From b6b9e09535208f67521407bbda29db771101327e Mon Sep 17 00:00:00 2001
From: main
Date: Thu, 27 Oct 2022 11:39:39 +0200
Subject: [PATCH] Matrix setup

Signed-off-by: main
---
 containers/conduit.nix                    |   2 +-
 containers/heisenbridge.nix               |  42 ++++
 containers/mautrix-facebook.nix           |   2 +-
 flake.nix                                 |   1 +
 nomad/regions/do-1/ingress-upstreams.conf |  43 ++++-
 nomad/regions/do-1/ingress.hcl            |  42 ++--
 nomad/regions/homelab-1/conduit.tf        |  86 ++++++++-
 nomad/regions/homelab-1/job/conduit.hcl   | 223 ++++++++++++++++++++--
 terraform.tfvars                          |  11 +-
 9 files changed, 402 insertions(+), 50 deletions(-)
 create mode 100644 containers/heisenbridge.nix

diff --git a/containers/conduit.nix b/containers/conduit.nix
index bca4713..7659f2c 100644
--- a/containers/conduit.nix
+++ b/containers/conduit.nix
@@ -1,7 +1,7 @@
 { nglib, nixpkgs }:
 nglib.makeSystem {
   system = "x86_64-linux";
-  name = "nixng-gitea";
+  name = "synapse";
   inherit nixpkgs;
   config = ({ pkgs, ... }:
   {
diff --git a/containers/heisenbridge.nix b/containers/heisenbridge.nix
new file mode 100644
index 0000000..4c25598
--- /dev/null
+++ b/containers/heisenbridge.nix
@@ -0,0 +1,42 @@
+{ nglib, nixpkgs }:
+nglib.makeSystem {
+  system = "x86_64-linux";
+  name = "heisenbridge";
+  inherit nixpkgs;
+  config = ({ pkgs, ... }:
+  {
+    dumb-init = {
+      enable = true;
+      type.services = { };
+    };
+
+    init.services.heisenbridge = {
+      enabled = true;
+      # heisenbridge needs to retry the connection and task restarting does not work currently
+      shutdownOnExit = false;
+      script =
+        let
+          config =
+            ''
+              -l 127.0.0.1 \
+              -p 9898 \
+              -o @magic_rb:matrix.redalder.org \
+            '';
+          homeserverURI = "https://matrix.redalder.org/";
+        in
+        pkgs.writeShellScript "heisenbridge"
+          ''
+            REGISTRATION_FILE="/var/lib/registrations/heisenbridge.yaml"
+
+            [ -e "$REGISTRATION_FILE" ] || \
+              ${pkgs.heisenbridge}/bin/heisenbridge '${homeserverURI}' \
+                -c "$REGISTRATION_FILE" \
+                ${config} \
+                --generate
+            ${pkgs.heisenbridge}/bin/heisenbridge '${homeserverURI}' \
+              -c "$REGISTRATION_FILE" \
+              ${config}
+          '';
+    };
+  });
+}
diff --git a/containers/mautrix-facebook.nix b/containers/mautrix-facebook.nix
index 4817f95..dff302d 100644
--- a/containers/mautrix-facebook.nix
+++ b/containers/mautrix-facebook.nix
@@ -1,7 +1,7 @@
 { nglib, nixpkgs }:
 nglib.makeSystem {
   system = "x86_64-linux";
-  name = "nixng-gitea";
+  name = "mautrix-facebook";
   inherit nixpkgs;
   config = ({ pkgs, ... }:
   {
diff --git a/flake.nix b/flake.nix
index 7b834f7..af994eb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,6 +48,7 @@
       baikal = import ./containers/baikal.nix base;
       conduit = import ./containers/conduit.nix base;
       mautrix-facebook = import ./containers/mautrix-facebook.nix base;
+      heisenbridge = import ./containers/heisenbridge.nix base;
     };
 
   hydraJobs =
diff --git a/nomad/regions/do-1/ingress-upstreams.conf b/nomad/regions/do-1/ingress-upstreams.conf
index e64204e..a215d2d 100644
--- a/nomad/regions/do-1/ingress-upstreams.conf
+++ b/nomad/regions/do-1/ingress-upstreams.conf
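Review bot: `pkgs.writeShellScript` does not enable `set -e`, so when the `--generate` run (the last command of the `||` list) fails, the script falls through to the second invocation with a missing or half-written `heisenbridge.yaml`; add `set -euo pipefail` as the first line of the script body. Because `[ -e ]` then skips generation for good once a partial file exists, generating into a temporary name and renaming it into place only on success would make the first start retry-safe. The registration file carries the `as_token`/`hs_token` the homeserver trusts, so also run `umask 077` before generating; `/var/lib/registrations` is presumably the shared registrations volume, where anything else that mounts it can read those tokens. `-l 127.0.0.1` only works if the homeserver shares this task's network namespace, which is worth a comment next to the `config` binding.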
@@ -18,8 +18,16 @@ upstream reicio {
   server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }};
 }
 
+upstream matrix-synapse {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
+}
+
+upstream matrix-mautrix-facebook {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
+}
+
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
 
   server_name _;
 
@@ -29,7 +37,7 @@ server {
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
 
   server_name gitea.redalder.org;
 
@@ -45,7 +53,7 @@ server {
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
 
   server_name hydra.redalder.org;
 
@@ -59,7 +67,7 @@ server {
 server {
-  listen 443 ssl;
+  listen 443 ssl http2;
 
   server_name redalder.org nixng.org;
 
@@ -80,4 +88,31 @@ server {
     include /local/headers.conf;
     proxy_pass http://website;
   }
+}
+
+server {
+  listen 443 ssl http2;
+  listen 8448 ssl http2;
+
+  server_name matrix.redalder.org;
+  merge_slashes off;
+
+  location /_matrix/ {
+    proxy_pass http://matrix-synapse$request_uri;
+    proxy_set_header Host $http_host;
+    proxy_buffering off;
+  }
+
+  location /mufb/ {
+    proxy_pass http://matrix-mautrix-facebook$request_uri;
+    proxy_set_header Host $http_host;
+    proxy_buffering off;
+  }
+
+  location / {
+    return 404;
+  }
+
+  include /local/security.conf;
+  include /local/ssl.conf;
+}
\ No newline at end of file
diff --git a/nomad/regions/do-1/ingress.hcl b/nomad/regions/do-1/ingress.hcl
index cb0adfe..9ca9be8 100644
--- a/nomad/regions/do-1/ingress.hcl
+++ b/nomad/regions/do-1/ingress.hcl
@@ -40,6 +40,12 @@ job "ingress" {
       host_network = "public"
     }
 
+    port "http-matrix" {
+      static = 8448
+      to = 8448
+      host_network = "public"
+    }
+
     port "https" {
       static = 443
       to = 443
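Review bot: The new `matrix-mautrix-facebook` upstream reads `NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook`, but Nomad exports Connect upstream addresses with the dashes of the service name replaced by underscores, which is exactly what the `matrix_synapse` line just above assumes; an unknown variable makes the `env` call render empty and nginx then refuses the config on a bare `server ;`. Change it to `server {{ env "NOMAD_UPSTREAM_ADDR_matrix_mautrix_facebook" }};`. The normalisation is a Nomad convention rather than something this diff shows, so confirm against the rendered template on the ingress node.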
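Review bot: Both proxied locations of the new `matrix.redalder.org` server set only `Host`, so the homeserver sees every client and federation request as arriving from the proxy's address over plain HTTP, which defeats its per-IP rate limiting and logging and can make it build `http://` URLs; unless `/local/security.conf` already sets them, add `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` to the `/_matrix/` location (the matching `x_forwarded` listener setting lives outside this diff). Media uploads through `/_matrix/media/` will also be cut off at nginx's 1 MB default unless the location sets `client_max_body_size 50M;` (or whatever the homeserver's upload limit is). The `/mufb/` location publishes the bridge's HTTP listener on the internet; a one-line comment saying which bridge endpoint that is meant to expose would help the next reader judge it.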
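Review bot: The added port is named `http-matrix`, yet the nginx config in the same commit terminates TLS on it (`listen 8448 ssl http2`), so the name misdescribes the traffic next to its sibling `https` port; rename it `port "https-matrix" {` or `port "federation" {`. Nothing in this diff references the port by name and the nginx task's `ports` list is dropped in the same commit, so the rename looks safe, but check that nothing else keys on it. The enclosing network block starts and ends outside the hunk.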
@@ -119,13 +125,33 @@ job "ingress" {
                 mode = "local"
               }
             }
+
+            upstreams {
+              destination_name = "matrix-synapse"
+              local_bind_port = 6167
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "matrix-mautrix-facebook"
+              local_bind_port = 29319
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
           }
         }
       }
     }
 
     task "nginx" {
-      driver = "docker"
+      driver = "containerd-driver"
 
       volume_mount {
         volume = "ingress-letsencrypt"
@@ -133,21 +159,15 @@ job "ingress" {
         read_only = false
       }
 
-      # artifact {
-      #   source = "http://hydra/build/99/download/1/image.tar.gz"
-      # }
-
       config {
-        # load = "nixng-ingress.tar.gz"
-        image = "nixng-ingress:local"
-
-        ports = ["http", "https", "minecraft"]
-        memory_hard_limit = 128
+        flake_ref = "${var.flake_ref}#nixngSystems.ingressToothpick.config.system.build.toplevel"
+        flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
       }
 
       resources {
         cpu = 200
-        memory = 32
+        memory = 128
       }
 
       template {
diff --git a/nomad/regions/homelab-1/conduit.tf b/nomad/regions/homelab-1/conduit.tf
index afe2161..01544bf 100644
--- a/nomad/regions/homelab-1/conduit.tf
+++ b/nomad/regions/homelab-1/conduit.tf
@@ -1,9 +1,9 @@
-resource "nomad_volume" "conduit-data" {
+resource "nomad_volume" "matrix-synapse" {
   type = "csi"
-  plugin_id = "nfs"
-  volume_id = "conduit-data"
-  name = "conduit-data"
-  external_id = "conduit-data"
+  plugin_id = "org.democratic-csi.nfs"
+  volume_id = "matrix-synapse"
+  name = "matrix-synapse"
+  external_id = "matrix-synapse"
 
   capability {
     access_mode = "single-node-writer"
@@ -12,22 +12,92 @@ resource "nomad_volume" "conduit-data" {
   context = {
     server = "blowhole.hosts.in.redalder.org"
-    share = "/var/nfs/conduit-data"
+    share = "/var/nfs/matrix/synapse"
+    node_attach_driver = "nfs"
+    provisioner_driver = "node-manual"
   }
 
   mount_options {
     fs_type = "nfs"
-    mount_flags = [ "nolock", "hard" ]
+    mount_flags = [ "nfsvers=3", "hard", "async" ]
   }
 }
+
+resource "nomad_volume" "matrix-registrations" {
+  type = "csi"
+  plugin_id = "org.democratic-csi.nfs"
+  volume_id = "matrix-registrations"
+  name = "matrix-registrations"
+  external_id = "matrix-registrations"
+
+  capability {
+    access_mode = "multi-node-multi-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    server = "blowhole.hosts.in.redalder.org"
+    share = "/var/nfs/matrix/registrations"
+    node_attach_driver = "nfs"
+    provisioner_driver = "node-manual"
+  }
+
+  mount_options {
+    fs_type = "nfs"
+    mount_flags = [ "nfsvers=3", "hard", "async" ]
+  }
+}
+
+resource "nomad_volume" "matrix-mautrix-facebook" {
+  type = "csi"
+  plugin_id = "org.democratic-csi.nfs"
+  volume_id = "matrix-mautrix-facebook"
+  name = "matrix-mautrix-facebook"
+  external_id = "matrix-mautrix-facebook"
+
+  capability {
+    access_mode = "single-node-writer"
+    attachment_mode = "file-system"
+  }
+
+  context = {
+    server = "blowhole.hosts.in.redalder.org"
+    share = "/var/nfs/matrix/mautrix-facebook"
+    node_attach_driver = "nfs"
+    provisioner_driver = "node-manual"
+  }
+
+  mount_options {
+    fs_type = "nfs"
+    mount_flags = [ "nfsvers=3", "hard", "async" ]
+  }
+}
+
+resource "vault_policy" "matrix-mautrix-facebook-policy" {
+  name = "matrix-mautrix-facebook-policy"
+  policy = <