diff --git a/flake.lock b/flake.lock index 3309dea..f44686d 100644 --- a/flake.lock +++ b/flake.lock @@ -908,11 +908,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1675175172, - "narHash": "sha256-dzsn+X8S94JfMxN2Maq2UYwgzBTYr7SocJUcz1yYIr8=", + "lastModified": 1675861033, + "narHash": "sha256-N7jtUdy718AzP097ItsqzzxutiNmiBSfEd9AuL1yCoQ=", "ref": "main", - "rev": "e95db1263a5ff908bf2123fb0e45d0ff43d55d91", - "revCount": 43, + "rev": "847d654dd6393ad31627484785ffb28a73fe034f", + "revCount": 44, "type": "git", "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" }, diff --git a/nixos/machines/robi/configuration.nix b/nixos/machines/robi/configuration.nix index abd401c..2bc7d3f 100644 --- a/nixos/machines/robi/configuration.nix +++ b/nixos/machines/robi/configuration.nix @@ -43,6 +43,9 @@ #./weechat.nix #./property.nix # flask sucks, find something else + # matrix + ./dendrite.nix + # logging ./loki.nix ./loki-promtail.nix diff --git a/nixos/machines/robi/dendrite.nix b/nixos/machines/robi/dendrite.nix new file mode 100644 index 0000000..96b814d --- /dev/null +++ b/nixos/machines/robi/dendrite.nix 
@@ -0,0 +1,119 @@
+{ config, pkgs, ... }:
+let
+
+ inherit (config.services.dendrite.settings.global) server_name;
+
+ nginx-vhost = "matrix.terranix.org";
+ element-web-terranix.org =
+ pkgs.runCommand "element-web-with-config"
+ {
+ nativeBuildInputs = [ pkgs.buildPackages.jq ];
+ } ''
+ cp -r ${pkgs.element-web} $out
+ chmod -R u+w $out
+ jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
+ > $out/config.json < ${pkgs.element-web}/config.json
+ ln -s $out/config.json $out/config.${nginx-vhost}.json
+ '';
+in
+{
+
+ # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
+ sops.secrets.matrix-server-key = { };
+
+ services.dendrite = {
+ enable = true;
+ httpPort = 8043;
+ settings = {
+ global = {
+ server_name = "terranix.org";
+ # `private_key` has the type `path`
+ # prefix a `/` to make `path` happy
+ private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+ trusted_third_party_id_servers = [
+ "matrix.org"
+ "vector.im"
+ "xaos.space"
+ "lassul.us"
+ "thalheim.io"
+ ];
+ metrics.enabled = false;
+ };
+ logging = [
+ {
+ type = "std";
+ level = "warn";
+ }
+ ];
+ client_api = {
+ registration_disabled = true;
+ rate_limiting.enabled = false;
+ # set only for the first admin account, than remove.
+ #registration_shared_secret = ""; # disable once first admin account is created
+ };
+ media_api = {
+ dynamic_thumbnails = true;
+ };
+ mscs = {
+ mscs = [ "msc2836" "msc2946" ];
+ };
+ sync_api = {
+ real_ip_header = "X-Real-IP";
+ };
+ federation_api = {
+ key_perspectives = [
+ {
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }
+ ];
+ prefer_direct_fetch = false;
+ };
+ };
+ };
+
+ systemd.services.dendrite.serviceConfig.LoadCredential = [
+ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
+ ];
+
+ systemd.services.dendrite.after = [ "postgresql.service" ];
+ services.postgresql = {
+ ensureDatabases = [ "dendrite" ];
+ ensureUsers = [
+ {
+ name = "dendrite";
+ ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ services.nginx.virtualHosts.${nginx-vhost} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 600;
+ '';
+ locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ # for remote admin access
+ locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ locations."/".root = element-web-terranix.org;
+ };
+
+ services.nginx.virtualHosts.${server_name} = {
+ locations."= /.well-known/matrix/server".alias =
+ pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
+ locations."= /.well-known/matrix/client".alias =
+ pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
+ };
+}
diff --git a/nixos/machines/robi/matrix.nix b/nixos/machines/robi/matrix.nix
deleted file mode 100644
index 5041d71..0000000
--- a/nixos/machines/robi/matrix.nix
+++ /dev/null
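Review bot: `rate_limiting.enabled = false;` under `client_api` turns off Dendrite's per-client throttling while the same hunk publishes `/_matrix` on the public `matrix.terranix.org` vhost with no `limit_req` in the nginx `extraConfig`, so `/_matrix/client/*/login` can be password-guessed at line rate; `registration_disabled = true` does nothing against guessing on existing accounts. Keep the default, `rate_limiting.enabled = true;`, or at minimum put an nginx `limit_req` zone on the `/_matrix` location. Separately, the deleted matrix.nix pinned Conduit to `address = "127.0.0.1"` so it was only reachable through the proxy; nothing here constrains where Dendrite binds `httpPort = 8043`, and if the module binds all interfaces (check with `ss -ltnp` after deploy) a direct client bypasses TLS and can set its own `X-Real-IP`, which `sync_api.real_ip_header` trusts — confirm the bind address or firewall the port. Minor: the comment should read `# set only for the first admin account, then remove.`, and if `registration_shared_secret` is ever filled in it belongs in sops like the server key, since `settings` is presumably rendered to a world-readable store path rather than kept in `$CREDENTIALS_DIRECTORY`.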
@@ -1,51 +0,0 @@
-{ config, ... }:
-{
- services.matrix-conduit = {
- enable = true;
- settings.global = {
- server_name = "ingolf-wagner.de";
-
- # This is the only directory where Conduit will save its data
- database_path = "/var/lib/matrix-conduit/";
- database_backend = "rocksdb";
-
- # The port Conduit will be running on. You need to set up a reverse proxy in
- # your web server (e.g. apache or nginx), so all requests to /_matrix on port
- # 443 and 8448 will be forwarded to the Conduit instance running on this port
- # Docker users: Don't change this, you'll need to map an external port to this.
- port = 6167;
-
- # Max size for uploads in bytes
- max_request_size = "20_000_000";
-
- # Enables registration. If set to false, no users can register on this server.
- allow_registration = true;
- allow_federation = true;
-
- # Enable the display name lightning bolt on registration.
- enable_lightning_bolt = true;
-
- trusted_servers = [ "matrix.org" "nixos.org" "xaos.space" "lassul.us" ];
-
- #max_concurrent_requests = 100 # How many requests Conduit sends to other servers at the same time
- #log = "warn,state_res=warn,rocket=off,_=off,sled=off"
-
- address = "127.0.0.1"; # This makes sure Conduit can only be reached using the reverse proxy
-
-
- };
- };
-
- services.nginx = {
- enable = true;
- virtualHosts. "ingolf-wagner.de" = {
- forceSSL = true;
- enableACME = true;
- locations."/_matrix" = {
- recommendedProxySettings = true;
- proxyWebsockets = true;
- proxyPass = "http://localhost:${toString config.services.matrix-conduit.settings.global.port}";
- };
- };
- };
-}