services: finish matrix prototype

2022-12-27 20:15:39 +01:00 · 2022-12-27 20:15:39 +01:00 · 92acadbfd0
commit 92acadbfd0
parent ae034a0581
2 changed files with 62 additions and 3 deletions
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@ -4,17 +4,76 @@

 { config, lib, pkgs, ... }:

-{
+let
+  fqdn = "matrix.${config.networking.domain}";
+  clientConfig = {
+    "m.homeserver".base_url = "https://${fqdn}";
+    "m.identity_server" = {};
+  };
+  serverConfig."m.server" = "${config.services.matrix-synapse.settings.server_name}:443";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "${config.networking.domain}" = { 
+        enableACME = true;
+        forceSSL = true;
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; 
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; 
+      };
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".extraConfig = '' 
+          return 404;
+        '';
+        locations."/_matrix".proxyPass = "http://[::1]:8008"; 
+        locations."/_synapse/client".proxyPass = "http://[::1]:8008"; 
+      };
+    };
+  };
+
  services.matrix-synapse = {
    enable = true;
    settings = {
-        server_name = "kabtop.de";
-        public_baseurl = "https://kabtop.de:8448";
+        server_name = config.networking.domain;
+        listeners = [
+          { port = 8008;
+            bind_addresses = [ "::1" ];
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+            resources = [ {
+              names = [ "client" "federation" ];
+              compress = true;
+            } ];
+          }
+        ];
        database.args.user = "synapse";
        database.args.database = "synapsedb";
        extraConfigFiles = [
            config.age.secrets."services/matrix/synapse.yml".path
        ];
    };
+  };

+  security.acme.certs.${config.services.matrix-synapse.server_name} = {
+    /* insert here the right configuration to obtain a certificate */
+    postRun = "systemctl restart synapse.service";
+    group = "synapse";
+  };
+
+  age.secrets."services/matrix/synapse.yml" = {
+     file = ../../../secrets/services/matrix/synapse.age;
+     owner = "synapse";
+  };
 }
--- a/secrets/services/matrix/synapse.age
+++ b/secrets/services/matrix/synapse.age