From 78a47101acaa5d308464c3fac391dd1c59f9aa5b Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Tue, 17 Oct 2023 10:39:14 +0200
Subject: [PATCH] matrix: init
---
 flake.lock | 30 +++---
 hosts/falkenstein-1/modules/nginx/default.nix | 23 +++++
 hosts/nuc/default.nix | 3 +-
 hosts/nuc/modules/matrix/default.nix | 97 +++++++++++++++++++
 hosts/nuc/modules/networks/default.nix | 12 +--
 secrets/nuc.yaml | 10 +-
 users/rouven/modules/packages.nix | 3 +
 7 files changed, 153 insertions(+), 25 deletions(-)
 create mode 100644 hosts/nuc/modules/matrix/default.nix
diff --git a/flake.lock b/flake.lock
index 74675bd..044d333 100644
--- a/flake.lock
+++ b/flake.lock
@@ -171,11 +171,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696940889,
- "narHash": "sha256-p2Wic74A1tZpFcld1wSEbFQQbrZ/tPDuLieCnspamQo=",
+ "lastModified": 1697410455,
+ "narHash": "sha256-jCs/ffIP3tUPN7HWWuae4BB8+haAw2NI02z5BQvWMGM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "6bba64781e4b7c1f91a733583defbd3e46b49408",
+ "rev": "78125bc681d12364cb65524eaa887354134053d0",
 "type": "github"
 },
 "original": {
@@ -206,11 +206,11 @@
 },
 "impermanence": {
 "locked": {
- "lastModified": 1694622745,
- "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
+ "lastModified": 1697303681,
+ "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
 "owner": "nix-community",
 "repo": "impermanence",
- "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
+ "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
 "type": "github"
 },
 "original": {
@@ -272,11 +272,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696736548,
- "narHash": "sha256-Dg0gJ9xVXud55sAbXspMapFYZOpVAldQQo7MFp91Vb0=",
+ "lastModified": 1697340827,
+ "narHash": "sha256-XlrR68N7jyaZ0bs8TPrhqcWG0IPG3pbjrKzJMpYOsos=",
 "owner": "nix-community",
 "repo": "nix-index-database",
- "rev": "2902dc66f64f733bfb45754e984e958e9fe7faf9",
+ "rev": "29977d0796c058bbcfb2df5b18eb5badf1711007",
 "type": "github"
 },
 "original": {
@@ -347,11 +347,11 @@
 },
 "nixpkgs-stable_2": {
 "locked": {
- "lastModified": 1696717752,
- "narHash": "sha256-qEq1styCyQHSrw7AOhskH2qwCFx93bOwsGEzUIrZC0g=",
+ "lastModified": 1697332183,
+ "narHash": "sha256-ACYvYsgLETfEI2xM1jjp8ZLVNGGC0onoCGe+69VJGGE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2f3b6b3fcd9fa0a4e6b544180c058a70890a7cc1",
+ "rev": "0e1cff585c1a85aeab059d3109f66134a8f76935",
 "type": "github"
 },
 "original": {
@@ -481,11 +481,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1697064251,
- "narHash": "sha256-xxp2sB+4vqB6S6zC/L5J8LlRKgVbgIZOcYl9/TDrEzI=",
+ "lastModified": 1697339241,
+ "narHash": "sha256-ITsFtEtRbCBeEH9XrES1dxZBkE1fyNNUfIyQjQ2AYQs=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "f995ea159252a53b25fa99824f2891e3b479d511",
+ "rev": "51186b8012068c417dac7c31fb12861726577898",
 "type": "github"
 },
 "original": {
diff --git a/hosts/falkenstein-1/modules/nginx/default.nix b/hosts/falkenstein-1/modules/nginx/default.nix
index 1b972ab..59b5042 100644
--- a/hosts/falkenstein-1/modules/nginx/default.nix
+++ b/hosts/falkenstein-1/modules/nginx/default.nix
@@ -1,4 +1,25 @@
 { config, ... }:
+# matrix homeserver discovery
+let
+ matrix_domain = "matrix.${config.networking.domain}";
+ serverConfig = {
+ "m.server" = "${matrix_domain}:443";
+ };
+ clientConfig = {
+ "m.homeserver" = {
+ base_url = "https://${matrix_domain}";
+ # server_name = config.networking.domain;
+ };
+ "org.matrix.msc3575.proxy" = {
+ url = "https://${matrix_domain}";
+ };
+ };
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in
 {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.nginx = {
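Review bot: The `m.server` and `org.matrix.msc3575.proxy` values in the new `let` block hard-wire `matrix.<domain>:443` as both the federation delegation target and the sliding-sync proxy, but nothing in this file records that the host terminating that name (the nuc vhost added in the same commit) must present a certificate covering exactly that name and must forward the msc3575 sync path to sliding-sync, so the cross-host coupling is invisible to whoever edits either file next. Suggest a comment above `serverConfig`, e.g. `# matrix.<domain> is served by the nuc nginx vhost; m.server delegation needs its cert to cover that name, and the msc3575 proxy URL needs that vhost to route the sync path to sliding-sync`. The commented-out `# server_name = config.networking.domain;` under `m.homeserver` should either be removed or get a one-line reason; it appears to come from a client config schema rather than the well-known response and reads as a leftover. The `mkWellKnown` helper would also benefit from a short comment stating that it emits a static JSON body with the CORS header the client-discovery endpoint requires.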
@@ -12,6 +33,8 @@
 enableACME = true;
 forceSSL = true;
 root = "/srv/web/${config.networking.domain}";
+ locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
 };
 };
 security.acme = {
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index f45f17a..7c8c332 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -5,10 +5,11 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ./modules/adguard
+ # ./modules/adguard
 ./modules/networks
 ./modules/backup
 ./modules/hydra
+ ./modules/matrix
 ./modules/nextcloud
 ./modules/seafile
 ./modules/uptime-kuma
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
new file mode 100644
index 0000000..0aaa6ce
--- /dev/null
+++ b/hosts/nuc/modules/matrix/default.nix
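Review bot: Commenting out `./modules/adguard` in hosts/nuc/default.nix disables that module as an undocumented side effect of a commit titled `matrix: init`; neither the message nor the diff says why, and the line is left as dead code rather than removed. Either delete the import (git history keeps it) or keep the comment and state the reason inline, e.g. `# ./modules/adguard  # disabled: <reason>`, so the next reader knows whether it is safe to re-enable. If the disabling is unrelated to matrix, it belongs in its own commit.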
@@ -0,0 +1,97 @@
+{ config, pkgs, ... }:
+let
+ domain = "matrix.${config.networking.domain}";
+in
+{
+
+ sops.secrets = {
+ "matrix/shared_secret" = {
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
+ "matrix/sync/environment" = {
+ # owner = "matrix-sliding-sync";
+ };
+ };
+
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "matrix-synapse";
+ }];
+ };
+
+
+ matrix-synapse = {
+ enable = true;
+ configureRedisLocally = true;
+ extraConfigFiles = [ config.sops.secrets."matrix/shared_secret".path ];
+
+ settings = {
+ server_name = config.networking.domain;
+
+ listeners = [{
+ port = 8008;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [{
+ names = [ "client" "federation" ];
+ compress = false;
+ }];
+ }];
+ };
+ sliding-sync = {
+ enable = true;
+ settings = {
+ SYNCV3_SERVER = "https://${domain}";
+ };
+ environmentFile = config.sops.secrets."matrix/sync/environment".path;
+ };
+ };
+
+
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts = {
+ # synapse
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+
+ # locations."/".extraConfig = "return 404;";
+
+ # # proxy to synapse
+ # locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/".proxyPass = "http://[::1]:8008";
+ locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://localhost:8009";
+ # locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+ };
+
+ systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
+
+ systemd.services.matrix-synapse-pgsetup = {
+ description = "Prepare Synapse postgres database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "networking.target" "postgresql.service" ];
+ serviceConfig.Type = "oneshot";
+
+ path = [ pkgs.sudo config.services.postgresql.package ];
+
+ # create database for synapse.
will silently fail if it already exists + script = '' + sudo -u ${config.services.postgresql.superUser} psql <