From 0e6a8e83486f220ac57e8c63bf43e8b1b8c47e9a Mon Sep 17 00:00:00 2001
From: GHOSCHT <31184695+GHOSCHT@users.noreply.github.com>
Date: Sat, 20 Apr 2024 20:12:58 +0200
Subject: [PATCH] Franz: add previous matrix installation

---
 hosts/franz/arion/default.nix | 1 +
 hosts/franz/arion/matrix/arion-compose.nix | 94 ++++++++++++++++++++++
 hosts/franz/arion/matrix/arion-pkgs.nix | 6 ++
 hosts/franz/arion/matrix/default.nix | 30 +++++++
 hosts/franz/restic.nix | 5 ++
 secrets/franz.yaml | 8 +-
 6 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 hosts/franz/arion/matrix/arion-compose.nix
 create mode 100644 hosts/franz/arion/matrix/arion-pkgs.nix
 create mode 100644 hosts/franz/arion/matrix/default.nix

diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index 402e61b..84bec20 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -18,6 +18,7 @@
 ./smarthome
 ./signal
 ./feed
+ ./matrix
 ];
 
 environment.systemPackages = with pkgs; [arion];
diff --git a/hosts/franz/arion/matrix/arion-compose.nix b/hosts/franz/arion/matrix/arion-compose.nix
new file mode 100644
index 0000000..c6e991d
--- /dev/null
+++ b/hosts/franz/arion/matrix/arion-compose.nix
@@ -0,0 +1,94 @@
+{pkgs, ...}: {
+ project.name = "matrix";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+
+ networks.transport = {};
+
+ services = {
+ synapse.service = {
+ image = "matrixdotorg/synapse:v1.104.0";
+ container_name = "synapse";
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.synapse.entrypoints" = "websecure";
+ "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
+ "traefik.docker.network" = "dmz";
+ "traefik.http.routers.synapse.tls" = "true";
+ "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";
+ };
+ volumes = [
+ "/storage/dataset/docker/matrix/synapse_data:/data"
+ ];
+ env_file = [
+ "/home/ghoscht/.docker/matrix/synapse.env"
+ ];
+ environment = {
+ UID = "1000";
+ GID = "1000";
+ TZ = "Europe/Berlin";
+ };
+ dns = ["1.1.1.2" "1.0.0.2" "176.103.130.130" "176.103.130.131" "9.9.9.9" "149.112.112.112" "208.67.222.222" "208.67.220.220"];
+ restart = "unless-stopped";
+ networks = [
+ "dmz"
+ "transport"
+ ];
+ };
+ postgres.service = {
+ image = "postgres:14";
+ env_file = [
+ "/home/ghoscht/.docker/matrix/synapse.env"
+ ];
+ volumes = [
+ "/storage/dataset/docker/matrix/synapse_db:/var/lib/postgresql/data"
+ ];
+ restart = "unless-stopped";
+ networks = [
+ "transport"
+ ];
+ };
+ matrix-nginx.service = {
+ container_name = "matrix-nginx";
+ image = "nginx:1.25.4";
+ volumes = [
+ "/storage/dataset/docker/matrix/nginx_data/matrix.conf:/etc/nginx/conf.d/matrix.conf"
+ "/storage/dataset/docker/matrix/nginx_data/www:/var/www/"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.matrix.entrypoints" = "websecure";
+ "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
+ "traefik.docker.network" = "dmz";
+ "traefik.http.routers.matrix.tls" = "true";
+ "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";
+ };
+ restart = "unless-stopped";
+ networks = [
+ "transport"
+ "dmz"
+ ];
+ };
+ element.service = {
+ image = "vectorim/element-web:v1.11.64";
+ volumes = [
+ "/storage/dataset/docker/matrix/element_data/element-config.json:/app/config.json"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.element.entrypoints" = "websecure";
+ "traefik.http.routers.element.rule" = "Host(`chat.ghoscht.com`)";
+ "traefik.docker.network" = "dmz";
+ "traefik.http.routers.element.tls" = "true";
+ "traefik.http.routers.element.tls.certresolver" = "letsencrypt";
+ };
+ restart = "unless-stopped";
+ networks = [
+ "dmz"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/matrix/arion-pkgs.nix b/hosts/franz/arion/matrix/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
+++ b/hosts/franz/arion/matrix/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/arion/matrix/default.nix b/hosts/franz/arion/matrix/default.nix
new file mode 100644
index 0000000..19d7e74
--- /dev/null
+++ b/hosts/franz/arion/matrix/default.nix
@@ -0,0 +1,30 @@
+{config, ...}: let
+ vars = import ../../../../vars.nix;
+in {
+ # virtualisation.arion = {
+ # projects.matrix.settings = {
+ # imports = [./arion-compose.nix];
+ # };
+ # };
+
+ sops.secrets."matrix/postgres_password" = {
+ owner = vars.user;
+ };
+ sops.secrets."matrix/postgres_database" = {
+ owner = vars.user;
+ };
+ sops.secrets."matrix/postgres_user" = {
+ owner = vars.user;
+ };
+
+ sops.templates."synapse.env" = {
+ path = "/home/${vars.user}/.docker/matrix/synapse.env";
+ owner = vars.user;
+ mode = "0775";
+ content = ''
+ POSTGRES_DB="${config.sops.placeholder."matrix/postgres_database"}"
+ POSTGRES_USER="${config.sops.placeholder."matrix/postgres_user"}"
+ POSTGRES_PASSWORD="${config.sops.placeholder."matrix/postgres_password"}"
+ '';
+ };
+}
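Review bot: `image = "postgres:14";` in the postgres service is the only floating tag in this file; synapse, nginx and element are pinned to exact releases, so a restart that pulls can move the database to a different 14.x build with no change recorded in this repo. Pin it the same way, e.g. `image = "postgres:14.<PINNED_MINOR>";` (minor to be chosen; an image digest would be stronger still). The env file path `/home/ghoscht/.docker/matrix/synapse.env` is also hard-coded here for both synapse and postgres, while default.nix in this commit derives the same path from `vars.user`, so the two can silently drift apart. Since that one file is loaded into both containers, the database password lands in the synapse container's environment as well; if synapse does not consume these POSTGRES_* variables, a separate env file per service would narrow where the secret is exposed.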
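Review bot: `mode = "0775";` on the `synapse.env` template makes a file that embeds POSTGRES_PASSWORD readable by every local account on the host, and the execute bits serve no purpose for an env file. The only reader this commit shows is arion running as `vars.user`, who already owns the file, so `mode = "0600";` is sufficient; if a daemon needs group access, `0640` with an explicit `group` is the next step up rather than world-readable. Separately, the `virtualisation.arion` block is commented out, so arion-compose.nix is not wired into the module and nothing here starts the project declaratively; if that is intended for a "previous installation", a one-line comment above the block saying so (and what starts the stack instead) would save the next reader a search.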
diff --git a/hosts/franz/restic.nix b/hosts/franz/restic.nix
index 7bfd231..8f7f0d3 100644
--- a/hosts/franz/restic.nix
+++ b/hosts/franz/restic.nix
@@ -147,6 +147,11 @@ in {
 - arion -f ${arionPath}/passwords/arion-compose.nix -p ${arionPath}/passwords/arion-pkgs.nix stop
 after:
 - arion -f ${arionPath}/passwords/arion-compose.nix -p ${arionPath}/passwords/arion-pkgs.nix start
+ matrix:
+ from: /storage/dataset/docker/matrix
+ to:
+ - zfs
+ cron: '0 4 * * 0' # Every Sunday at 4:00
 backends:
 zfs:
 type: local
diff --git a/secrets/franz.yaml b/secrets/franz.yaml
index 8de6483..e1f9b9f 100644
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@@ -31,6 +31,10 @@ autorestic:
 zfs_key: ENC[AES256_GCM,data:HyZBD202BoG6ncw37Tg9LPvfvQPnOaLJKk+gMvdZflt+XZ/7lx6TZOp/loiDhSSBTMusAXaI/aDkAFx2a7yDUQ==,iv:nQAHi9TyUXamSlFq99NYvWLOBSuZstuYNJLgVpxF1JU=,tag:mIS/E4Wr6IdWsZtehNY7UA==,type:str]
 ssd_key: ENC[AES256_GCM,data:xgJCpNkmIn8VU+jG++0kLW8WM9RbTBmsZeOuOz1WWmc4sOdN4lWfPvLjcTAHZDIXFvX7NodEcGAYDmcWNw7QBw==,iv:wGJcz7CEjhwsUlVEyuHOBcayzE97PfWi2f0TvITzafg=,tag:wpaJFcQBd/kAmExfD6fwJQ==,type:str]
 eustachius_key: ENC[AES256_GCM,data:qiq6Y05bV7mf0OOBDzR09MrW5g01WxmWVHB3vJ04XQaOVMGzl7hZq0ewcLOxitbFw3VcN5GQBpA8smlmahz8VA==,iv:epq7+tXG9QYAjNu8qHI2gjBYUuoPNdZg8+2XCLOwu1Q=,tag:qM8YdSZhwwM3GDrNPfo/Jg==,type:str]
+matrix:
+ postgres_database: ENC[AES256_GCM,data:9O0vYjbTuQ==,iv:L5QCwhFSjPW0OiUMjCQo6BcLktUXJcqTsTXEi5JdaWo=,tag:LUPRSZl0pza5WOWI8RrAmw==,type:str]
+ postgres_user: ENC[AES256_GCM,data:S9ksmTOAbBg=,iv:q/6Oo9JhiSAqQq3ZKa0dbQGtfYAuD0oeiDLR4YwV0nk=,tag:RIc/1UVs88Jg8+4zGnW6vQ==,type:str]
+ postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
 sops:
 kms: []
 gcp_kms: []
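Review bot: The new `matrix` location backs up /storage/dataset/docker/matrix, which per arion-compose.nix in this commit holds the live Postgres data directory (`synapse_db`), but unlike the `passwords` location, whose `after:` restart hook is visible in the context lines, it has no hooks quiescing the stack first, so restic can capture the data directory mid-write and produce a snapshot Postgres cannot open cleanly. Mirror the passwords entry with `hooks` that stop the matrix project before the run and start it afterwards (below, assuming `arionPath` resolves to the same directory as it does for passwords); if the downtime is unwanted, a `before` hook running `pg_dump` into the backed-up path is the usual alternative. The enclosing Nix string and the `in {` block begin outside the hunk.

```nix
      matrix:
        # … unchanged: from / to / cron …
        hooks:
          before:
            - arion -f ${arionPath}/matrix/arion-compose.nix -p ${arionPath}/matrix/arion-pkgs.nix stop
          after:
            - arion -f ${arionPath}/matrix/arion-compose.nix -p ${arionPath}/matrix/arion-pkgs.nix start
```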
@@ -46,8 +50,8 @@ sops:
 VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
 EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-09T20:05:32Z"
- mac: ENC[AES256_GCM,data:QpiN3iCM46/cg3YpHSXvQ4hz33oc24yqcMYuYfumUCwFZiP/tBIgjAOTm8abnyR7+Vs8vrs3BATiHoA8xpIWIWgJGROLqbyM4yFOP4YE0CTrJq86QQbtluYB3aidgijsHERfL6MJ2/na0oC2KC39P7c0dwmF4HOGfGGq3eqAis4=,iv:FfHAgntSRKCOQ5m88X/k30OXk1QdcSw32NxYcaZQitU=,tag:zndSmXNnNt7p/ElRHdqe1Q==,type:str]
+ lastmodified: "2024-04-13T14:40:45Z"
+ mac: ENC[AES256_GCM,data:KnlhlaJkO0WMjXn9xqSTViciHL1Hvb9nlb40H5jB0AF6QzcZbteLZRCRfX1VGgsoGoqRprkNEAIZfirnRHxIId8rnLJezV/+e0R5+py8UkOOIAPxrnTyIJ2ThCsAxvfV2JTGo3TwM8PdzxH/zbhVpSaea4Or2+Y3pipZB+qtq74=,iv:lSWzwg9pdqeJzbuxZHIS1upfkFHklFQCfhzE4nqnPl4=,tag:iYx6xkhomksHkpz78WCw3w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1