diff --git a/.sops.yaml b/.sops.yaml
index f283a56..dd882ca 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -6,6 +6,7 @@ keys:
 - &minime age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06
 # microvms
 - &auth age1vzwz5s35w9g8ck9l5zaq5skrnl3mqzf3hsnc9w22sj4k8tu8kqfstpg2a8
+ - &conduwuit age1vd78txz0chk8sum3tceamg7u6enzcclh3vnpjswyrmarvmdmp46qdx7mqt
 - &forgejo age1gknaqevzuq7dtqalng3547w5qflk9a0kugymea5h54eg6twu43pqpkr4zt
 - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
 - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
@@ -59,3 +60,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *forgejo
+ - path_regex: hosts/conduwuit/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *conduwuit
diff --git a/flake.nix b/flake.nix
index e7ae1b4..52c4b5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,6 +64,7 @@
 let
 microvm-list = [
 "auth"
+ "conduwuit"
 "forgejo"
 "immich"
 "miniflux"
diff --git a/hosts/cloud/proxy/conduwuit.nix b/hosts/cloud/proxy/conduwuit.nix
new file mode 100644
index 0000000..323590d
--- /dev/null
+++ b/hosts/cloud/proxy/conduwuit.nix
@@ -0,0 +1,45 @@
+{ self, ... }:
+let
+ proxy-conf = ''
+ client_max_body_size 50M;
+ proxy_buffering off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Access-Control-Allow-Origin *;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+
+in
+{
+ services.nginx.upstreams.conduwuit = {
+ servers = {
+ "10.89.88.16:6167" = { };
+ "[fd31:185d:722f::16]:6167" = { };
+ };
+ };
+
+ services.nginx.virtualHosts."oxapentane.com" = {
+ locations."/_matrix/" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ locations."/_conduwuit/" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ locations."/.well-known/matrix" = {
+ proxyPass = "http://conduwuit$request_uri";
+ extraConfig = proxy-conf;
+ };
+ };
+}
diff --git a/hosts/cloud/proxy/default.nix b/hosts/cloud/proxy/default.nix
index d092b02..e233e65 100644
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@@ -5,6 +5,7 @@ in
 {
 imports = [
 ./auth.nix
+ ./conduwuit.nix
 ./dav.nix
 ./git.nix
 ./immich.nix
diff --git a/hosts/conduwuit/conduwuit.nix b/hosts/conduwuit/conduwuit.nix
new file mode 100644
index 0000000..6baafa6
--- /dev/null
+++ b/hosts/conduwuit/conduwuit.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+{
+ services.matrix-conduit = {
+ enable = true;
+ package = pkgs.conduwuit;
+ settings = {
+ global = {
+ database_backend = "rocksdb";
+ new_user_displayname_suffix = "";
+ port = 6167;
+ server_name = "oxapentane.com";
+ address = "0.0.0.0";
+ trusted_servers = [
+ "matrix.org"
+ "matrix.c3d2.de"
+ ];
+ well_known = {
+ client = "https://oxapentane.com";
+ server = "oxapentane.com:443";
+ };
+ };
+ };
+ };
+}
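Review bot: `proxy_set_header Access-Control-Allow-Origin *;` in proxy-conf sets a header on the request nginx sends to conduwuit, not on the response the browser receives, so it does nothing for CORS; the line should simply be removed, since the Matrix spec has the homeserver emit its own CORS headers and no blanket `add_header` on these locations is needed. Separately, `locations."/.well-known/matrix"` is a prefix match without a trailing slash, so it also captures paths like `/.well-known/matrixfoo`; `locations."/.well-known/matrix/"` is the intended form. Finally, `client_max_body_size 50M` only takes effect if conduwuit's request-size limit is raised to match — as far as I recall its default `max_request_size` is 20 MB, so uploads between 20 and 50 MB would pass nginx and still be rejected upstream.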
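Review bot: `address = "0.0.0.0"` binds the IPv4 wildcard only, but the nginx upstream added in hosts/cloud/proxy/conduwuit.nix in this same commit lists `[fd31:185d:722f::16]:6167` as a second server; unless conduwuit treats this value as dual-stack, that entry can never connect and nginx will keep marking it failed and retrying it. Either drop the IPv6 server from the upstream or bind both addresses here — conduwuit's own config takes a list for `address`, e.g. `address = [ "10.89.88.16" "fd31:185d:722f::16" ];`, though the NixOS `services.matrix-conduit` option may type it as a single string, so check what the module accepts. Binding the WireGuard addresses rather than the wildcard would also keep port 6167 off the `10.99.99.0/24` host-side interface, which matters because hosts/conduwuit/default.nix disables the guest firewall and leaves filtering to the host.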
diff --git a/hosts/conduwuit/default.nix b/hosts/conduwuit/default.nix
new file mode 100644
index 0000000..59beed8
--- /dev/null
+++ b/hosts/conduwuit/default.nix
@@ -0,0 +1,77 @@
+{ config, lib, ... }:
+let
+ mac = "02:00:00:00:00:06";
+in
+{
+ imports = [
+ ./conduwuit.nix
+ ];
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-proxy" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+
+ microvm = {
+ hypervisor = "qemu";
+ mem = 3 * 1024;
+ vcpu = 2;
+ interfaces = [
+ {
+ type = "tap";
+ id = "uvm-conduwuit";
+ mac = mac;
+ }
+ ];
+ shares =
+ [
+ {
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ tag = "store";
+ proto = "virtiofs";
+ socket = "store.socket";
+ }
+ ]
+ ++ map
+ (dir: {
+ source = dir;
+ mountPoint = "/${dir}";
+ tag = dir;
+ proto = "virtiofs";
+ socket = "${dir}.socket";
+ })
+ [
+ "etc"
+ "var"
+ "home"
+ ];
+ };
+
+ networking.useNetworkd = true;
+ networking.firewall.enable = lib.mkForce false; # firewalling done by the host
+
+ systemd.network = {
+ enable = true;
+ networks."11-host" = {
+ matchConfig.MACAddress = mac;
+ networkConfig = {
+ Address = "10.99.99.16/24";
+ DHCP = "no";
+ };
+ routes = [
+ {
+ Gateway = "10.99.99.1";
+ Destination = "0.0.0.0/0";
+ Metric = 1024;
+ }
+ ];
+ };
+ };
+
+ networking.hostName = "conduwuit";
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/conduwuit/secrets.yaml b/hosts/conduwuit/secrets.yaml
new file mode 100644
index 0000000..bf1f154
--- /dev/null
+++ b/hosts/conduwuit/secrets.yaml
@@ -0,0 +1,42 @@
+wg:
+ 0xa-proxy: ENC[AES256_GCM,data:e09UIAn928uOf6asUaFSg0VDoeShWGyd1c5gF0O0nwVEk/1ldVvaIyWMcwk=,iv:FS+LAI0S5XOOQO4WVpNfEUIxYHGY1YT6mITh8FpSiZU=,tag:1eM6wN98D3Bz0XlikCu5Gg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vd78txz0chk8sum3tceamg7u6enzcclh3vnpjswyrmarvmdmp46qdx7mqt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1akxzWFkzSWJYYk4raFlI
+ ZStVb1RaV1JUZFNZNlFvQUFmeWwrdDBjSFhrCmpuMmFrUWpXNkdwRThJamcrVGRD
+ NU41VkRwWEJ3TnhYMmt2UFZMemZDZ28KLS0tIDl6bzJXNkd2SjVldDltNDZWS1ZX
+ ZU9oZVVSQkwzWHE0ODNZbmtuNnRuQjAKP2zLzUDCe2aZKVzLjPloqirNyac7UcwX
+ q/hHXH/v0HPjCbjfbleEqN9g0r4RiaHVscpl/viaoIAnAlQcrtj6UQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-05T20:41:18Z"
+ mac: ENC[AES256_GCM,data:LPaVDxkZF3hlDIemauZpGngWspGzLINuhI4UIdP1+vP5gX0EBVhpZWty9wCSfJEeuU1ycKPJFAok0A3hgLbXQdjlvTxW/ba5g3hvVHEoyCXPrOPZiEK2EsFZRaM99tMOijBODVHkGhRY2O0sms0OLs+oQg6A+9fe14+dZxoUjWw=,iv:spAY8/Ghs8XhbNgKB8NQILC/qC8tBPiInnOOzfnuxZI=,tag:cLAmIvb4p0Sz2IIEk98/rg==,type:str]
+ pgp:
+ - created_at: "2025-02-05T20:40:53Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA7zUOKwzpAE7AQ/7BZQnlte11FqJkoLZWL8zZzou73zSLspXn1QJNYs0aQck
+ PhFbsuDvmyGWucvcyHTSuTUpcKMchGeClB5ebCLRzmc8FpFF149XTk+PtHx3P+W9
+ CfuokL2CX6oP6xGg4+yVOPt3fY8KzMXUcCJt7Jm9u18M9WGxAHIdfWlDCAnTC1b2
+ LnaOLeq9Azaz6QHn4DxGnNUI26HYa+fL7BzprqaSNlSoMm6A3kYttjw64oGE4Xom
+ qSgXariWdVxzjHevabj0rdMkSWM06q3B50Ug0oaaS1GChPiFDxM0ihngbKRgysfW
+ uws3FyUwWgDD2/jA4ocKlNkNOfynf252rnnDdn5AjzMsUXsPcTsJZbOLG8KCymmf
+ c8abr6fEi6TBbTAJaf2xEIL0mJHkiokYVh5gRCYSue9lGZm8n6yvIDxssJuwjBE5
+ KktSbfWBInskoIHpmqcOAzJT11sxLv5Em3leU69rtuwv8SGo+4pbifvzF6rdjx8j
+ /qLElqKJUnugyLuXnFDJeIOYZkEmUUAOflVT/yCsVUgUvb6hjwZlegDdyQ3Ph7Ic
+ PibWs01ShaC4KKrq6Yk0n1c64SP+CsiCDGuVxLMrlMbRThyJtzWgS/3h9kH6rrCo
+ 4x7q6uM1B9+L3wn+uuObtxKF4feYv3bNvPCagOl8IIXk1Af88B1KPyGTnamrAcbS
+ XgFserwnAQbEXt0hE7CQWeo1W8rw3EUptBnuVqz5Um/yaDT+flgwFx6BpNHIGz+l
+ Od8iOIC/6UCGGS+6nNnz0bprvbuc7Ltfifv16Tpwb8Gsvse3lX8okwPVBNOQUrs=
+ =/7Ff
+ -----END PGP MESSAGE-----
+ fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index a94f7e2..3b92b8d 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -63,6 +63,14 @@
 publicKey = "pXiOmI3aspl2IvdvLXLddxw76QYMRTACNm42nq+L4D0=";
 privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
 };
+ "conduwuit" = {
+ address = [
+ "10.89.88.16/24"
+ "fd31:185d:722f::16/48"
+ ];
+ publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
+ privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+ };
 };
 }
 ];