commit 67264c1fd2b51ca51ce685df8ccce817d8601f8e
parent 30a86b82e3a563473bef56acc6a71c8d515ba6df
Author: Katja (zaphyra) <git@ctu.cx>
Date: Sun, 25 May 2025 14:17:40 +0200
parent 30a86b82e3a563473bef56acc6a71c8d515ba6df
Author: Katja (zaphyra) <git@ctu.cx>
Date: Sun, 25 May 2025 14:17:40 +0200
config/nixos/modules/websites: add `grapevine.zaphyra.eu` (and enable on host `morio`)
5 files changed, 431 insertions(+), 9 deletions(-)
A
|
150
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/websites/grapevine.zaphyra.eu.nix b/config/nixos/modules/websites/grapevine.zaphyra.eu.nix 
@@ -0,0 +1,150 @@
+{
+ name,
+ povSelf,
+ hostConfig,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ inherit (lib) types;
+ cfg = lib.getAttrFromPath povSelf config;
+ cfgWebsites = lib.getAttrFromPath (lib.remove name povSelf) config;
+
+in
+{
+
+ options = {
+ enable = {
+ type = types.bool;
+ default = false;
+ };
+ domain = {
+ type = types.str;
+ default = "zaphyra.eu";
+ };
+ subdomain = {
+ type = types.str;
+ default = "grapevine";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfgWebsites."zaphyra.eu".enable == true;
+ message = "The option 'modules.websites.\"zaphyra.eu\"' must be enabled in order to use this module.";
+ }
+ ];
+
+ dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+
+ sops.secrets."resticPasswords/grapevine" = { };
+
+ modules.services.resticBackup.paths = {
+ grapevine = {
+ enable = true;
+ passwordFile = config.sops.secrets."resticPasswords/grapevine".path;
+ paths = [
+ "/tmp/grapevine/media"
+ "/tmp/grapevine/database"
+ ];
+ runBeforeBackup = ''
+ ${pkgs.systemd}/bin/systemctl stop grapevine.service
+ ${pkgs.coreutils}/bin/cp -r /var/lib/grapevine /tmp/grapevine
+ ${pkgs.systemd}/bin/systemctl start grapevine.service
+ '';
+ };
+ };
+
+ systemd.services.grapevine = {
+ serviceConfig.ExecStartPre = pkgs.writeShellScript "createDirs" ''
+ mkdir -p /var/lib/grapevine/media;
+ mkdir -p /var/lib/grapevine/database;
+ '';
+ };
+
+ services.grapevine = {
+ enable = true;
+
+ settings = {
+ server_name = cfg.domain;
+ max_request_size = 52428800;
+
+ media.allow_unauthenticated_access = true;
+
+ allow_registration = false;
+ registration_token = "foobar123";
+
+ database.backend = "rocksdb";
+ database.cache_capacity_mb = 128;
+
+ federation.max_concurrent_requests = 10000;
+ federation.self_test = false; # somehow this fails to unexpected server version
+
+ server_discovery.server.authority = "${cfg.domain}:443";
+ server_discovery.client.base_url = "https://${cfg.domain}";
+
+ observability.logs.format = "pretty";
+
+ listen = [
+ {
+ type = "tcp";
+ address = "::1";
+ port = 6167;
+ }
+ ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts =
+ let
+ grapevineListen = lib.last config.services.grapevine.settings.listen;
+ matrixServerConfig = {
+ "m.server" = "${cfg.subdomain}.${cfg.domain}:443";
+ };
+ matrixClientConfig = {
+ "m.homeserver".base_url = "https://${cfg.subdomain}.${cfg.domain}/";
+ };
+ in
+ {
+ "${config.services.grapevine.settings.server_name}" = {
+ locations = {
+ "= /.well-known/matrix/server".extraConfig = ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON matrixServerConfig}';
+ '';
+ "= /.well-known/matrix/client".extraConfig = ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON matrixClientConfig}';
+ '';
+ };
+ };
+ "${cfg.subdomain}.${cfg.domain}" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
+ "/_matrix" = {
+ proxyPass = "http://[${grapevineListen.address}]:${toString (grapevineListen.port)}";
+ proxyWebsockets = true;
+ };
+ "/".root = pkgs.cinny.override {
+ conf = {
+ defaultHomeserver = 0;
+ homeserverList = [ "${cfg.subdomain}.${cfg.domain}" ];
+ hashRouter.enabled = true;
+ allowCustomHomesevrers = false;
+ };
+ };
+ };
+ };
+ };
+ };
+
+}
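Review bot: `registration_token = "foobar123";` puts a registration secret into a Nix string literal, so it lands in the world-readable Nix store and in this repository; with `allow_registration = false` it may be inert today, but it should either be dropped or be provisioned through sops the way `resticPasswords/grapevine` is in the same hunk (if the grapevine module can read that setting from a file). The `runBeforeBackup` script also never clears `/tmp/grapevine`, so on the second run `cp -r /var/lib/grapevine /tmp/grapevine` copies into the existing directory (yielding `/tmp/grapevine/grapevine`) and the backed-up `/tmp/grapevine/media` and `/tmp/grapevine/database` are the stale first snapshot, while a copy of the homeserver database and media — likely world-readable, since `cp -r` without `-p` creates directories per the service's umask — lingers in `/tmp` between backups. Consider `rm -rf /tmp/grapevine` before the copy, staging into a directory that is not world-readable, and removing the snapshot once the backup has run. Separately, `allowCustomHomesevrers` in the cinny override looks misspelled (`allowCustomHomeservers`), in which case the option is silently ignored and custom homeservers stay allowed. Finally, `max_request_size = 52428800` on the homeserver is only reachable if the `/_matrix` location raises nginx's 1m default `client_max_body_size` (e.g. `client_max_body_size 50M;` in its `extraConfig`).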
diff --git a/flake.lock b/flake.lock @@ -1,5 +1,29 @@ { "nodes": { + "attic": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nix-github-actions": "nix-github-actions", + "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1738524606, + "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=", + "owner": "zhaofengli", + "repo": "attic", + "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "main", + "repo": "attic", + "type": "github" + } + }, "blobs": { "flake": false, "locked": { @@ -18,7 +42,45 @@ }, "crane": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "grapevine", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722960479, + "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", + "owner": "ipetkov", + "repo": "crane", + "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "locked": { + "lastModified": 1742394900, + "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "owner": "ipetkov", + "repo": "crane", + "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "ref": "master", + "repo": "crane", + "type": "github" + } + }, + "crane_3": { + "inputs": { + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1717535930, 
@@ -140,6 +202,29 @@ "url": "https://git.zaphyra.eu/dns.nix" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "grapevine", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1742452566, + "narHash": "sha256-sVuLDQ2UIWfXUBbctzrZrXM2X05YjX08K7XHMztt36E=", + "owner": "nix-community", + "repo": "fenix", + "rev": "7d9ba794daf5e8cc7ee728859bc688d8e26d5f06", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "main", + "repo": "fenix", + "type": "github" + } + }, "firefoxGnomeTheme": { "flake": false, "locked": { @@ -157,6 +242,44 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "grapevine", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -355,6 +478,40 @@ "url": "https://git.zaphyra.eu/gpx-map" } }, + "grapevine": { + "inputs": { + "attic": "attic", + "crane": "crane_2", + "fenix": "fenix", + "flake-compat": [ + "flakeCompat" + ], + "flake-utils": [ + "flakeUtils" + ], + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ], + "rocksdb": "rocksdb" + }, + "locked": { + "host": "gitlab.computer.surgery", + "lastModified": 1746392626, + "narHash": "sha256-nEqrWmRwMW2KUJKycc3M2aaqUaugqgW5SfHm/2m17b4=", + "owner": "matrix", + "repo": "grapevine", + "rev": "d425ba72f879854e10de5f8f2e4b6bc18257eb89", + "type": "gitlab" + }, + "original": { + "host": "gitlab.computer.surgery", + "owner": "matrix", + "ref": "main", + "repo": "grapevine", + "type": "gitlab" + } + }, "haumea": { "inputs": { "nixpkgs": [ @@ -419,7 +576,7 @@ }, "lanzaboote": { "inputs": { - "crane": "crane", + "crane": "crane_3", "flake-compat": [ "flakeCompat" ], @@ -488,6 +645,44 @@ "url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz" } }, + "nix-filter": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "grapevine", + "attic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixStd": { "locked": { "lastModified": 1710870712, 
@@ -520,11 +715,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1747958103, - "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe51d34885f7b5e3e7b59572796e1bcb427eccb1", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", "type": "github" }, "original": { @@ -536,6 +731,22 @@ }, "nixpkgs-stable": { "locked": { + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { "lastModified": 1710695816, "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", "owner": "NixOS", @@ -568,6 +779,22 @@ }, "nixpkgs_2": { "locked": { + "lastModified": 1747958103, + "narHash": "sha256-qmmFCrfBwSHoWw7cVK4Aj+fns+c54EBP8cGqp/yK410=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fe51d34885f7b5e3e7b59572796e1bcb427eccb1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { "lastModified": 1747953325, "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", "owner": "NixOS", @@ -593,7 +820,7 @@ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1717664902, 
@@ -609,6 +836,23 @@ "type": "github" } }, + "rocksdb": { + "flake": false, + "locked": { + "lastModified": 1734381914, + "narHash": "sha256-G+DlQwEUyd7JOCjS1Hg1cKWmA/qAiK8UpUIKcP+riGQ=", + "owner": "facebook", + "repo": "rocksdb", + "rev": "ae8fb3e5000e46d8d4c9dbf3a36019c0aaceebff", + "type": "github" + }, + "original": { + "owner": "facebook", + "ref": "v9.10.0", + "repo": "rocksdb", + "type": "github" + } + }, "root": { "inputs": { "ctucxWebsite": "ctucxWebsite", @@ -623,6 +867,7 @@ "flakeyProfile": "flakeyProfile", "flauschehornSexy": "flauschehornSexy", "gpxMap": "gpxMap", + "grapevine": "grapevine", "haumea": "haumea", "homeManager": "homeManager", "homeManagerUnstable": "homeManagerUnstable", @@ -631,13 +876,30 @@ "lixModule": "lixModule", "nixStd": "nixStd", "nixSystemsDefault": "nixSystemsDefault", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgsUnstable": "nixpkgsUnstable", "simpleNixosMailserver": "simpleNixosMailserver", "sopsNix": "sopsNix", "stagit": "stagit" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1742296961, + "narHash": "sha256-gCpvEQOrugHWLimD1wTFOJHagnSEP6VYBDspq96Idu0=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "15d87419f1a123d8f888d608129c3ce3ff8f13d4", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "rust-overlay": { "inputs": { "flake-utils": "flake-utils",
diff --git a/flake.nix b/flake.nix @@ -102,6 +102,7 @@ inputs.lanzaboote.nixosModules.lanzaboote inputs.sopsNix.nixosModules.sops inputs.simpleNixosMailserver.nixosModules.default + inputs.grapevine.nixosModules.default inputs.self.nixosModules.default hostConfig.configuration @@ -188,6 +189,13 @@ deploy-rs.inputs.utils.follows = "flakeUtils"; deploy-rs.inputs.flake-compat.follows = "flakeCompat"; + grapevine.url = "gitlab:matrix/grapevine?host=gitlab.computer.surgery&ref=main"; + grapevine.inputs = { + nixpkgs.follows = "nixpkgs"; + flake-compat.follows = "flakeCompat"; + flake-utils.follows = "flakeUtils"; + }; + ctucxWebsite.url = "git+https://git.katja.wtf/website"; ctucxWebsite.inputs.nixpkgs.follows = "nixpkgs";
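Review bot: The new `grapevine.inputs` block only makes `nixpkgs`, `flake-compat` and `flake-utils` follow the root inputs; judging by the flake.lock hunks in this commit, grapevine's transitive inputs `attic`, `crane`, `fenix`, `rust-analyzer-src` (a `nightly` ref) and `rocksdb` stay locked to their own revisions, including a second `nixpkgs` and a `nixos-24.05` `nixpkgs-stable`. That is additional pinned supply chain that `nix flake update` has to track and that is not shared with the rest of the system closure. If those inputs are only needed for grapevine's own build tooling, consider whether they can be made to follow root inputs as well, or whether the module can be consumed without them, and note the choice in a comment next to `grapevine.inputs`.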
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix @@ -83,6 +83,7 @@ "bikemap.zaphyra.eu".enable = true; "dav.zaphyra.eu".enable = true; "gts.zaphyra.eu".enable = true; + "grapevine.zaphyra.eu".enable = true; }; users.katja.enable = true;
diff --git a/secrets/morio.yaml b/secrets/morio.yaml @@ -7,6 +7,7 @@ resticPasswords: mail: ENC[AES256_GCM,data:wag5v/l0kQrhStO9P3ibtRtkReslszu4IfTEL8Ls4Pc=,iv:QCSveMAylefSBeb8Eaw6Av+1cA6lAvhtv1jNT8QUvIM=,tag:Y+HKURnEXPxKUSvGwaJAjA==,type:str] radicale: ENC[AES256_GCM,data:GsAXncF4JRHaNe0Tkv6PucJpwFFu9cfHo3INIBjc24I=,iv:XVvx9UOGIcC94uh3LnwOFs6g8Zy2YHjodCp0RNWcFrQ=,tag:ekUjoM/fbsmST2KDPNf/VA==,type:str] gotosocial: ENC[AES256_GCM,data:8zc4JZVTyPZQADDUrobjAOuRr/3CpfNROO8edY63nk4=,iv:nxfSNSw+aypsTKXJO68B6SkqFfBbfWFARfcNTPODSBA=,tag:ozsw8R6xbpS8E+fNzCosUQ==,type:str] + grapevine: ENC[AES256_GCM,data:ElNtJC2elPstqJ1vTJRJpNr0OyhTuTxCulh22qq459c=,iv:sgQCekPMcnyFzir/fISJAQZvV91e+43z9D9xShAz4Pg=,tag:LVjr6ZxFO9VmPXZWtz20Uw==,type:str] knotKeys: ENC[AES256_GCM,data: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,iv:+5NBUUC1QhPjN+6E8nWhzd2SNuH9mLbhsFwDTm8Hy+U=,tag:RtSO5Rmb0wNR9ovtpwJIIg==,type:str] radicaleUsers: ENC[AES256_GCM,data:kH5XW/Gr2xMJWm68unKtZ+L19S74gOf1YXw5QtPcBnp8jJrQsc3mHX5GPOJafuNa23Tnt9BHTFmuO3e5bEzhBcVm8GdoMR/Wz4B0y0W5,iv:Frc4ukXwdWZuWNgauLUyz4ErFKFUvoYoTMN9eZNWAGg=,tag:PLVaetT3syVGR4Ox3AYhUA==,type:str] gotosocialEnv: ENC[AES256_GCM,data:5hvURqX+EqN8zpjirBmh5TIWWgaCga9QxnAfyW1rwOXELnM9ZBJAmqwLdxUa2j2DGrXsqw==,iv:nhVyiAoOJY0HtjB13FnmnQyLB+BWSRwDVrwUiFHBrE4=,tag:P207zPou7yXJKJBf+pxlHg==,type:str] 
@@ -25,8 +26,8 @@ sops: bDRhUEtDdmlZa0ZENFhSVnNqVjFCR1UKEIkSg3tKFkwlnNXFFqCBtdZBGz1bEmWl wghkTtqTl++759zZAAmjdnFFQWs/AoCZ5g/GUidz6HHcFdxMpGVmiA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-24T14:45:42Z" - mac: ENC[AES256_GCM,data:Rh1e8u7KonZAkknJO+2qBknwJk9yayrr1Bae06jT6Fn6+YoMfnXx2IxsVe9fcxtaJchM/SW8JlddYQJftbeKBXzA2sMpiBd569SAIyoXr6hMxC9EwrcExinzECe8dN3sDT1BCZPeFOaJpYQQM8ZcwXYVB2V3iHIM97eMO7peXLg=,iv:0lBIogIHTWrrEPOcljg5Dc6+3zW4mGbj6RtL8cArHGk=,tag:gV77gQ/3/ws4Z+7zAptL2A==,type:str] + lastmodified: "2025-05-25T11:39:45Z" + mac: ENC[AES256_GCM,data:WFvxVYrf/PfAj3pt7xi8+/2FH+LEj3Slz5bYIIt7Tvhz5rX8JDbEscuk+7OophbOP4iFuJV4W+tLmUULTgarWamqI0UEIZij/SVLDQEbvm3i6+n5rEx31re4VcLjmdmLRoplmiSAAClYuk7Tn/12zaiyA1TxA7WW/xaSTCe3V18=,iv:lQJ2vH6RYyIs0aX1gEv7lHm1vtTdJY5iQWOcCNxPTpI=,tag:UNcOCvtx6qNir1+7q59+sA==,type:str] pgp: - created_at: "2025-05-21T08:09:28Z" enc: |-