diff --git a/nixos/machines/orbi/social-matrix.nix b/nixos/machines/orbi/social-matrix.nix
index 78818b1..27528e0 100644
--- a/nixos/machines/orbi/social-matrix.nix
+++ b/nixos/machines/orbi/social-matrix.nix
@@ -3,7 +3,6 @@ let
 # 1. create DNS entry `_matrix._tcp.ingolf-wagner.de SRV - 10 8448 matrix.ingolf-wagner.de` (8448 for federation)
 # 2. create DNS entry `matrix.ingolf-wagner.de A - 95.216.66.212`
 # 3. test with : https://federationtester.matrix.org/#ingolf-wagner.de
- # 4. info at : https://silvio.github.io/docker-matrix/Example.configs.html
 domain = "ingolf-wagner.de";
 baseUrl = "https://matrix.${domain}";
@@ -122,47 +121,47 @@ in
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 virtualHosts = {
- # If the A and AAAA DNS records on example.org do not point on the same host as the
- # records for myhostname.example.org, you can easily move the /.well-known
- # virtualHost section of the code to the host that is serving example.org, while
- # the rest stays on myhostname.example.org with no other changes required.
- # This pattern also allows to seamlessly move the homeserver from
- # myhostname.example.org to myotherhost.example.org by only changing the
- # /.well-known redirection target.
- "${domain}" = {
- enableACME = true;
- forceSSL = true;
- # This section is not needed if the server_name of matrix-synapse is equal to
- # the domain (i.e. example.org from @foo:example.org) and the federation port
- # is 8448.
- # Further reference can be found in the docs about delegation under
- # https://element-hq.github.io/synapse/latest/delegate.html
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
- # Further reference can be found in the upstream docs at
- # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- };
+ # # If the A and AAAA DNS records on example.org do not point on the same host as the
+ # # records for myhostname.example.org, you can easily move the /.well-known
+ # # virtualHost section of the code to the host that is serving example.org, while
+ # # the rest stays on myhostname.example.org with no other changes required.
+ # # This pattern also allows to seamlessly move the homeserver from
+ # # myhostname.example.org to myotherhost.example.org by only changing the
+ # # /.well-known redirection target.
+ # "${domain}" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # # This section is not needed if the server_name of matrix-synapse is equal to
+ # # the domain (i.e. example.org from @foo:example.org) and the federation port
+ # # is 8448.
+ # # Further reference can be found in the docs about delegation under
+ # # https://element-hq.github.io/synapse/latest/delegate.html
+ # locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ # # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+ # # Further reference can be found in the upstream docs at
+ # # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+ # locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ # };
 "matrix.${domain}" = {
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- # for federation
- {
- addr = "0.0.0.0";
- port = 8448;
- ssl = true;
- }
- ];
- serverAliases = [ "ingolf-wagner.de" ];
+ #listen = [
+ # {
+ # addr = "0.0.0.0";
+ # port = 80;
+ # }
+ # {
+ # addr = "0.0.0.0";
+ # port = 443;
+ # ssl = true;
+ # }
+ # # for federation
+ # {
+ # addr = "0.0.0.0";
+ # port = 8448;
+ # ssl = true;
+ # }
+ #];
+ #serverAliases = [ "ingolf-wagner.de" ];
 enableACME = true;
 forceSSL = true;
 # It's also possible to do a redirect here or something else, this vhost is not
@@ -177,6 +176,7 @@ in
 # Forward requests for e.g. SSO and password-resets.
 #locations."/_synapse/client".proxyPass = "http://[::1]:8008";
 };
+ "element.${domain}" = {
 forceSSL = true;
 enableACME = true;
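Review bot: Commenting out the `listen` block removes the explicit port-8448 listener from `"matrix.${domain}"` (the vhost falls back to the module's default 80/443 listeners), but the setup notes at the top of this file, kept as context in the first hunk, still read `# 1. create DNS entry \`_matrix._tcp.ingolf-wagner.de SRV - 10 8448 matrix.ingolf-wagner.de\` (8448 for federation)`. With delegation now done through `/.well-known/matrix/server` pointing at `matrix.${domain}:443`, that SRV record is stale documentation at best and, should the well-known lookup ever fail, sends federating peers to a port nothing answers on; update the note to `# 1. federation is delegated via /.well-known (served elsewhere) to matrix.${domain}:443 — no SRV record needed` and retire the DNS record. Separately, the `"${domain}"` block and the `#listen`/`#serverAliases` lines are now dead commented-out code; since the same setup lives in the new robi file, deleting them here (as the dendrite block is deleted in this file's last hunk) keeps the vhost readable. The enclosing `virtualHosts` attribute set closes outside this hunk.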
@@ -185,90 +185,11 @@ in
 proxy_set_header X-Real-IP $remote_addr;
 proxy_read_timeout 600;
 '';
- # locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
- # # for remote admin access
- # locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
 locations."/".root = element-web;
 };
+ };
 };
-
- # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
- #sops.secrets.matrix-server-key = { };
-
- #services.dendrite = {
- # enable = true;
- # httpPort = 8448;
- # settings = {
- # global = {
- # server_name = "terranix.org";
- # # `private_key` has the type `path`
- # # prefix a `/` to make `path` happy
- # private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
- # trusted_third_party_id_servers = [
- # "matrix.org"
- # "vector.im"
- # "xaos.space"
- # "lassul.us"
- # "thalheim.io"
- # "nixos.org"
- # ];
- # metrics.enabled = false;
- # };
- # logging = [
- # {
- # type = "std";
- # level = "warn";
- # }
- # ];
- # client_api = {
- # registration_disabled = true;
- # rate_limiting.enabled = false;
- # # set only for the first admin account, than remove.
- # #registration_shared_secret = ""; # disable once first admin account is created
- # };
- # media_api = {
- # dynamic_thumbnails = true;
- # };
- # mscs = {
- # mscs = [ "msc2836" "msc2946" ];
- # };
- # sync_api = {
- # real_ip_header = "X-Real-IP";
- # };
- # federation_api = {
- # key_perspectives = [
- # {
- # server_name = "matrix.org";
- # keys = [
- # {
- # key_id = "ed25519:auto";
- # public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
- # }
- # {
- # key_id = "ed25519:a_RXGa";
- # public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
- # }
- # ];
- # }
- # ];
- # prefer_direct_fetch = false;
- # };
- # };
- #};
-
- #systemd.services.dendrite.serviceConfig.LoadCredential = [
- # "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
- #];
-
-
- #services.nginx.virtualHosts.${server_name} = {
- # locations."= /.well-known/matrix/server".alias =
- # pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
- # locations."= /.well-known/matrix/client".alias =
- # pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
- #};
-
 }
diff --git a/nixos/machines/robi/configuration.nix b/nixos/machines/robi/configuration.nix
index 43658dc..21f33a2 100644
--- a/nixos/machines/robi/configuration.nix
+++ b/nixos/machines/robi/configuration.nix
@@ -33,6 +33,7 @@
 # matrix
 ./terranix-dendrite.nix
+ ./social-matrix.nix
 # logging
 ./loki.nix
diff --git a/nixos/machines/robi/social-matrix.nix b/nixos/machines/robi/social-matrix.nix
new file mode 100644
index 0000000..9519792
--- /dev/null
+++ b/nixos/machines/robi/social-matrix.nix
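Review bot: After this hunk drops the commented `/_matrix` and `/_synapse` proxyPass lines, the only location left in the `"element.${domain}"` vhost is `locations."/".root = element-web;`, a static file root, so the `proxy_set_header X-Real-IP $remote_addr;` / `proxy_read_timeout 600;` directives in its `extraConfig` (whose start lies outside this hunk) no longer apply to any proxied request and read as if something were still being forwarded. Removing that `extraConfig` block, or replacing it with a one-line `# static element-web only; no upstream is proxied from this vhost` comment, would stop the next reader from looking for a backend. The rest of the hunk is the removal of long-dead dendrite configuration and a closing `};` for `virtualHosts`, which looks correct against the new `"element.${domain}" = {` opener added in the previous hunk.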
@@ -0,0 +1,57 @@
+{ config, pkgs, ... }:
+let
+ # 1. create DNS entry `matrix.ingolf-wagner.de A - 95.216.66.212`
+ # 2. test with : https://federationtester.matrix.org/#ingolf-wagner.de
+ # 3. info at : https://silvio.github.io/docker-matrix/Example.configs.html
+
+ domain = "ingolf-wagner.de";
+ baseUrl = "https://matrix.${domain}";
+
+ clientConfig."m.homeserver".base_url = baseUrl;
+ serverConfig."m.server" = "matrix.${domain}:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+
+in
+{
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ # If the A and AAAA DNS records on example.org do not point on the same host as the
+ # records for myhostname.example.org, you can easily move the /.well-known
+ # virtualHost section of the code to the host that is serving example.org, while
+ # the rest stays on myhostname.example.org with no other changes required.
+ # This pattern also allows to seamlessly move the homeserver from
+ # myhostname.example.org to myotherhost.example.org by only changing the
+ # /.well-known redirection target.
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ # This section is not needed if the server_name of matrix-synapse is equal to
+ # the domain (i.e. example.org from @foo:example.org) and the federation port
+ # is 8448.
+ # Further reference can be found in the docs about delegation under
+ # https://element-hq.github.io/synapse/latest/delegate.html
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+ # Further reference can be found in the upstream docs at
+ # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+
+ };
+
+ };
+
+}
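Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens two UDP ports that nothing in this file listens on — the nginx configuration here is plain TCP HTTP/HTTPS with no HTTP/3 or QUIC option set, so the rule only widens the host's exposed surface; unless QUIC is enabled in a module not shown on this page, drop the line and keep just `networking.firewall.allowedTCPPorts = [ 80 443 ];`. The setup steps at the top list only the `matrix.ingolf-wagner.de` A record, yet the vhost this file actually serves is the apex `"${domain}"`, so the record that must point at this host is missing from the checklist; add a step such as `# 0. point the A/AAAA records of ingolf-wagner.de at this host (it answers /.well-known/matrix/*)`. Minor: `config` and `pkgs` in the module arguments are unused in this file and can be replaced by `{ ... }:`.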