nH5BdIz4uQd33M2pt+AVhqfBEJy9l8AFl8p80GLAMg5zKlDWxtVCPrWk8viJvfMkhvwEovBizoy3m7gt8iWLf+dtznBjALtUXVAc/+dmACUS8E9JHHKcvOHxT/cYCuU3t6pDJWlbfnpBtKSSHH8Z/YblYMlkeoNeNOoAwU=,iv:9fKO44c5TNMBgHqcuV6Fu+GW8TjND+32KDEerawpZL4=,tag:Ps8kelq+8iY88mdqugRTMg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
From c1d50bba476063847f4bd29f9e116f4b5b85f89f Mon Sep 17 00:00:00 2001
From: Tristan
Date: Sun, 28 Apr 2024 11:47:59 +0100
Subject: [PATCH 4/4] alpine: add ntfy
---
 flake.nix | 1 +
 hardware/alpine.nix | 8 --------
 nixos/services/ntfy.nix | 19 +++++++++++++++++++
 3 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 nixos/services/ntfy.nix
diff --git a/flake.nix b/flake.nix
index e19b321..f6cc159 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 ./nixos/services/mautrix/whatsapp.nix
 ./nixos/services/mautrix/signal.nix
 ./nixos/services/nextcloud.nix
+ ./nixos/services/ntfy.nix
 ]
 [];
 vm-sway =
diff --git a/hardware/alpine.nix b/hardware/alpine.nix
index 7babbd0..29a68ee 100644
--- a/hardware/alpine.nix
+++ b/hardware/alpine.nix
@@ -140,14 +140,6 @@ in {
 enableACME = true;
 root = "/srv/www/tristans.cloud";
 };
- "*.thebeanbakery.xyz" = {
- globalRedirect = "thebeanbakery.xyz";
- };
- "thebeanbakery.xyz" = {
- forceSSL = true;
- enableACME = true;
- root = "/srv/www/thebeanbakery.xyz";
- };
 "auth.tristans.cloud" = {
 forceSSL = true;
 enableACME = true;
diff --git a/nixos/services/ntfy.nix b/nixos/services/ntfy.nix
new file mode 100644
index 0000000..6eaf84d
--- /dev/null
+++ b/nixos/services/ntfy.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+let
+ domain = "up.${config.networking.domain}";
+ port = 8080;
+in
+{
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://${domain}";
+ listen-http = ":${toString port}";
+ };
+ };
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."~".proxyPass = "http://localhost:${toString port}";
+ };
+}
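Review bot: `listen-http = ":${toString port}"` makes ntfy bind port 8080 on every interface, so the service stays reachable over plain HTTP beside the TLS/ACME front end unless a host firewall blocks it (none is visible in this patch); binding to loopback, `listen-http = "127.0.0.1:${toString port}";`, matches the `proxyPass` target and closes the bypass. Once every request arrives from 127.0.0.1, ntfy's per-visitor rate limiting presumably sees a single client unless `behind-proxy = true;` is set in `settings` so it uses the forwarded address instead. ntfy also serves subscriptions over WebSocket, which `locations."~"` with only `proxyPass` does not upgrade; `proxyWebsockets = true;` next to `proxyPass` covers that. With no `auth-file`/`auth-default-access` in `settings`, any client can publish and subscribe to any topic on this host — that is ntfy's default, but it deserves a comment if intended for a public `up.` domain.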