diff --git a/.sops.yaml b/.sops.yaml index 8b42227..37d749d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,7 +4,8 @@ # for a more complex example. keys: - &admin_swarsel 4BE7925262289B476DBBC17B76FD3810215AE097 - - &server_nixos age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 + - &server_sandbox age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 + - &server_nixos age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej @@ -26,6 +27,7 @@ creation_rules: - *admin_swarsel age: - *server_nixos + - *server_sandbox - *server_surface - *server_stand - *server_fourside @@ -36,10 +38,17 @@ creation_rules: - *admin_swarsel age: - *server_nixos + - *server_sandbox - *server_surface - *server_stand - *server_fourside - *server_transmiss + - path_regex: secrets/server/winters/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *admin_swarsel + age: + - *server_nixos - path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: diff --git a/SwarselSystems.org b/SwarselSystems.org index aba7a72..2078051 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
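Review bot: Re-binding the existing age key (`age1zdjm8…`) from `&server_nixos` to `&server_sandbox` and giving `server_nixos` a fresh key only affects future encryptions; every file already encrypted under the rules below still carries the old recipient set, so `sops updatekeys` has to be run on each of them before the rekeyed nixos host can decrypt anything. Because the old key stays a recipient under the sandbox name and is added to both existing rules, the sandbox keeps access to everything the old nixos host could read; if the rotation was prompted by that key possibly being exposed, this defeats it, so consider a dedicated sandbox key and a narrower rule. A comment on the anchor, e.g. `# former server_nixos host key, now used by the sandbox host`, would record why the two anchors swapped.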
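Review bot: sops applies the first `creation_rules` entry whose `path_regex` matches, and the new `secrets/server/winters/…` rule sits after the existing server rules whose regexes are outside this hunk; if any of them matches paths under `secrets/server/` in general, the winters rule is never reached and those files get the broad recipient set instead of only `admin_swarsel` and `server_nixos`. Move the rule above the broader ones (or anchor the earlier regexes so they cannot match the `winters/` subdirectory) and confirm on a test file that only the two intended recipients appear in its `sops.age`/`sops.pgp` metadata.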
@@ -6575,36 +6575,39 @@ Also, the system state version is set here. No need to touch it. **** NGINX #+begin_src nix :tangle profiles/server/common/nginx.nix -{ pkgs, config, ... }: -{ - environment.systemPackages = with pkgs; [ - lego - ]; - sops = { - secrets.dnstokenfull = { owner = "acme"; }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; + { pkgs, config, ... }: + { + environment.systemPackages = with pkgs; [ + lego + ]; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; + users.users.acme = {}; - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - # virtualHosts are defined in the respective sections - }; + sops = { + secrets.dnstokenfull = { owner = "acme"; }; + templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + }; -} + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + # virtualHosts are defined in the respective sections + }; + + } #+end_src **** ssh @@ -6616,6 +6619,9 @@ Also, the system state version is set here. No need to touch it. enable = true; settings.PermitRootLogin = "yes"; }; + users.users.swarsel.openssh.authorizedKeys.keyFiles = [ + ../../../secrets/keys/authorized_keys + ]; users.users.root.openssh.authorizedKeys.keyFiles = [ ../../../secrets/keys/authorized_keys ]; 
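Review bot: The new `users.users.acme = {};` declares the user with neither `isSystemUser` nor `isNormalUser`, which NixOS rejects with its "exactly one of isSystemUser and isNormalUser" assertion on any host that imports this profile without declaring an ACME certificate (the acme module appears to define the user itself only once a cert exists, which is presumably why the declaration was added for the sops secret owned by `acme`). Declaring it as `users.users.acme = { isSystemUser = true; group = "acme"; };` together with `users.groups.acme = { };` keeps the owner resolvable and merges cleanly with the acme module's own definition. Record the reason inline, e.g. `# the acme user must exist at eval time because the sops secret below is owned by it`.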
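Review bot: The added `users.users.swarsel.openssh.authorizedKeys.keyFiles` points at the same `authorized_keys` file as the root entry right below it, so every key ever granted to the user is automatically a root login key, and with `settings.PermitRootLogin = "yes"` left in place the separate user account provides no privilege boundary. Now that `swarsel` can log in with these keys, prefer removing the root `keyFiles` entry and setting `settings.PermitRootLogin = "prohibit-password";` (or `"no"` with sudo), or at least split the file into per-role key lists. Note also that `keyFiles` are copied into the world-readable Nix store, so `secrets/keys/` must only ever hold public keys.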
@@ -6650,7 +6656,7 @@ Also, the system state version is set here. No need to touch it. acmeRoot = null; locations = { "/" = { - proxyPass = "http://192.168.1.22:8080"; + proxyPass = "http://192.168.1.2:8080"; extraConfig = '' client_max_body_size 0; ''; @@ -6687,7 +6693,7 @@ Also, the system state version is set here. No need to touch it. services.jellyfin = { enable = true; user = "jellyfin"; - # openFirewall = true; # this works only for the default ports + openFirewall = true; # this works only for the default ports }; services.nginx = { @@ -6698,7 +6704,7 @@ Also, the system state version is set here. No need to touch it. acmeRoot = null; locations = { "/" = { - proxyPass = "http://192.168.1.16:8096"; + proxyPass = "http://192.168.1.2:8096"; extraConfig = '' client_max_body_size 0; ''; 
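Review bot: `openFirewall = true;` exposes Jellyfin's backend directly on every interface, and in the NixOS module that covers the UDP autodiscovery ports as well as TCP 8096/8920, so the plain-HTTP listener that nginx fronts with `forceSSL` becomes reachable from the LAN without TLS or the proxy. If the port is opened because the proxy runs on another host (the `proxyPass` target is `192.168.1.2`, not localhost), scope it to that path instead, e.g. `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 8096 ];` or a source-restricted `networking.firewall.extraCommands` rule, and leave the discovery ports closed. A comment naming which host needs to reach 8096 would make the intent auditable.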
@@ -6715,82 +6721,83 @@ Also, the system state version is set here. No need to touch it. **** navidrome #+begin_src nix :tangle profiles/server/common/navidrome.nix -{ pkgs, lib, config, ... }: -{ - config = lib.mkIf config.swarselsystems.server.navidrome { - environment.systemPackages = with pkgs; [ - pciutils - alsa-utils - mpv - ]; - - users = { - groups = { - navidrome = { - gid = 61593; - }; - }; + { pkgs, lib, config, ... }: + { + config = lib.mkIf config.swarselsystems.server.navidrome { + environment.systemPackages = with pkgs; [ + pciutils + alsa-utils + mpv + ]; users = { - navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; + groups = { + navidrome = { + gid = 61593; + }; + }; + + users = { + navidrome = { + isSystemUser = true; + uid = 61593; + group = "navidrome"; + extraGroups = [ "audio" "utmp" ]; + }; }; }; - }; - hardware.enableAllFirmware = true; + hardware.enableAllFirmware = true; - services.navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4040; - MusicFolder = "/media"; - EnableSharing = true; - EnableTranscodingConfig = true; - Scanner.GroupAlbumReleases = true; - ScanSchedule = "@every 1d"; - # Insert these values locally as sops-nix does not work for them - # LastFM.ApiKey = TEMPLATE; - # LastFM.Secret = TEMPLATE; - # Spotify.ID = TEMPLATE; - # Spotify.Secret = TEMPLATE; - UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; - UIWelcomeMessage = "~SwarselSound~"; + services.navidrome = { + enable = true; + openFirewall = true; + settings = { + Address = "0.0.0.0"; + Port = 4040; + MusicFolder = "/media"; + EnableSharing = true; + EnableTranscodingConfig = true; + Scanner.GroupAlbumReleases = true; + ScanSchedule = "@every 1d"; + # Insert these values locally as sops-nix does not work for them + # LastFM.ApiKey = TEMPLATE; + # LastFM.Secret = TEMPLATE; + # Spotify.ID = TEMPLATE; + # Spotify.Secret = TEMPLATE; + UILoginBackgroundUrl = 
"https://i.imgur.com/OMLxi7l.png"; + UIWelcomeMessage = "~SwarselSound~"; + }; }; - }; - services.nginx = { - virtualHosts = { - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://192.168.1.13:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + services.nginx = { + virtualHosts = { + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://192.168.1.2:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; }; }; }; }; }; - }; -} + } #+end_src **** spotifyd 
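Review bot: `openFirewall = true;` combined with `Address = "0.0.0.0"` makes the Navidrome HTTP listener on 4040 reachable from any interface, so logins and session cookies for `sound.swarsel.win` can bypass the `forceSSL` vhost and travel the LAN in plaintext; if only the nginx host (`192.168.1.2` per the `proxyPass`) needs it, scope the rule with `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 4040 ];` or bind `Address` to the LAN address the proxy uses. On the "sops-nix does not work for them" comment: recent NixOS modules offer `services.navidrome.environmentFile`, through which `ND_LASTFM_APIKEY`, `ND_LASTFM_SECRET`, `ND_SPOTIFY_ID` and `ND_SPOTIFY_SECRET` can come from a sops-nix template instead of being hand-inserted into the config, so that note may no longer hold for the module version in use.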
@@ -6886,279 +6893,281 @@ Also, the system state version is set here. No need to touch it. **** matrix #+begin_src nix :tangle profiles/server/common/matrix.nix -{ config, lib, pkgs, modulesPath, sops, ... }: -let - matrixDomain = "swatrix.swarsel.win"; -in -{ + { config, lib, pkgs, modulesPath, sops, ... }: + let + matrixDomain = "swatrix.swarsel.win"; + in + { - config = lib.mkIf config.swarselsystems.server.matrix { - environment.systemPackages = with pkgs; [ - matrix-synapse - lottieconverter - ffmpeg - ]; - - sops = { - secrets = { - matrixsharedsecret = { owner = "matrix-synapse"; }; - mautrixtelegram_as = { owner = "matrix-synapse"; }; - mautrixtelegram_hs = { owner = "matrix-synapse"; }; - mautrixtelegram_api_id = { owner = "matrix-synapse"; }; - mautrixtelegram_api_hash = { owner = "matrix-synapse"; }; - }; - templates = { - "matrix_user_register.sh".content = '' - register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - ''; - matrixshared = { - owner = "matrix-synapse"; - content = '' - registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - ''; - }; - mautrixtelegram = { - owner = "matrix-synapse"; - content = '' - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - ''; - }; - }; - }; - - services.postgresql = { - enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE 
template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - }; - - services.matrix-synapse = { - enable = true; - settings = { - app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - server_name = matrixDomain; - public_baseurl = "https://${matrixDomain}"; - listeners = [ - { - port = 8008; - bind_addresses = [ "0.0.0.0" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - extraConfigFiles = [ - config.sops.templates.matrixshared.path + config = lib.mkIf config.swarselsystems.server.matrix { + environment.systemPackages = with pkgs; [ + matrix-synapse + lottieconverter + ffmpeg ]; - }; - services.mautrix-telegram = { - enable = true; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; + sops = { + secrets = { + matrixsharedsecret = { owner = "matrix-synapse"; }; + mautrixtelegram_as = { owner = "matrix-synapse"; }; + mautrixtelegram_hs = { owner = "matrix-synapse"; }; + mautrixtelegram_api_id = { owner = "matrix-synapse"; }; + mautrixtelegram_api_hash = { owner = "matrix-synapse"; }; }; - appservice = { - address = "http://localhost:29317"; - hostname = "0.0.0.0"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - 
enabled = false; + templates = { + "matrix_user_register.sh".content = '' + register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 + ''; + matrixshared = { + owner = "matrix-synapse"; + content = '' + registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + ''; + }; + mautrixtelegram = { + owner = "matrix-synapse"; + content = '' + MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + ''; }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; }; - bridge = { - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - sync_create_limit = 0; - sync_direct_chats = true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; + }; + + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + 
}; + + services.matrix-synapse = { + enable = true; + settings = { + app_service_config_files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-synapse/whatsapp-registration.yaml" + "/var/lib/matrix-synapse/signal-registration.yaml" + "/var/lib/matrix-synapse/doublepuppet.yaml" + ]; + server_name = matrixDomain; + public_baseurl = "https://${matrixDomain}"; + listeners = [ + { + port = 8008; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + extraConfigFiles = [ + config.sops.templates.matrixshared.path + ]; + }; + + services.mautrix-telegram = { + enable = true; + environmentFile = config.sops.templates.mautrixtelegram.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; }; - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported + appservice = { + address = "http://localhost:29317"; + hostname = "0.0.0.0"; + port = "29317"; + provisioning.enabled = true; + id = "telegram"; + # ephemeral_events = true; # not needed due to double puppeting + public = { + enabled = false; + }; + database = "postgresql:///mautrix-telegram?host=/run/postgresql"; + }; + bridge = { + relaybot.authless_portals = true; + allow_avatar_remove = true; + allow_contact_info = true; + sync_channel_members = true; + startup_sync = true; + sync_create_limit = 0; + sync_direct_chats = true; + telegram_link_preview = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + animated_sticker = { + target = "gif"; + args = { + width = 256; + height = 256; + fps = 30; # only for webm + background = "020202"; # only for gif, transparency not supported + }; + }; + }; + }; + }; + systemd.services.mautrix-telegram.path = with pkgs; [ + 
lottieconverter # for animated stickers conversion, unfree package + ffmpeg # if converting animated stickers to webm (very slow!) + ]; + + services.mautrix-whatsapp = { + enable = true; + registerToSynapse = true; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address = "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .FullName .PushName .JID}} (WA)"; + history_sync = { + backfill = true; + max_initial_conversations = -1; + message_count = -1; + request_full_sync = true; + full_sync_config = { + days_limit = 900; + size_mb_limit = 5000; + storage_quota_mb = 5000; + }; + }; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + sync_manual_marked_unread = true; + send_presence_on_typing = true; + parallel_member_sync = true; + url_previews = true; + caption_in_message = true; + extev_polls = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + services.mautrix-signal = { + enable = true; + registerToSynapse = true; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + + address = "http://localhost:29328"; + hostname = "0.0.0.0"; + port = 29328; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-signal?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + caption_in_message = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + # restart the bridges daily. this is done for the signal bridge mainly which stops carrying + # messages out after a while. 
+ + systemd.timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; + }; + }; + + systemd.services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + services.nginx = { + virtualHosts = { + "swatrix.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://192.168.1.2:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; }; }; }; }; }; - systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) - ]; - - services.mautrix-whatsapp = { - enable = true; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address = "http://localhost:29318"; - hostname = "0.0.0.0"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - services.mautrix-signal = { - enable = true; - 
settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address = "http://localhost:29328"; - hostname = "0.0.0.0"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - # restart the bridges daily. this is done for the signal bridge mainly which stops carrying - # messages out after a while. - - systemd.timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - systemd.services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - services.nginx = { - virtualHosts = { - "swatrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://192.168.1.23:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - }; - }; - }; -} + } #+end_src diff --git a/profiles/server/common/jellyfin.nix b/profiles/server/common/jellyfin.nix index 39d0414..28d2da2 100644 --- a/profiles/server/common/jellyfin.nix +++ b/profiles/server/common/jellyfin.nix @@ -19,7 +19,7 @@ services.jellyfin = { enable = true; user = "jellyfin"; - # openFirewall = true; # this works only for the default ports + openFirewall = true; # this works only for the default ports }; services.nginx = { 
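Review bot: `registerToSynapse = true;` on mautrix-whatsapp and mautrix-signal makes their modules add their own registration files to `services.matrix-synapse.settings.app_service_config_files`, yet the hand-written list still names `/var/lib/matrix-synapse/whatsapp-registration.yaml` and `signal-registration.yaml`; if those are copies of the same registrations Synapse refuses to start on the duplicate appservice id/token, and if they are stale copies an old `as_token` stays valid. Drop the two manual entries (keep telegram and doublepuppet) so the module-managed paths are the only source. Separately, `login_shared_secret_map = { matrixDomain = "as_token:doublepuppet"; }` uses the literal attribute name `matrixDomain`, so the map key is the string "matrixDomain" rather than the homeserver domain; it should be `"${matrixDomain}" = "as_token:doublepuppet";` in both bridges.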
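Review bot: Enabling `openFirewall = true;` here opens the Jellyfin listener (and, in the NixOS module, the UDP discovery ports) on every interface, bypassing the TLS-terminating nginx vhost defined further down in this file; if the proxy host is the only client that needs 8096, prefer an interface- or source-scoped rule such as `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 8096 ];`. The comment `# this works only for the default ports` could also state why the port must be opened at all.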
@@ -30,7 +30,7 @@ acmeRoot = null; locations = { "/" = { - proxyPass = "http://192.168.1.16:8096"; + proxyPass = "http://192.168.1.2:8096"; extraConfig = '' client_max_body_size 0; ''; diff --git a/profiles/server/common/kavita.nix b/profiles/server/common/kavita.nix index d901018..7a299f2 100644 --- a/profiles/server/common/kavita.nix +++ b/profiles/server/common/kavita.nix @@ -22,7 +22,7 @@ acmeRoot = null; locations = { "/" = { - proxyPass = "http://192.168.1.22:8080"; + proxyPass = "http://192.168.1.2:8080"; extraConfig = '' client_max_body_size 0; ''; diff --git a/profiles/server/common/matrix.nix b/profiles/server/common/matrix.nix index 1ebc370..9d36d93 100644 --- a/profiles/server/common/matrix.nix +++ b/profiles/server/common/matrix.nix @@ -151,6 +151,7 @@ in services.mautrix-whatsapp = { enable = true; + registerToSynapse = true; settings = { homeserver = { address = "http://localhost:8008"; @@ -197,6 +198,7 @@ in services.mautrix-signal = { enable = true; + registerToSynapse = true; settings = { homeserver = { address = "http://localhost:8008"; @@ -258,7 +260,7 @@ in acmeRoot = null; locations = { "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://192.168.1.23:8008"; + proxyPass = "http://192.168.1.2:8008"; extraConfig = '' client_max_body_size 0; ''; diff --git a/profiles/server/common/navidrome.nix b/profiles/server/common/navidrome.nix index fefd49b..e0d4061 100644 --- a/profiles/server/common/navidrome.nix +++ b/profiles/server/common/navidrome.nix @@ -29,6 +29,7 @@ services.navidrome = { enable = true; + openFirewall = true; settings = { Address = "0.0.0.0"; Port = 4040; @@ -55,7 +56,7 @@ acmeRoot = null; locations = { "/" = { - proxyPass = "http://192.168.1.13:4040"; + proxyPass = "http://192.168.1.2:4040"; proxyWebsockets = true; extraConfig = '' proxy_redirect http:// https://; diff --git a/profiles/server/common/nginx.nix b/profiles/server/common/nginx.nix index 75ac81e..2883003 100644 --- a/profiles/server/common/nginx.nix 
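Review bot: With `registerToSynapse = true;` the mautrix-whatsapp module registers its own registration file with Synapse, while `app_service_config_files` earlier in this file (outside the hunk) still lists `/var/lib/matrix-synapse/whatsapp-registration.yaml`; a duplicate appservice id or token makes Synapse refuse to start, and a stale copy keeps an old token valid, so remove the manual entry. The same applies to the mautrix-signal hunk below.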
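Review bot: `openFirewall = true;` together with the `Address = "0.0.0.0"` setting right below it exposes Navidrome's plain-HTTP port 4040 on all interfaces, so credentials for `sound.swarsel.win` can bypass the `forceSSL` vhost from the LAN; scope it to the proxy host with `networking.firewall.interfaces."<lan-if>".allowedTCPPorts = [ 4040 ];` or a source-restricted rule. The enclosing `services.navidrome` block continues past the hunk.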
+++ b/profiles/server/common/nginx.nix
@@ -3,6 +3,9 @@
 environment.systemPackages = with pkgs; [
 lego
 ];
+
+ users.users.acme = { };
+
 sops = {
 secrets.dnstokenfull = { owner = "acme"; };
 templates."certs.secret".content = ''
diff --git a/profiles/server/common/ssh.nix b/profiles/server/common/ssh.nix
index c3f2511..174bd78 100644
--- a/profiles/server/common/ssh.nix
+++ b/profiles/server/common/ssh.nix
@@ -4,6 +4,9 @@ _:
 enable = true;
 settings.PermitRootLogin = "yes";
 };
+ users.users.swarsel.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
 users.users.root.openssh.authorizedKeys.keyFiles = [
 ../../../secrets/keys/authorized_keys
 ];
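Review bot: `users.users.acme = { };` lacks `isSystemUser = true;`, so on a host that imports this profile without declaring any ACME certificate (where the acme module presumably does not define the user itself) NixOS's assertion that exactly one of `isSystemUser`/`isNormalUser` is set fails at evaluation; use `users.users.acme = { isSystemUser = true; group = "acme"; };` plus `users.groups.acme = { };`. Add `# needed at eval time because the sops secret below is owned by acme` so the next reader knows why the declaration is here.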
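Review bot: The new `swarsel` entry reuses the exact `authorized_keys` file that the root entry below also loads, so any key granted to the user is simultaneously a root key, and with `settings.PermitRootLogin = "yes"` in the context the user account is not a privilege boundary; drop the root `keyFiles` or set `settings.PermitRootLogin = "prohibit-password";` and rely on sudo. Keep only public keys in `secrets/keys/`, since `keyFiles` are copied into the world-readable Nix store.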