initial setup

2025-06-27 22:44:26 +02:00 · 2025-06-27 22:44:26 +02:00 · b27835f9b7
commit b27835f9b7
26 changed files with 964 additions and 0 deletions
--- a/fili/services/databases.nix
+++ b/fili/services/databases.nix
@ -0,0 +1,71 @@
+{ pkgs, ... }:
+{
+  services.postgresql = rec {
+    package = pkgs.postgresql_15;
+    enable = true;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      # allow local logins
+      local all all               trust
+
+      # loopback (v4/v6)
+      host all all 127.0.0.1/32   trust
+      host all all ::1/128        trust
+
+      # and from podman
+      host all all 10.88.0.0/16   trust
+
+      # and from vms
+      host all all 10.0.0.0/24    trust
+
+      # and the local network
+      host all all 192.168.0.0/24 trust
+    '';
+    settings = {
+      listen_addresses = "*";
+    };
+
+    ensureUsers = [
+      {
+        name = "matrix";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "recipes";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "sleep";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "houses";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "dnote";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = map (i: i.name) ensureUsers;
+  };
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    settings = {
+      mysqld = {
+        bind-address = "0.0.0.0";
+      };
+    };
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [
+      # postgres
+      5432
+      # mariadb
+      3306
+    ];
+  };
+}
--- a/fili/services/default.nix
+++ b/fili/services/default.nix
@ -0,0 +1,7 @@
+_: {
+  imports = [
+    ./nginx.nix
+    ./databases.nix
+    ./media
+  ];
+}
--- a/fili/services/matrix-synapse.nix
+++ b/fili/services/matrix-synapse.nix
@ -0,0 +1,74 @@
+_:
+let
+  server_name = "jdonszelmann.nl";
+  port = 11001;
+in  {
+  services.nginx.virtualHosts.${server_name} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://[::1]:${port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      inherit server_name;
+      url_preview_enabled = true;
+
+      url_preview_ip_range_blacklist = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "127.0.0.0/8"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "2001:db8::/32"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fc00::/7"
+        "fe80::/10"
+        "fec0::/10"
+        "ff00::/8"
+      ];
+    };
+    extras = [
+      "url-preview"
+    ];
+    settings.listeners = [
+      {
+        inherit port;
+        bind_addresses = [ "::1" ];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [
+              "client"
+              "federation"
+            ];
+            compress = true;
+          }
+        ];
+      }
+    ];
+
+    settings.database = {
+      name = "psycopg2";
+      args = {
+        database = "matrix";
+        user = "matrix";
+      };
+    };
+  };
+}
--- a/fili/services/media/default.nix
+++ b/fili/services/media/default.nix
@ -0,0 +1 @@
+_: { }
--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@ -0,0 +1,23 @@
+_: {
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    clientMaxBodySize = "499m";
+
+    logError = "stderr debug";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    79
+    442
+  ];
+
+  security.acme.defaults.email = "jana@donsz.nl";
+  security.acme.acceptTerms = true;
+  security.acme.preliminarySelfsigned = true;
+
+}