Diffstat (limited to '')
-rw-r--r--system/file_system_layouts/default.nix4
-rw-r--r--system/services/default.nix5
-rw-r--r--system/services/matrix/conduit/default.nix125
-rw-r--r--system/services/matrix/default.nix5
4 files changed, 137 insertions, 2 deletions
diff --git a/system/file_system_layouts/default.nix b/system/file_system_layouts/default.nix
index 31b0b0b..ed18892 100644
--- a/system/file_system_layouts/default.nix
+++ b/system/file_system_layouts/default.nix
@@ -44,6 +44,10 @@ in {
device = "/srv/acme";
options = ["bind"];
};
+ "/var/lib/matrix-conduit" = {
+ device = "/srv/matrix-conduit";
+ options = ["bind"];
+ };
};
};
}
diff --git a/system/services/default.nix b/system/services/default.nix
index d80bdab..761902c 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,12 +1,13 @@
{config, ...}: {
imports = [
./acme
- # ./firewall
+ ./fail2ban
+ #./firewall
+ ./matrix
#./minecraft
./nginx
./nix
./opensshd
./rust-motd
- ./fail2ban
];
}
diff --git a/system/services/matrix/conduit/default.nix b/system/services/matrix/conduit/default.nix
new file mode 100644
index 0000000..e583ca4
--- /dev/null
+++ b/system/services/matrix/conduit/default.nix
@@ -0,0 +1,125 @@
+# vim: ts=2
+{
+ config,
+ pkgs,
+ flake-inputs,
+ ...
+}: let
+ server_name = "vhack.eu";
+
+ matrix_hostname = "matrix.${server_name}";
+
+ well_known_server = pkgs.writeText "well-known-matrix-server" ''
+ {
+ "m.server": "${matrix_hostname}"
+ }
+ '';
+
+ well_known_client = pkgs.writeText "well-known-matrix-client" ''
+ {
+ "m.homeserver": {
+ "base_url": "https://${matrix_hostname}"
+ }
+ }
+ '';
+in {
+ services.matrix-conduit = {
+ enable = true;
+
+ settings.global = {
+ inherit server_name;
+ database_backend = "rocksdb";
+ trusted_servers = ["matrix.org" "sils.li" "asra.gr"];
+ allow_registration = false;
+ };
+ };
+
+ # Configure NGINX as a reverse proxy
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "${matrix_hostname}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ {
+ addr = "::0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "::0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+
+ locations."/_matrix/" = {
+ proxyPass = "http://backend_conduit$request_uri";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ '';
+ };
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+
+ "${server_name}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."=/.well-known/matrix/server" = {
+ # Use the contents of the derivation built previously
+ alias = "${well_known_server}";
+
+ extraConfig = ''
+ # Set the header since by default NGINX thinks it's just bytes
+ default_type application/json;
+ '';
+ };
+
+ locations."=/.well-known/matrix/client" = {
+ # Use the contents of the derivation built previously
+ alias = "${well_known_client}";
+
+ extraConfig = ''
+ # Set the header since by default NGINX thinks it's just bytes
+ default_type application/json;
+
+ # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+ };
+ };
+
+ upstreams = {
+ "backend_conduit" = {
+ servers = {
+ "localhost:${toString config.services.matrix-conduit.settings.global.port}" = {};
+ };
+ };
+ };
+ };
+
+ # Open firewall ports for HTTP, HTTPS, and Matrix federation
+ networking.firewall.allowedTCPPorts = [80 443 8448];
+ networking.firewall.allowedUDPPorts = [80 443 8448];
+}
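Review bot: The firewall rule near the end of the file opens UDP 80, 443 and 8448 as well as TCP, but nothing in this module listens on UDP — every `listen` entry is a plain TCP/TLS listener and no HTTP/3 or QUIC option is configured — so the UDP line only widens the exposed surface and the line `networking.firewall.allowedUDPPorts = [80 443 8448];` should be dropped, with the comment above it reading `# Open firewall ports for HTTP (ACME / redirect), HTTPS, and Matrix federation (TCP only)`. Separately, the explicit `listen` list for `matrix_hostname` contains only 443 and 8448, so that vhost has no port-80 listener despite `forceSSL`/`enableACME`; presumably the HTTP-01 challenge and the HTTPS redirect for `matrix.vhack.eu` end up on whichever vhost is nginx's default server for port 80, which works only as long as that default also serves the shared ACME webroot — worth confirming, or adding `{ addr = "0.0.0.0"; port = 80; }` and the `::0` counterpart to the list. A short comment on `trusted_servers` would also help a later maintainer, e.g. `# Notary servers trusted to vouch for other homeservers' signing keys; keep this list short.`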
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
new file mode 100644
index 0000000..7f2a357
--- /dev/null
+++ b/system/services/matrix/default.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+ imports = [
+ ./conduit
+ ];
+}