From fbfff0e1a7d8421ab998b0e2caed6afe809e1f2d Mon Sep 17 00:00:00 2001
From: schweby
Date: Mon, 1 Feb 2021 16:20:08 +0100
Subject: [PATCH] hainich/matrix: init matrix & element

---
 hosts/hainich/configuration.nix | 3 +-
 hosts/hainich/services/matrix-synapse.nix | 106 ++++++++++++++++++++++
 2 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 hosts/hainich/services/matrix-synapse.nix

diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index 5cc94e0..322b5ea 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -9,9 +9,7 @@
 ./services/mail.nix
 ./services/codimd.nix
 ../../common
-# ./wireguard.nix
 ./services/nginx.nix
-# ./k8s.nix
 ./services/docker.nix
 ./services/gitlab-runner.nix
 ./services/lantifa.nix
@@ -19,6 +17,7 @@
 ./services/syncthing.nix
 ./services/monitoring.nix
 ./services/workadventure.nix
+ ./services/matrix-synapse.nix
 ];
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
diff --git a/hosts/hainich/services/matrix-synapse.nix b/hosts/hainich/services/matrix-synapse.nix
new file mode 100644
index 0000000..dde8f7f
--- /dev/null
+++ b/hosts/hainich/services/matrix-synapse.nix
@@ -0,0 +1,106 @@
+{config, lib, pkgs, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+ services.nginx = {
+ enable = true;
+ # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+ # but the rest make sense as well
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ # This host section can be placed on a different host than the rest,
+ # i.e. to delegate from the host being accessible as ${config.networking.domain}
+ # to another host actually running the Matrix homeserver.
+ "hacc.space" = {
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ # use 443 instead of the default 8448 port to unite
+ # the client-server and server-server port for simplicity
+ server = { "m.server" = "matrix.hacc.space:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ # ACAO required to allow element-web on any URL to request this json file
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+
+ # Reverse proxy for Matrix client-server and server-server communication
+ "matrix.hacc.space" = {
+ enableACME = true;
+ forceSSL = true;
+
+ # Or do a redirect instead of the 404, or whatever is appropriate for you.
+ # But do not put a Matrix Web client here! See the Element web section below.
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ # forward all Matrix API calls to the synapse Matrix homeserver
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008"; # without a trailing /
+ };
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ server_name = "matrix.hacc.space";
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
+
+ services.nginx.virtualHosts."element.matrix.hacc.space" = {
+ enableACME = true;
+ forceSSL = true;
+ serverAliases = [
+ "element.hacc.space"
+ ];
+
+ root = pkgs.element-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "matrix.hacc.space";
+ "server_name" = "matrix.hacc.space";
+ };
+ };
+ };
+ };
+}
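Review bot: The database credential in `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` is a literal inside `pkgs.writeText`, so it lands in the world-readable Nix store (and in repository history) as a trivially guessable password; if Synapse reaches PostgreSQL over the local unix socket with peer authentication (how Synapse connects is not visible in this hunk) the password is unused and `CREATE ROLE "matrix-synapse" WITH LOGIN;` is sufficient, otherwise it should be read from a file kept outside the store rather than written here. Separately, the Element `default_server_config` sets `"base_url" = "matrix.hacc.space";` with no scheme, while the `.well-known/matrix/client` response a few lines above uses `https://matrix.hacc.space`; Element expects a full URL, so this should read `"base_url" = "https://matrix.hacc.space";`. Finally, the `"hacc.space"` virtual host that serves the `.well-known` delegation has no `enableACME`/`forceSSL` in this file, and federation well-known lookups are made over HTTPS, so unless that host already gets TLS from another module (the comment above it hints that it may) the delegation to `matrix.hacc.space:443` will not be honoured.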