fix: merge conflicts

flake.nix

@@ -37,7 +37,7 @@
     };
   };
 
-  outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs:
+  outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs:
   let
     selfPkgs = import ./pkgs;
     username = "liv";
@@ -71,7 +71,7 @@
         modules = [(
           import ./hosts/violet
         )];
-        specialArgs = { host="violet"; inherit self inputs username iceshrimp ; };
+        specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; };
       };
 
       vm = nixpkgs.lib.nixosSystem {

hosts/violet/default.nix

@@ -1,10 +1,11 @@
-{ pkgs, config, iceshrimp, ... }: 
+{ pkgs, config, iceshrimp, agenix, ... }: 
 {
   imports = [
     ./hardware-configuration.nix
     ./../../modules/core
     ./../../modules/services/violet.nix
     iceshrimp.nixosModules.default
+    agenix.nixosModules.default
   ];
 
   networking.hostName = "violet";
@@ -31,19 +32,19 @@
       criticalPowerAction = "PowerOff";
     };
 
-    auto-cpufreq = {
+    # auto-cpufreq = {
-      enable = true;
+    #   enable = true;
-      settings = {
+    #   settings = {
-        battery = {
+    #     battery = {
-          governor = "powersave";
+    #       governor = "powersave";
-          turbo = "auto";
+    #       turbo = "auto";
-        };
+    #     };
-        charger = {
+    #     charger = {
-          governor = "performance";
+    #       governor = "performance";
-          turbo = "auto";
+    #       turbo = "auto";
-        };
+    #     };
-      };
+    #   };
-    };
+    # };
   };
 
   boot = {

modules/core/wireguard.nix

@@ -0,0 +1,18 @@
+{ ... }:
+{
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.7.0.2/24" "fddd:2c4:2c4:2c4::2/64" ];
+      dns = [ "9.9.9.9" "149.112.112.112" ];
+      privateKeyFile = "/root/wireguard-keys/privatekey";
+      
+      peers = [{
+        publicKey = "GfrFhe2JV8FS/711WAdx6CLF/QIEj1KoOGP/ErxBHkg=";
+        presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
+        allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        endpoint = "57.129.46.171:51820";
+        persistentKeepalive = 25;
+      }];
+    };
+  };
+}

modules/services/iceshrimp.nix

@@ -2,12 +2,17 @@
 {
 
   services = {
-    # redis.servers.iceshrimp = {
+    postgresql = {
-    #   enable = true;
+      enable = true;
-    #   port = 6380;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
-    #   bind = "0.0.0.0";
+        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
-    #   settings.protected-mode = "no";
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
-    # };
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
+    };
+
 
     iceshrimp = {
       enable = true;

modules/services/matrix/default.nix

@@ -1,18 +1,19 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, agenix, ... }:
 let
-  fqdn = "quack.social";
+  fqdn = "liv.town";
   baseUrl = "https://${fqdn}";
   clientConfig."m.homeserver".base_url = baseUrl;
   serverConfig."m.server" = "${fqdn}:443";
   mkWellKnown = data: ''
     default_type application/json;
-    add_header Access-Control-Allow-Origin *;
+    # add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
 in {
-  #age.secrets.matrix-synapse = {
+  security.acme = {
-  #    file = "../../../secrets/matrix-synapse.age";
+    acceptTerms = true;
-  #};
+    defaults.email = "ahwx@ahwx.org";
+  };
 
   services = {
     # postgresql.enable = true;
@@ -30,6 +31,32 @@ in {
       recommendedOptimisation = true;
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
+
+      # Hardened TLS and HSTS preloading
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Do not add HSTS header to HTTP requests.
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      '';
+
       virtualHosts = {
         # If the A and AAAA DNS records on example.org do not point on the same host as the
         # records for myhostname.example.org, you can easily move the /.well-known
@@ -67,18 +94,29 @@ in {
       };
     };
 
+    postgresql = {
+      enable = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
+    };
+
     matrix-synapse = {
       enable = true;
       settings = {
-        # database.name = "psycopg2";
+        database.name = "psycopg2";
-        # database.args = {
+        database.args = {
-        #   user = "matrix-synapse";
+          user = "matrix-synapse";
-        #   password = "synapse";
+          password = "synapse";
-        # };
+        };
         server_name = "${fqdn}";
         public_baseurl = "https://${fqdn}";
         enable_registration = false;
-        #registration_shared_secret = config.age.secrets.matrix-synapse;
+        registration_shared_secret = config.age.secrets.matrix-synapse;
         #macaroon_secret_key = config.age.secrets.matrix-synapse;
         listeners = [
           { port = 8008;

modules/services/violet.nix

@@ -1,5 +1,6 @@
 { ...}: {
   imports =
-    [(import ./iceshrimp.nix)];
+       [(import ./iceshrimp.nix)]
+    ++ [(import ./matrix/default.nix)];
     # ++ [(import ./tmux.nix)];
 }