#
# System notifications
#
{ config, lib, pkgs, ... }:
let
fqdn = "matrix.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
"m.identity_server" = {};
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
environment.systemPackages = [
pkgs.mautrix-whatsapp
pkgs.signald
pkgs.mautrix-signal
];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/_matrix".proxyPass = "http://localhost:8008";
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/health".proxyPass = "http://localhost:8008";
locations."/_matrix".proxyPass = "http://localhost:8008";
locations."/_synapse/client".proxyPass = "http://localhost:8008";
locations."/".extraConfig = ''
return 404;
'';
};
# "element.${config.networking.domain}" = {
# enableACME = true;
# forceSSL = true;
#
# root = pkgs.element-web.override {
# conf = {
# default_server_config = clientConfig;
# };
# };
# };
};
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = config.networking.domain;
public_baseurl = "https://matrix.${config.networking.domain}";
listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" ]; compress = true; }
{ names = [ "federation" ]; compress = false; }
];
}
];
app_service_config_files = [
config.age.secrets."services/matrix/whatsapp-registration.yml".path
config.age.secrets."services/matrix/telegram-registration.yml".path
config.age.secrets."services/matrix/signal-registration.yml".path
];
};
extraConfigFiles = [
config.age.secrets."services/matrix/synapse.yml".path
];
};
systemd.services = {
matrix-synapse = {
requires = [ "postgresql.service" ];
};
mautrix-whatsapp = {
description = "Matrix <-> WhatsApp bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
requires = [ "postgresql.service" "matrix-synapse.service" ];
script = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -n --config ${config.age.secrets."services/matrix/mautrix-whatsapp.yml".path}";
serviceConfig = {
User = "mautrix-whatsapp";
Group = "mautrix-whatsapp";
Environment = "HOME=/var/lib/mautrix-whatsapp";
ReadWritePaths="/var/log/mautrix-whatsapp";
NoNewPrivileges=true;
MemoryDenyWriteExecute=true;
PrivateDevices=true;
PrivateTmp=true;
ProtectHome=true;
ProtectSystem="strict";
ProtectControlGroups=true;
RestrictSUIDSGID=true;
RestrictRealtime=true;
LockPersonality=true;
ProtectKernelLogs=true;
ProtectKernelTunables=true;
ProtectHostname=true;
ProtectKernelModules=true;
PrivateUsers=true;
ProtectClock=true;
SystemCallArchitectures="native";
SystemCallErrorNumber="EPERM";
SystemCallFilter="@system-service";
};
};
mautrix-signal = {
description = "Matrix <-> Signal bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" "matrix-synapse.service" "signald.service" ];
requires = [ "postgresql.service" "matrix-synapse.service" "signald.service"];
script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
serviceConfig = {
User = "mautrix-signal";
Group = "mautrix-signal";
Environment = "HOME=/var/lib/mautrix-signal";
ReadWritePaths= [
"/var/run/signald/signald.sock"
"/var/log/mautrix-signal"
];
NoNewPrivileges=true;
MemoryDenyWriteExecute=true;
PrivateDevices=true;
PrivateTmp=true;
ProtectHome=true;
ProtectSystem="strict";
ProtectControlGroups=true;
RestrictSUIDSGID=true;
RestrictRealtime=true;
LockPersonality=true;
ProtectKernelLogs=true;
ProtectKernelTunables=true;
ProtectHostname=true;
ProtectKernelModules=true;
PrivateUsers=true;
ProtectClock=true;
SystemCallArchitectures="native";
SystemCallErrorNumber="EPERM";
SystemCallFilter="@system-service";
};
};
};
systemd.tmpfiles.rules = [
"d /var/log/mautrix-whatsapp - mautrix-whatsapp mautrix-whatsapp"
"d /var/log/mautrix-signal - mautrix-signal mautrix-signal"
];
users = {
users = {
mautrix-whatsapp = {
uid = 3001;
group = "mautrix-whatsapp";
isSystemUser = true;
};
mautrix-telegram = {
uid = 3002;
group = "mautrix-telegram";
isSystemUser = true;
};
mautrix-signal = {
uid = 3003;
group = "mautrix-signal";
isSystemUser = true;
};
};
groups = {
mautrix-whatsapp = {
gid = 3001;
};
mautrix-telegram = {
gid = 3002;
};
mautrix-signal = {
gid = 3003;
};
};
};
services = {
mautrix-telegram = {
enable = true;
environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
port = "29317";
provisioning.enabled = false;
id = "telegram";
public = {
enabled = false;
};
};
bridge = {
sync_channel_members = true;
startup_sync = true;
public_portals = true;
double_puppet_server_map = {
"kabtop.de" = "https://kabtop.de";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
};
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
};
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
loggers = {
mau = {
level = "WARN";
};
telethon = {
level = "WARN";
};
};
root = {
handlers = [
"console"
];
level = "WARN";
};
};
};
};
signald = {
enable = true;
user = "mautrix-signal";
group = "mautrix-signal";
};
};
age.secrets."services/matrix/synapse.yml" = {
file = ../../../secrets/services/matrix/synapse.age;
owner = "matrix-synapse";
};
age.secrets."services/matrix/mautrix-telegram.env" = {
file = ../../../secrets/services/matrix/mautrix-telegram.age;
owner = "mautrix-telegram";
};
age.secrets."services/matrix/mautrix-whatsapp.yml" = {
file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
owner = "mautrix-whatsapp";
};
age.secrets."services/matrix/mautrix-signal.yml" = {
file = ../../../secrets/services/matrix/mautrix-signal.age;
owner = "mautrix-signal";
};
age.secrets."services/matrix/telegram-registration.yml" = {
file = ../../../secrets/services/matrix/telegram-registration.age;
owner = "matrix-synapse";
};
age.secrets."services/matrix/whatsapp-registration.yml" = {
file = ../../../secrets/services/matrix/whatsapp-registration.age;
owner = "matrix-synapse";
};
age.secrets."services/matrix/signal-registration.yml" = {
file = ../../../secrets/services/matrix/signal-registration.age;
owner = "matrix-synapse";
};
}