{ pkgs, ... }:

let
  # Primary domain served by this host; reused as the Matrix server name.
  domain = "clarun.xyz";

  # Secret readable by root only.  Root ownership is correct for DynamicUser
  # services, which receive the file through systemd LoadCredential.
  rootOnly = { mode = "0400"; };

  # Secret readable by root and by members of the devs group.  Anyone in that
  # group can read the token, so group membership is the access boundary here.
  devsReadable = {
    owner = "root";
    group = "devs";
    mode = "0440";
  };
in
{
  # ops-jrz1 production VPS configuration
  # Imports extracted Matrix modules from ops-base

  # Disable built-in NixOS maubot module to use our sops-nix enhanced version
  disabledModules = [ "services/matrix/maubot.nix" ];

  imports = [
    # Hardware configuration
    ../hardware-configuration.nix

    # Matrix platform modules
    ../modules/matrix-continuwuity.nix
    ../modules/mautrix-slack.nix
    ../modules/maubot.nix
    ../modules/musiclink.nix
    ../modules/dev-services.nix
    ../modules/security/fail2ban.nix
    ../modules/security/ssh-hardening.nix
    ../modules/matrix-secrets
    ../modules/backup.nix
    ../modules/backup-b2.nix
  ];

  # System configuration
  networking = {
    hostName = "jrz1";
  };

  # sops-nix secrets management
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    # Decryption key is derived from the host's own SSH host key.
    # NOTE(review): rotating that key presumably requires re-encrypting
    # secrets.yaml for the new age recipient — confirm before rotating.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      # Used by dev-services.nix matrix-continuwuity via systemd LoadCredential
      matrix-registration-token = rootOnly;

      # Maubot management interface admin password
      maubot-admin-password = rootOnly;

      # Maubot session secret key
      maubot-secret-key = rootOnly;

      # Slack dev tokens - shared with devs group for learner bot development
      slack-bot-token = devsReadable;
      slack-app-token = devsReadable;

      # Forgejo API token for dev user provisioning (root only)
      forgejo-api-token = rootOnly;

      # Matrix token for MusicLink bot
      musiclink-matrix-token = rootOnly;
    };
  };

  # Matrix homeserver configuration
  # NOTE: Disabled in favor of dev-platform.matrix which provides integrated
  # bridge coordination and systemd credential-based secrets management
  # services.matrix-homeserver = {
  #   enable = true;
  #   domain = "clarun.xyz";
  #   port = 8008;
  #   enableRegistration = true;
  #   enableFederation = false;
  # };

  services = {
    # Development platform services (Matrix, Forgejo, bridges)
    dev-platform = {
      enable = true;
      inherit domain;

      matrix = {
        enable = true;
        serverName = domain;
        port = 8008;
      };

      forgejo = {
        enable = true;
        subdomain = "git";
        port = 3000;
      };

      slackBridge = {
        enable = true;
        workspace = "chochacho";
        port = 29319;
      };

      # The maubot module is imported (see disabledModules above) but the
      # service itself stays off on this host; port and plugin list are kept
      # so re-enabling is a one-line change.
      maubot = {
        enable = false;
        port = 29316;
        plugins = [ ../modules/plugins/sna-instagram-bot.mbp ];
      };

      musiclink = {
        enable = true;
        matrix = {
          # Loopback URL: the bot reaches the homeserver on this host only
          server = "http://127.0.0.1:8008";
          userId = "@musiclink:clarun.xyz";
          rooms = [
            "!whU7Geg7JPrBL5wHcW:clarun.xyz"
            "!dT40EUcemb8e6bPiig:clarun.xyz"
            "!DPQveBnfuDrbgOe6dm:clarun.xyz"
          ];
          shadow = false;
          # Health endpoint bound to loopback rather than an external interface
          healthAddr = "127.0.0.1:8080";
          # NOTE(review): relative path — resolved against whatever working
          # directory the musiclink module sets; confirm it lands on persistent storage
          stateStorePath = "data/matrix-state.db";
        };
      };
    };

    # Local backup service (Phase 1: manual trigger)
    backup.enable = true;

    # B2 offsite backup (daily automated via restic)
    backup-b2.enable = true;
  };

  # Security hardening - DISABLED pending fixes
  # The two modules are still imported above; until these options are turned
  # back on, whatever they configure (presumably fail2ban jails and sshd
  # hardening, going by the file names) is not applied to this host.
  # security.fail2ban-enhanced.enable = true;
  # security.ssh-hardening.enable = true;

  programs = {
    # SSH known hosts for git.clarun.xyz (prevents interactive prompt for devs/agents)
    # Pinning the key also means a changed host key is detected instead of
    # silently accepted; update this entry if the git host key is rotated.
    ssh.knownHosts = {
      "git.clarun.xyz" = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINs/geVYoQh1ldL2TgyAJy+ErCxaJt91ocgpFRvHDUXl";
      };
    };

    # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
    nix-ld = {
      enable = true;
      libraries = with pkgs; [
        stdenv.cc.cc.lib
        zlib
        openssl
      ];
    };
  };

  system.stateVersion = "24.05";
}