Migrated Docker config to nix

2026-04-11 11:36:08 +02:00
parent 104b1cfd38
commit c8bcc35e7c
7 changed files with 114 additions and 12 deletions
--- a/nixos/roles/matrix.nix
+++ b/nixos/roles/matrix.nix
@@ -1,6 +1,14 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
+let
+  serverIP = builtins.head (
+    builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address
+  );
+in
 {
-  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedTCPPorts = [
+    8448
+    8080
+  ];

  services = {
    matrix-synapse = {
@@ -8,6 +16,12 @@
      settings = {
        server_name = "cyperpunk.de";
        public_baseurl = "http://matrix.cyperpunk.de";
+        enable_registration = false; # TODO: disable
+        enable_registration_without_verfication = true;
+        trusted_key_servers = [ { server_name = "matrix.org"; } ];
+        suppress_key_server_warning = true;
+        registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
+        macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
        listeners = [
          {
            port = 8008;
@@ -34,17 +48,33 @@
      virtualHosts = {
        "matrix.cyperpunk.de" = {
          locations."/" = {
-            proxyPass = "http://127.0.0.1:8008";
+            proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host matrix.cyperpunk.de;
            '';
          };
        };
-        "cinny.cyperpunk.de" = {
+        "cinny" = {
+          listen = [
+            {
+              addr = "0.0.0.0";
+              port = 8080;
+            }
+          ];
          locations."/" = {
-            root = pkgs.cinny;
-            tryFiles = "$uri $uri/ /index.html";
+            alias = "${pkgs.cinny}/";
+            extraConfig = ''
+              try_files $uri $uri/ /index.html;
+            '';
+          };
+        };
+        "${serverIP}" = {
+          locations = {
+            "/_matrix/" = {
+              proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
+              proxyWebsockets = true;
+            };
          };
        };
      };
--- a/nixos/roles/monitoring.nix
+++ b/nixos/roles/monitoring.nix
@@ -33,7 +33,8 @@ in
          domain = serverIP; # "grafana.cyperpunk.de";
          http_port = 2342;
          http_addr = "127.0.0.1";
-          serve_from_sub_path = false;
+          root_url = "http://${serverIP}/grafana/";
+          serve_from_sub_path = true;
        };
        security = {
          secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
@@ -48,12 +49,12 @@ in
    # nginx reverse proxy
    nginx = {
      enable = true;
-      virtualHosts.${config.services.grafana.settings.server.domain} = {
-        locations."/" = {
+      virtualHosts."${serverIP}" = {
+        locations."/grafana/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
          extraConfig = ''
-            proxy_set_header Host ${config.services.grafana.settings.server.domain};
+            proxy_set_header Host ${serverIP};
          '';
        };
      };
--- a/nixos/roles/postgresql.nix
+++ b/nixos/roles/postgresql.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+}
--- a/nixos/roles/wyl.nix
+++ b/nixos/roles/wyl.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+let
+  serverIP = builtins.head (
+    builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address
+  );
+  iface = config.systemd.network.networks."10-ethernet".matchConfig.Name;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 8840 ];
+
+  systemd.services.watchyourlan = {
+    description = "WatchYourLAN network scanner";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.watchyourlan}/bin/WatchYourLAN";
+      Restart = "always";
+      StateDirectory = "watchyourlan";
+      WorkingDirectory = "/var/lib/watchyourlan";
+      AmbientCapabilities = [ "CAP_NET_RAW" ];
+    };
+    environment = {
+      IFACES = iface;
+      GUIIP = "127.0.0.1";
+      GUIPORT = "8840";
+      PROMETHEUS = "true";
+    };
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts."${serverIP}".locations."/wyl/" = {
+        proxyPass = "http://127.0.0.1:8840/";
+        proxyWebsockets = true;
+      };
+    };
+    prometheus.scrapeConfigs = [
+      {
+        job_name = "watchyourlan";
+        static_configs = [
+          {
+            targets = [ "127.0.0.1:8840" ];
+          }
+        ];
+      }
+    ];
+  };
+}