Compare commits

..

7 commits

9 changed files with 539 additions and 310 deletions

View file

@ -298,11 +298,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1715947901, "lastModified": 1717670534,
"narHash": "sha256-nAcmnm4/PBA+E3kjtLZJy7aKmzu4Ou5dzVFAC0j9ORM=", "narHash": "sha256-pzkVew3wK8RIa8tQMzU3kd8Cf+u9g1XDfNpBT+k5lyo=",
"owner": "chayleaf", "owner": "chayleaf",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8620504340e055daa4f81b43117e55952c8b7a87", "rev": "b4313b98b86d588375cdad46f75279b7aa45bd41",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -26,6 +26,26 @@ in
stable = nixForNixPlugins; stable = nixForNixPlugins;
unstable = nixForNixPlugins; unstable = nixForNixPlugins;
}; };
matrix-appservice-discord = pkgs.matrix-appservice-discord.overrideAttrs (old: {
patches = (old.patches or []) ++ [
(pkgs.fetchpatch {
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/eb989fa710e8db4ebc8f2ce36c6679ee6cbc1a44.patch";
hash = "sha256-GPeFDw3XujqXHJveHSsBHwHuG51vad50p55FX1Esq58=";
})
(pkgs.fetchpatch {
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/a4cd5e3a6a2d544adac2a263e164671c8a9009d9.patch";
hash = "sha256-qQJ4V6/Ns2Msu8+X8JoEycuQ2Jc90TXulsuLLmPecGU=";
})
(pkgs.fetchpatch {
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/fc850ba2473973e28858449ec4020380470d78b2.patch";
hash = "sha256-Lq0FWmR08wLsoq4APRTokZzb7U2po98pgyxH4UR/9/M=";
})
(pkgs.fetchpatch {
url = "https://github.com/matrix-org/matrix-appservice-discord/commit/7f3d41d86ebce057cfdc82ce3aaab64b533e8f0b.patch";
hash = "sha256-HmQ1KASZS+a78fe5yOCVXAnXLRmJUglzc6OxNJazOSk=";
})
];
});
# Various patches to change Nix version of existing packages so they don't error out because of nix-plugins in nix.conf # Various patches to change Nix version of existing packages so they don't error out because of nix-plugins in nix.conf
/*nix-plugins = (pkgs.nix-plugins.override { nix = nixForNixPlugins; }).overrideAttrs (old: { /*nix-plugins = (pkgs.nix-plugins.override { nix = nixForNixPlugins; }).overrideAttrs (old: {
version = "13.0.0"; version = "13.0.0";

File diff suppressed because it is too large Load diff

View file

@ -483,7 +483,7 @@ in {
{ ipv6 = true; extraArgs = [ "fwmark" wan_table "table" wan_table ]; } { ipv6 = true; extraArgs = [ "fwmark" wan_table "table" wan_table ]; }
# below is dnat config # below is dnat config
] ++ builtins.concatLists (map (rule: let ] ++ builtins.concatLists (map (rule: let
table = if rule.inVpn then 0 else wan_table; table = if rule.inVpn then vpn_table else wan_table;
forEachPort = func: port: forEachPort = func: port:
if builtins.isInt port then [ (func port) ] if builtins.isInt port then [ (func port) ]
else if port?set then builtins.concatLists (map (forEachPort func) port.set) else if port?set then builtins.concatLists (map (forEachPort func) port.set)
@ -894,10 +894,12 @@ in {
# fetch vpn_ips.json and vpn_domains.json for unbound # fetch vpn_ips.json and vpn_domains.json for unbound
script = '' script = ''
BLACKLIST=$(${pkgs.coreutils}/bin/mktemp) || exit 1 BLACKLIST=$(${pkgs.coreutils}/bin/mktemp) || exit 1
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v2/ips/json/" -o "$BLACKLIST" || exit 1 ${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/ips/" -o "$BLACKLIST" || exit 1
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_ips.json ${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_ips.json
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v2/domains/json/" -o "$BLACKLIST" || exit 1 ${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/domains/" -o "$BLACKLIST" || exit 1
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_domains.json ${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_domains.json
${pkgs.curl}/bin/curl "https://reestr.rublacklist.net/api/v3/dpi/" -o "$BLACKLIST" || exit 1
${pkgs.jq}/bin/jq ".[0:0]" "$BLACKLIST" && chown unbound:unbound "$BLACKLIST" && mv "$BLACKLIST" /var/lib/unbound/vpn_dpi.json
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";

View file

@ -37,14 +37,14 @@ def main() -> None:
spot.add_argument("--domain", "-d", type=str, required=True) spot.add_argument("--domain", "-d", type=str, required=True)
spot.add_argument("--cache_file", "-c", type=str, required=True) spot.add_argument("--cache_file", "-c", type=str, required=True)
spot.add_argument("certs", type=str, nargs="*") spot.add_argument("certs", type=str, nargs="*")
hash = subparsers.add_parser("hash") tbs = subparsers.add_parser("tbs")
hash.set_defaults(func=print_hash) tbs.set_defaults(func=print_tbs)
hash.add_argument("path", type=str) tbs.add_argument("path", type=str)
args = parser.parse_args() args = parser.parse_args()
args.func(args) args.func(args)
def print_hash(args) -> None: def print_tbs(args) -> None:
with open(args.path, "rb") as f: with open(args.path, "rb") as f:
print(calc_tbs(f.read())) print(calc_tbs(f.read()))

View file

@ -107,14 +107,11 @@ in {
# make sure only hydra has access to this file # make sure only hydra has access to this file
# so normal nix evals don't have access to builtins # so normal nix evals don't have access to builtins
nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix"; nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
# required for hydra which uses restricted mode
nix.settings.allowed-uris = [ nix.settings.allowed-uris = [
# required for home-manager (no idea if it's required at this point) "https://git.sr.ht/"
"https://git.sr.ht/~rycee/nmd/" "https://api.github.com/repos/"
# ...for the rest of the home config "https://github.com/"
"https://api.github.com/repos/FAForever/"
"https://github.com/nix-community/nix-index-database/releases/download/"
# required for server (I suppose since nvfetcher uses fetchTarball here...)
"https://github.com/searxng/searxng/"
# for nginx CF-Connecting-IP config generation # for nginx CF-Connecting-IP config generation
"https://www.cloudflare.com/ips-v4" "https://www.cloudflare.com/ips-v4"
"https://www.cloudflare.com/ips-v6" "https://www.cloudflare.com/ips-v6"
@ -283,7 +280,7 @@ in {
job_name = "local_medium_freq"; job_name = "local_medium_freq";
scrape_interval = "15m"; scrape_interval = "15m";
static_configs = [ { static_configs = [ {
targets = [ "127.0.0.1:9548" "127.0.0.1:9198" ]; targets = [ "127.0.0.1:9548" "127.0.0.1:9198" "127.0.0.1:9173" ];
labels.machine = "server"; labels.machine = "server";
} ]; } ];
} }
@ -359,6 +356,12 @@ in {
} }
]; ];
}; };
# TODO: enable
services.matrix-appservice-discord.settings.metrics = {
enable = true;
host = "127.0.0.1";
port = 9173;
};
services.matrix-synapse.settings = { services.matrix-synapse.settings = {
enable_metrics = true; enable_metrics = true;
federation_metrics_domains = [ "matrix.org" ]; federation_metrics_domains = [ "matrix.org" ];

View file

@ -36,7 +36,8 @@ in {
# a crude way to make some python packages available for synapse # a crude way to make some python packages available for synapse
services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ]; services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
services.matrix-synapse.settings.password_config.enabled = false; # i'm managing this manually in a stateful way
# services.matrix-synapse.settings.password_config.enabled = false;
systemd.services.matrix-synapse.after = [ "keycloak.service" ]; systemd.services.matrix-synapse.after = [ "keycloak.service" ];
# See also https://meta.akkoma.dev/t/390 # See also https://meta.akkoma.dev/t/390

View file

@ -1,5 +1,6 @@
{ config { config
, lib , lib
, pkgs
, ... }: , ... }:
let let
@ -51,12 +52,32 @@ in {
homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/"; homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/";
}; };
services.matrix-appservice-discord = {
enable = true;
environmentFile = "/secrets/discord-bridge-token";
settings = {
auth.usePrivilegedIntents = true;
database.filename = "";
bridge = {
domain = "matrix.${cfg.domainName}";
homeserverUrl = "https://matrix.${cfg.domainName}";
enableSelfServiceBridging = true;
disablePresence = true;
disablePortalBridging = true;
disableInviteNotifications = true;
disableJoinLeaveNotifications = true;
disableRoomTopicNotifications = true;
};
};
};
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ]; extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];
settings = { settings = {
app_service_config_files = [ app_service_config_files = [
"/var/lib/heisenbridge/registration.yml" "/var/lib/heisenbridge/registration.yml"
"/var/lib/matrix-synapse/discord-registration.yaml"
]; ];
allow_guest_access = true; allow_guest_access = true;
url_preview_enabled = true; url_preview_enabled = true;

View file

@ -30,5 +30,6 @@ in {
]; ];
services.maubot.pythonPackages = with pkgs.python3.pkgs; [ services.maubot.pythonPackages = with pkgs.python3.pkgs; [
levenshtein levenshtein
pillow
]; ];
} }