fix: merge conflicts

2025-12-04 23:00:14 +01:00 · 2024-07-22 11:19:37 +02:00 · 2024-07-22 11:19:37 +02:00 · 5a6a1f117a
commit 5a6a1f117a
parent 1b79aa0860 a0693e6983
6 changed files with 98 additions and 35 deletions
--- a/flake.nix
+++ b/flake.nix
@ -37,7 +37,7 @@
    };
  };

-  outputs = { nixpkgs, self, agenix, iceshrimp, catppuccin, ...} @ inputs:
+  outputs = { nixpkgs, self, iceshrimp, agenix, catppuccin, ...} @ inputs:
  let
    selfPkgs = import ./pkgs;
    username = "liv";
@ -71,7 +71,7 @@
        modules = [(
          import ./hosts/violet
        )];
-        specialArgs = { host="violet"; inherit self inputs username iceshrimp ; };
+        specialArgs = { host="violet"; inherit self inputs username agenix iceshrimp ; };
      };

      vm = nixpkgs.lib.nixosSystem {
--- a/hosts/violet/default.nix
+++ b/hosts/violet/default.nix
@ -1,10 +1,11 @@
-{ pkgs, config, iceshrimp, ... }: 
+{ pkgs, config, iceshrimp, agenix, ... }: 
 {
  imports = [
    ./hardware-configuration.nix
    ./../../modules/core
    ./../../modules/services/violet.nix
    iceshrimp.nixosModules.default
+    agenix.nixosModules.default
  ];

  networking.hostName = "violet";
@ -31,19 +32,19 @@
      criticalPowerAction = "PowerOff";
    };

-    auto-cpufreq = {
-      enable = true;
-      settings = {
-        battery = {
-          governor = "powersave";
-          turbo = "auto";
-        };
-        charger = {
-          governor = "performance";
-          turbo = "auto";
-        };
-      };
-    };
+    # auto-cpufreq = {
+    #   enable = true;
+    #   settings = {
+    #     battery = {
+    #       governor = "powersave";
+    #       turbo = "auto";
+    #     };
+    #     charger = {
+    #       governor = "performance";
+    #       turbo = "auto";
+    #     };
+    #   };
+    # };
  };

  boot = {
--- a/modules/core/wireguard.nix
+++ b/modules/core/wireguard.nix
@ -0,0 +1,18 @@
+{ ... }:
+{
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.7.0.2/24" "fddd:2c4:2c4:2c4::2/64" ];
+      dns = [ "9.9.9.9" "149.112.112.112" ];
+      privateKeyFile = "/root/wireguard-keys/privatekey";
+      
+      peers = [{
+        publicKey = "GfrFhe2JV8FS/711WAdx6CLF/QIEj1KoOGP/ErxBHkg=";
+        presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key";
+        allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        endpoint = "57.129.46.171:51820";
+        persistentKeepalive = 25;
+      }];
+    };
+  };
+}
--- a/modules/services/iceshrimp.nix
+++ b/modules/services/iceshrimp.nix
@ -2,12 +2,17 @@
 {

  services = {
-    # redis.servers.iceshrimp = {
-    #   enable = true;
-    #   port = 6380;
-    #   bind = "0.0.0.0";
-    #   settings.protected-mode = "no";
-    # };
+    postgresql = {
+      enable = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
+    };
+

    iceshrimp = {
      enable = true;
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@ -1,18 +1,19 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, agenix, ... }:
 let
-  fqdn = "quack.social";
+  fqdn = "liv.town";
  baseUrl = "https://${fqdn}";
  clientConfig."m.homeserver".base_url = baseUrl;
  serverConfig."m.server" = "${fqdn}:443";
  mkWellKnown = data: ''
    default_type application/json;
-    add_header Access-Control-Allow-Origin *;
+    # add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
 in {
-  #age.secrets.matrix-synapse = {
-  #    file = "../../../secrets/matrix-synapse.age";
-  #};
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "ahwx@ahwx.org";
+  };

  services = {
    # postgresql.enable = true;
@ -30,6 +31,32 @@ in {
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
+
+      # Hardened TLS and HSTS preloading
+      appendHttpConfig = ''
+        # Add HSTS header with preloading to HTTPS requests.
+        # Do not add HSTS header to HTTP requests.
+        map $scheme $hsts_header {
+            https   "max-age=31536000; includeSubdomains; preload";
+        }
+        add_header Strict-Transport-Security $hsts_header;
+
+        # Enable CSP for your services.
+        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+        # Minimize information leaked to other domains
+        add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+        # Disable embedding as a frame
+        add_header X-Frame-Options DENY;
+
+        # Prevent injection of code in other mime types (XSS Attacks)
+        add_header X-Content-Type-Options nosniff;
+
+        # This might create errors
+        # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+      '';
+
      virtualHosts = {
        # If the A and AAAA DNS records on example.org do not point on the same host as the
        # records for myhostname.example.org, you can easily move the /.well-known
@ -67,18 +94,29 @@ in {
      };
    };

+    postgresql = {
+      enable = true;
+      initialScript = pkgs.writeText "synapse-init.sql" ''
+        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      '';
+    };
+
    matrix-synapse = {
      enable = true;
      settings = {
-        # database.name = "psycopg2";
-        # database.args = {
-        #   user = "matrix-synapse";
-        #   password = "synapse";
-        # };
+        database.name = "psycopg2";
+        database.args = {
+          user = "matrix-synapse";
+          password = "synapse";
+        };
        server_name = "${fqdn}";
        public_baseurl = "https://${fqdn}";
        enable_registration = false;
-        #registration_shared_secret = config.age.secrets.matrix-synapse;
+        registration_shared_secret = config.age.secrets.matrix-synapse;
        #macaroon_secret_key = config.age.secrets.matrix-synapse;
        listeners = [
          { port = 8008;
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@ -1,5 +1,6 @@
 { ...}: {
  imports =
-    [(import ./iceshrimp.nix)];
+       [(import ./iceshrimp.nix)]
+    ++ [(import ./matrix/default.nix)];
    # ++ [(import ./tmux.nix)];
 }