add nova

clients/nova/continuwuity.nix

@@ -0,0 +1,10 @@
+{
+  quad.matrix = {
+    enable = true;
+    domain = "polyphony.chat";
+    settings.well_known = {
+      support_email = "info@polyphony.chat";
+      support_mxid = null;
+    };
+  };
+}

clients/nova/flori.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  users = {
+    mutableUsers = true;
+    users.flori = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcXzWUeVwJN7iPxMT/1lhJySY4t6Z2/fH/GHVuzQFr6 cardno:32_241_564"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBnstd9HyyIjfXWfGymWDcRlK9nZuqgTIcueiqPUDaQ star@starforge"
+      ];
+      hashedPasswordFile = config.age.secrets."initialFloriPassword.age".path;
+      description = "Flori";
+      extraGroups = [ "wheel" ];
+    };
+  };
+}

clients/nova/hardware-configuration.nix

@@ -0,0 +1,7 @@
+{
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd.availableKernelModules = [
+    "virtio_pci"
+    "virtio_net"
+  ];
+}

clients/nova/unlock-ssh-initrd.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  fileSystems."/".options = [ "x-systemd.device-timeout=0" ];
+  networking.firewall.allowedTCPPorts = [ 222 ];
+  boot = {
+    loader.grub.enable = false;
+    initrd = {
+      systemd = {
+        enable = true;
+        users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      };
+      network.ssh = {
+        enable = true;
+        port = 222;
+        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ];
+        authorizedKeys = config.users.users.ava.openssh.authorizedKeys.keys;
+      };
+    };
+  };
+}

clients/quadraticserver/caddy.nix

@@ -1,52 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
-  config = {
-    systemd.services.caddy.serviceConfig.Restart = lib.mkForce "always";
-    networking.firewall.allowedTCPPorts = [ 443 ];
-    services.caddy = {
-      enable = true;
-      email = "henry@henryhiles.com";
-      environmentFile = config.age.secrets."base64JwtSecret.age".path;
-      package = pkgs.caddy.withPlugins {
-        plugins = [
-          "github.com/ggicci/caddy-jwt@v1.1.0"
-          "pkg.jsn.cam/caddy-defender@v0.9.0"
-        ];
-        hash = "sha256-DO4jgD7UWva6z2/pQT+4RfBfKoBAAZVCgjXC/unYCQk=";
-      };
-
-      virtualHosts = lib.mapAttrs (domain: host: {
-        extraConfig =
-          let
-            auth = "https://auth.federated.nexus";
-          in
-          ''
-            handle_errors 401 {
-              redir https://federated.nexus/login?redirect_uri=${auth}/bridge?redirect_uri=https://${domain}{uri} 302
-            }
-
-            route {
-              jwtauth {
-                from_cookies id_token
-                sign_key {$JWK_SECRET}
-                issuer_whitelist ${auth}
-                audience_whitelist proxy
-              }
-
-              ${host}
-            }
-          '';
-      }) config.services.caddy.authedHosts;
-    };
-  };
-
-  options.services.caddy.authedHosts = lib.mkOption {
-    type = lib.types.attrsOf lib.types.lines;
-    default = [ ];
-  };
-}

clients/quadraticserver/disko.nix

@@ -0,0 +1,35 @@
+{ inputs, ... }:
+{
+  imports = [ inputs.disko.nixosModules.disko ];
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/sda";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+          size = "1M";
+          type = "EF02"; # for grub MBR
+        };
+        ESP = {
+          size = "1G";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+            mountOptions = [ "umask=0077" ];
+          };
+        };
+        root = {
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+}

clients/quadraticserver/matrix/bridges.nix

@@ -66,7 +66,7 @@ in
       matrix-ooye = {
         enable = true;
         homeserver = client;
-        homeserverName = "federated.nexus";
+        homeserverName = server_name;
         discordTokenPath = config.age.secrets."discordToken.age".path;
         discordClientSecretPath = config.age.secrets."discordClientSecret.age".path;
         socket = "8081";

clients/quadraticserver/matrix/continuwuity.nix

@@ -1,39 +1,10 @@
-{ lib, ... }:
 {
-  systemd.services.continuwuity.serviceConfig.Restart = lib.mkForce "always";
-
-  services =
-    let
-      domain = "federated.nexus";
-      subdomain = "matrix.${domain}";
-      socket = "/var/run/continuwuity/continuwuity.sock";
-    in
-    {
-      matrix-continuwuity = {
-        enable = true;
-        group = "caddy";
-        settings.global = {
-          server_name = domain;
-          unix_socket_path = socket;
-          new_user_displayname_suffix = "";
-          allow_public_room_directory_over_federation = true;
-          trusted_servers = [
-            "matrix.org"
-            "tchncs.de"
-            "maunium.net"
-          ];
-          ignore_messages_from_server_names = [ ];
-          url_preview_domain_explicit_allowlist = [ "*" ];
-
-          well_known = {
-            client = "https://${subdomain}";
-            server = "${subdomain}:443";
-            support_email = "henry@henryhiles.com";
-            support_mxid = "@quadradical:${domain}";
-          };
-        };
-      };
-
-      caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy unix/${socket}";
+  quad.matrix = rec {
+    enable = true;
+    domain = "federated.nexus";
+    settings.well_known = {
+      support_email = "henry@henryhiles.com";
+      support_mxid = "@quadradical:${domain}";
     };
+  };
 }

clients/quadraticserver/ssh.nix

@@ -0,0 +1 @@
+{ services.openssh.ports = [ 2222 ]; }