From c8bcc35e7c14937090be2827a0225d769df261c9 Mon Sep 17 00:00:00 2001 From: DerGrumpf Date: Sat, 11 Apr 2026 11:36:08 +0200 Subject: [PATCH] Migrated Docker config to nix --- hosts/cyper-node-1/configuration.nix | 2 ++ nixos/roles/matrix.nix | 42 ++++++++++++++++++++---- nixos/roles/monitoring.nix | 9 ++--- nixos/roles/postgresql.nix | 13 ++++++++ nixos/roles/wyl.nix | 49 ++++++++++++++++++++++++++++ nixos/sops.nix | 5 +++ secrets/secrets.yaml | 6 ++-- 7 files changed, 114 insertions(+), 12 deletions(-) create mode 100644 nixos/roles/postgresql.nix create mode 100644 nixos/roles/wyl.nix diff --git a/hosts/cyper-node-1/configuration.nix b/hosts/cyper-node-1/configuration.nix index 7e19056..667095d 100644 --- a/hosts/cyper-node-1/configuration.nix +++ b/hosts/cyper-node-1/configuration.nix @@ -3,6 +3,8 @@ ./hardware-configuration.nix ../../nixos/roles/monitoring.nix ../../nixos/roles/matrix.nix + ../../nixos/roles/postgresql.nix + ../../nixos/roles/wyl.nix ]; networking = { diff --git a/nixos/roles/matrix.nix b/nixos/roles/matrix.nix index 00ab6c3..4ba75c7 100644 --- a/nixos/roles/matrix.nix +++ b/nixos/roles/matrix.nix @@ -1,6 +1,14 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: +let + serverIP = builtins.head ( + builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address + ); +in { - networking.firewall.allowedTCPPorts = [ 8448 ]; + networking.firewall.allowedTCPPorts = [ + 8448 + 8080 + ]; services = { matrix-synapse = { @@ -8,6 +16,12 @@ settings = { server_name = "cyperpunk.de"; public_baseurl = "http://matrix.cyperpunk.de"; + enable_registration = false; # TODO: disable + enable_registration_without_verfication = true; + trusted_key_servers = [ { server_name = "matrix.org"; } ]; + suppress_key_server_warning = true; + registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path; + macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}"; listeners = [ { port = 8008; @@ -34,17 +48,33 @@ virtualHosts = { "matrix.cyperpunk.de" = { locations."/" = { - proxyPass = "http://127.0.0.1:8008"; + proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}"; proxyWebsockets = true; extraConfig = '' proxy_set_header Host matrix.cyperpunk.de; ''; }; }; - "cinny.cyperpunk.de" = { + "cinny" = { + listen = [ + { + addr = "0.0.0.0"; + port = 8080; + } + ]; locations."/" = { - root = pkgs.cinny; - tryFiles = "$uri $uri/ /index.html"; + alias = "${pkgs.cinny}/"; + extraConfig = '' + try_files $uri $uri/ /index.html; + ''; + }; + }; + "${serverIP}" = { + locations = { + "/_matrix/" = { + proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}"; + proxyWebsockets = true; + }; }; }; }; diff --git a/nixos/roles/monitoring.nix b/nixos/roles/monitoring.nix index 0e8ed89..92d31b7 100644 --- a/nixos/roles/monitoring.nix +++ b/nixos/roles/monitoring.nix @@ -33,7 +33,8 @@ in domain = serverIP; # "grafana.cyperpunk.de"; http_port = 2342; http_addr = "127.0.0.1"; - serve_from_sub_path = false; + root_url = "http://${serverIP}/grafana/"; + serve_from_sub_path = true; }; security = { secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}"; @@ -48,12 +49,12 @@ in # nginx reverse proxy nginx = { enable = true; - virtualHosts.${config.services.grafana.settings.server.domain} = { - locations."/" = { + virtualHosts."${serverIP}" = { + locations."/grafana/" = { proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; extraConfig = '' - proxy_set_header Host ${config.services.grafana.settings.server.domain}; + proxy_set_header Host ${serverIP}; ''; }; }; diff --git a/nixos/roles/postgresql.nix b/nixos/roles/postgresql.nix new file mode 100644 index 0000000..03b753a --- /dev/null +++ b/nixos/roles/postgresql.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: +{ + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; +} diff --git a/nixos/roles/wyl.nix b/nixos/roles/wyl.nix new file mode 100644 index 0000000..de7b7c7 --- /dev/null +++ b/nixos/roles/wyl.nix @@ -0,0 +1,49 @@ +{ config, pkgs, ... }: +let + serverIP = builtins.head ( + builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address + ); + iface = config.systemd.network.networks."10-ethernet".matchConfig.Name; +in +{ + networking.firewall.allowedTCPPorts = [ 8840 ]; + + systemd.services.watchyourlan = { + description = "WatchYourLAN network scanner"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + ExecStart = "${pkgs.watchyourlan}/bin/WatchYourLAN"; + Restart = "always"; + StateDirectory = "watchyourlan"; + WorkingDirectory = "/var/lib/watchyourlan"; + AmbientCapabilities = [ "CAP_NET_RAW" ]; + }; + environment = { + IFACES = iface; + GUIIP = "127.0.0.1"; + GUIPORT = "8840"; + PROMETHEUS = "true"; + }; + }; + + services = { + nginx = { + enable = true; + virtualHosts."${serverIP}".locations."/wyl/" = { + proxyPass = "http://127.0.0.1:8840/"; + proxyWebsockets = true; + }; + }; + prometheus.scrapeConfigs = [ + { + job_name = "watchyourlan"; + static_configs = [ + { + targets = [ "127.0.0.1:8840" ]; + } + ]; + } + ]; + }; +} diff --git a/nixos/sops.nix b/nixos/sops.nix index c274b11..5ff6f32 100644 --- a/nixos/sops.nix +++ b/nixos/sops.nix @@ -9,6 +9,11 @@ owner = "grafana"; group = "grafana"; }; + matrix_macaroon_secret = { }; + matrix_registration_secret = { + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; }; }; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index d6d5294..b149bd0 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -1,6 +1,8 @@ GROQ_API_KEY: ENC[AES256_GCM,data:OyuC4jfw67sCDa0XBGr78S6pzPV1ruy7KiIqPMgWWcOCVm3Y/khXEYPMjUTGrq9YLOw1MLso0OE=,iv:0y9klMYVtGsqAaLc2JidjZYSLhhbcbWbnBf8sZiC3rM=,tag:r6G2pzZn2d9JIaS+ozKnmg==,type:str] OPENWEATHER_API_KEY: ENC[AES256_GCM,data:bcuLz70u40nZfNgPTaeNRXdR/zjx0SQjwMbMNNFqROI=,iv:VCzse1a1/k1ZDIpFPL1QhjuS6YaDyohWi61JZaoc0Ws=,tag:UJSNyniNNLfGGRY/uiJcRA==,type:str] grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str] +matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str] +matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str] ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str] ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str] sops: @@ -14,7 +16,7 @@ sops: N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-10T20:33:31Z" - mac: ENC[AES256_GCM,data:RTz1ZbpCCDluloug1bRrGtgsZ0CA0EAv5GOhrVyuvZOSTgDSPqesT8vzogsKGjHvhQLBgdriQ/OdzUpS30uG3QK4ltj7PnSVAUCLj3TMBwZClUxQhGhQHG7m450uY+XBtGkmpkC4J1XbFAVRqxz0NUAGDghRrYO5XJH3qzcTdt4=,iv:6PIPNz0L3yKkUCBjSufuqcbD9ljidl46BAI/Zuto+fo=,tag:EE4FqCwCUBh4PPP5hMzIBA==,type:str] + lastmodified: "2026-04-10T23:41:09Z" + mac: ENC[AES256_GCM,data:fmuWldQQtFdifhnWzoopi34flCEgPIk9QUB5KeSj0AAhFPMkSNmnL7lpgrCotvti4TUqn/mbpzxa0yVUWdWv7Ti9dPQ8P8PM6cnyqLHFd57wrVURkEo8hgaigEj+QTn3Jz2Yl5IA97V/OJkhIBEL45GCNi1RMWIAA/xrSla7bcE=,iv:sKlziFvnY0dKa6mKHtUFqSWwV0id970StiTk+nua8jk=,tag:vC7HktIcoCfQ2+0sfUtutQ==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2