Modularize teams sops yazi

2024-08-24 13:25:08 +02:00 · 2024-08-24 13:25:08 +02:00 · c73cb37278
commit c73cb37278
parent 7730cbef59
75 changed files with 3023 additions and 3573 deletions
--- a/hardware/server/configuration.nix
+++ b/hardware/server/configuration.nix
@ -16,8 +16,7 @@ let
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
-in
-{
+in {
  networking.hostName = "server";
  networking.domain = "dashie.org";
  imports = [
@ -45,9 +44,7 @@ in
      pkgs.ntfs3g
      pkgs.rsync
    ];
-    openssh.authorizedKeys.keyFiles = [
-      /home/dashie/server.pub
-    ];
+    openssh.authorizedKeys.keyFiles = [ /home/dashie/server.pub ];
  };

  services.openssh = {
@ -68,28 +65,25 @@ in
    enable_registration_without_verification = true;
    suppress_key_server_warning = true;
    max_upload_size = "1G";
-    listeners = [
-      {
-        port = 8008;
-        bind_addresses = [ "::1" ];
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = [ "client" "federation" ];
-            compress = true;
-          }
-        ];
-      }
-    ];
+    listeners = [{
+      port = 8008;
+      bind_addresses = [ "::1" ];
+      type = "http";
+      tls = false;
+      x_forwarded = true;
+      resources = [{
+        names = [ "client" "federation" ];
+        compress = true;
+      }];
+    }];
  };
  services.mautrix-whatsapp-dashie.settings = {
    appservice = {
      id = "whatsapp";
      database = {
        type = "postgres";
-        uri = "postgresql:///mautrix_whatsapp?host=/run/postgresql&sslmode=disable&user=mautrix_whatsapp&password=${mautrix_whatsapp_pw}";
+        uri =
+          "postgresql:///mautrix_whatsapp?host=/run/postgresql&sslmode=disable&user=mautrix_whatsapp&password=${mautrix_whatsapp_pw}";
      };
    };
    bridge = {
@ -98,7 +92,8 @@ in
        default = true;
        required = true;
      };
-      displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}}";
+      displayname_template =
+        "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}}";
      permissions = {
        "@fabio.lenherr:matrix.org" = "admin";
        "@dashie:matrix.dashie.org" = "admin";
@ -110,7 +105,8 @@ in
      id = "signal";
      database = {
        type = "postgres";
-        uri = "postgresql:///mautrix_signal?host=/run/postgresql&sslmode=disable&user=mautrix_signal&password=${mautrix_signal_pw}";
+        uri =
+          "postgresql:///mautrix_signal?host=/run/postgresql&sslmode=disable&user=mautrix_signal&password=${mautrix_signal_pw}";
      };
    };
    bridge = {
@ -119,7 +115,8 @@ in
        default = true;
        required = true;
      };
-      displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
+      displayname_template =
+        ''{{or .ProfileName .PhoneNumber "Unknown user"}}'';
      permissions = {
        "@fabio.lenherr:matrix.org" = "admin";
        "@dashie:matrix.dashie.org" = "admin";
@ -131,11 +128,13 @@ in
      id = "discord";
      database = {
        type = "postgres";
-        uri = "postgresql:///mautrix_discord?host=/run/postgresql&sslmode=disable&user=mautrix_discord&password=${mautrix_discord_pw}";
+        uri =
+          "postgresql:///mautrix_discord?host=/run/postgresql&sslmode=disable&user=mautrix_discord&password=${mautrix_discord_pw}";
      };
    };
    bridge = {
-      displayname_template = "{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}";
+      displayname_template =
+        "{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}";
      permissions = {
        "@fabio.lenherr:matrix.org" = "admin";
        "@dashie:matrix.dashie.org" = "admin";
@ -154,7 +153,12 @@ in
    enableACME = true;
    root = "/var/www/dashie.org/";
  };
-  security.acme.certs."dashie.org".extraDomainNames = [ "cloud.dashie.org" "matrix.dashie.org" "git.dashie.org" "navi.dashie.org" ];
+  security.acme.certs."dashie.org".extraDomainNames = [
+    "cloud.dashie.org"
+    "matrix.dashie.org"
+    "git.dashie.org"
+    "navi.dashie.org"
+  ];
  services.nginx.virtualHosts."cloud.dashie.org" = {
    addSSL = true;
    enableACME = true;
@ -172,12 +176,10 @@ in
  };

  services.nginx.virtualHosts."localhost" = {
-    listen = [
-      {
-        addr = "0.0.0.0";
-        port = 8448;
-      }
-    ];
+    listen = [{
+      addr = "0.0.0.0";
+      port = 8448;
+    }];
    locations."/".proxyPass = "http://[::1]:8008";
  };

@ -185,21 +187,19 @@ in
    forceSSL = true;
    enableACME = true;
    locations."/".extraConfig = ''
-      	return 404;
+      return 404;
    '';
-    locations."/_matrix" = {
-      proxyPass = "http://[::1]:8008";
-    };
+    locations."/_matrix" = { proxyPass = "http://[::1]:8008"; };
    locations."/_synapse/client".proxyPass = "http://[::1]:8008";

-    locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+    locations."= /.well-known/matrix/server".extraConfig =
+      mkWellKnown serverConfig;
    # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
    # Further reference can be found in the upstream docs at
    # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
-    locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
-    extraConfig =
-      "client_max_body_size 2G;"
-    ;
+    locations."= /.well-known/matrix/client".extraConfig =
+      mkWellKnown clientConfig;
+    extraConfig = "client_max_body_size 2G;";
  };

  services.nextcloud.enable = true;
@ -325,9 +325,7 @@ in
  system.stateVersion = "24.05";

  nix = {
-    settings = {
-      experimental-features = "nix-command flakes";
-    };
+    settings = { experimental-features = "nix-command flakes"; };
    extraOptions = ''
      !include ${config.sops.secrets.access.path}
    '';
--- a/hardware/server/hardware-configuration.nix
+++ b/hardware/server/hardware-configuration.nix
@ -1,51 +1,44 @@
 { config, lib, modulesPath, ... }: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules =
+    [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/678ecbd1-a5ce-4530-a959-ffb48f76aa43";
-      fsType = "btrfs";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/678ecbd1-a5ce-4530-a959-ffb48f76aa43";
+    fsType = "btrfs";
+  };

-  fileSystems."/var/lib/nextcloud" =
-    {
-      device = "/dev/disk/by-label/nextcloud";
-      fsType = "ext4";
-    };
+  fileSystems."/var/lib/nextcloud" = {
+    device = "/dev/disk/by-label/nextcloud";
+    fsType = "ext4";
+  };

-  fileSystems."/mnt/dump3" =
-    {
-      device = "/dev/disk/by-label/backup";
-      fsType = "ext4";
-    };
+  fileSystems."/mnt/dump3" = {
+    device = "/dev/disk/by-label/backup";
+    fsType = "ext4";
+  };

-  fileSystems."/mnt/dump1" =
-    {
-      device = "/dev/disk/by-uuid/CC60532860531912";
-      fsType = "ntfs-3g";
-      options = [ "rw" "uid=1000" ];
-    };
+  fileSystems."/mnt/dump1" = {
+    device = "/dev/disk/by-uuid/CC60532860531912";
+    fsType = "ntfs-3g";
+    options = [ "rw" "uid=1000" ];
+  };

-  fileSystems."/mnt/dump2" =
-    {
-      device = "/dev/disk/by-uuid/F46896AE68966EDC";
-      fsType = "ntfs-3g";
-      options = [ "rw" "uid=1000" ];
-    };
+  fileSystems."/mnt/dump2" = {
+    device = "/dev/disk/by-uuid/F46896AE68966EDC";
+    fsType = "ntfs-3g";
+    options = [ "rw" "uid=1000" ];
+  };

-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/B7BE-AB1C";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/B7BE-AB1C";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };

  swapDevices =
    [{ device = "/dev/disk/by-uuid/832dce11-b4c4-476c-ab28-bd98275a542c"; }];
@ -58,5 +51,6 @@
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hardware/server/mautrix-discord.nix
+++ b/hardware/server/mautrix-discord.nix
@ -1,15 +1,13 @@
 # derived from mautrix signal on nixpkgs -> https://github.com/NixOS/nixpkgs/blob/nixos-24.05/pkgs/servers/mautrix-signal/default.nix#L27
-{ lib
-, config
-, pkgs
-, ...
-}:
+{ lib, config, pkgs, ... }:
 let
  cfg = config.services.mautrix-discord-dashie;
  dataDir = "/var/lib/mautrix-discord";
  registrationFile = "${dataDir}/discord-registration.yaml";
  settingsFile = "${dataDir}/config.yaml";
-  settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" cfg.settings;
+  settingsFileUnsubstituted =
+    settingsFormat.generate "mautrix-discord-config-unsubstituted.json"
+    cfg.settings;
  settingsFormat = pkgs.formats.json { };
  appservicePort = 29334;

@ -33,7 +31,8 @@ let
    };
    bridge = {
      username_template = "discord_{{.}}";
-      displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
+      displayname_template =
+        ''{{or .ProfileName .PhoneNumber "Unknown user"}}'';
      double_puppet_server_map = { };
      login_shared_secret_map = { };
      command_prefix = "!discord";
@ -50,10 +49,10 @@ let
    };
  };

-in
-{
+in {
  options.services.mautrix-discord-dashie = {
-    enable = lib.mkEnableOption "mautrix-discord, a Matrix-Discord puppeting bridge.";
+    enable =
+      lib.mkEnableOption "mautrix-discord, a Matrix-Discord puppeting bridge.";

    settings = lib.mkOption {
      apply = lib.recursiveUpdate defaultConfig;
@ -76,9 +75,7 @@ in
          ephemeral_events = false;
        };
        bridge = {
-          history_sync = {
-            request_full_sync = true;
-          };
+          history_sync = { request_full_sync = true; };
          private_chat_portal_meta = true;
          mute_bridging = true;
          encryption = {
@ -86,12 +83,8 @@ in
            default = true;
            require = true;
          };
-          provisioning = {
-            shared_secret = "disable";
-          };
-          permissions = {
-            "example.com" = "user";
-          };
+          provisioning = { shared_secret = "disable"; };
+          permissions = { "example.com" = "user"; };
        };
      };
    };
@ -112,8 +105,10 @@ in

    serviceDependencies = lib.mkOption {
      type = with lib.types; listOf str;
-      default = (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
-        ++ (lib.optional config.services.matrix-conduit.enable "conduit.service");
+      default = (lib.optional config.services.matrix-synapse.enable
+        config.services.matrix-synapse.serviceUnit)
+        ++ (lib.optional config.services.matrix-conduit.enable
+          "conduit.service");
      defaultText = lib.literalExpression ''
        (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
        ++ (optional config.services.matrix-conduit.enable "conduit.service")
@ -155,15 +150,16 @@ in
    };

    # Note: this is defined here to avoid the docs depending on `config`
-    services.mautrix-discord-dashie.settings.homeserver = optOneOf (with config.services; [
-      (lib.mkIf matrix-synapse.enable (mkDefaults {
-        domain = matrix-synapse.settings.server_name;
-      }))
-      (lib.mkIf matrix-conduit.enable (mkDefaults {
-        domain = matrix-conduit.settings.global.server_name;
-        address = "http://localhost:${toString matrix-conduit.settings.global.port}";
-      }))
-    ]);
+    services.mautrix-discord-dashie.settings.homeserver = optOneOf
+      (with config.services; [
+        (lib.mkIf matrix-synapse.enable
+          (mkDefaults { domain = matrix-synapse.settings.server_name; }))
+        (lib.mkIf matrix-conduit.enable (mkDefaults {
+          domain = matrix-conduit.settings.global.server_name;
+          address =
+            "http://localhost:${toString matrix-conduit.settings.global.port}";
+        }))
+      ]);

    systemd.services.mautrix-discord-dashie = {
      description = "mautrix-discord, a Matrix-Discord puppeting bridge.";
@ -241,7 +237,7 @@ in
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" ];
        Type = "simple";
-        UMask = 0027;
+        UMask = 27;
      };
      restartTriggers = [ settingsFileUnsubstituted ];
    };
--- a/hardware/server/mautrix-whatsapp.nix
+++ b/hardware/server/mautrix-whatsapp.nix
@ -1,15 +1,13 @@
 # derived from mautrix signal on nixpkgs -> https://github.com/NixOS/nixpkgs/blob/nixos-24.05/pkgs/servers/mautrix-signal/default.nix#L27
-{ lib
-, config
-, pkgs
-, ...
-}:
+{ lib, config, pkgs, ... }:
 let
  cfg = config.services.mautrix-whatsapp-dashie;
  dataDir = "/var/lib/mautrix-whatsapp";
  registrationFile = "${dataDir}/whatsapp-registration.yaml";
  settingsFile = "${dataDir}/config.yaml";
-  settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings;
+  settingsFileUnsubstituted =
+    settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json"
+    cfg.settings;
  settingsFormat = pkgs.formats.json { };
  appservicePort = 29318;

@ -33,7 +31,8 @@ let
    };
    bridge = {
      username_template = "whatsapp_{{.}}";
-      displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
+      displayname_template =
+        ''{{or .ProfileName .PhoneNumber "Unknown user"}}'';
      double_puppet_server_map = { };
      login_shared_secret_map = { };
      command_prefix = "!whatsapp";
@ -50,10 +49,10 @@ let
    };
  };

-in
-{
+in {
  options.services.mautrix-whatsapp-dashie = {
-    enable = lib.mkEnableOption "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";
+    enable = lib.mkEnableOption
+      "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";

    settings = lib.mkOption {
      apply = lib.recursiveUpdate defaultConfig;
@ -76,9 +75,7 @@ in
          ephemeral_events = false;
        };
        bridge = {
-          history_sync = {
-            request_full_sync = true;
-          };
+          history_sync = { request_full_sync = true; };
          private_chat_portal_meta = true;
          mute_bridging = true;
          encryption = {
@ -86,12 +83,8 @@ in
            default = true;
            require = true;
          };
-          provisioning = {
-            shared_secret = "disable";
-          };
-          permissions = {
-            "example.com" = "user";
-          };
+          provisioning = { shared_secret = "disable"; };
+          permissions = { "example.com" = "user"; };
        };
      };
    };
@ -112,8 +105,10 @@ in

    serviceDependencies = lib.mkOption {
      type = with lib.types; listOf str;
-      default = (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
-        ++ (lib.optional config.services.matrix-conduit.enable "conduit.service");
+      default = (lib.optional config.services.matrix-synapse.enable
+        config.services.matrix-synapse.serviceUnit)
+        ++ (lib.optional config.services.matrix-conduit.enable
+          "conduit.service");
      defaultText = lib.literalExpression ''
        (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
        ++ (optional config.services.matrix-conduit.enable "conduit.service")
@ -155,15 +150,16 @@ in
    };

    # Note: this is defined here to avoid the docs depending on `config`
-    services.mautrix-whatsapp-dashie.settings.homeserver = optOneOf (with config.services; [
-      (lib.mkIf matrix-synapse.enable (mkDefaults {
-        domain = matrix-synapse.settings.server_name;
-      }))
-      (lib.mkIf matrix-conduit.enable (mkDefaults {
-        domain = matrix-conduit.settings.global.server_name;
-        address = "http://localhost:${toString matrix-conduit.settings.global.port}";
-      }))
-    ]);
+    services.mautrix-whatsapp-dashie.settings.homeserver = optOneOf
+      (with config.services; [
+        (lib.mkIf matrix-synapse.enable
+          (mkDefaults { domain = matrix-synapse.settings.server_name; }))
+        (lib.mkIf matrix-conduit.enable (mkDefaults {
+          domain = matrix-conduit.settings.global.server_name;
+          address =
+            "http://localhost:${toString matrix-conduit.settings.global.port}";
+        }))
+      ]);

    systemd.services.mautrix-whatsapp-dashie = {
      description = "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";
@ -241,7 +237,7 @@ in
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" ];
        Type = "simple";
-        UMask = 0027;
+        UMask = 27;
      };
      restartTriggers = [ settingsFileUnsubstituted ];
    };