diff --git a/.just/machine.just b/.just/machine.just index 098d879..8d0d37f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -7,5 +7,6 @@ [doc('Update the target machine')] [no-exit-message] @update machine: + cd .. && just vars _check {{ machine }} just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json diff --git a/.just/vars.just b/.just/vars.just index 1ddfbfd..2c16d1b 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -23,7 +23,7 @@ edit machine: echo "Done" -[doc('Get var value by {key} of {machine}')] +[doc('Get var by {key} from {machine}')] get machine key: sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" @@ -38,25 +38,52 @@ remove machine key: [script] check: + cd .. + for machine in $(ls {{ base_path }}); do - [ -f "{{ base_path }}/$machine/secrets.yml" ] || continue - [ -f "{{ base_path }}/$machine/default.nix" ] || continue - - echo "Processing $machine" - - mapfile -t missing < <(jq -nr \ - --rawfile defined <(nix eval --json --apply 'builtins.attrNames' ..#nixosConfigurations.$machine.config.sops.secrets 2>/dev/null) \ - --rawfile configured <(sops decrypt {{ base_path }}/$machine/secrets.yml | yq '.') \ - ' - $defined | fromjson as $def - | $configured - | fromjson - | paths(scalars) - | join("/") - | select(. | IN($def[]) | not) - ') - - if (( ${#missing[@]} > 0 )); then - printf 'missing the following %d secret(s):\n%s\n\n' "${#missing[@]}" "$(printf -- '- %s\n' "${missing[@]}")" - fi + just vars _check "$machine" done + +[no-exit-message] +[script] +_check machine: + # If the default nix file is missing, + # we can skip this folder as we are + # missing the files used to compare + # the defined vs the configured secrets + if [ ! -f "{{ base_path }}/{{ machine }}/default.nix" ]; then + printf "\r• %-8sskipped\n" "{{ machine }}" + exit 0 + fi + + exec 3< <(jq -nr \ + --rawfile defined <(nix eval --json ..#nixosConfigurations.{{ machine }}.config.sops.secrets 2>/dev/null) \ + --rawfile configured <([ -f "{{ base_path }}/{{ machine }}/secrets.yml" ] && sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq '.' || echo "{}") \ + ' + [ $configured | fromjson | paths(scalars) | join("/") ] as $conf + | $defined + | fromjson + | map(.key | select(. | IN($conf[]) | not)) + | unique + | .[] + ') + + pid=$! # Process Id of the previous running command + spin='⠇⠋⠙⠸⢰⣠⣄⡆' + + i=0 + while kill -0 $pid 2>/dev/null + do + i=$(( (i+1) %${#spin} )) + printf "\r${spin:$i:1} %s" "{{ machine }}" + sleep .1 + done + + mapfile -t missing <&3 + + if (( ${#missing[@]} > 0 )); then + printf '\r✗ %-8smissing %d secret(s):\n%s\n' "{{ machine }}" "${#missing[@]}" "$(printf -- ' %s\n' "${missing[@]}")" + exit 1 + else + printf "\r✓ %-8sup to date\n" "{{ machine }}" + fi diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index ccdbbaa..8bb79fe 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -15,6 +15,7 @@ port = 4001; database = "synapse"; + keyFile = "/var/lib/element-call/key"; in { options.${namespace}.services.communication.matrix = { enable = mkEnableOption "Matrix server (Synapse)"; @@ -26,8 +27,6 @@ in { # virtualisation.podman.enable = true; }; - networking.firewall.allowedTCPPorts = [4001]; - services = { matrix-synapse = { enable = true; @@ -55,8 +54,27 @@ in { password_config.enabled = true; backchannel_logout_enabled = true; + # Element Call options + max_event_delay_duration = "24h"; + rc_message = { + per_second = 0.5; + burst_count = 30; + }; + rc_delayed_event_mgmt = { + per_second = 1; + burst_count = 20; + }; + turn_uris = ["turn:turn.${domain}:4004?transport=udp" "turn:turn.${domain}:4004?transport=tcp"]; + experimental_features = { + # MSC2965: OAuth 2.0 Authorization Server Metadata discovery msc2965_enabled = true; + + # MSC3266: Room summary API. Used for knocking over federation + msc3266_enabled = true; + # MSC4222 needed for syncv2 state_after. This allow clients to + # correctly track the state of the room. + msc4222_enabled = true; }; sso = { @@ -181,33 +199,180 @@ in { caddy = { enable = true; + # globalConfig = '' + # layer4 { + # 127.0.0.1:4004 + # route { + # proxy { + # upstream synapse:4004 + # } + # } + # } + # 127.0.0.1:4005 + # route { + # proxy { + # upstream synapse:4005 + # } + # } + # } + # } + # ''; virtualHosts = let server = { "m.server" = "${fqn}:443"; }; client = { "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.kruining.eu"; + "m.identity_server".base_url = "https://auth.${domain}"; + "org.matrix.msc3575.proxy".url = "https://${domain}"; + "org.matrix.msc4143.rtc_foci" = [ + { + type = "livekit"; + livekit_service_url = "https://${domain}/livekit/jwt"; + } + ]; }; in { - "${domain}".extraConfig = '' + "${domain}, darkch.at".extraConfig = '' + # Route for lk-jwt-service + handle /livekit/jwt* { + uri strip_prefix /livekit/jwt + reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + handle_path /livekit/sfu* { + reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + header /.well-known/matrix/* Content-Type application/json header /.well-known/matrix/* Access-Control-Allow-Origin * respond /.well-known/matrix/server `${toJSON server}` respond /.well-known/matrix/client `${toJSON client}` ''; "${fqn}".extraConfig = '' - reverse_proxy /_matrix/* http://::1:4001 - reverse_proxy /_synapse/client/* http://::1:4001 + reverse_proxy /_matrix/* http://::1:${toString port} + reverse_proxy /_synapse/client/* http://::1:${toString port} ''; }; }; + + livekit = { + enable = true; + openFirewall = true; + inherit keyFile; + + settings = { + port = 4002; + room.auto_create = false; + }; + }; + + lk-jwt-service = { + enable = true; + port = 4003; + # can be on the same virtualHost as synapse + livekitUrl = "wss://${domain}/livekit/sfu"; + inherit keyFile; + }; + + coturn = rec { + enable = true; + listening-port = 4004; + tls-listening-port = 40004; + no-cli = true; + no-tcp-relay = true; + min-port = 50000; + max-port = 50100; + use-auth-secret = true; + static-auth-secret-file = config.sops.secrets."coturn/secret".path; + realm = "turn.${domain}"; + # cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + # pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + }; + + networking.firewall = { + allowedTCPPortRanges = []; + allowedTCPPorts = [ + # Synapse + port + + # coTURN ports + config.services.coturn.listening-port + config.services.coturn.alt-listening-port + config.services.coturn.tls-listening-port + config.services.coturn.alt-tls-listening-port + ]; + allowedUDPPortRanges = with config.services.coturn; + lib.singleton { + from = min-port; + to = max-port; + }; + allowedUDPPorts = [ + # coTURN ports + config.services.coturn.listening-port + config.services.coturn.alt-listening-port + ]; + }; + + systemd = { + services.livekit-key = { + before = ["lk-jwt-service.service" "livekit.service"]; + wantedBy = ["multi-user.target"]; + path = with pkgs; [livekit coreutils gawk]; + script = '' + echo "Key missing, generating key" + echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${keyFile}" + ''; + serviceConfig.Type = "oneshot"; + unitConfig.ConditionPathExists = "!${keyFile}"; + }; + services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "${domain}"; }; sops = { secrets = { "synapse/oidc_id" = {}; "synapse/oidc_secret" = {}; + "coturn/secret" = {}; }; templates = { @@ -222,13 +387,19 @@ in { scopes: - openid - profile + - email + - offline_access client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' backchannel_logout_enabled: true + user_profile_method: userinfo_endpoint + allow_existing_users: true + enable_registration: true user_mapping_provider: config: localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" + email_template: "{{ user.email }}" ''; restartUnits = ["matrix-synapse.service"]; }; diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 05d3570..e2040d4 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix @@ -30,6 +30,10 @@ in { domain = "ulmo"; }; + security = { + secret_key = "$__file{${config.sops.secrets."grafana/secret_key".path}}"; + }; + auth = { disable_login_form = false; oauth_auto_login = true; @@ -133,6 +137,10 @@ in { sops = { secrets = { + "grafana/secret_key" = { + owner = "grafana"; + group = "grafana"; + }; "grafana/oidc_id" = { owner = "grafana"; group = "grafana";