diff --git a/README.md b/README.md
index 956da57..600b96d 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ This repository uses **untracked secrets**, so you must build the system locally
 ### 1. Setup Secrets
 1. `cp secrets/secrets.nix.example secrets/secrets.nix`
 2. Fill in the values (generate random keys, etc).
+   - `openssl rand -base64 32` is a good way to make a new key
    - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.
 ### 2. Verify Configuration Locally
diff --git a/configuration.nix b/configuration.nix
index 52ee07d..a623e34 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -9,6 +9,7 @@
     ./modules/searx.nix
     ./modules/matrix.nix
     ./modules/monitoring.nix
+    ./modules/ntfy.nix
     ./secrets/secrets-scheme.nix
     # Impure Secrets
     ./secrets/secrets.nix
diff --git a/modules/caddy.nix b/modules/caddy.nix
index e39f780..14e6635 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -22,6 +22,11 @@
       header Content-Type "application/json"
       respond `{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}`
     }
+    handle /.well-known/matrix/support {
+      header Access-Control-Allow-Origin "*"
+      header Content-Type "application/json"
+      respond `{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}`
+    }
     handle {
       redir https://jetpham.com{uri}
     }
@@ -59,6 +64,12 @@
     '';
   };
+  "ntfy.extremist.software" = {
+    extraConfig = ''
+      reverse_proxy localhost:2586
+    '';
+  };
+
   "matrix.extremist.software" = {
     extraConfig = ''
       reverse_proxy /_matrix/* 127.0.0.1:8008
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 198f0b0..9b45778 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -23,7 +23,30 @@
       }
     ];
-    enable_registration = true;
+    enable_registration = false;
+    registration_shared_secret = "extremist_software_admin_creation";
+    macaroon_secret_key = config.mySecrets.matrixMacaroon;
+    database = {
+      name = "psycopg2";
+      allow_unsafe_locale = true;
+      args = {
+        user = "matrix-synapse";
+        database = "matrix-synapse";
+        host = "/run/postgresql";
+        cp_min = 5;
+        cp_max = 10;
+      };
+    };
   };
 };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "matrix-synapse" ];
+    ensureUsers = [{
+      name = "matrix-synapse";
+      ensureDBOwnership = true;
+    }];
+  };
 }
+
diff --git a/modules/ntfy.nix b/modules/ntfy.nix
new file mode 100644
index 0000000..a7a1407
--- /dev/null
+++ b/modules/ntfy.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://ntfy.extremist.software";
+      listen-http = ":2586";
+      behind-proxy = true;
+      auth-file = "/var/lib/ntfy-sh/user.db";
+      auth-default-access = "deny-all";
+      enable-login = true;
+      auth-users = [
+        "jet:${config.mySecrets.ntfyAdminHash}:admin"
+      ];
+      auth-access = [
+        "*:up*:write-only"
+      ];
+    };
+  };
+}
diff --git a/secrets/secrets-scheme.nix b/secrets/secrets-scheme.nix
index 25a43c4..1bb690e 100644
--- a/secrets/secrets-scheme.nix
+++ b/secrets/secrets-scheme.nix
@@ -29,5 +29,13 @@ with lib;
       type = types.str;
       description = "Grafana Secret Key for security";
     };
+    matrixMacaroon = mkOption {
+      type = types.str;
+      description = "Macaroon Secret Key for Matrix Synapse";
+    };
+    ntfyAdminHash = mkOption {
+      type = types.str;
+      description = "Bcrypt hash for ntfy admin user";
+    };
   };
 }
diff --git a/secrets/secrets.nix.example b/secrets/secrets.nix.example
index 4b59392..a5d3e55 100644
--- a/secrets/secrets.nix.example
+++ b/secrets/secrets.nix.example
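Review bot: `registration_shared_secret = "extremist_software_admin_creation";` is a literal in the tracked module, while the same hunk routes `macaroon_secret_key` through `config.mySecrets` and the commit adds `matrixMacaroon` to the untracked secrets scheme. Anyone who can read the repository can use that value with Synapse's shared-secret registration endpoint to create accounts, including admin accounts, regardless of `enable_registration = false;`. Move it into the secrets scheme the same way, e.g. `registration_shared_secret = config.mySecrets.matrixRegistrationSecret;` (constructed option name) with a matching `mkOption` in secrets/secrets-scheme.nix and a placeholder in secrets.nix.example, and rotate the value now that it has been committed. Note too that everything under `settings` is rendered into the world-readable Nix store, so if this Synapse module exposes `extraConfigFiles` it is the better home for both secrets. The `services.matrix-synapse` attrset this hunk edits begins outside the hunk.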
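Review bot: `listen-http = ":2586";` binds ntfy on every interface, but its only intended client is the Caddy vhost proxying from `localhost:2586`, so anything that can reach port 2586 directly (for example over the Tailscale interface, if it is not firewalled) bypasses Caddy and TLS. Bind to loopback instead, `listen-http = "127.0.0.1:2586";`, which also matches how the matrix vhost in caddy.nix addresses its upstream as `127.0.0.1:8008`. `pkgs` in the module arguments is unused and can be dropped. `"*:up*:write-only"` deliberately lets anonymous clients publish to `up*` topics; a one-line comment stating why (UnifiedPush, if that is the intent) would keep the next reader from mistaking it for an oversight.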
@@ -9,5 +9,7 @@
   minecraftRcon = "changeme_rcon";
   tailscaleKey = "tskey-auth-PLACEHOLDER";
   sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
+  matrixMacaroon = "changeme_matrix_macaroon_secret_key";
+  ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash";
 };
 }