author | Silas Schöffel <sils@sils.li> | 2025-01-21 15:04:25 +0100 |
---|---|---|
committer | Silas Schöffel <sils@sils.li> | 2025-01-21 16:05:26 +0100 |
commit | 03777c3d8c67b8b21155c1cdccb56f451cfee089 (patch) | |
tree | 27192665a618181e38c90a7b9a86983f32c2fabe | |
parent | feat(modules/mastodon): init on server3 (diff) | |
download | nixos-server-03777c3d8c67b8b21155c1cdccb56f451cfee089.zip |
feat(modules/matrix): init on server3
-rw-r--r-- | hosts/by-name/server3/configuration.nix | 5 | ||||
-rw-r--r-- | modules/by-name/co/constants/module.nix | 3 | ||||
-rw-r--r-- | modules/by-name/ma/matrix/module.nix | 167 | ||||
-rw-r--r-- | modules/by-name/ma/matrix/passwd.age | 15 | ||||
-rw-r--r-- | secrets.nix | 2 | ||||
-rw-r--r-- | system/secrets/default.nix | 6 | ||||
-rw-r--r-- | system/secrets/matrix-synapse/passwd.age | 14 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/matrix/default.nix | 133 |
9 files changed, 191 insertions, 155 deletions
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 470275b..13cd833 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -12,6 +12,11 @@
 enableTLD = false;
 tld = "vhack.eu";
 };
+ matrix = {
+ enable = true;
+ fqdn = "matrix.vhack.eu";
+ url = "vhack.eu";
+ };
 miniflux = {
 enable = true;
 domain = "miniflux.foss-syndicate.org";
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index de3ebac..fd00a34 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -29,6 +29,8 @@
 peertube = 992; # TODO Sort correctly
 mastodon = 996;
 redis-mastodon = 991;
+ matrix-synapse = 224;
+ mautrix-whatsapp = 225;
 # As per the NixOS file, the uids should not be greater or equal to 400;
 };
@@ -44,6 +46,7 @@
 peertube = 992;
 mastodon = 996;
 redis-mastodon = 991;
+ matrix-synapse = 224;
 # The gid should match the uid. Thus should not be >= 400;
 };
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
new file mode 100644
index 0000000..a73fd13
--- /dev/null
+++ b/modules/by-name/ma/matrix/module.nix
@@ -0,0 +1,167 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.matrix;
+ clientConfig."m.homeserver".base_url = "https://${cfg.fqdn}";
+ serverConfig."m.server" = "${cfg.fqdn}:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ options.vhack.matrix = {
+ enable = lib.mkEnableOption "matrix setup based on synapse";
+ fqdn = lib.mkOption {
+ type = lib.types.str;
+ description = "The FQDN on which matrix-synapse should be served.";
+ example = "matrix.vhack.eu";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ description = "The url the matrix-server should be known under.";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.matrix-synapse_registration_shared_secret = {
+ file = ./passwd.age;
+ mode = "700";
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/matrix";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mautrix-whatsapp";
+ user = "mautrix-whatsapp";
+ group = "matrix-synapse";
+ mode = "0750";
+ }
+ ];
+ systemd.tmpfiles.rules = [
+ "d /etc/matrix 0755 matrix-synapse matrix-synapse"
+ ];
+
+ vhack.postgresql.enable = true;
+ vhack.nginx.enable = true;
+
+ services = {
+ postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ --Matrix:
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+ --Whatsapp-bridge:
+ CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+ CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${cfg.url}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ };
+ "${cfg.fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".return = "404";
+ "/_matrix".proxyPass = "http://[::1]:8008";
+ "/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+ };
+
+ mautrix-whatsapp = {
+ # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
+ # Re-enable it, when this has changed. <2024-09-06>
+ enable = false;
+ settings = {
+ appservice = {
+ database = {
+ type = "postgres";
+ uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
+ };
+ whatsapp = {
+ # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
+ # This also determines the WhatsApp icon
+ browser_name = "unknown";
+ };
+ };
+ homeserver.address = "https://${cfg.fqdn}";
+ bridge.permissions = {
+ "@soispha:vhack.eu" = "admin";
+ "@sils:vhack.eu" = "admin";
+ "@nightingale:vhack.eu" = "admin";
+ };
+ };
+ };
+
+ matrix-synapse = {
+ enable = true;
+ dataDir = "/var/lib/matrix";
+ configFile = "/etc/matrix/matrix.conf";
+ settings = {
+ media_store_path = "/var/lib/matrix/media_store";
+ registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
+ server_name = cfg.url;
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["::1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ users = {
+ users = {
+ matrix-synapse.uid = config.vhack.constants.ids.uids.matrix-synapse;
+ mautrix-whatsapp = {
+ uid = config.vhack.constants.ids.uids.mautrix-whatsapp;
+ group = "matrix-synapse";
+ };
+ };
+ groups.matrix-synapse.gid = config.vhack.constants.ids.gids.matrix-synapse;
+ };
+ };
+}
diff --git a/modules/by-name/ma/matrix/passwd.age b/modules/by-name/ma/matrix/passwd.age
new file mode 100644
index 0000000..6386ed6
--- /dev/null
+++ b/modules/by-name/ma/matrix/passwd.age
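Review bot: `initialScript` creates the `matrix-synapse` and `mautrix-whatsapp` roles with the literal passwords 'synapse' and 'whatsapp', and `pkgs.writeText` places that SQL in the world-readable Nix store. The bridge connects over the unix socket (`host=/run/postgresql`) and no `database` block is set for Synapse here, so if peer authentication is what is actually in effect the passwords are dead weight and could be dropped (`CREATE ROLE "matrix-synapse" WITH LOGIN;`); if password authentication is in effect they should be read from a secret rather than the store — confirm against the pg_hba configuration either way. The age secret's `mode = "700"` also grants an execute bit that a file Synapse only reads does not need; `mode = "0400";` is the least-privilege choice and matches the `0700`/`0750` notation used for the persisted directories. Finally, `users.users.mautrix-whatsapp` sets only `uid` and `group`; with `services.mautrix-whatsapp.enable = false` the upstream module's own user definition presumably does not apply, so an explicit `isSystemUser = true;` may be needed to satisfy NixOS's per-user assertions — worth a build check.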
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF +bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC +aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q +Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk +ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5 +cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg +LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy +dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3 +RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv +OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A +sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK +4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria +-----END AGE ENCRYPTED FILE----- diff --git a/secrets.nix b/secrets.nix index 8efc4ba..1c34530 100644 --- a/secrets.nix +++ b/secrets.nix @@ -29,11 +29,11 @@ in { "./modules/by-name/pe/peertube/secrets/smtp.age".publicKeys = server3; "./modules/by-name/mi/miniflux/secrets/admin.age".publicKeys = server3; "./modules/by-name/ma/mastodon/mail.age".publicKeys = server3; + "./modules/by-name/ma/matrix/passwd.age".publicKeys = server3; "./system/secrets/backup/backuppass.age".publicKeys = server1; "./system/secrets/backup/backupssh.age".publicKeys = server1; "./system/secrets/invidious/hmac.age".publicKeys = server1; - "./system/secrets/matrix-synapse/passwd.age".publicKeys = server1; "./system/secrets/taskserver/ca.age".publicKeys = server1; "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1; } diff --git a/system/secrets/default.nix b/system/secrets/default.nix index a8071eb..ab89942 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix 
@@ -7,12 +7,6 @@ owner = "root"; group = "root"; }; - matrix-synapse_registration_shared_secret = { - file = ./matrix-synapse/passwd.age; - mode = "700"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; resticpass = { file = ./backup/backuppass.age; mode = "0700"; diff --git a/system/secrets/matrix-synapse/passwd.age b/system/secrets/matrix-synapse/passwd.age deleted file mode 100644 index bf8b576..0000000 --- a/system/secrets/matrix-synapse/passwd.age +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMmVseVg2dGVvWUFWTzd6 -UWtrZFJoQnViYllWb0dBdDA0NTZHaXg5S0c0CmdEYmJlTFFqck1OaHVQdVVtbEtT -a2RrV3N1ZysvUFhOWUE3TFFuVURuWGcKLT4gWDI1NTE5IEp2amhvcEtiYktjTWpD -bU1iWGpGWnJVNjhhY1o1d2hkZ3JzVFFJVVJIbncKanR0cDJ5RTJVK2tmRUJ1ZFZz -TWdERGk1L1dzTFF2VVlFTzN4UHFtWVMyUQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -d1E1aW5BcUsvUEJPZVRUSUtPOVArZGFzRTBwK1cvVTlrbG8vMGl5a0NDRQo2clg2 -U1JTb1ZOVmNnQTFOa1J2Z3dsNGRXMERST0NkYWw4cG16TnhRTjh3Ci0+IDp7Q2Mt -Z3JlYXNlIF8gPzZbIDYgby5QNUIKZE01WitsUWJSdmhPNFk5Yng2dktoaW8xbndM -L3luT2RmTEpBaTczbHlWTS81bytkNGQvckVTbjMvd3RWeWlleQo3RUpHCi0tLSB3 -Z0tZRmNxeThCMHlPOVVqSFZHaWQ0OGFpTEUrdENmVWwzVHEzNzZhdGhvCm8fAu6t -6CJU7gUglt6INcFhfkTI4TZPESnsEb+2XD3gPDaO9zKfxZgTudksfBZLrbDvr3xr -YM1Og84ogdIr6f2dUq3AOxrTZv1zKyy6rXOmusfOiBTr0D8hvx8J8K695xk= ------END AGE ENCRYPTED FILE----- diff --git a/system/services/default.nix b/system/services/default.nix index 967bad0..d78ee28 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -2,7 +2,6 @@ imports = [ ./invidious ./mail - ./matrix ./minecraft ./restic ./taskserver diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix deleted file mode 100644 index 043d9c0..0000000 --- a/system/services/matrix/default.nix +++ /dev/null 
@@ -1,133 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: let
- fqdn = "matrix.vhack.eu";
- clientConfig."m.homeserver".base_url = "https://${fqdn}";
- serverConfig."m.server" = "${fqdn}:443";
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in {
- networking.firewall.allowedTCPPorts = [80 443];
-
- vhack.persist.directories = [
- {
- directory = "/var/lib/matrix";
- user = "matrix-synapse";
- group = "matrix-synapse";
- mode = "0700";
- }
- {
- directory = "/var/lib/mautrix-whatsapp";
- user = "mautrix-whatsapp";
- group = "matrix-synapse";
- mode = "0750";
- }
- ];
- systemd.tmpfiles.rules = [
- "d /etc/matrix 0755 matrix-synapse matrix-synapse"
- ];
-
- services = {
- postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- --Matrix:
- CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
-
- --Whatsapp-bridge:
- CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
- CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
-
- nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- virtualHosts = {
- "vhack.eu" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- };
- };
- "matrix.vhack.eu" = {
- enableACME = true;
- forceSSL = true;
- locations = {
- "/".return = "404";
- "/_matrix".proxyPass = "http://[::1]:8008";
- "/_synapse/client".proxyPass = "http://[::1]:8008";
- };
- };
- };
- };
-
- mautrix-whatsapp = {
- # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
- # Re-enable it, when this has changed. <2024-09-06>
- enable = false;
- settings = {
- appservice = {
- database = {
- type = "postgres";
- uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
- };
- whatsapp = {
- # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
- # This also determines the WhatsApp icon
- browser_name = "unknown";
- };
- };
- homeserver.address = "https://matrix.vhack.eu";
- bridge.permissions = {
- "@soispha:vhack.eu" = "admin";
- "@sils:vhack.eu" = "admin";
- "@nightingale:vhack.eu" = "admin";
- };
- };
- };
-
- matrix-synapse = {
- enable = true;
- dataDir = "/var/lib/matrix";
- configFile = "/etc/matrix/matrix.conf";
- settings = {
- media_store_path = "/var/lib/matrix/media_store";
- registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
- server_name = "vhack.eu";
- listeners = [
- {
- port = 8008;
- bind_addresses = ["::1"];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
- }
- ];
- };
- };
- };
-} |