diff --git a/.envrc b/.envrc deleted file mode 100644 index 3550a30..0000000 --- a/.envrc +++ /dev/null @@ -1 +0,0 @@ -use flake diff --git a/.gitignore b/.gitignore index d9b4996..6d12da4 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,3 @@ dkim_private.pem !secrets/secrets.nix.example install.log -.direnv diff --git a/README.md b/README.md index 51dede9..956da57 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,6 @@ This repository uses **untracked secrets**, so you must build the system locally ### 1. Setup Secrets 1. `cp secrets/secrets.nix.example secrets/secrets.nix` 2. Fill in the values (generate random keys, etc). - - `openssl rand -base64 32` is a good way to make a new key - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console. ### 2. Verify Configuration Locally @@ -40,14 +39,14 @@ nix run github:nix-community/nixos-anywhere -- --store-paths \ ``` ### 3. Update Existing Server (No Wipe) -Once the server is running NixOS, use `nh` to push updates. This repository provides `nh` via `direnv` (loaded from `flake.nix` devShell), so just run `direnv allow` first. +Once the server is running NixOS, use `nixos-rebuild` to push updates. This is faster and doesn't wipe data. ```bash # Update via IP -nh os switch --hostname extremist-software --target-host root@ --impure path:. +nixos-rebuild switch --flake path:.#extremist-software --target-host root@ --impure # Update via Tailscale (Once tailored up) -nh os switch --hostname extremist-software --target-host root@extremist-software --impure path:. +nixos-rebuild switch --flake path:.#extremist-software --target-host root@extremist-software --impure ``` repo uses `impure` build to load `secrets/secrets.nix` directly. no encrypted secrets in git. diff --git a/configuration.nix b/configuration.nix index 6ad6d2e..415f677 100644 --- a/configuration.nix +++ b/configuration.nix @@ -9,7 +9,6 @@ ./modules/searx.nix ./modules/matrix.nix ./modules/monitoring.nix - ./modules/ntfy.nix ./secrets/secrets-scheme.nix # Impure Secrets ./secrets/secrets.nix @@ -26,7 +25,7 @@ # Networking networking.hostName = "extremist-software"; networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS - + # Tailscale services.tailscale.enable = true; # We assume the user will authenticate manually or via a one-time key service @@ -44,14 +43,6 @@ settings.PermitRootLogin = "prohibit-password"; }; - # nh (yet another nix helper) - programs.nh = { - enable = true; - clean.enable = true; - clean.extraArgs = "--keep 2"; - flake = "/home/jet/Documents/extremist-software"; - }; - # System system.stateVersion = "24.05"; nix.settings.experimental-features = [ "nix-command" "flakes" ]; diff --git a/flake.lock b/flake.lock index abf2aea..25350a6 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1771881364, - "narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=", + "lastModified": 1771469470, + "narHash": "sha256-GnqdqhrguKNN3HtVfl6z+zbV9R9jhHFm3Z8nu7R6ml0=", "owner": "nix-community", "repo": "disko", - "rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6", + "rev": "4707eec8d1d2db5182ea06ed48c820a86a42dc13", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "lastModified": 1771369470, + "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "0182a361324364ae3f436a63005877674cf45efb", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index fd6d838..2308773 100644 --- a/flake.nix +++ b/flake.nix @@ -21,11 +21,5 @@ ./configuration.nix ]; }; - - devShells.x86_64-linux.default = let - pkgs = nixpkgs.legacyPackages.x86_64-linux; - in pkgs.mkShell { - packages = [ pkgs.nh ]; - }; }; } diff --git a/modules/caddy.nix b/modules/caddy.nix index 14e6635..7c8c621 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -12,23 +12,8 @@ root * /var/lib/acme/acme-challenge file_server } - handle /.well-known/matrix/server { - header Access-Control-Allow-Origin "*" - header Content-Type "application/json" - respond `{"m.server": "matrix.extremist.software:443"}` - } - handle /.well-known/matrix/client { - header Access-Control-Allow-Origin "*" - header Content-Type "application/json" - respond `{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}` - } - handle /.well-known/matrix/support { - header Access-Control-Allow-Origin "*" - header Content-Type "application/json" - respond `{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}` - } handle { - redir https://jetpham.com{uri} + respond "Hi" } ''; }; @@ -64,17 +49,10 @@ ''; }; - "ntfy.extremist.software" = { - extraConfig = '' - reverse_proxy localhost:2586 - ''; - }; - "matrix.extremist.software" = { extraConfig = '' - reverse_proxy /_matrix/* 127.0.0.1:8008 - reverse_proxy /_synapse/client/* 127.0.0.1:8008 - reverse_proxy /.well-known/matrix/* 127.0.0.1:8008 + reverse_proxy /_matrix/* localhost:6167 + reverse_proxy /_synapse/client/* localhost:6167 ''; }; }; diff --git a/modules/matrix.nix b/modules/matrix.nix index 9b45778..3ba7954 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,52 +1,16 @@ { config, pkgs, ... }: { - services.matrix-synapse = { + services.matrix-conduit = { enable = true; settings = { - server_name = "extremist.software"; - public_baseurl = "https://matrix.extremist.software"; - - listeners = [ - { - port = 8008; - bind_addresses = [ "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; - - enable_registration = false; - registration_shared_secret = "extremist_software_admin_creation"; - macaroon_secret_key = config.mySecrets.matrixMacaroon; - database = { - name = "psycopg2"; - allow_unsafe_locale = true; - args = { - user = "matrix-synapse"; - database = "matrix-synapse"; - host = "/run/postgresql"; - cp_min = 5; - cp_max = 10; - }; + global = { + server_name = "matrix.extremist.software"; + allow_registration = true; # Disable after creating first user + port = 6167; }; }; }; - services.postgresql = { - enable = true; - ensureDatabases = [ "matrix-synapse" ]; - ensureUsers = [{ - name = "matrix-synapse"; - ensureDBOwnership = true; - }]; - }; + networking.firewall.allowedTCPPorts = [ 6167 8448 ]; } - diff --git a/modules/monitoring.nix b/modules/monitoring.nix index 2fb7ab4..e7e2260 100644 --- a/modules/monitoring.nix +++ b/modules/monitoring.nix @@ -34,28 +34,5 @@ secret_key = config.mySecrets.grafanaSecret; }; }; - provision = { - enable = true; - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - access = "proxy"; - url = "http://127.0.0.1:9090"; - isDefault = true; - } - ]; - dashboards.settings.providers = [ - { - name = "Node Exporter Full"; - options.path = "/etc/grafana-dashboards"; - } - ]; - }; - }; - - environment.etc."grafana-dashboards/node-exporter-full.json".source = pkgs.fetchurl { - url = "https://grafana.com/api/dashboards/1860/revisions/37/download"; - sha256 = "0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl"; }; } diff --git a/modules/ntfy.nix b/modules/ntfy.nix deleted file mode 100644 index a7a1407..0000000 --- a/modules/ntfy.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.ntfy-sh = { - enable = true; - settings = { - base-url = "https://ntfy.extremist.software"; - listen-http = ":2586"; - behind-proxy = true; - auth-file = "/var/lib/ntfy-sh/user.db"; - auth-default-access = "deny-all"; - enable-login = true; - auth-users = [ - "jet:${config.mySecrets.ntfyAdminHash}:admin" - ]; - auth-access = [ - "*:up*:write-only" - ]; - }; - }; -} diff --git a/modules/searx.nix b/modules/searx.nix index bca9cae..3881960 100644 --- a/modules/searx.nix +++ b/modules/searx.nix @@ -4,28 +4,16 @@ services.searx = { enable = true; package = pkgs.searxng; - redisCreateLocally = true; settings = { server = { port = 8082; bind_address = "127.0.0.1"; secret_key = config.mySecrets.searxKey; }; - search = { - request_timeout = 1.5; - }; - use_default_settings = { - engines = { - keep_only = [ - "google" - "wikipedia" - ]; - }; - }; - engines = [ - { name = "google"; engine = "google"; disabled = false; } - { name = "wikipedia"; engine = "wikipedia"; disabled = false; } - ]; }; }; + + # Inject secret via env vars or file substitution if possible + # Or use `environment.etc` to place config file if service allows. + # For now, simplistic setup. } diff --git a/secrets/secrets-scheme.nix b/secrets/secrets-scheme.nix index 1bb690e..25a43c4 100644 --- a/secrets/secrets-scheme.nix +++ b/secrets/secrets-scheme.nix @@ -29,13 +29,5 @@ with lib; type = types.str; description = "Grafana Secret Key for security"; }; - matrixMacaroon = mkOption { - type = types.str; - description = "Macaroon Secret Key for Matrix Synapse"; - }; - ntfyAdminHash = mkOption { - type = types.str; - description = "Bcrypt hash for ntfy admin user"; - }; }; } diff --git a/secrets/secrets.nix.example b/secrets/secrets.nix.example index a5d3e55..4b59392 100644 --- a/secrets/secrets.nix.example +++ b/secrets/secrets.nix.example @@ -9,7 +9,5 @@ minecraftRcon = "changeme_rcon"; tailscaleKey = "tskey-auth-PLACEHOLDER"; sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."; - matrixMacaroon = "changeme_matrix_macaroon_secret_key"; - ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash"; }; }