mx42/homelab
1
0
Fork 0
Code Issues 14 Packages Projects Releases Wiki Activity

feat: several fixes & updates

Browse Source
This commit is contained in:
Xavier Morel
2025-11-15 18:53:32 +01:00
parent 92f0a1ef19
commit e0335cb666
13 changed files with 143 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/alloy/default-journal-logger.alloy.nix
View File

@@ -8,7 +8,7 @@
let
hostname = tools.build_hostname container;
ip = tools.build_ip container;
prefix = "${container}_${service}";
prefix = "${container}_${builtins.replaceStrings [ "-" ] [ "_" ] service}";
in
{
out = ''

51
config/alloy/matrix-mas.alloy.nix
View File

@@ -1,51 +0,0 @@
{ ip, domainname, ... }:
{
out = ''
loki.relabel "mas_journal" {
forward_to = []
rule {
source_labels = ["__journal__priority_keyword"]
target_label = "level"
}
rule {
source_labels = ["__journal__SYSLOG_IDENTIFIER"]
target_label = "app"
}
}
loki.source.journal "mas_journal_scrape" {
forward_to = [loki.process.mas_router.receiver]
matches = "_SYSTEMD_UNIT=matrix-authentication-service.service"
relabel_rules = loki.relabel.mas_journal.rules
labels = {
service = "matrix-authentication-service",
host = "${domainname}",
host_ip = "${ip}",
}
}
loki.process "mas_router" {
stage.regex {
expression = "^(?P<timestamp>\\S+) (?P<level>\\S+) (?P<facility>\\S+) (?P<worker>\\S+) - (?P<message>.*)$"
}
stage.timestamp {
source = "timestamp"
format = "RFC3339Nano"
}
stage.labels {
values = {
level = "",
facility = "",
worker = "",
}
}
stage.output {
source = "message"
}
forward_to = [loki.write.grafana_loki.receiver]
}
'';
}

104
config/matrix-mas.config.nix
View File

@@ -1,104 +0,0 @@
{ config, tools, ... }:
let
mask = tools.mask_cidr;
db_host = tools.build_ip "db";
db_pass = (import ../config/_passwords.nix).matrix;
hostname = tools.build_hostname "matrix";
auth = tools.build_hostname "auth";
sec = import ../config/_matrix_secrets.nix;
in
{
http = {
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{ name = "assets"; }
];
binds = [
{ address = "[::]:8080"; }
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "localhost";
port = 8081;
}
];
proxy_protocol = false;
}
];
trusted_proxies = [
mask
"127.0.0.1/8"
];
public_base = "http://[::]:8080/";
issuer = "http://[::]:8080/";
database = {
uri = "postgresql://matrix:${db_pass}@${db_host}:5432/matrix_mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Authentication Service\" <root@localhost>";
reply_to = "\"Authentication Service\" <root@localhost>";
transport = "blackhole";
};
secrets = sec.mas;
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "bcrypt";
minimum_complexity = 3;
}
];
};
matrix = {
kind = "synapse";
homeserver = hostname;
secret = sec.mas_secret;
endpoint = "http://localhost:8008/";
upstream_oauth2 = {
providers = [
{
id = sec.oidc_provider_id;
synapse_idp_id = "oidc-authentik";
issuer = "https://${auth}";
client_id = sec.oidc_client_id;
client_secret = sec.oidc_client_secret;
scope = "openid profile email";
discovery_mode = "insecure";
claims_imports = {
localpart = {
action = "require";
template = "{{ user.preferred_username }}";
on_conflicts = "add";
};
displayname = {
action = "suggest";
template = "{{ user.name }}";
};
};
}
];
};
};
};
}

31
config/matrix-mas.nix
View File

@@ -1,31 +0,0 @@
{
config,
tools,
pkgs,
...
}:
let
yaml = pkgs.format.yaml { };
in
{
environment.systemPackages = [
pkgs.matrix-authentication-service
];
environment.etc = {
"mas/config.yaml".source = yaml.generate "mas-config.yaml" (
import ./matrix-mas.config.yaml { inherit config tools; }
);
"alloy/logs-mas.alloy".text = (import ./alloy/matrix-mas.alloy.nix { inherit config tools; }).out;
};
systemd.services.matrix-authentication-service = {
enable = true;
description = "Matrix Authentication Service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config /etc/mas/config.yaml";
Restart = "on-failure";
RestartSec = 5;
};
};
}

5
config/matrix-nginx.nix
View File

@@ -18,6 +18,7 @@ in
inherit tools;
container = "matrix";
service = "nginx";
additional_stages = ""; # TODO: ...
}).out;
};
services.nginx = {
@@ -34,7 +35,7 @@ in
};
"= /config.json" = {
alias = json.generate "element.config.json" (
import ./config/matrix-element.config.nix { inherit tools config; }
import ./matrix-element.config.nix { inherit tools config; }
);
};
};
@@ -54,7 +55,7 @@ in
};
"= /config.json" = {
alias = json.generate "synapse-admin.config.json" (
import ./config/matrix-synapse-admin.config.nix { inherit tools config; }
import ./matrix-synapse-admin.config.nix { inherit tools config; }
);
};
};

27
config/matrix-synapse.nix
View File

@@ -8,7 +8,7 @@ let
container = "matrix";
hostname = tools.build_hostname container;
admin_handle = "@${config.globals.master.login}:${hostname}";
db_host = tools.build_hostname "db";
db_host = tools.build_ip "db";
auth_host = tools.build_hostname "auth";
db_pass = config.my-lxc.matrix.db.password;
sec = import ../config/_matrix_secrets.nix;
@@ -38,11 +38,13 @@ in
services.matrix-synapse = {
enable = true;
extras = [
"jwt"
"oidc"
"postgres"
"systemd"
"url-preview"
# "url-preview"
];
# plugins matrix-synapse-ldap3?
settings = {
admin_users = [
admin_handle
@@ -69,10 +71,11 @@ in
resources = [
{
compress = true;
names = [
"client"
"federation"
];
names = [ "client" ];
}
{
compress = false;
names = [ "federation" ];
}
];
tls = false;
@@ -80,11 +83,11 @@ in
x_forwarded = true;
}
];
matrix-authentication-service = {
enable = true;
endpoint = "http://localhost:8080/";
secret = sec.mas_secret;
};
# matrix-authentication-service = {
# enable = true;
# endpoint = "http://localhost:8080/";
# secret = sec.mas_secret;
# };
jwt_config = {
enabled = true;
secret = sec.jwt_secret;
@@ -109,6 +112,8 @@ in
};
}
];
macaroon_secret_key = sec.macaroon;
suppress_key_server_warning = true;
};
};
}

13
config/monitoring-grafana.nix
View File

@@ -12,11 +12,12 @@ in
services.grafana = {
enable = true;
openFirewall = true;
declarativePlugins = [
pkgs.grafanaPlugins.grafana-mqtt-datasource
pkgs.grafanaPlugins.grafana-lokiexplore-app
pkgs.grafanaPlugins.grafana-metricsdrilldown-app
];
## NOTE: Installs the plugins but it doesn't work ... however then removing declarative plugins make them work...
# declarativePlugins = [
# pkgs.grafanaPlugins.grafana-mqtt-datasource
# pkgs.grafanaPlugins.grafana-lokiexplore-app
# pkgs.grafanaPlugins.grafana-metricsdrilldown-app
# ];
provision = {
enable = true;
alerting = { };
@@ -43,7 +44,7 @@ in
analytics = {
feedback_links_enabled = false;
reporting_enabled = false;
check_for_plugin_updates = false;
check_for_plugin_updates = true;
check_for_updates = false;
};
database = {

181
config/proxy-traefik.nix
View File

@@ -83,6 +83,12 @@ in
addServicesLabels = true;
};
};
experimental.plugins = {
staticResponse = {
moduleName = "github.com/jdel/staticresponse";
version = "v0.0.1";
};
};
};
dynamicConfigOptions = {
tcp = {
@@ -153,88 +159,111 @@ in
"Remote-Name"
];
};
matrix-wellknown.plugin.staticResponse = {
statusCode = 200;
body = ''{"m.server": "${tools.build_hostname "matrix"}:443"}'';
headers = {
"Content-Type" = "application/json";
};
};
};
routers = mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (
d:
lib.optionalAttrs (d.raw_tcp == false) {
${d.subdomain} = {
rule = (
if (d.customRule != null) then
(lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule)
else
("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else ""))
);
service = "${d.subdomain}-service";
entryPoints = [ "websecure" ];
middlewares = if (d.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}
) def.otherDomains)
++ [
(lib.optionalAttrs (def.system.port != null) {
${ct} = {
rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else "");
service = "${ct}-service";
entryPoints = [ "websecure" ];
middlewares = if (def.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
})
]
) config.my-lxc)
++ [
(map (h: {
${h.hostname} = {
rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else "");
service = "${h.hostname}-service";
entryPoints = [ "websecure" ];
middlewares = if (h.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}) config.globals.other_hosts)
]
)
);
services = mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (d: {
"${d.subdomain}-service" = {
loadBalancer.servers = [
{ url = "http://${ip ct}:${toString d.port}/"; }
];
};
}) def.otherDomains)
++ [
(
routers =
mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (
d:
lib.optionalAttrs (d.raw_tcp == false) {
${d.subdomain} = {
rule = (
if (d.customRule != null) then
(lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule)
else
("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else ""))
);
service = "${d.subdomain}-service";
entryPoints = [ "websecure" ];
middlewares = if (d.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}
) def.otherDomains)
++ [
(lib.optionalAttrs (def.system.port != null) {
"${ct}-service" = {
loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ];
${ct} = {
rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else "");
service = "${ct}-service";
entryPoints = [ "websecure" ];
middlewares = if (def.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
})
)
]
) config.my-lxc)
++ [
(map (h: {
${h.hostname} = {
rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else "");
service = "${h.hostname}-service";
entryPoints = [ "websecure" ];
middlewares = if (h.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}) config.globals.other_hosts)
]
) config.my-lxc)
++ [
(map (h: {
"${h.hostname}-service" = {
loadBalancer = {
servers = [ { url = h.addr; } ];
}
// (lib.optionalAttrs (h.useCustomCA) {
serversTransport = "${h.hostname}-transport";
});
};
}) config.globals.other_hosts)
]
)
)
);
// {
matrix-wellknown = {
rule = "Path(`/\.well-known/matrix/server`)";
entryPoints = [ "websecure" ];
service = "noop";
middlewares = [ "matrix-wellknown" ];
tls.certResolver = "letsencrypt";
};
}
;
services =
mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (d: {
"${d.subdomain}-service" = {
loadBalancer.servers = [
{ url = "http://${ip ct}:${toString d.port}/"; }
];
};
}) def.otherDomains)
++ [
(
(lib.optionalAttrs (def.system.port != null) {
"${ct}-service" = {
loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ];
};
})
)
]
) config.my-lxc)
++ [
(map (h: {
"${h.hostname}-service" = {
loadBalancer = {
servers = [ { url = h.addr; } ];
}
// (lib.optionalAttrs (h.useCustomCA) {
serversTransport = "${h.hostname}-transport";
});
};
}) config.globals.other_hosts)
]
)
)
// {
noop.loadBalancer.servers = [ ];
};
serversTransports = mergeConf (
(map (
h: