feat: several fixes & updates

This commit is contained in:
Xavier Morel
2025-11-15 18:53:32 +01:00
parent 92f0a1ef19
commit e0335cb666
13 changed files with 143 additions and 308 deletions


@@ -8,7 +8,7 @@
let let
hostname = tools.build_hostname container; hostname = tools.build_hostname container;
ip = tools.build_ip container; ip = tools.build_ip container;
prefix = "${container}_${service}"; prefix = "${container}_${builtins.replaceStrings [ "-" ] [ "_" ] service}";
in in
{ {
out = '' out = ''
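Review bot: The new `prefix` expression rewrites every `-` in `service` to `_` without saying why, so a reader cannot tell whether this is required by whatever `prefix` is interpolated into or is cosmetic. Add a comment above the line, e.g. `# "-" is not accepted in the identifiers built from prefix, so normalise it to "_"`, adjusting it to the real constraint (presumably the generated component names; confirm). Only `-` is rewritten, so any other character a service name may carry still passes through unchanged. The `let` block and the string that uses `prefix` continue outside the hunk.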


@@ -1,51 +0,0 @@
{ ip, domainname, ... }:
{
out = ''
loki.relabel "mas_journal" {
forward_to = []
rule {
source_labels = ["__journal__priority_keyword"]
target_label = "level"
}
rule {
source_labels = ["__journal__SYSLOG_IDENTIFIER"]
target_label = "app"
}
}
loki.source.journal "mas_journal_scrape" {
forward_to = [loki.process.mas_router.receiver]
matches = "_SYSTEMD_UNIT=matrix-authentication-service.service"
relabel_rules = loki.relabel.mas_journal.rules
labels = {
service = "matrix-authentication-service",
host = "${domainname}",
host_ip = "${ip}",
}
}
loki.process "mas_router" {
stage.regex {
expression = "^(?P<timestamp>\\S+) (?P<level>\\S+) (?P<facility>\\S+) (?P<worker>\\S+) - (?P<message>.*)$"
}
stage.timestamp {
source = "timestamp"
format = "RFC3339Nano"
}
stage.labels {
values = {
level = "",
facility = "",
worker = "",
}
}
stage.output {
source = "message"
}
forward_to = [loki.write.grafana_loki.receiver]
}
'';
}


@@ -1,104 +0,0 @@
{ config, tools, ... }:
let
mask = tools.mask_cidr;
db_host = tools.build_ip "db";
db_pass = (import ../config/_passwords.nix).matrix;
hostname = tools.build_hostname "matrix";
auth = tools.build_hostname "auth";
sec = import ../config/_matrix_secrets.nix;
in
{
http = {
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{ name = "assets"; }
];
binds = [
{ address = "[::]:8080"; }
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "localhost";
port = 8081;
}
];
proxy_protocol = false;
}
];
trusted_proxies = [
mask
"127.0.0.1/8"
];
public_base = "http://[::]:8080/";
issuer = "http://[::]:8080/";
database = {
uri = "postgresql://matrix:${db_pass}@${db_host}:5432/matrix_mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Authentication Service\" <root@localhost>";
reply_to = "\"Authentication Service\" <root@localhost>";
transport = "blackhole";
};
secrets = sec.mas;
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "bcrypt";
minimum_complexity = 3;
}
];
};
matrix = {
kind = "synapse";
homeserver = hostname;
secret = sec.mas_secret;
endpoint = "http://localhost:8008/";
upstream_oauth2 = {
providers = [
{
id = sec.oidc_provider_id;
synapse_idp_id = "oidc-authentik";
issuer = "https://${auth}";
client_id = sec.oidc_client_id;
client_secret = sec.oidc_client_secret;
scope = "openid profile email";
discovery_mode = "insecure";
claims_imports = {
localpart = {
action = "require";
template = "{{ user.preferred_username }}";
on_conflicts = "add";
};
displayname = {
action = "suggest";
template = "{{ user.name }}";
};
};
}
];
};
};
};
}


@@ -1,31 +0,0 @@
{
config,
tools,
pkgs,
...
}:
let
yaml = pkgs.format.yaml { };
in
{
environment.systemPackages = [
pkgs.matrix-authentication-service
];
environment.etc = {
"mas/config.yaml".source = yaml.generate "mas-config.yaml" (
import ./matrix-mas.config.yaml { inherit config tools; }
);
"alloy/logs-mas.alloy".text = (import ./alloy/matrix-mas.alloy.nix { inherit config tools; }).out;
};
systemd.services.matrix-authentication-service = {
enable = true;
description = "Matrix Authentication Service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config /etc/mas/config.yaml";
Restart = "on-failure";
RestartSec = 5;
};
};
}


@@ -18,6 +18,7 @@ in
inherit tools; inherit tools;
container = "matrix"; container = "matrix";
service = "nginx"; service = "nginx";
additional_stages = ""; # TODO: ...
}).out; }).out;
}; };
services.nginx = { services.nginx = {
@@ -34,7 +35,7 @@ in
}; };
"= /config.json" = { "= /config.json" = {
alias = json.generate "element.config.json" ( alias = json.generate "element.config.json" (
import ./config/matrix-element.config.nix { inherit tools config; } import ./matrix-element.config.nix { inherit tools config; }
); );
}; };
}; };
@@ -54,7 +55,7 @@ in
}; };
"= /config.json" = { "= /config.json" = {
alias = json.generate "synapse-admin.config.json" ( alias = json.generate "synapse-admin.config.json" (
import ./config/matrix-synapse-admin.config.nix { inherit tools config; } import ./matrix-synapse-admin.config.nix { inherit tools config; }
); );
}; };
}; };
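Review bot: The added `additional_stages = ""; # TODO: ...` carries an empty TODO, so the next reader cannot tell what is still pending or whether the empty string is a deliberate no-op default. Replace the ellipsis with the intent, e.g. `# TODO: nginx-specific log pipeline stages; empty string = no extra stages`, or drop the argument if the callee already defaults it. The attribute set this line belongs to starts before the hunk.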


@@ -8,7 +8,7 @@ let
container = "matrix"; container = "matrix";
hostname = tools.build_hostname container; hostname = tools.build_hostname container;
admin_handle = "@${config.globals.master.login}:${hostname}"; admin_handle = "@${config.globals.master.login}:${hostname}";
db_host = tools.build_hostname "db"; db_host = tools.build_ip "db";
auth_host = tools.build_hostname "auth"; auth_host = tools.build_hostname "auth";
db_pass = config.my-lxc.matrix.db.password; db_pass = config.my-lxc.matrix.db.password;
sec = import ../config/_matrix_secrets.nix; sec = import ../config/_matrix_secrets.nix;
@@ -38,11 +38,13 @@ in
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
extras = [ extras = [
"jwt"
"oidc" "oidc"
"postgres" "postgres"
"systemd" "systemd"
"url-preview" # "url-preview"
]; ];
# plugins matrix-synapse-ldap3?
settings = { settings = {
admin_users = [ admin_users = [
admin_handle admin_handle
@@ -69,10 +71,11 @@ in
resources = [ resources = [
{ {
compress = true; compress = true;
names = [ names = [ "client" ];
"client" }
"federation" {
]; compress = false;
names = [ "federation" ];
} }
]; ];
tls = false; tls = false;
@@ -80,11 +83,11 @@ in
x_forwarded = true; x_forwarded = true;
} }
]; ];
matrix-authentication-service = { # matrix-authentication-service = {
enable = true; # enable = true;
endpoint = "http://localhost:8080/"; # endpoint = "http://localhost:8080/";
secret = sec.mas_secret; # secret = sec.mas_secret;
}; # };
jwt_config = { jwt_config = {
enabled = true; enabled = true;
secret = sec.jwt_secret; secret = sec.jwt_secret;
@@ -109,6 +112,8 @@ in
}; };
} }
]; ];
macaroon_secret_key = sec.macaroon;
suppress_key_server_warning = true;
}; };
}; };
} }
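Review bot: `suppress_key_server_warning = true;` in the last hunk silences Synapse's warning that the default `trusted_key_servers` list is in use instead of addressing it; the warning exists because federation signing keys are then fetched and trusted through a third-party notary. If relying on the default is intended, say so on the line, e.g. `# default trusted_key_servers (matrix.org notary) is acceptable here`; otherwise set `trusted_key_servers` explicitly and drop the suppression. The `matrix-authentication-service` block is only commented out while `jwt_config` and the new `"jwt"` extra stay enabled, yet this same commit deletes `matrix-mas.nix` and the `matrix_mas` database, so a one-line comment on whether MAS is postponed or abandoned would prevent the two halves from drifting. `db_host` now comes from `tools.build_ip "db"` rather than a hostname; if the database connection verifies a server certificate against the host, this changes what the certificate must contain — worth confirming.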


@@ -12,11 +12,12 @@ in
services.grafana = { services.grafana = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
declarativePlugins = [ ## NOTE: Installs the plugins but it doesn't work ... however then removing declarative plugins make them work...
pkgs.grafanaPlugins.grafana-mqtt-datasource # declarativePlugins = [
pkgs.grafanaPlugins.grafana-lokiexplore-app # pkgs.grafanaPlugins.grafana-mqtt-datasource
pkgs.grafanaPlugins.grafana-metricsdrilldown-app # pkgs.grafanaPlugins.grafana-lokiexplore-app
]; # pkgs.grafanaPlugins.grafana-metricsdrilldown-app
# ];
provision = { provision = {
enable = true; enable = true;
alerting = { }; alerting = { };
@@ -43,7 +44,7 @@ in
analytics = { analytics = {
feedback_links_enabled = false; feedback_links_enabled = false;
reporting_enabled = false; reporting_enabled = false;
check_for_plugin_updates = false; check_for_plugin_updates = true;
check_for_updates = false; check_for_updates = false;
}; };
database = { database = {
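Review bot: The `## NOTE:` that replaces `declarativePlugins` records that the plugins "don't work" but not what actually failed, so nobody can later decide whether to re-enable it; record the symptom (the error Grafana logged, or the plugin state shown) in the comment. With the block commented out the three plugins are no longer part of the built configuration and must be installed out-of-band, so the deployment is no longer reproducible from this file — note where they now come from. `check_for_plugin_updates = true` re-enables an outbound update check that the neighbouring `check_for_updates = false` and `reporting_enabled = false` deliberately turn off; if it is meant to support the manual plugin install, a comment tying the two together would explain the inconsistency.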


@@ -83,6 +83,12 @@ in
addServicesLabels = true; addServicesLabels = true;
}; };
}; };
experimental.plugins = {
staticResponse = {
moduleName = "github.com/jdel/staticresponse";
version = "v0.0.1";
};
};
}; };
dynamicConfigOptions = { dynamicConfigOptions = {
tcp = { tcp = {
@@ -153,88 +159,111 @@ in
"Remote-Name" "Remote-Name"
]; ];
}; };
matrix-wellknown.plugin.staticResponse = {
statusCode = 200;
body = ''{"m.server": "${tools.build_hostname "matrix"}:443"}'';
headers = {
"Content-Type" = "application/json";
};
};
}; };
routers = mergeConf ( routers =
lib.concatLists ( mergeConf (
(lib.mapAttrsToList ( lib.concatLists (
ct: def: (lib.mapAttrsToList (
(map ( ct: def:
d: (map (
lib.optionalAttrs (d.raw_tcp == false) { d:
${d.subdomain} = { lib.optionalAttrs (d.raw_tcp == false) {
rule = ( ${d.subdomain} = {
if (d.customRule != null) then rule = (
(lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule) if (d.customRule != null) then
else (lib.replaceStrings [ "#DOMAIN#" ] [ dmn ] d.customRule)
("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else "")) else
); ("Host(`${d.subdomain}${dmn}`) " + (if (d.private == true) then internal else ""))
service = "${d.subdomain}-service"; );
entryPoints = [ "websecure" ]; service = "${d.subdomain}-service";
middlewares = if (d.auth) then [ "authentik" ] else [ ]; entryPoints = [ "websecure" ];
tls.certResolver = "letsencrypt"; middlewares = if (d.auth) then [ "authentik" ] else [ ];
}; tls.certResolver = "letsencrypt";
} };
) def.otherDomains) }
++ [ ) def.otherDomains)
(lib.optionalAttrs (def.system.port != null) { ++ [
${ct} = {
rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else "");
service = "${ct}-service";
entryPoints = [ "websecure" ];
middlewares = if (def.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
})
]
) config.my-lxc)
++ [
(map (h: {
${h.hostname} = {
rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else "");
service = "${h.hostname}-service";
entryPoints = [ "websecure" ];
middlewares = if (h.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}) config.globals.other_hosts)
]
)
);
services = mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (d: {
"${d.subdomain}-service" = {
loadBalancer.servers = [
{ url = "http://${ip ct}:${toString d.port}/"; }
];
};
}) def.otherDomains)
++ [
(
(lib.optionalAttrs (def.system.port != null) { (lib.optionalAttrs (def.system.port != null) {
"${ct}-service" = { ${ct} = {
loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ]; rule = "Host(`${ct}${dmn}`) " + (if (def.private == true) then internal else "");
service = "${ct}-service";
entryPoints = [ "websecure" ];
middlewares = if (def.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
}; };
}) })
) ]
) config.my-lxc)
++ [
(map (h: {
${h.hostname} = {
rule = "Host(`${h.hostname}${dmn}`) " + (if (h.private == true) then internal else "");
service = "${h.hostname}-service";
entryPoints = [ "websecure" ];
middlewares = if (h.auth) then [ "authentik" ] else [ ];
tls.certResolver = "letsencrypt";
};
}) config.globals.other_hosts)
] ]
) config.my-lxc) )
++ [
(map (h: {
"${h.hostname}-service" = {
loadBalancer = {
servers = [ { url = h.addr; } ];
}
// (lib.optionalAttrs (h.useCustomCA) {
serversTransport = "${h.hostname}-transport";
});
};
}) config.globals.other_hosts)
]
) )
); // {
matrix-wellknown = {
rule = "Path(`/\.well-known/matrix/server`)";
entryPoints = [ "websecure" ];
service = "noop";
middlewares = [ "matrix-wellknown" ];
tls.certResolver = "letsencrypt";
};
}
;
services =
mergeConf (
lib.concatLists (
(lib.mapAttrsToList (
ct: def:
(map (d: {
"${d.subdomain}-service" = {
loadBalancer.servers = [
{ url = "http://${ip ct}:${toString d.port}/"; }
];
};
}) def.otherDomains)
++ [
(
(lib.optionalAttrs (def.system.port != null) {
"${ct}-service" = {
loadBalancer.servers = [ { url = "http://${ip ct}:${toString def.system.port}/"; } ];
};
})
)
]
) config.my-lxc)
++ [
(map (h: {
"${h.hostname}-service" = {
loadBalancer = {
servers = [ { url = h.addr; } ];
}
// (lib.optionalAttrs (h.useCustomCA) {
serversTransport = "${h.hostname}-transport";
});
};
}) config.globals.other_hosts)
]
)
)
// {
noop.loadBalancer.servers = [ ];
};
serversTransports = mergeConf ( serversTransports = mergeConf (
(map ( (map (
h: h:
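Review bot: The new `matrix-wellknown` router matches on `Path(`/\.well-known/matrix/server`)` alone, so every hostname reaching the `websecure` entrypoint — including the private and authentik-protected ones built just above — answers that path with the matrix delegation body; constrain it with a `Host()` clause for the domain being delegated (the neighbouring rules suggest `dmn` carries a leading separator, so build the host value accordingly). Because Traefik derives a router's default priority from its rule length, the path-only rule can also lose to a longer `Host()` rule on the same host, so give it an explicit `priority`. The `\.` is removed by Nix string unescaping before Traefik sees it, and `Path` is an exact-match rule rather than a regex, so writing `"Path(`/.well-known/matrix/server`)"` directly is clearer. `experimental.plugins.staticResponse` loads third-party source (`github.com/jdel/staticresponse`, `v0.0.1`) into the proxy at start-up; the version pin is good, and a comment next to it stating why a plugin is needed and that it should be reviewed before bumping would help the next maintainer. The `routers` and `services` expressions depend on `mergeConf`, `dmn`, `internal` and `ip` defined before the hunk.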


@@ -24,7 +24,7 @@ in
enable = true; enable = true;
metricsEnable = true; metricsEnable = true;
}; };
private = true; # available only on private lan private = false; # available only on private lan
auth = false; # auth overlay auth = false; # auth overlay
}; };
} }
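Review bot: Flipping `private` to `false` takes this service off the LAN-only path while `auth = false;` directly below stays unchanged, so — judging by how `private` and `auth` select the `internal` and `authentik` middlewares in the traefik config in this commit — it is now published without the auth overlay; the surviving comment still says "available only on private lan", which now contradicts the value. Replace it with the reason, e.g. `private = false; # public on purpose: <reason>; no auth overlay because <reason>`, or set `auth = true` if external-but-protected was the intent. With `metricsEnable = true` two lines up, check that the metrics endpoint is not reachable on the public route. The enclosing attribute set starts before the hunk.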


@@ -7,30 +7,26 @@ in
{ {
my-lxc.matrix = { my-lxc.matrix = {
container = { container = {
enable = true;
cores = 2; cores = 2;
memory = 2048; memory = 2048;
disk = "4G"; disk = "6G";
swap = 512; swap = 512;
}; };
system = { system = {
port = 8008; # -> synapse
additionalPorts = [ additionalPorts = [
80 80 # element web
8008 5173 # synapse admin
8080
5173
]; ];
importConfig = [ importConfig = [
../config/matrix-synapse.nix ../config/matrix-synapse.nix
../config/matrix-mas.nix
../config/matrix-nginx.nix ../config/matrix-nginx.nix
]; ];
}; };
db = { db = {
enable = true; enable = true;
password = db_pass.matrix; password = db_pass.matrix;
additionalDB = [
"matrix_mas"
];
}; };
logging = { logging = {
enable = true; enable = true;
@@ -45,20 +41,6 @@ in
private = false; private = false;
auth = false; auth = false;
} }
{
subdomain = "matrix";
port = 8008;
private = false;
auth = false;
customRule = "Host(`matrix#DOMAIN#`) && !(PathPrefix(`/_matrix/client/*/login`) || PathPrefix(`/_matrix/client/*/logout`) || PathPrefix(`/_matrix/client/*/refresh`))";
}
{
subdomain = "matrix_auth";
port = 8080;
private = false;
auth = false;
customRule = "Host(`matrix#DOMAIN#`) && (PathPrefix(`/_matrix/client/*/login`) || PathPrefix(`/_matrix/client/*/logout`) || PathPrefix(`/_matrix/client/*/refresh`))";
}
{ {
subdomain = "matrix-admin"; subdomain = "matrix-admin";
port = 5173; port = 5173;
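Review bot: Both this hunk and the `my-lxc.monitoring` hunk further down drop `enable = true;` from `container`; unless that option defaults to `true` (its declaration is not on this page), both containers become disabled — confirm. Removing `additionalDB = [ "matrix_mas" ]` stops declaring the `matrix_mas` database; depending on what the `db` module does with undeclared databases this either orphans the auth service's data or drops it, so add a comment stating which is intended, and since the MAS block in the synapse config is only commented out, keeping the declaration until MAS is definitively gone is the safer choice. The new `port = 8008; # -> synapse` makes synapse the container's primary routed service, which presumably replaces the deleted `matrix` subdomain entry and its login-path `customRule`; a short note saying so would save the next reader the deduction.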


@@ -5,10 +5,11 @@ in
{ {
my-lxc.monitoring = { my-lxc.monitoring = {
container = { container = {
enable = true;
cores = 2; cores = 2;
memory = 1024; memory = 2048;
disk = "10G"; disk = "10G";
swap = 512; swap = 1024;
}; };
system = { system = {
port = 3000; # grafana port = 3000; # grafana


@@ -25,6 +25,7 @@ in
"dlna" "dlna"
"filesystem_local" "filesystem_local"
"filesystem_smb" "filesystem_smb"
"hass"
"hass_players" "hass_players"
"jellyfin" "jellyfin"
"player_group" "player_group"


@@ -9,6 +9,7 @@
swap = 512; swap = 512;
}; };
system = { system = {
port = 80;
importConfig = [ importConfig = [
../config/power-ups.nix ../config/power-ups.nix
]; ];