diff --git a/flake.lock b/flake.lock index c328b6a..bdc4bc5 100644 --- a/flake.lock +++ b/flake.lock @@ -23,6 +23,29 @@ "type": "github" } }, + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1711742460, + "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, "bats-assert": { "flake": false, "locked": { @@ -78,6 +101,50 @@ "type": "github" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "grapevine", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702918879, + "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "nixpkgs": [ + "grapevine", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716569590, + "narHash": "sha256-5eDbq8TuXFGGO3mqJFzhUbt5zHVTf5zilQoyW5jnJwo=", + "owner": "ipetkov", + "repo": "crane", + "rev": "109987da061a1bf452f435f1653c47511587d919", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "master", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -100,6 +167,29 @@ "type": "github" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "grapevine", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1716359173, + "narHash": "sha256-pYcjP6Gy7i6jPWrjiWAVV0BCQp+DdmGaI/k65lBb/kM=", + "owner": "nix-community", + "repo": "fenix", + "rev": "b6fc5035b28e36a98370d0eac44f4ef3fd323df6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "main", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -117,6 +207,39 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "ref": "master", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1696426674, 
@@ -148,6 +271,40 @@ } }, "flake-utils_2": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { "locked": { "lastModified": 1634851050, "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", @@ -162,6 +319,34 @@ "type": "github" } }, + "grapevine": { + "inputs": { + "attic": "attic", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": "flake-compat_3", + "flake-utils": "flake-utils_3", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "host": "gitlab.computer.surgery", + "lastModified": 1719530301, + "narHash": "sha256-jteW09FEGmI0scXvs8naqbORoEo8TlzY1QjOZt3rdKY=", + "owner": "matrix", + "repo": "grapevine-fork", + "rev": "b05c91b13e215816da1d7b45862952c2c73b8d55", + "type": "gitlab" + }, + "original": { + "host": "gitlab.computer.surgery", + "owner": "matrix", + "repo": "grapevine-fork", + "type": "gitlab" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -206,7 +391,7 @@ }, "nix": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_4", "nix2container": "nix2container", "nixpkgs": [ "hydra", 
@@ -229,6 +414,22 @@ "url": "https://git@git.lix.systems/lix-project/lix" } }, + "nix-filter": { + "locked": { + "lastModified": 1710156097, + "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "3342559a24e85fc164b295c3444e8a139924675b", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nix-filter", + "type": "github" + } + }, "nix2container": { "flake": false, "locked": { @@ -247,11 +448,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719082008, - "narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=", + "lastModified": 1711401922, + "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9693852a2070b398ee123a329e68f0dab5526681", + "rev": "07262b18b97000d16a4bdb003418bd2fb067a932", "type": "github" }, "original": { @@ -277,7 +478,39 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1711460390, + "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "44733514b72e732bd49f5511bd0203dea9b9a434", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { + "locked": { + "lastModified": 1719082008, + "narHash": "sha256-jHJSUH619zBQ6WdC21fFAlDxHErKVDJ5fpN0Hgx4sjs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9693852a2070b398ee123a329e68f0dab5526681", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1636823747, "narHash": "sha256-oWo1nElRAOZqEf90Yek2ixdHyjD+gqtS/pAgwaQ9UhQ=", 
@@ -312,15 +545,33 @@ "inputs": { "agenix": "agenix", "colmena": "colmena", + "grapevine": "grapevine", "hydra": "hydra", "lix": [ "hydra", "nix" ], - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "terranix": "terranix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1716107283, + "narHash": "sha256-NJgrwLiLGHDrCia5AeIvZUHUY7xYGVryee0/9D3Ir1I=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "21ec8f523812b88418b2bfc64240c62b3dd967bd", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1696039360, @@ -352,12 +603,27 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "bats-assert": "bats-assert", "bats-support": "bats-support", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2", + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_3", "terranix-examples": "terranix-examples" }, "locked": { diff --git a/flake.nix b/flake.nix index c3abfa6..4a760e8 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,14 @@ hydra.inputs.nixpkgs.follows = "nixpkgs"; lix.follows = "hydra/nix"; + + grapevine = { + type = "gitlab"; + host = "gitlab.computer.surgery"; + owner = "matrix"; + repo = "grapevine-fork"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self, nixpkgs, terranix, ... } @ inputs: diff --git a/hosts/meta01.nixpkgs.lahfa.xyz/default.nix b/hosts/meta01.nixpkgs.lahfa.xyz/default.nix index 1654ebb..00cc652 100755 --- a/hosts/meta01.nixpkgs.lahfa.xyz/default.nix +++ b/hosts/meta01.nixpkgs.lahfa.xyz/default.nix 
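Review bot: The new `grapevine` input only redirects its own `nixpkgs`; the flake.lock hunks in this same commit show its `attic` input pulling a second nixpkgs (`rev` 07262b18…, older than the root pin) plus a `nixpkgs-stable` on nixos-23.11, and `fenix` pulling a `rust-analyzer` nightly, so the closure now carries several independently pinned toolchains that will not move when the root `nixpkgs` is updated. Unless attic is deliberately kept on its own pins, `grapevine.inputs.attic.inputs.nixpkgs.follows = "nixpkgs";` next to the existing `inputs.nixpkgs.follows` would shrink that surface to one nixpkgs (`nixpkgs-stable` would still be pinned separately). The enclosing `inputs` attrset continues outside the hunk.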
@@ -24,6 +24,8 @@ bagel.services.prometheus.enable = true; bagel.services.loki.enable = true; bagel.services.grafana.enable = true; + bagel.services.grapevine.enable = true; + bagel.services.hookshot.enable = true; i18n.defaultLocale = "fr_FR.UTF-8"; diff --git a/services/default.nix b/services/default.nix index 0f0954d..556424e 100644 --- a/services/default.nix +++ b/services/default.nix @@ -4,6 +4,7 @@ ./postgres ./netbox ./gerrit + ./matrix ./monitoring ]; } diff --git a/services/matrix/default.nix b/services/matrix/default.nix new file mode 100644 index 0000000..4818ebe --- /dev/null +++ b/services/matrix/default.nix 
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+
+let
+ cfg = config.bagel.services.grapevine;
+ inherit (lib) mkEnableOption mkIf;
+in
+
+{
+ imports = [
+ inputs.grapevine.nixosModules.default
+ ./hookshot.nix
+ ];
+
+ options.bagel.services.grapevine.enable = mkEnableOption "Grapevine";
+
+ config = mkIf cfg.enable {
+ services = {
+ grapevine = {
+ enable = true;
+ settings = {
+ listen = [
+ {
+ type = "tcp";
+ address = "127.0.0.1";
+ port = 6167;
+ }
+ ];
+ server_name = "forkos.org";
+ database.backend = "rocksdb";
+ };
+ };
+
+ nginx = {
+ upstreams.grapevine.servers."127.0.0.1:6167" = { };
+
+ virtualHosts = {
+ "matrix.forkos.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://grapevine";
+ };
+
+ "forkos.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "= /.well-known/matrix/server".extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.server": "matrix.forkos.org:443"}';
+ '';
+ "= /.well-known/matrix/client".extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.forkos.org/"}, "m.identity_server": {"base_url": "https://matrix.org/"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.forkos.org"}}';
+ '';
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/services/matrix/hookshot.nix b/services/matrix/hookshot.nix
new file mode 100644
index 0000000..cca239a
--- /dev/null
+++ b/services/matrix/hookshot.nix
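Review bot: `locations."/".proxyPass` on `matrix.forkos.org` leaves nginx at its default `client_max_body_size` of 1m, so media uploads above that are rejected by the proxy before they reach grapevine, unless the limit is raised in nginx config outside this commit. Tying it to the homeserver's own request limit, e.g. `locations."/" = { proxyPass = "http://grapevine"; extraConfig = "client_max_body_size <grapevine-max-request-size>;"; };`, keeps the two in step and makes the ceiling visible in this module. The two `.well-known` stubs on `forkos.org` look right for delegation (the wildcard `Access-Control-Allow-Origin` is what the client well-known requires); a one-line comment above `"forkos.org"` saying this vhost only carries the delegation documents would save the next reader from looking for the rest of the site here.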
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.bagel.services.hookshot;
+ inherit (lib) mkEnableOption mkIf mkOption;
+ keyPath = "/var/lib/matrix-hookshot/key.pem";
+in
+{
+ options.bagel.services.hookshot = {
+ enable = mkEnableOption "matrix-hookshot";
+ settings = mkOption {
+ description = "Settings";
+ type = (pkgs.formats.yaml { }).type;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.matrix-hookshot = {
+ wantedBy = ["multi-user.target"];
+ wants = ["network-online.target"];
+ after = ["network-online.target"];
+ serviceConfig = {
+ ExecStart = "${lib.getExe pkgs.matrix-hookshot} ${pkgs.writers.writeYAML "config.yaml" cfg.settings}";
+ ExecStartPre = pkgs.writeShellScript "hookshot-generate-key" ''
+ if [ ! -f ${keyPath} ]; then
+ mkdir -p $(dirname ${keyPath})
+ ${lib.getExe pkgs.openssl} genpkey -out ${keyPath} -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+ fi
+ '';
+ DynamicUser = true;
+ StateDirectory = "matrix-hookshot";
+ WorkingDirectory = "/var/lib/matrix-hookshot";
+ };
+ };
+
+ bagel.services.hookshot.settings = {
+ bridge = {
+ domain = "forkos.org";
+ url = "https://matrix.forkos.org";
+ mediaUrl = "https://forkos.org";
+ port = 9993;
+ bindAddress = "127.0.0.1";
+ };
+ passFile = keyPath;
+ listeners = [{
+ port = 9994;
+ bindAddress = "127.0.0.1";
+ resources = [ "webhooks" ];
+ }];
+ generic = {
+ enabled = true;
+ urlPrefix = "https://alerts.forkos.org/webhook";
+ };
+ };
+ };
+}
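Review bot: `ExecStart` renders `cfg.settings` with `pkgs.writers.writeYAML`, so the entire hookshot config lands in the world-readable Nix store; the values set here hold no secrets, but the option's `description = "Settings";` gives no hint of that, and any connector token later added to `settings` would be exposed to every local user. Suggested description: `description = "matrix-hookshot config.yaml; rendered into the Nix store, so secrets must be referenced by file path (as passFile is), never inlined.";`. Separately, `mkdir -p $(dirname ${keyPath})` in `ExecStartPre` is redundant because `StateDirectory` already creates `/var/lib/matrix-hookshot` before pre-start commands run, and the key file's mode is left to openssl's defaults; an explicit `UMask = "0077";` in `serviceConfig` would make the private-key intent visible rather than implicit. The `generic` listener binds 127.0.0.1:9994 while `urlPrefix` points at `https://alerts.forkos.org/webhook`, and no reverse proxy for it appears in this commit, so presumably it lives elsewhere — a comment next to `listeners` naming where would help.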