Migrated Docker config to nix

2026-04-11 11:36:08 +02:00
parent 104b1cfd38
commit c8bcc35e7c
7 changed files with 114 additions and 12 deletions
--- a/hosts/cyper-node-1/configuration.nix
+++ b/hosts/cyper-node-1/configuration.nix
@@ -3,6 +3,8 @@
    ./hardware-configuration.nix
    ../../nixos/roles/monitoring.nix
    ../../nixos/roles/matrix.nix
    ../../nixos/roles/postgresql.nix
    ../../nixos/roles/wyl.nix
  ];
  networking = {
--- a/nixos/roles/matrix.nix
+++ b/nixos/roles/matrix.nix
@@ -1,6 +1,14 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 let
  serverIP = builtins.head (
    builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address
  );
 in
 {
-  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedTCPPorts = [
    8448
    8080
  ];
  services = {
    matrix-synapse = {
@@ -8,6 +16,12 @@
      settings = {
        server_name = "cyperpunk.de";
        public_baseurl = "http://matrix.cyperpunk.de";
        enable_registration = false; # TODO: disable
        enable_registration_without_verfication = true;
        trusted_key_servers = [ { server_name = "matrix.org"; } ];
        suppress_key_server_warning = true;
        registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
        macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
        listeners = [
          {
            port = 8008;
@@ -34,17 +48,33 @@
      virtualHosts = {
        "matrix.cyperpunk.de" = {
          locations."/" = {
-            proxyPass = "http://127.0.0.1:8008";
+            proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host matrix.cyperpunk.de;
            '';
          };
        };
-        "cinny.cyperpunk.de" = {
+        "cinny" = {
          listen = [
            {
              addr = "0.0.0.0";
              port = 8080;
            }
          ];
          locations."/" = {
-            root = pkgs.cinny;
+            alias = "${pkgs.cinny}/";
-            tryFiles = "$uri $uri/ /index.html";
+            extraConfig = ''
              try_files $uri $uri/ /index.html;
            '';
          };
        };
        "${serverIP}" = {
          locations = {
            "/_matrix/" = {
              proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
              proxyWebsockets = true;
            };
          };
        };
      };
--- a/nixos/roles/monitoring.nix
+++ b/nixos/roles/monitoring.nix
@@ -33,7 +33,8 @@ in
          domain = serverIP; # "grafana.cyperpunk.de";
          http_port = 2342;
          http_addr = "127.0.0.1";
-          serve_from_sub_path = false;
+          root_url = "http://${serverIP}/grafana/";
          serve_from_sub_path = true;
        };
        security = {
          secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
@@ -48,12 +49,12 @@ in
    # nginx reverse proxy
    nginx = {
      enable = true;
-      virtualHosts.${config.services.grafana.settings.server.domain} = {
+      virtualHosts."${serverIP}" = {
-        locations."/" = {
+        locations."/grafana/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
          extraConfig = ''
-            proxy_set_header Host ${config.services.grafana.settings.server.domain};
+            proxy_set_header Host ${serverIP};
          '';
        };
      };
--- a/nixos/roles/postgresql.nix
+++ b/nixos/roles/postgresql.nix
@@ -0,0 +1,13 @@
 { pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };
 }
--- a/nixos/roles/wyl.nix
+++ b/nixos/roles/wyl.nix
@@ -0,0 +1,49 @@
 { config, pkgs, ... }:
 let
  serverIP = builtins.head (
    builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address
  );
  iface = config.systemd.network.networks."10-ethernet".matchConfig.Name;
 in
 {
  networking.firewall.allowedTCPPorts = [ 8840 ];
  systemd.services.watchyourlan = {
    description = "WatchYourLAN network scanner";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.watchyourlan}/bin/WatchYourLAN";
      Restart = "always";
      StateDirectory = "watchyourlan";
      WorkingDirectory = "/var/lib/watchyourlan";
      AmbientCapabilities = [ "CAP_NET_RAW" ];
    };
    environment = {
      IFACES = iface;
      GUIIP = "127.0.0.1";
      GUIPORT = "8840";
      PROMETHEUS = "true";
    };
  };
  services = {
    nginx = {
      enable = true;
      virtualHosts."${serverIP}".locations."/wyl/" = {
        proxyPass = "http://127.0.0.1:8840/";
        proxyWebsockets = true;
      };
    };
    prometheus.scrapeConfigs = [
      {
        job_name = "watchyourlan";
        static_configs = [
          {
            targets = [ "127.0.0.1:8840" ];
          }
        ];
      }
    ];
  };
 }
--- a/nixos/sops.nix
+++ b/nixos/sops.nix
@@ -9,6 +9,11 @@
        owner = "grafana";
        group = "grafana";
      };
      matrix_macaroon_secret = { };
      matrix_registration_secret = {
        owner = "matrix-synapse";
        group = "matrix-synapse";
      };
    };
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,6 +1,8 @@
 GROQ_API_KEY: ENC[AES256_GCM,data:OyuC4jfw67sCDa0XBGr78S6pzPV1ruy7KiIqPMgWWcOCVm3Y/khXEYPMjUTGrq9YLOw1MLso0OE=,iv:0y9klMYVtGsqAaLc2JidjZYSLhhbcbWbnBf8sZiC3rM=,tag:r6G2pzZn2d9JIaS+ozKnmg==,type:str]
 OPENWEATHER_API_KEY: ENC[AES256_GCM,data:bcuLz70u40nZfNgPTaeNRXdR/zjx0SQjwMbMNNFqROI=,iv:VCzse1a1/k1ZDIpFPL1QhjuS6YaDyohWi61JZaoc0Ws=,tag:UJSNyniNNLfGGRY/uiJcRA==,type:str]
 grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str]
 matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str]
 matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str]
 ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
 ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
 sops:
@@ -14,7 +16,7 @@ sops:
            N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
            6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-10T20:33:31Z"
+    lastmodified: "2026-04-10T23:41:09Z"
-    mac: ENC[AES256_GCM,data:RTz1ZbpCCDluloug1bRrGtgsZ0CA0EAv5GOhrVyuvZOSTgDSPqesT8vzogsKGjHvhQLBgdriQ/OdzUpS30uG3QK4ltj7PnSVAUCLj3TMBwZClUxQhGhQHG7m450uY+XBtGkmpkC4J1XbFAVRqxz0NUAGDghRrYO5XJH3qzcTdt4=,iv:6PIPNz0L3yKkUCBjSufuqcbD9ljidl46BAI/Zuto+fo=,tag:EE4FqCwCUBh4PPP5hMzIBA==,type:str]
+    mac: ENC[AES256_GCM,data:fmuWldQQtFdifhnWzoopi34flCEgPIk9QUB5KeSj0AAhFPMkSNmnL7lpgrCotvti4TUqn/mbpzxa0yVUWdWv7Ti9dPQ8P8PM6cnyqLHFd57wrVURkEo8hgaigEj+QTn3Jz2Yl5IA97V/OJkhIBEL45GCNi1RMWIAA/xrSla7bcE=,iv:sKlziFvnY0dKa6mKHtUFqSWwV0id970StiTk+nua8jk=,tag:vC7HktIcoCfQ2+0sfUtutQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2