From 03777c3d8c67b8b21155c1cdccb56f451cfee089 Mon Sep 17 00:00:00 2001 From: Silas Schöffel Date: Tue, 21 Jan 2025 15:04:25 +0100 Subject: feat(modules/matrix): init on server3 --- modules/by-name/co/constants/module.nix | 3 + modules/by-name/ma/matrix/module.nix | 167 ++++++++++++++++++++++++++++++++ modules/by-name/ma/matrix/passwd.age | 15 +++ 3 files changed, 185 insertions(+) create mode 100644 modules/by-name/ma/matrix/module.nix create mode 100644 modules/by-name/ma/matrix/passwd.age (limited to 'modules/by-name') diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix index de3ebac..fd00a34 100644 --- a/modules/by-name/co/constants/module.nix +++ b/modules/by-name/co/constants/module.nix @@ -29,6 +29,8 @@ peertube = 992; # TODO Sort correctly mastodon = 996; redis-mastodon = 991; + matrix-synapse = 224; + mautrix-whatsapp = 225; # As per the NixOS file, the uids should not be greater or equal to 400; }; @@ -44,6 +46,7 @@ peertube = 992; mastodon = 996; redis-mastodon = 991; + matrix-synapse = 224; # The gid should match the uid. Thus should not be >= 400; }; diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix new file mode 100644 index 0000000..a73fd13 --- /dev/null +++ b/modules/by-name/ma/matrix/module.nix 
@@ -0,0 +1,167 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.matrix;
+ clientConfig."m.homeserver".base_url = "https://${cfg.fqdn}";
+ serverConfig."m.server" = "${cfg.fqdn}:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ options.vhack.matrix = {
+ enable = lib.mkEnableOption "matrix setup based on synapse";
+ fqdn = lib.mkOption {
+ type = lib.types.str;
+ description = "The FQDN on which matrix-synapse should be served.";
+ example = "matrix.vhack.eu";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ description = "The url the matrix-server should be known under.";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.matrix-synapse_registration_shared_secret = {
+ file = ./passwd.age;
+ mode = "700";
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/matrix";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mautrix-whatsapp";
+ user = "mautrix-whatsapp";
+ group = "matrix-synapse";
+ mode = "0750";
+ }
+ ];
+ systemd.tmpfiles.rules = [
+ "d /etc/matrix 0755 matrix-synapse matrix-synapse"
+ ];
+
+ vhack.postgresql.enable = true;
+ vhack.nginx.enable = true;
+
+ services = {
+ postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ --Matrix:
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+ --Whatsapp-bridge:
+ CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+ CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${cfg.url}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ };
+ "${cfg.fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".return = "404";
+ "/_matrix".proxyPass = "http://[::1]:8008";
+ "/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+ };
+
+ mautrix-whatsapp = {
+ # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
+ # Re-enable it, when this has changed. <2024-09-06>
+ enable = false;
+ settings = {
+ appservice = {
+ database = {
+ type = "postgres";
+ uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
+ };
+ whatsapp = {
+ # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
+ # This also determines the WhatsApp icon
+ browser_name = "unknown";
+ };
+ };
+ homeserver.address = "https://${cfg.fqdn}";
+ bridge.permissions = {
+ "@soispha:vhack.eu" = "admin";
+ "@sils:vhack.eu" = "admin";
+ "@nightingale:vhack.eu" = "admin";
+ };
+ };
+ };
+
+ matrix-synapse = {
+ enable = true;
+ dataDir = "/var/lib/matrix";
+ configFile = "/etc/matrix/matrix.conf";
+ settings = {
+ media_store_path = "/var/lib/matrix/media_store";
+ registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
+ server_name = cfg.url;
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["::1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ users = {
+ users = {
+ matrix-synapse.uid = config.vhack.constants.ids.uids.matrix-synapse;
+ mautrix-whatsapp = {
+ uid = config.vhack.constants.ids.uids.mautrix-whatsapp;
+ group = "matrix-synapse";
+ };
+ };
+ groups.matrix-synapse.gid = config.vhack.constants.ids.gids.matrix-synapse;
+ };
+ };
+}
diff --git a/modules/by-name/ma/matrix/passwd.age b/modules/by-name/ma/matrix/passwd.age
new file mode 100644
index 0000000..6386ed6
--- /dev/null
+++ b/modules/by-name/ma/matrix/passwd.age
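Review bot: The `initialScript` creates both database roles with fixed passwords committed to the repository (`PASSWORD 'synapse'` and `PASSWORD 'whatsapp'`), which makes them guessable credentials for anyone who can reach Postgres with password authentication enabled in `pg_hba`. Nothing in this hunk appears to use them — the bridge connects over the socket (`host=/run/postgresql`) and no password-bearing database URI is set for synapse — so peer auth over the socket looks like the real mechanism; if that is confirmed, drop the clause: `CREATE ROLE "matrix-synapse" WITH LOGIN;` and `CREATE ROLE "mautrix-whatsapp" WITH LOGIN;`, otherwise load the password from an age secret the way `registration_shared_secret_path` already does rather than inlining it. Separately, `mode = "700"` on the registration secret sets an execute bit on a data file; `mode = "0400";` is the conventional value for a secret read by one service user. Please also confirm that `services.matrix-synapse.configFile` is still assignable on the NixOS release this targets — in recent releases it is derived from `settings` and marked read-only, in which case `configFile = "/etc/matrix/matrix.conf";` and the `/etc/matrix` tmpfiles rule would fail evaluation or be dead configuration.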
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF +bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC +aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q +Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk +ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5 +cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg +LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy +dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3 +RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv +OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A +sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK +4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria +-----END AGE ENCRYPTED FILE----- -- cgit 1.4.1