re-add bridges, wip docs

2025-07-25 16:22:10 -04:00 · 2025-07-25 16:22:10 -04:00 · 5aef169d60
commit 5aef169d60
parent f8138fcf67
6 changed files with 232 additions and 153 deletions
--- a/clients/quadraticserver/bridges.nix
+++ b/clients/quadraticserver/bridges.nix
@ -0,0 +1,70 @@
+{
+  pkgs,
+  inputs,
+  config,
+  ...
+}: let
+  settings = {
+    backfill.enabled = true;
+
+    appservice = {
+      as_token = "$CUSTOM_AS_TOKEN";
+      hs_token = "$CUSTOM_HS_TOKEN";
+    };
+
+    homeserver = {
+      domain = config.services.grapevine.settings.server_name;
+      address = config.services.grapevine.settings.server_discovery.client.base_url;
+    };
+
+    bridge = {
+      encryption = {
+        allow = true;
+        default = true;
+        require = false;
+      };
+      permissions = {
+        "${config.services.grapevine.settings.server_name}" = "user";
+        "@quadradical:${config.services.grapevine.settings.server_name}" = "admin";
+      };
+    };
+  };
+in {
+  imports = [inputs.nix-matrix-appservices.nixosModule inputs.ooye.modules.default];
+
+  services = let
+    domain = "ooye.federated.nexus";
+  in {
+    matrix-appservices.services = builtins.mapAttrs (name: value:
+      value
+      // {
+        inherit settings;
+        format = "mautrix-go";
+        port = 8000;
+        package = value.package.override {withGoolm = true;};
+      }) {
+      whatsapp = {
+        host = "127.0.0.4";
+        serviceConfig.EnvironmentFile = config.age.secrets."whatsapp.age".path;
+        package = pkgs.mautrix-whatsapp;
+      };
+      gmessages = {
+        host = "127.0.0.5";
+        serviceConfig.EnvironmentFile = config.age.secrets."gmessages.age".path;
+        package = inputs.nixpkgs-goolm.legacyPackages.${pkgs.system}.mautrix-gmessages;
+      };
+    };
+
+    matrix-ooye = {
+      enable = true;
+      homeserver = config.services.grapevine.settings.server_discovery.client.base_url;
+      homeserverName = "federated.nexus";
+      discordTokenPath = config.age.secrets."discordToken.age".path;
+      discordClientSecretPath = config.age.secrets."discordClientSecret.age".path;
+      socket = "8081";
+      bridgeOrigin = "https://${domain}";
+    };
+
+    caddy.virtualHosts."${domain}".extraConfig = "reverse_proxy 127.0.0.1:8081";
+  };
+}
--- a/clients/quadraticserver/caddy.nix
+++ b/clients/quadraticserver/caddy.nix
@ -1,19 +1,12 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
+{pkgs, ...}: {
  networking.firewall.allowedTCPPorts = [443];
-  services = {
-    nginx.enable = lib.mkForce false;
-    caddy = {
-      enable = true;
-      email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";
+  services.caddy = {
+    enable = true;
+    email = "hen" + "ry@he" + "nryhi" + "les.c" + "om";

-      package = pkgs.caddy.withPlugins {
-        plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
-        hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
-      };
+    package = pkgs.caddy.withPlugins {
+      plugins = ["github.com/ggicci/caddy-jwt@v1.1.0"];
+      hash = "sha256-sdhX/dAQ7lIxBo/ZW6XYX8SRuacLO9HobtIVKD/cw0o=";
    };
  };
 }
--- a/clients/quadraticserver/docs.nix
+++ b/clients/quadraticserver/docs.nix
@ -0,0 +1,115 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  authDomain = "auth.federated.nexus";
+  domain = "docs.federated.nexus";
+  socket = "/run/lasuite-docs/socket";
+  s3Domain = "http://127.0.0.1${config.services.minio.listenAddress}";
+  s3Url = "${s3Domain}/lasuite-docs";
+in {
+  services = {
+    lasuite-docs = {
+      enable = true;
+      enableNginx = false;
+      redis.createLocally = true;
+      postgresql.createLocally = true;
+      bind = "unix:${socket}";
+      inherit s3Url domain;
+
+      settings = {
+        OIDC_CREATE_USER = true;
+        OIDC_OP_AUTHORIZATION_ENDPOINT = "https://federated.nexus/login";
+        OIDC_OP_TOKEN_ENDPOINT = "http://${authDomain}/token";
+        OIDC_OP_USER_ENDPOINT = "http://${authDomain}/userinfo";
+        OIDC_RP_SIGN_ALGO = "HS256";
+        OIDC_USERINFO_FULLNAME_FIELDS = ''["name"]'';
+        OIDC_USERINFO_SHORTNAME_FIELD = "name";
+
+        AWS_S3_ENDPOINT_URL = s3Domain;
+        AWS_S3_ACCESS_KEY_ID = "minioadmin";
+        AWS_STORAGE_BUCKET_NAME = "lasuite-docs";
+        MEDIA_BASE_URL = "http://${domain}";
+
+        DJANGO_ALLOWED_HOSTS = domain;
+      };
+
+      environmentFile = config.age.secrets."lasuiteSecrets.age".path;
+    };
+
+    minio = {
+      enable = true;
+      browser = false;
+      rootCredentialsFile = config.age.secrets."minioCredentials.age".path;
+    };
+
+    caddy.virtualHosts."${domain}".extraConfig = let
+      cfg = config.services.lasuite-docs;
+    in ''
+      handle_errors {
+        @401 expression {http.error.status_code} == 401
+        rewrite @401 /401
+
+        @403 expression {http.error.status_code} == 403
+        rewrite @403 /403
+
+        @404 expression {http.error.status_code} == 404
+        rewrite @404 /404
+      }
+
+      root * ${pkgs.lasuite-docs-frontend}
+      file_server
+
+      @uuidDocs path_regexp uuidDocs ^/docs/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/?$
+      rewrite @uuidDocs /docs/[id]/index.html
+
+      reverse_proxy /api/* unix/${socket}
+
+      reverse_proxy /admin/* unix/${socket}
+
+      reverse_proxy /collaboration/ws/* http://localhost:${toString cfg.collaborationServer.port} {
+        transport http {
+          versions h2c 1.1
+        }
+      }
+
+      reverse_proxy /collaboration/api/* http://localhost:${toString cfg.collaborationServer.port}
+
+      rewrite /media-auth /api/v1.0/documents/media-auth/
+      reverse_proxy /api/v1.0/documents/media-auth/ unix/${socket} {
+        header_up X-Original-URL {uri}
+        header_up -Content-Length
+        header_up X-Original-Method {method}
+        header_up -X-Forwarded-For
+      }
+
+      rewrite /media/* /lasuite-docs
+      reverse_proxy /lasuite-docs ${s3Domain} {
+        header_up Authorization {http.reverse_proxy.header.X-Upstream-Authorization}
+        header_up X-Amz-Date {http.reverse_proxy.header.X-Upstream-X-Amz-Date}
+        header_up X-Amz-Content-SHA256 {http.reverse_proxy.header.X-Upstream-X-Amz-Content-Sha256}
+      }
+    '';
+  };
+
+  systemd.services.minio-init = {
+    description = "Create MinIO bucket";
+    after = ["minio.service"];
+    requires = ["minio.service"];
+    wantedBy = ["multi-user.target"];
+    path = [pkgs.getent pkgs.minio-client];
+
+    serviceConfig = {
+      Type = "oneshot";
+      after = ["minio.service"];
+      requires = ["minio.service"];
+
+      EnvironmentFile = config.age.secrets."minioCredentials.age".path;
+      ExecStart = pkgs.writeShellScript "init-minio" ''
+        mc alias set minio ${s3Domain} "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" --api s3v4
+        mc --config-dir "$CONFIG_DIR" mb --ignore-existing minio/lasuite-docs
+      '';
+    };
+  };
+}