From 92acadbfd0a588883b20041689abe628bafc3c46 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Tue, 27 Dec 2022 20:15:39 +0100
Subject: [PATCH] services: finish matrix prototype
---
 modules/services/server/matrix.nix | 65 ++++++++++++++++++++++++++--
 secrets/services/matrix/synapse.age | Bin 1922 -> 2081 bytes
 2 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/modules/services/server/matrix.nix b/modules/services/server/matrix.nix
index 6b4b46d..1e756e8 100644
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@@ -4,17 +4,76 @@ { config, lib, pkgs, ... }: -{ +let + fqdn = "matrix.${config.networking.domain}"; + clientConfig = { + "m.homeserver".base_url = "https://${fqdn}"; + "m.identity_server" = {}; + }; + serverConfig."m.server" = "${config.services.matrix-synapse.settings.server_name}:443"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; +in { + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "${config.networking.domain}" = { + enableACME = true; + forceSSL = true; + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; + }; + "${fqdn}" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + return 404; + ''; + locations."/_matrix".proxyPass = "http://[::1]:8008"; + locations."/_synapse/client".proxyPass = "http://[::1]:8008"; + }; + }; + }; + services.matrix-synapse = { enable = true; settings = { - server_name = "kabtop.de"; - public_baseurl = "https://kabtop.de:8448"; + server_name = config.networking.domain; + listeners = [ + { port = 8008; + bind_addresses = [ "::1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" "federation" ]; + compress = true; + } ]; + } + ]; database.args.user = "synapse"; database.args.database = "synapsedb"; extraConfigFiles = [ config.age.secrets."services/matrix/synapse.yml".path ]; }; + }; + security.acme.certs.${config.services.matrix-synapse.server_name} = { + /* insert here the right configuration to obtain a certificate */ + postRun = "systemctl restart synapse.service"; + group = "synapse"; + }; + + age.secrets."services/matrix/synapse.yml" = { + file = ../../../secrets/services/matrix/synapse.age; + 
owner = "synapse"; + }; } 
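Review bot: The `security.acme.certs.${config.services.matrix-synapse.server_name}` block near the end of the hunk gives group `synapse` read access to the certificate and its private key, although the only listener is plain HTTP on `::1` (`tls = false`) and nginx terminates TLS, so Synapse has no visible need for the key. Because the nginx virtual host for `config.networking.domain` already sets `enableACME = true`, this block presumably merges into that same certificate, and overriding its `group` may leave nginx unable to read the key; I would drop the block together with its placeholder comment. If it has to stay, the attribute path should match the one used in `serverConfig`, i.e. `security.acme.certs.${config.services.matrix-synapse.settings.server_name}`, and `postRun` should name the unit the module actually creates (the stock NixOS module uses `matrix-synapse.service`, not `synapse.service`). The same naming question applies to `owner = "synapse";` on the age secret: unless a `synapse` user is defined elsewhere, the stock service account is `matrix-synapse`, and a wrong owner either fails to apply or leaves the secret unreadable by the service.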
diff --git a/secrets/services/matrix/synapse.age b/secrets/services/matrix/synapse.age index e27dc49378ca7c34a25a89196e34c9d92735bb1f..1895380ae41edf7e3ce664d7645cf0a132cddcca 100644 GIT binary patch literal 2081 zcmX|=iFXqP0*6)ZL0~}&REiW-wh%(@iw7<_CdVX`dy+}8g=CV5JyoQNRjri&!Y|p9iF&AV=-7kr_$%ONNp&a(CPSMCZSJz85Kh*kpJ0e zCRFarQKpOw&?(>$!GUQ?04Hz}sn@$OIDf*$7;`OQd|MWO$cI*Aebqp zNP8$SX($w(p%jodgiRKgPashQa>bb6q>6&xVkjk&1+;!Q3elN#QDfDLSy*M`i6n-( z5)d3!XNoKt_i~Ki00dCf9!11{4S~{n%InL6ewRUHS46plsepw9)?|W5tt{(j&01|V zZ2{F*y`7LcP&sC!=zIYv@&!nyw&8N4)E0@$?8QPr;PeP6ze9moc^DR}V1p&VIncO~ zRX}zKbw_cR5n)JmQX~!efLPm8n%unjxG4Z!&BT zYZV5m+D(bWMOF<#un!WjNW^Fd%t=TbU<3wI$vNb4%Ff~s6T8gkaC@$eLtECzk)B+5blZ)j_tv^m>Fy4)(j0%{Nnlp0NF5%;#hhlw> zv_lh0o8%lLGr5g|FeY)aBFsQ}3 zNbas`Mza*7Gs2Y8m-fgYfcNE8ah1at4ykM!vliiKHKZ>< zE{~nWV{j6WCzEMgj+Mdrz^^;bka=N7s!*2Wv|FVplxulBlhBG|nxI>)@$o1o<@JT6 zL5c-rgqnmYIN-BcAOt7lbP_OGxVR&pK!c2x2xPM0w6Jrsz!K8tb))=5H zqHJ6o^6NPpg^DwLT1ohAMm>*Ue2|9?xWVN%NZ?RP8v}psnktM4aXK1eqUGrdAmRjF z4kQ>Wq)>^>7e%zRO$14FR!mCj^AvB=n_)j0AVnFkn>VwjphWI5M~ZnR3sb0B;t2u< zP{g5mn%8*>AwETCU8;N_UQ0ukw&ec;qhkKU% zusGk(H1MAlZ|!-t`}zAdOiOR5t@hGA@V(QgX4U#+r#ktuo&86x95a31TFrNB+wbA` zHzqGG$~OZ>`0CXQ$GFALH>cF>8ar>4Uex2^Bj)!{yGmOo4mJ$g{PsVNE`>kal-|2z z2~al@ANYlBK6Y%!=Z#O?=r^*8A7AX;4liT3t`3fFI`XQx?4)ec#AoA|7v%SdPun<4 z$#d=QKMfkN?Ox7vtD>oIeO>A4{@YFCKUDqB!Jcj%g$%x{xHajIp+mD*EdA*4BQe|i z!Q}_Q!!0H02|v4@RsZxu=&)tzfa)>%e%ChaZ?>mL^s4{7jlD&$=U*H>f^F?Ns5pJb zxfPwOD)#p|`gc3OCA?BS30uNVp4+nTo@`a7WuvemUufAg`TQFfe|!3knJ?r9%otOs z%=ao=cXD(0OS(a2!n#9=b3Nd8SH=E@;8)MxWluLQU%aUnxjY)~e6oD_-aNQhw?lgH zN^N|2=aOC3^=0EOocXk}tQt%r6m5oE$El@%4jCy}BzOxp#bW z^O!+){7jc&%jJumki^YgypwN+bzWt(m+x&sX_TPJPu!*dSbUl4xwc{FClpcWRb>Iked{pRC3|v-0*YkLa#8?Z4V6xUw1CU6L(3 zVm~zYAU&a@vhMNC4NI@DKeAxz`MWBA{VI_++hrZL=DWut#{aLziGgpw8Zcqlw=az7 z+~+Hq`))^b``a&_^ZhMz_rgqZ>mH)Dt;#NepC9moJO6Ta4lC%>IPh`m_1o9ZG#)y4 mV9ll<>x$dtOIEgl@1%BZ=zOJX+|1@de>I)Vt2^K^BmWI(m_`f$ literal 1922 zcmX|=i*wV40mgZB3=9pBrVO@FvhJV-&G;!NfE&Ht_80u_`+eURit$Q5 
z%N3+tDIsL13Wb=eqERS+*HA3Rm3%}Cf*PbD%bP`xYRDARXjUJzRg$iXE+rcz)TGkL zHr`GSOQ#Yj4}fKx z)2Q`%qX|d^IoJ{P2h(X|4rARem{-6|HcE>oOd@o6$i^aGgbYV)R4Tv#MU6jb^r;AQ z)}cuz%O(*glWJQGK(u9tEI}L$Q3*j&z)c*MkctVe>^C_zjMphpDIp`{6|Ds}=O8uX zk}FQZVr3H*95cuzuz)+X2vpUi=z`5JDx4Lk!4a1uX``&k=Xqby0+rPm84k%B3*>Tm zd})@H+&mUB!jzu2XS`I-ZFCpJpg;t?C~Q%HF>Ba_avlH^)j`-U7+a$x`!oeT<_=xD%{x8`A|6_8NIO({Zg#K;P!fZ+9%0%AyOVdI#DK~`GU zxgCNQw&yEa15C%vYC|HKmJ^j!UXV(*oY!0x_yikMMB_f(Ot3CvRIA64Bnf9BpPIJw z0?x}moG09vTNTk533H12amTqtMVZrrP(!TXF@V(uv=j#eP}FU(=Y3Vq$mKXKMHm2| zB@{4)le&PFu~Z2sV`Sn*LgDq|E~((xK}8w>Vu>PEYs>3A&oF#WE1)`7?f~BzNRwXQu!L7(R{Ti3Q zYD%doHIc*8Bq7luJ-`BLJc%NK5=q+xBUG@d)aD;^iA||ONEs{ep(3x)73nOJ_E1(X z;dFqel9?0~N~N;F?Z>QzYCaSVh5|%7n3tGznn*ZsE}{02CRTc0g1!{s=r~C#hFyKS ztY`fo43xLtUAO$*Kiv7v_{aZx`OUii8I6NmJd5RbJ#X!uIlgH{X8PeHM`wMt;o4B! zp0g)f|2DU!25&pMzC(IYJ9yIOYZEt&z283O$-pD^qnOFia^`aP!U@TjKCQ8@4vXeh z2a0FW2gz6O&)XvRoSNO;ySl5|c>LuN3;xceK%Jg)&Br4?!I7q_|8xa?*B$!a%|J<--9;e;_EkSh}LIQwhmw2TsNd{n&X}# z@=4ndQxAUe((TDB&iD@W?O%DTzjN`n7FXN(zOLC1m8a&{|J3*=R4aWP-8y949{u}E z4sDs^-`P{FUph_r$CMqenwoVhd*^)l-ndt;-|Ad%*nMeEarcn<+sAb62%Y=P=DW>} z8*uR4L+IZdq3#)XGmXQWSKP^yts_rLBZSZlQTfY7_v?N>9cs_NIk2$o!Qp$G_webzt?<BNM)o%h#$@Zwp{R_&|3`T33NlJ>e~ynplT&Y!focMb%eJvu(> z*ZXDi%V%)UzWxwVi@mn;*$XWL5X-NI{iXGzn$}FuhFx19)_yxv{r$Q}7aw(vUvlN6 zy3E@P{P&mMxa~WBPdoOD6=UR8E!-O;CUwNEOHK}H930!&K55LWGq>Td-2MQ)dUx*X z>6H27wF}=vzESRqk6KO>hc@_TO@4G`^V;0}eQS50+3RXrv};QH#Pc6(UJ+I5vJ9f~FA&tg!v*Li*G01ZvxX-59IQQz*jn{fl@N)mb oNg}cHV&hC^T<_EN-p4zi9xNO%oql7@-fug55b)aGe=Z;MA4rV*3IG5A