Diffstat (limited to 'modules/by-name/ma')
| -rw-r--r-- | modules/by-name/ma/mail/module.nix | 4 | ||||
| -rw-r--r-- | modules/by-name/ma/mastodon/module.nix | 27 | ||||
| -rw-r--r-- | modules/by-name/ma/matrix/module.nix | 86 | ||||
| -rw-r--r-- | modules/by-name/ma/matrix/passwd.age | 15 |
4 files changed, 70 insertions, 62 deletions
diff --git a/modules/by-name/ma/mail/module.nix b/modules/by-name/ma/mail/module.nix
index 55f2fb8..500abd0 100644
--- a/modules/by-name/ma/mail/module.nix
+++ b/modules/by-name/ma/mail/module.nix
@@ -73,6 +73,8 @@ in { enable = true; inherit (cfg) fqdn; + stateVersion = 3; + useFsLayout = true; extraVirtualAliases = {
@@ -156,11 +158,13 @@ in { knot-resolver.uid = config.vhack.constants.ids.uids.knot-resolver; redis-rspamd.uid = config.vhack.constants.ids.uids.redis-rspamd; rspamd.uid = config.vhack.constants.ids.uids.rspamd; + postfix-tlspol.uid = config.vhack.constants.ids.uids.postfix-tlspol; }; groups = { knot-resolver.gid = lib.mkForce config.vhack.constants.ids.gids.knot-resolver; redis-rspamd.gid = config.vhack.constants.ids.gids.redis-rspamd; rspamd.gid = config.vhack.constants.ids.gids.rspamd; + postfix-tlspol.gid = config.vhack.constants.ids.gids.postfix-tlspol; }; }; };
diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix
index 895428d..84f3ec8 100644
--- a/modules/by-name/ma/mastodon/module.nix
+++ b/modules/by-name/ma/mastodon/module.nix
@@ -37,16 +37,22 @@ in { owner = "mastodon"; group = "mastodon"; }; - vhack.persist.directories = [ - { - directory = "/var/lib/mastodon"; - user = "mastodon"; - group = "mastodon"; - mode = "0700"; - } - ]; - vhack.postgresql.enable = true; + vhack = { + persist.directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; + + postgresql.enable = true; + + nginx.enable = true; + }; + services.mastodon = { enable = true;
@@ -54,7 +60,7 @@ in { # Unstable Mastodon package, used if # security updates aren't backported. - #package = applyPatches pkgs-unstable.mastodon; + #package = applyPatches pkgsUnstable.mastodon; localDomain = if cfg.enableTLD
@@ -75,7 +81,6 @@ in { }; }; - vhack.nginx.enable = true; services.nginx = { enable = true; recommendedProxySettings = true; # required for redirections to work
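Review bot: `useFsLayout = true;` switches Dovecot to the filesystem maildir layout, and nothing in the hunk records whether this host already holds delivered mail; on an existing server the mailboxes stored under the previous layout are not converted automatically, so folders can appear to vanish after the switch. If the server is not a fresh deployment, a short comment next to the option stating that the maildirs were migrated first would save the next reader the same question, e.g. `# fs layout: existing maildirs were converted before enabling this`. The enclosing attribute set opens before the hunk and the second hunk in this file (the postfix-tlspol uid/gid lines) raises nothing.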
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
index a73fd13..39631ef 100644
--- a/modules/by-name/ma/matrix/module.nix
+++ b/modules/by-name/ma/matrix/module.nix
@@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: let
@@ -24,55 +23,70 @@ in { type = lib.types.str; description = "The url the matrix-server should be known under."; }; + sharedSecretFile = lib.mkOption { + type = lib.types.path; + description = "The age encrypted shared secret file for synapse, passed to agenix"; + }; }; + config = lib.mkIf cfg.enable { age.secrets.matrix-synapse_registration_shared_secret = { - file = ./passwd.age; + file = cfg.sharedSecretFile; mode = "700"; owner = "matrix-synapse"; group = "matrix-synapse"; }; networking.firewall.allowedTCPPorts = [80 443]; - vhack.persist.directories = [ - { - directory = "/var/lib/matrix"; - user = "matrix-synapse"; - group = "matrix-synapse"; - mode = "0700"; - } - { - directory = "/var/lib/mautrix-whatsapp"; - user = "mautrix-whatsapp"; - group = "matrix-synapse"; - mode = "0750"; - } - ]; - systemd.tmpfiles.rules = [ - "d /etc/matrix 0755 matrix-synapse matrix-synapse" - ]; + vhack = { + persist.directories = [ + { + directory = "/var/lib/matrix"; + user = "matrix-synapse"; + group = "matrix-synapse"; + mode = "0700"; + } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } + ]; + + postgresql.enable = true; + nginx.enable = true; + }; - vhack.postgresql.enable = true; - vhack.nginx.enable = true; + systemd = { + tmpfiles.rules = [ + "d /etc/matrix 0755 matrix-synapse matrix-synapse" + ]; + # TODO: Do we still need this? 
<2025-12-18> + # The `$PSQL` env var seemed to go away between the 25.05 -> 25.11 update + # services.postgresql.postStart = '' + # $PSQL -tAc "ALTER ROLE \"matrix-synapse\" WITH PASSWORD 'synapse';" + # $PSQL -tAc "ALTER ROLE \"mautrix-whatsapp\" WITH PASSWORD 'whatsapp';" + # ''; + }; services = { postgresql = { enable = true; - initialScript = pkgs.writeText "synapse-init.sql" '' - --Matrix: - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - - --Whatsapp-bridge: - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; + ensureUsers = [ + { + name = "matrix-synapse"; + ensureDBOwnership = true; + } + { + name = "mautrix-whatsapp"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + "matrix-synapse" + "mautrix-whatsapp" + ]; }; nginx = {
diff --git a/modules/by-name/ma/matrix/passwd.age b/modules/by-name/ma/matrix/passwd.age
deleted file mode 100644
index 6386ed6..0000000
--- a/modules/by-name/ma/matrix/passwd.age
+++ /dev/null
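Review bot: The `ensureDatabases` entries create `matrix-synapse` and `mautrix-whatsapp` with the cluster's default template and locale, whereas the removed initialScript pinned `TEMPLATE template0` with `LC_COLLATE = "C"` / `LC_CTYPE = "C"`, which Synapse verifies at startup and refuses to run without (short of setting `allow_unsafe_locale`); on a freshly initialised cluster whose default locale is not C this hunk therefore breaks first boot, while existing deployments are unaffected because ensureDatabases leaves databases that already exist untouched. Suggest recording that constraint next to the list, e.g. `# Synapse needs C collation/ctype; ensureDatabases cannot set it, so a new cluster must be initialised with a C locale (services.postgresql.initdbArgs)`. Separately, roles created by `ensureUsers` carry no password, so both services now depend on peer authentication over the unix socket; the commented-out postStart block would put the literal passwords back into the Nix store if it were ever revived, so the TODO is better resolved by confirming the socket connection and deleting the block than by keeping it as a comment. The enclosing `config = lib.mkIf cfg.enable { … services = { … }` attribute set continues past the end of the hunk.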
@@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF -bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC -aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q -Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk -ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg -YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5 -cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg -LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy -dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3 -RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv -OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A -sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK -4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria ------END AGE ENCRYPTED FILE----- |
