Diffstat (limited to 'modules/by-name/ma')
-rw-r--r-- | modules/by-name/ma/mail/module.nix | 167 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/module.nix | 123 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch | 40 | ||||
-rw-r--r-- | modules/by-name/ma/matrix/module.nix | 171 |
4 files changed, 501 insertions, 0 deletions
diff --git a/modules/by-name/ma/mail/module.nix b/modules/by-name/ma/mail/module.nix new file mode 100644 index 0000000..55f2fb8 --- /dev/null +++ b/modules/by-name/ma/mail/module.nix 
@@ -0,0 +1,167 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.mail; + all_admins = [ + "sils@vhack.eu" + "soispha@vhack.eu" + "nightingale@vhack.eu" + ]; +in { + options.vhack.mail = { + enable = lib.mkEnableOption "sophisticated mail setup with simple-nixos-mailserver"; + fqdn = lib.mkOption { + type = lib.types.str; + description = "The fqdn mailserver should be served on."; + }; + }; + + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/var/lib/mail/backup"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/sieve"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/vmail"; + user = "virtualMail"; + group = "virtualMail"; + mode = "0700"; + } + { + directory = "/var/lib/mail/dkim"; + user = "opendkim"; + group = "opendkim"; + mode = "0700"; + } + { + directory = "/var/lib/postfix/data"; + user = "postfix"; + group = "postfix"; + mode = "0700"; + } + { + directory = "/var/lib/postfix/queue"; + user = "postfix"; + group = "postfix"; + mode = "0700"; + } + { + directory = "/var/lib/rspamd"; + user = "rspamd"; + group = "rspamd"; + mode = "0700"; + } + ]; + vhack.nginx.enable = true; + security.acme.certs = { + "${cfg.fqdn}" = { + domain = cfg.fqdn; + }; + }; + mailserver = { + enable = true; + inherit (cfg) fqdn; + + useFsLayout = true; + + extraVirtualAliases = { + "abuse@vhack.eu" = all_admins; + "postmaster@vhack.eu" = all_admins; + "admin@vhack.eu" = all_admins; + }; + + mailDirectory = "/var/lib/mail/vmail"; + dkimKeyDirectory = "/var/lib/mail/dkim"; + sieveDirectory = "/var/lib/mail/sieve"; + backup.snapshotRoot = "/var/lib/mail/backup"; + + enableImap = false; + enableImapSsl = true; + enablePop3 = false; + enablePop3Ssl = true; + # SMTP + enableSubmission = false; + enableSubmissionSsl = true; + openFirewall = true; + + keyFile = "/var/lib/acme/${cfg.fqdn}/key.pem"; + certificateScheme = "acme"; + 
certificateFile = "/var/lib/acme/${cfg.fqdn}/fullchain.pem"; + + domains = [ + "vhack.eu" + + "s-schoeffel.de" + "b-peetz.de" + + "sils.li" + "nightingale.sils.li" + "sils.sils.li" + ]; + + loginAccounts = { + "sils@vhack.eu" = { + hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm"; + }; + "soispha@vhack.eu" = { + hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW"; + }; + + "benedikt.peetz@b-peetz.de" = { + hashedPassword = "$2b$05$MfET8utot2OolPZNASqoDe4VXNoG2chnEWhdfQ2E92mit0TvI2gBy"; + aliases = ["@b-peetz.de"]; + }; + "silas.schoeffel@s-schoeffel.de" = { + hashedPassword = "$2b$05$Qb8rl7ncpCcTbsSdsduJBuOITp8RTD6sfOTjuxJsVtD9vjAYY9n8e"; + aliases = ["@s-schoeffel.de"]; + }; + + "nightingale@vhack.eu" = { + hashedPassword = "$2b$05$nDKVVq1EktKXWqGFhnOLP.plLovXFyvWSuptK9GIkxA5DScKFx6YS"; + aliases = [ + "@nightingale.sils.li" + ]; + }; + "sils@sils.li" = { + hashedPassword = "$2b$05$Ebzh2ZhuWkz1p4tqJ172IejNZg10FtCxPDY4k6umYrpirXg7ezIRq"; + aliases = [ + "@sils.sils.li" + "@sils.li" + ]; + }; + + # Mail-Account used by hosted software + "mastodon@vhack.eu" = { + hashedPassword = "$2b$05$pSby3x2p3cHg0FyAE8IiJ.nYUqtAIR10JA8HNpHwMAiLXqc.ltSK."; + }; + "peertube@vhack.eu" = { + hashedPassword = "$y$j9T$hyWQ8Awd2Xrc6qsK.2hwE1$LxACfaeW.yHGbkQL95dWtID9.zXL/aMwT6lp.yU/0g0"; + }; + }; + }; + + users = { + users = { + knot-resolver.uid = config.vhack.constants.ids.uids.knot-resolver; + redis-rspamd.uid = config.vhack.constants.ids.uids.redis-rspamd; + rspamd.uid = config.vhack.constants.ids.uids.rspamd; + }; + groups = { + knot-resolver.gid = lib.mkForce config.vhack.constants.ids.gids.knot-resolver; + redis-rspamd.gid = config.vhack.constants.ids.gids.redis-rspamd; + rspamd.gid = config.vhack.constants.ids.gids.rspamd; + }; + }; + }; +} diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix new file mode 100644 index 0000000..895428d --- /dev/null 
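Review bot: The `loginAccounts` entries commit bcrypt hashes with a cost factor of 5 (the `$2b$05$` prefix) to the repository, which makes an offline attack on the repo contents cheap; the same commit already uses agenix for the mastodon mail password, so these belong in `hashedPasswordFile = config.age.secrets.<account>.path;` (placeholder name) instead of inline `hashedPassword`, regenerated at a higher cost (12 is the usual floor). `peertube@vhack.eu` uses a yescrypt hash (`$y$`) while every other account uses bcrypt; pick one scheme so rotation and auditing stay uniform. `certificateScheme = "acme"` normally lets the mailserver module manage the certificate paths itself, so the explicit `keyFile`/`certificateFile` lines under `/var/lib/acme/${cfg.fqdn}` are probably redundant — confirm against the simple-nixos-mailserver version pinned here before removing them.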
+++ b/modules/by-name/ma/mastodon/module.nix 
@@ -0,0 +1,123 @@ +{ + config, + pkgs, + lib, + ... +}: let + emailAddress = "mastodon@vhack.eu"; + applyPatches = pkg: + pkg.overrideAttrs (attrs: { + patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch]; + }); + cfg = config.vhack.mastodon; +in { + options.vhack.mastodon = { + enable = lib.mkEnableOption "a mastodon instance"; + domain = lib.mkOption { + type = lib.types.str; + description = "The Domain mastodon should be served on"; + example = "mastodon.vhack.eu"; + }; + enableTLD = lib.mkEnableOption "using the tld as handle, configured via + webfinger (note: this requires the tld to point to the same server as domain)"; + tld = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "vhack.eu"; + }; + mailPwFile = lib.mkOption { + type = lib.types.path; + description = "The age encrypted mail password file passed to agenix"; + }; + }; + config = lib.mkIf cfg.enable { + age.secrets.mastodonMail = { + file = cfg.mailPwFile; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; + }; + vhack.persist.directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; + + vhack.postgresql.enable = true; + services.mastodon = { + enable = true; + + package = applyPatches pkgs.mastodon; + + # Unstable Mastodon package, used if + # security updates aren't backported. 
+ #package = applyPatches pkgs-unstable.mastodon; + + localDomain = + if cfg.enableTLD + then cfg.tld + else cfg.domain; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "mail.foss-syndicate.org"; + passwordFile = config.age.secrets.mastodonMail.path; + }; + streamingProcesses = 3; # Number of Cores - 1 + extraConfig = { + WEB_DOMAIN = cfg.domain; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; + }; + + vhack.nginx.enable = true; + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + "${cfg.domain}" = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + }; + "${cfg.tld}" = + if cfg.enableTLD + then { + locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri"; + } + else {}; + }; + }; + + users = { + users.mastodon.uid = config.vhack.constants.ids.uids.mastodon; + users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon; + groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon; + groups.mastodon = { + gid = config.vhack.constants.ids.gids.mastodon; + members = [ + config.services.nginx.user + ]; + }; + }; + }; +} diff --git a/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch new file mode 100644 index 0000000..35dc809 --- /dev/null 
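Review bot: `"${cfg.tld}" = if cfg.enableTLD then { … } else {};` inside `services.nginx.virtualHosts` interpolates `cfg.tld` as an attribute name unconditionally, and `tld` defaults to `null`, so any host that enables mastodon without `enableTLD` fails to evaluate (null cannot be coerced to a string). Add the virtual host only when `enableTLD` is set and assert that `tld` is then non-null, since `localDomain` has the same dependency. Separately, `age.secrets.mastodonMail.mode = "700"` grants execute on a password file that is only ever read by its owner; `"0400"` is sufficient.
```nix
    services.nginx = {
      enable = true;
      recommendedProxySettings = true; # required for redirections to work
      virtualHosts =
        {
          "${cfg.domain}" = {
            # … unchanged: root, forceSSL, enableACME, locations …
          };
        }
        # Only interpolate cfg.tld once enableTLD guarantees it is set.
        // lib.optionalAttrs cfg.enableTLD {
          "${cfg.tld}".locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
        };
    };

    assertions = [
      {
        assertion = cfg.enableTLD -> cfg.tld != null;
        message = "vhack.mastodon.enableTLD requires vhack.mastodon.tld to be set";
      }
    ];
```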
+++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch @@ -0,0 +1,40 @@ +From ab67426c53d343eee349de501767ecbbf5d211ad Mon Sep 17 00:00:00 2001 +From: Benedikt Peetz <benedikt.peetz@b-peetz.de> +Date: Sat, 21 Dec 2024 20:07:11 +0100 +Subject: [PATCH] feat(treewide): Increase character limit to 5000 in messages + +The default of 500 was just not enough. +--- + .../features/compose/containers/compose_form_container.js | 2 +- + app/validators/status_length_validator.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/app/javascript/mastodon/features/compose/containers/compose_form_container.js b/app/javascript/mastodon/features/compose/containers/compose_form_container.js +index bda2edba6..76ac65bf3 100644 +--- a/app/javascript/mastodon/features/compose/containers/compose_form_container.js ++++ b/app/javascript/mastodon/features/compose/containers/compose_form_container.js +@@ -28,7 +28,7 @@ const mapStateToProps = state => ({ + anyMedia: state.getIn(['compose', 'media_attachments']).size > 0, + isInReply: state.getIn(['compose', 'in_reply_to']) !== null, + lang: state.getIn(['compose', 'language']), +- maxChars: state.getIn(['server', 'server', 'configuration', 'statuses', 'max_characters'], 500), ++ maxChars: state.getIn(['server', 'server', 'configuration', 'statuses', 'max_characters'], 5000), + }); + + const mapDispatchToProps = (dispatch) => ({ +diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb +index dc841ded3..9cb1ec94b 100644 +--- a/app/validators/status_length_validator.rb ++++ b/app/validators/status_length_validator.rb +@@ -1,7 +1,7 @@ + # frozen_string_literal: true + + class StatusLengthValidator < ActiveModel::Validator +- MAX_CHARS = 500 ++ MAX_CHARS = 5000 + URL_PLACEHOLDER_CHARS = 23 + URL_PLACEHOLDER = 'x' * 23 + +-- +2.47.0 + 
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix new file mode 100644 index 0000000..4b730da --- /dev/null +++ b/modules/by-name/ma/matrix/module.nix 
@@ -0,0 +1,171 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.vhack.matrix; + clientConfig."m.homeserver".base_url = "https://${cfg.fqdn}"; + serverConfig."m.server" = "${cfg.fqdn}:443"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { + options.vhack.matrix = { + enable = lib.mkEnableOption "matrix setup based on synapse"; + fqdn = lib.mkOption { + type = lib.types.str; + description = "The FQDN on which matrix-synapse should be served."; + example = "matrix.vhack.eu"; + }; + url = lib.mkOption { + type = lib.types.str; + description = "The url the matrix-server should be known under."; + }; + sharedSecretFile = lib.mkOption { + type = lib.types.path; + description = "The age encrypted shared secret file for synapse, passed to agenix"; + }; + }; + config = lib.mkIf cfg.enable { + age.secrets.matrix-synapse_registration_shared_secret = { + file = cfg.sharedSecretFile; + mode = "700"; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + networking.firewall.allowedTCPPorts = [80 443]; + + vhack.persist.directories = [ + { + directory = "/var/lib/matrix"; + user = "matrix-synapse"; + group = "matrix-synapse"; + mode = "0700"; + } + { + directory = "/var/lib/mautrix-whatsapp"; + user = "mautrix-whatsapp"; + group = "matrix-synapse"; + mode = "0750"; + } + ]; + systemd.tmpfiles.rules = [ + "d /etc/matrix 0755 matrix-synapse matrix-synapse" + ]; + + vhack.postgresql.enable = true; + vhack.nginx.enable = true; + + services = { + postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + --Matrix: + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + + --Whatsapp-bridge: + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH 
OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "${cfg.url}" = { + enableACME = true; + forceSSL = true; + locations = { + "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; + }; + }; + "${cfg.fqdn}" = { + enableACME = true; + forceSSL = true; + locations = { + "/".return = "404"; + "/_matrix".proxyPass = "http://[::1]:8008"; + "/_synapse/client".proxyPass = "http://[::1]:8008"; + }; + }; + }; + }; + + mautrix-whatsapp = { + # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm. + # Re-enable it, when this has changed. <2024-09-06> + enable = false; + settings = { + appservice = { + database = { + type = "postgres"; + uri = "postgres:///mautrix-whatsapp?host=/run/postgresql"; + }; + whatsapp = { + # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list. 
+ # This also determines the WhatsApp icon + browser_name = "unknown"; + }; + }; + homeserver.address = "https://${cfg.fqdn}"; + bridge.permissions = { + "@soispha:vhack.eu" = "admin"; + "@sils:vhack.eu" = "admin"; + "@nightingale:vhack.eu" = "admin"; + }; + }; + }; + + matrix-synapse = { + enable = true; + dataDir = "/var/lib/matrix"; + configFile = "/etc/matrix/matrix.conf"; + settings = { + media_store_path = "/var/lib/matrix/media_store"; + registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}"; + server_name = cfg.url; + listeners = [ + { + port = 8008; + bind_addresses = ["::1"]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = ["client" "federation"]; + compress = true; + } + ]; + } + ]; + }; + }; + }; + users = { + users = { + matrix-synapse.uid = config.vhack.constants.ids.uids.matrix-synapse; + mautrix-whatsapp = { + uid = config.vhack.constants.ids.uids.mautrix-whatsapp; + group = "matrix-synapse"; + }; + }; + groups.matrix-synapse.gid = config.vhack.constants.ids.gids.matrix-synapse; + }; + }; +} |
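Review bot: `initialScript` embeds fixed role passwords (`PASSWORD 'synapse'`, `PASSWORD 'whatsapp'`) in a file produced by `pkgs.writeText`, which lands in the world-readable Nix store, so every local user and every consumer of the store can read them. Nothing in the hunk appears to use them: the bridge URI `postgres:///mautrix-whatsapp?host=/run/postgresql` goes through the unix socket, and the synapse `settings` block sets no `database`, so the nixpkgs socket/peer-auth defaults presumably apply — drop the `PASSWORD '…'` clauses and keep `WITH LOGIN`, or, if password authentication is genuinely needed somewhere, load it from an agenix secret as the hunk already does for `registration_shared_secret_path`. `age.secrets.matrix-synapse_registration_shared_secret.mode = "700"` adds an execute bit a secret file never needs; `"0400"` is enough. `matrix-synapse.configFile = "/etc/matrix/matrix.conf"` points synapse at a file nothing in this hunk writes; if the nixpkgs module honours that override, the `settings` block (listeners, `server_name`, the shared-secret path) is never rendered into the config synapse actually reads — worth confirming before merge.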