From e0335cb666107cb0a3e400298b0216111d4c16ed Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Sat, 15 Nov 2025 18:53:32 +0100
Subject: [PATCH] feat: several fixes & updates
---
 config/alloy/default-journal-logger.alloy.nix | 2 +-
 config/alloy/matrix-mas.alloy.nix | 51 -----
 config/matrix-mas.config.nix | 104 ----------
 config/matrix-mas.nix | 31 ---
 config/matrix-nginx.nix | 5 +-
 config/matrix-synapse.nix | 27 +--
 config/monitoring-grafana.nix | 13 +-
 config/proxy-traefik.nix | 181 ++++++++++--------
 containers/git.nix | 2 +-
 containers/matrix.nix | 28 +--
 containers/monitoring.nix | 5 +-
 containers/music.nix | 1 +
 containers/power.nix | 1 +
 13 files changed, 143 insertions(+), 308 deletions(-)
 delete mode 100644 config/alloy/matrix-mas.alloy.nix
 delete mode 100644 config/matrix-mas.config.nix
 delete mode 100644 config/matrix-mas.nix
diff --git a/config/alloy/default-journal-logger.alloy.nix b/config/alloy/default-journal-logger.alloy.nix
index 5cfb02f..f5e9d1d 100644
--- a/config/alloy/default-journal-logger.alloy.nix
+++ b/config/alloy/default-journal-logger.alloy.nix
@@ -8,7 +8,7 @@ let
 hostname = tools.build_hostname container;
 ip = tools.build_ip container;
- prefix = "${container}_${service}";
+ prefix = "${container}_${builtins.replaceStrings [ "-" ] [ "_" ] service}";
 in
 {
 out = ''
diff --git a/config/alloy/matrix-mas.alloy.nix b/config/alloy/matrix-mas.alloy.nix
deleted file mode 100644
index 17f93de..0000000
--- a/config/alloy/matrix-mas.alloy.nix
+++ /dev/null
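Review bot: The new `prefix` line silently rewrites `-` to `_` before the value is interpolated into an Alloy block label, and nothing on the line says why, so a later change to the service naming scheme has no hint that the label syntax is the constraint. A comment such as `# "-" is not allowed in Alloy component labels; presumably any other non-identifier character would need the same treatment — confirm` would make the intent explicit. Note that only `-` is mapped, so a service name containing other non-identifier characters would still produce the same invalid label this change avoids. The enclosing `let` starts before the hunk.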
@@ -1,51 +0,0 @@
-{ ip, domainname, ... }:
-{
- out = ''
- loki.relabel "mas_journal" {
- forward_to = []
- rule {
- source_labels = ["__journal__priority_keyword"]
- target_label = "level"
- }
- rule {
- source_labels = ["__journal__SYSLOG_IDENTIFIER"]
- target_label = "app"
- }
- }
- loki.source.journal "mas_journal_scrape" {
- forward_to = [loki.process.mas_router.receiver]
- matches = "_SYSTEMD_UNIT=matrix-authentication-service.service"
- relabel_rules = loki.relabel.mas_journal.rules
- labels = {
- service = "matrix-authentication-service",
- host = "${domainname}",
- host_ip = "${ip}",
- }
- }
-
- loki.process "mas_router" {
- stage.regex {
- expression = "^(?P\\S+) (?P\\S+) (?P\\S+) (?P\\S+) - (?P.*)$"
- }
-
- stage.timestamp {
- source = "timestamp"
- format = "RFC3339Nano"
- }
-
- stage.labels {
- values = {
- level = "",
- facility = "",
- worker = "",
- }
- }
-
- stage.output {
- source = "message"
- }
-
- forward_to = [loki.write.grafana_loki.receiver]
- }
- '';
-}
diff --git a/config/matrix-mas.config.nix b/config/matrix-mas.config.nix
deleted file mode 100644
index cb2e01a..0000000
--- a/config/matrix-mas.config.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ config, tools, ... }:
-let
- mask = tools.mask_cidr;
- db_host = tools.build_ip "db";
- db_pass = (import ../config/_passwords.nix).matrix;
-
- hostname = tools.build_hostname "matrix";
- auth = tools.build_hostname "auth";
- sec = import ../config/_matrix_secrets.nix;
-in
-{
- http = {
- listeners = [
- {
- name = "web";
- resources = [
- { name = "discovery"; }
- { name = "human"; }
- { name = "oauth"; }
- { name = "compat"; }
- { name = "graphql"; }
- { name = "assets"; }
- ];
- binds = [
- { address = "[::]:8080"; }
- ];
- proxy_protocol = false;
- }
- {
- name = "internal";
- resources = [
- { name = "health"; }
- ];
- binds = [
- {
- host = "localhost";
- port = 8081;
- }
- ];
- proxy_protocol = false;
- }
- ];
- trusted_proxies = [
- mask
- "127.0.0.1/8"
- ];
- public_base = "http://[::]:8080/";
- issuer = "http://[::]:8080/";
- database = {
- uri = "postgresql://matrix:${db_pass}@${db_host}:5432/matrix_mas";
- max_connections = 10;
- min_connections = 0;
- connect_timeout = 30;
- idle_timeout = 600;
- max_lifetime = 1800;
- };
- email = {
- from = "\"Authentication Service\" ";
- reply_to = "\"Authentication Service\" ";
- transport = "blackhole";
- };
- secrets = sec.mas;
- passwords = {
- enabled = true;
- schemes = [
- {
- version = 1;
- algorithm = "bcrypt";
- minimum_complexity = 3;
- }
- ];
- };
- matrix = {
- kind = "synapse";
- homeserver = hostname;
- secret = sec.mas_secret;
- endpoint = "http://localhost:8008/";
- upstream_oauth2 = {
- providers = [
- {
- id = sec.oidc_provider_id;
- synapse_idp_id = "oidc-authentik";
- issuer = "https://${auth}";
- client_id = sec.oidc_client_id;
- client_secret = sec.oidc_client_secret;
- scope = "openid profile email";
- discovery_mode = "insecure";
- claims_imports = {
- localpart = {
- action = "require";
- template = "{{ user.preferred_username }}";
- on_conflicts = "add";
- };
- displayname = {
- action = "suggest";
- template = "{{ user.name }}";
- };
- };
- }
- ];
- };
- };
- };
-}
diff --git a/config/matrix-mas.nix b/config/matrix-mas.nix
deleted file mode 100644
index 3639f55..0000000
--- a/config/matrix-mas.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config,
- tools,
- pkgs,
- ...
-}:
-let
- yaml = pkgs.format.yaml { };
-in
-{
- environment.systemPackages = [
- pkgs.matrix-authentication-service
- ];
- environment.etc = {
- "mas/config.yaml".source = yaml.generate "mas-config.yaml" (
- import ./matrix-mas.config.yaml { inherit config tools; }
- );
- "alloy/logs-mas.alloy".text = (import ./alloy/matrix-mas.alloy.nix { inherit config tools; }).out;
- };
- systemd.services.matrix-authentication-service = {
- enable = true;
- description = "Matrix Authentication Service";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config /etc/mas/config.yaml";
- Restart = "on-failure";
- RestartSec = 5;
- };
- };
-}
diff --git a/config/matrix-nginx.nix b/config/matrix-nginx.nix
index 24602a3..79744e7 100644
--- a/config/matrix-nginx.nix
+++ b/config/matrix-nginx.nix
@@ -18,6 +18,7 @@ in
 inherit tools;
 container = "matrix";
 service = "nginx";
+ additional_stages = ""; # TODO: ...
 }).out;
 };
 services.nginx = {
@@ -34,7 +35,7 @@ in
 };
 "= /config.json" = {
 alias = json.generate "element.config.json" (
- import ./config/matrix-element.config.nix { inherit tools config; }
+ import ./matrix-element.config.nix { inherit tools config; }
 );
 };
 };
@@ -54,7 +55,7 @@ in
 };
 "= /config.json" = {
 alias = json.generate "synapse-admin.config.json" (
- import ./config/matrix-synapse-admin.config.nix { inherit tools config; }
+ import ./matrix-synapse-admin.config.nix { inherit tools config; }
 );
 };
 };
diff --git a/config/matrix-synapse.nix b/config/matrix-synapse.nix
index fac3a1e..7bc2a00 100644
--- a/config/matrix-synapse.nix
+++ b/config/matrix-synapse.nix
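Review bot: `additional_stages = ""; # TODO: ...` in the `@@ -18,6 +18,7 @@` hunk of `config/matrix-nginx.nix` leaves a placeholder whose TODO says nothing about what is pending, so the next reader cannot tell whether the empty string is a deliberate "no extra stages" or unfinished work. A comment that states the intent would close that gap, e.g. `additional_stages = ""; # TODO: no nginx-specific pipeline stages yet; presumably "" appends nothing — confirm against default-journal-logger.alloy.nix`. The `(import ./alloy/...)` call this attribute belongs to starts before the hunk.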
@@ -8,7 +8,7 @@ let
 container = "matrix";
 hostname = tools.build_hostname container;
 admin_handle = "@${config.globals.master.login}:${hostname}";
- db_host = tools.build_hostname "db";
+ db_host = tools.build_ip "db";
 auth_host = tools.build_hostname "auth";
 db_pass = config.my-lxc.matrix.db.password;
 sec = import ../config/_matrix_secrets.nix;
@@ -38,11 +38,13 @@ in
 services.matrix-synapse = {
 enable = true;
 extras = [
+ "jwt"
 "oidc"
 "postgres"
 "systemd"
- "url-preview"
+ # "url-preview"
 ];
+ # plugins matrix-synapse-ldap3?
 settings = {
 admin_users = [
 admin_handle
@@ -69,10 +71,11 @@ in
 resources = [
 {
 compress = true;
- names = [
- "client"
- "federation"
- ];
+ names = [ "client" ];
+ }
+ {
+ compress = false;
+ names = [ "federation" ];
 }
 ];
 tls = false;
@@ -80,11 +83,11 @@ in
 x_forwarded = true;
 }
 ];
- matrix-authentication-service = {
- enable = true;
- endpoint = "http://localhost:8080/";
- secret = sec.mas_secret;
- };
+ # matrix-authentication-service = {
+ # enable = true;
+ # endpoint = "http://localhost:8080/";
+ # secret = sec.mas_secret;
+ # };
 jwt_config = {
 enabled = true;
 secret = sec.jwt_secret;
@@ -109,6 +112,8 @@ in
 };
 }
 ];
+ macaroon_secret_key = sec.macaroon;
+ suppress_key_server_warning = true;
 };
 };
 }
diff --git a/config/monitoring-grafana.nix b/config/monitoring-grafana.nix
index 8827f17..7d8117d 100644
--- a/config/monitoring-grafana.nix
+++ b/config/monitoring-grafana.nix
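Review bot: `# "url-preview"` and `# plugins matrix-synapse-ldap3?` in the `@@ -38,11 +38,13 @@` hunk, and the five commented-out `matrix-authentication-service` lines in the `@@ -80,11 +83,11 @@` hunk, keep dead configuration in the file; since this commit also deletes `config/matrix-mas.nix`, its alloy config and the `matrix_mas` database, the block cannot simply be re-enabled by uncommenting. Removing the block and leaving one line such as `# matrix-authentication-service support removed in this commit; see git history` reads better than a stale copy. The `extras` and `settings` blocks these lines sit in start before their hunks.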
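Review bot: `macaroon_secret_key = sec.macaroon;` in the `@@ -109,6 +112,8 @@` hunk puts a long-lived signing secret into `services.matrix-synapse.settings`, which the NixOS module renders into a file under `/nix/store` readable by every local user; the same applies to `secret = sec.jwt_secret;` visible in the `@@ -80,11 +83,11 @@` hunk. Keeping such keys in a file outside the store and referencing it from `services.matrix-synapse.extraConfigFiles` avoids the world-readable copy. `suppress_key_server_warning = true;` only silences the warning Synapse emits when `trusted_key_servers` relies on matrix.org without a `verify_keys` block; either configure `trusted_key_servers` with `verify_keys` or add a comment recording why the default is accepted, e.g. `suppress_key_server_warning = true; # accepting the matrix.org default key server without pinned verify_keys`. The enclosing `settings` block starts before the hunk.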
@@ -12,11 +12,12 @@ in
 services.grafana = {
 enable = true;
 openFirewall = true;
- declarativePlugins = [
- pkgs.grafanaPlugins.grafana-mqtt-datasource
- pkgs.grafanaPlugins.grafana-lokiexplore-app
- pkgs.grafanaPlugins.grafana-metricsdrilldown-app
- ];
+ ## NOTE: Installs the plugins but it doesn't work ... however then removing declarative plugins make them work...
+ # declarativePlugins = [
+ # pkgs.grafanaPlugins.grafana-mqtt-datasource
+ # pkgs.grafanaPlugins.grafana-lokiexplore-app
+ # pkgs.grafanaPlugins.grafana-metricsdrilldown-app
+ # ];
 provision = {
 enable = true;
 alerting = { };
@@ -43,7 +44,7 @@ in
 analytics = {
 feedback_links_enabled = false;
 reporting_enabled = false;
- check_for_plugin_updates = false;
+ check_for_plugin_updates = true;
 check_for_updates = false;
 };
 database = {
diff --git a/config/proxy-traefik.nix b/config/proxy-traefik.nix
index e5d635f..8e05470 100644
--- a/config/proxy-traefik.nix
+++ b/config/proxy-traefik.nix
@@ -83,6 +83,12 @@ in
 addServicesLabels = true;
 };
 };
+ experimental.plugins = {
+ staticResponse = {
+ moduleName = "github.com/jdel/staticresponse";
+ version = "v0.0.1";
+ };
+ };
 };
 dynamicConfigOptions = {
 tcp = {
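Review bot: With `declarativePlugins` commented out, the three plugins are no longer the nixpkgs-pinned builds; if they are now installed through Grafana's own plugin manager (not visible here), they live in mutable state and are fetched from grafana.com rather than coming from the store, and `check_for_plugin_updates = true;` in the `@@ -43,7 +44,7 @@` hunk additionally has Grafana poll grafana.com on a schedule. The `## NOTE` line should record the actual failure rather than "it doesn't work", e.g. `## NOTE: with declarativePlugins the plugins are installed but Grafana does not load them ([symptom here]); installed imperatively instead, so their versions are unpinned`, and the update-check flip deserves a comment stating that the outbound contact is intended. `services.grafana` continues outside both hunks.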
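Review bot: `experimental.plugins.staticResponse` makes Traefik fetch `github.com/jdel/staticresponse` through its plugin catalog at startup, so the proxy now depends on an outbound download of third-party Go source that is pinned only by tag (`v0.0.1`), not by a content hash, and runs it in-process. A comment next to `moduleName` should say what the plugin is for (the `/.well-known/matrix/server` response added in the `@@ -153,88 +159,111 @@` hunk) and note that a startup without network access to the catalog will fail to load it; serving that small static JSON from the nginx already configured in `config/matrix-nginx.nix` would remove the plugin dependency entirely. The `staticConfigOptions` block this sits in starts before the hunk.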
@@ -153,88 +159,111 @@ in "Remote-Name" ]; }; + matrix-wellknown.plugin.staticResponse = { + statusCode = 200; + body = ''{"m.server": "${tools.build_hostname "matrix"}:443"}''; + headers = { + "Content-Type" = "application/json"; + }; + }; }; - routers = mergeConf ( - lib.concatLists ( - (lib.mapAttrsToList ( - ct: def: - (map ( - d: - lib.optionalAttrs (d.raw_tcp == false) { - ${d.subdomain} = { - rule = ( - if (d.customRule != null) then - (lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule) - else - ("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else "")) - ); - service = "${d.subdomain}-service"; - entryPoints = [ "websecure" ]; - middlewares = if (d.auth) then [ "authentik" ] else [ ]; - tls.certResolver = "letsencrypt"; - }; - } - ) def.otherDomains) - ++ [ - (lib.optionalAttrs (def.system.port != null) { - ${ct} = { - rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else ""); - service = "${ct}-service"; - entryPoints = [ "websecure" ]; - middlewares = if (def.auth) then [ "authentik" ] else [ ]; - tls.certResolver = "letsencrypt"; - }; - }) - ] - ) config.my-lxc) - ++ [ - (map (h: { - ${h.hostname} = { - rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else ""); - service = "${h.hostname}-service"; - entryPoints = [ "websecure" ]; - middlewares = if (h.auth) then [ "authentik" ] else [ ]; - tls.certResolver = "letsencrypt"; - }; - }) config.globals.other_hosts) - ] - ) - ); - services = mergeConf ( - lib.concatLists ( - (lib.mapAttrsToList ( - ct: def: - (map (d: { - "${d.subdomain}-service" = { - loadBalancer.servers = [ - { url = "http://${ip ct}:${toString d.port}/"; } - ]; - }; - }) def.otherDomains) - ++ [ - ( + routers = + mergeConf ( + lib.concatLists ( + (lib.mapAttrsToList ( + ct: def: + (map ( + d: + lib.optionalAttrs (d.raw_tcp == false) { + ${d.subdomain} = { + rule = ( + if (d.customRule != null) then + (lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule) + 
else + ("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else "")) + ); + service = "${d.subdomain}-service"; + entryPoints = [ "websecure" ]; + middlewares = if (d.auth) then [ "authentik" ] else [ ]; + tls.certResolver = "letsencrypt"; + }; + } + ) def.otherDomains) + ++ [ (lib.optionalAttrs (def.system.port != null) { - "${ct}-service" = { - loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ]; + ${ct} = { + rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else ""); + service = "${ct}-service"; + entryPoints = [ "websecure" ]; + middlewares = if (def.auth) then [ "authentik" ] else [ ]; + tls.certResolver = "letsencrypt"; }; }) - ) + ] + ) config.my-lxc) + ++ [ + (map (h: { + ${h.hostname} = { + rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else ""); + service = "${h.hostname}-service"; + entryPoints = [ "websecure" ]; + middlewares = if (h.auth) then [ "authentik" ] else [ ]; + tls.certResolver = "letsencrypt"; + }; + }) config.globals.other_hosts) ] - ) config.my-lxc) - ++ [ - (map (h: { - "${h.hostname}-service" = { - loadBalancer = { - servers = [ { url = h.addr; } ]; - } - // (lib.optionalAttrs (h.useCustomCA) { - serversTransport = "${h.hostname}-transport"; - }); - }; - }) config.globals.other_hosts) - ] + ) ) - ); + // { + matrix-wellknown = { + rule = "Path(`/\.well-known/matrix/server`)"; + entryPoints = [ "websecure" ]; + service = "noop"; + middlewares = [ "matrix-wellknown" ]; + tls.certResolver = "letsencrypt"; + }; + } + + ; + services = + mergeConf ( + lib.concatLists ( + (lib.mapAttrsToList ( + ct: def: + (map (d: { + "${d.subdomain}-service" = { + loadBalancer.servers = [ + { url = "http://${ip ct}:${toString d.port}/"; } + ]; + }; + }) def.otherDomains) + ++ [ + ( + (lib.optionalAttrs (def.system.port != null) { + "${ct}-service" = { + loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ]; + }; + }) + ) + 
]
+ ) config.my-lxc)
+ ++ [
+ (map (h: {
+ "${h.hostname}-service" = {
+ loadBalancer = {
+ servers = [ { url = h.addr; } ];
+ }
+ // (lib.optionalAttrs (h.useCustomCA) {
+ serversTransport = "${h.hostname}-transport";
+ });
+ };
+ }) config.globals.other_hosts)
+ ]
+ )
+ )
+ // {
+ noop.loadBalancer.servers = [ ];
+ };
 serversTransports = mergeConf (
 (map (
 h:
diff --git a/containers/git.nix b/containers/git.nix
index c94a7c9..7296a7d 100644
--- a/containers/git.nix
+++ b/containers/git.nix
@@ -24,7 +24,7 @@ in
 enable = true;
 metricsEnable = true;
 };
- private = true; # available only on private lan
+ private = false; # available only on private lan
 auth = false; # auth overlay
 };
 }
diff --git a/containers/matrix.nix b/containers/matrix.nix
index 2cefbe4..6321c84 100644
--- a/containers/matrix.nix
+++ b/containers/matrix.nix
@@ -7,30 +7,26 @@ in
 {
 my-lxc.matrix = {
 container = {
+ enable = true;
 cores = 2;
 memory = 2048;
- disk = "4G";
+ disk = "6G";
 swap = 512;
 };
 system = {
+ port = 8008; # -> synapse
 additionalPorts = [
- 80
- 8008
- 8080
- 5173
+ 80 # element web
+ 5173 # synapse admin
 ];
 importConfig = [
 ../config/matrix-synapse.nix
- ../config/matrix-mas.nix
 ../config/matrix-nginx.nix
 ];
 };
 db = {
 enable = true;
 password = db_pass.matrix;
- additionalDB = [
- "matrix_mas"
- ];
 };
 logging = {
 enable = true;
@@ -45,20 +41,6 @@ in
 private = false;
 auth = false;
 }
- {
- subdomain = "matrix";
- port = 8008;
- private = false;
- auth = false;
- customRule = "Host(`matrix#DOMAIN#`) && !(PathPrefix(`/_matrix/client/*/login`) || PathPrefix(`/_matrix/client/*/logout`) || PathPrefix(`/_matrix/client/*/refresh`))";
- }
- {
- subdomain = "matrix_auth";
- port = 8080;
- private = false;
- auth = false;
- customRule = "Host(`matrix#DOMAIN#`) && (PathPrefix(`/_matrix/client/*/login`) || PathPrefix(`/_matrix/client/*/logout`) || PathPrefix(`/_matrix/client/*/refresh`))";
- }
 {
 subdomain = "matrix-admin";
 port = 5173;
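Review bot: The new `matrix-wellknown` router in the `@@ -153,88 +159,111 @@` hunk has no `Host()` matcher, so every hostname terminated on `websecure` answers `/.well-known/matrix/server` with the matrix delegation body, and because Traefik orders routers by rule length when no `priority` is set, whether it wins or loses against the generated `Host(...)` routers for the same request is implicit. Adding a `Host()` term for the domain that should delegate, plus an explicit `priority`, makes the intent visible; also, in a Nix double-quoted string `\.` evaluates to a plain `.`, and Traefik's `Path` is a literal match, so the backslash in `"Path(`/\.well-known/matrix/server`)"` does nothing and reads as if a regex were intended — `"Path(`/.well-known/matrix/server`)"` says the same thing. The `noop` service with `loadBalancer.servers = [ ]` presumably exists only because a router needs a service; a one-line comment saying so would stop it being "fixed" later. The `dynamicConfigOptions.http` set these belong to starts before the hunk.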
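Review bot: `private = false;` in `containers/git.nix` removes the LAN-only restriction from the git router while `auth = false;` keeps the Authentik middleware off it (the router generation in `config/proxy-traefik.nix` sets `middlewares = if (def.auth) then [ "authentik" ] else [ ]`), so the service's own login becomes the only control on a now internet-reachable endpoint. If that is the intent, a comment recording it is worth more than the generic `# available only on private lan`, e.g. `private = false; # intentionally public; relies on the forge's own login and rate limiting`. `metricsEnable = true;` sits in the same block: if the metrics endpoint is served on the same port the router forwards to (not visible here), it becomes public as well and should be checked.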
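Review bot: Dropping `additionalDB = [ "matrix_mas" ]` in the `@@ -7,30 +7,26 @@` hunk of `containers/matrix.nix` stops declaring the database, but unless the `db` module drops databases that disappear from the list (not visible here) `matrix_mas`, with MAS's session and OAuth client data, stays on the db host under the shared `db_pass.matrix` credential. A note such as `# matrix_mas database no longer declared; drop it on the db host manually if the module does not` would record the cleanup. `port = 8008; # -> synapse` is also what makes `config/proxy-traefik.nix` generate the public `matrix` router (`lib.optionalAttrs (def.system.port != null)`), so the `private`/`auth` values for this container, set outside the hunk, now govern direct exposure of Synapse's client port and are worth re-checking.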
diff --git a/containers/monitoring.nix b/containers/monitoring.nix
index ad4d9f0..53f9023 100644
--- a/containers/monitoring.nix
+++ b/containers/monitoring.nix
@@ -5,10 +5,11 @@ in
 {
 my-lxc.monitoring = {
 container = {
+ enable = true;
 cores = 2;
- memory = 1024;
+ memory = 2048;
 disk = "10G";
- swap = 512;
+ swap = 1024;
 };
 system = {
 port = 3000; # grafana
diff --git a/containers/music.nix b/containers/music.nix
index 7148bb8..b414829 100644
--- a/containers/music.nix
+++ b/containers/music.nix
@@ -25,6 +25,7 @@ in
 "dlna"
 "filesystem_local"
 "filesystem_smb"
+ "hass"
 "hass_players"
 "jellyfin"
 "player_group"
diff --git a/containers/power.nix b/containers/power.nix
index d484931..2c7a8ed 100644
--- a/containers/power.nix
+++ b/containers/power.nix
@@ -9,6 +9,7 @@
 swap = 512;
 };
 system = {
+ port = 80;
 importConfig = [
 ../config/power-ups.nix
 ];
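Review bot: `port = 80;` in `containers/power.nix` is the line that makes `config/proxy-traefik.nix` emit a `power` router (`lib.optionalAttrs (def.system.port != null)`), so this one-line addition puts the container behind the `websecure` entrypoint with whatever `private`/`auth` this file sets outside the hunk; neither value is visible here. Unlike `port = 3000; # grafana` in `containers/monitoring.nix`, the line does not say which service listens on 80; a comment such as `port = 80; # [service behind this port]; exposed via traefik` and a check that `private`/`auth` match the intent would be worth adding. The `system` block continues past the hunk.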