Merge pull request 'nachtigall: Add nginx config for serving matrix-synapse' (#33) from feat/matrix-nginx into main

Reviewed-on: pub-solar/infra-new#33 Reviewed-by: teutat3s <teutates@mailbox.org>
2023-10-29 12:45:35 +00:00 · 2023-10-29 12:45:35 +00:00 · 83bcb225f3
parent 0fa32ec92f eaf99a2d78
commit 83bcb225f3
3 changed files with 160 additions and 0 deletions
--- a/hosts/nachtigall/apps/matrix/element-client-config.nix
+++ b/hosts/nachtigall/apps/matrix/element-client-config.nix
@ -0,0 +1,46 @@
+{
+	default_server_config = {
+		"m.homeserver" = {
+			base_url = "https://matrix.test.pub.solar";
+			server_name = "test.pub.solar";
+		};
+		"m.identity_server" = {
+			base_url = "";
+		};
+	};
+  # TODO: Add themes
+	# setting_defaults = {
+	# 	custom_themes = {{ matrix_client_element_setting_defaults_custom_themes | to_json }}
+	# };
+	# default_theme = {{ matrix_client_element_default_theme | string | to_json }};
+	# default_country_code = {{ matrix_client_element_default_country_code | string | to_json }};
+	permalink_prefix = "https://matrix.to";
+	disable_custom_urls = true;
+	disable_guests = true;
+	brand = "Element Solar";
+
+  # TODO: Configure these
+	integrations_ui_url = "";
+	integrations_rest_url = "";
+	integrations_widgets_urls = "";
+	integrations_jitsi_widget_url = "";
+
+	bug_report_endpoint_url = "https://element.io/bugreports/submit";
+	show_labs_settings = true;
+	room_directory = {
+		servers = ["matrix.org"];
+	};
+  # TODO: This looks wrong
+	enable_presence_by_hs_url = "\n";
+	embedded_pages = {
+		homeUrl = "";
+	};
+	branding = {
+		auth_footer_links = [{
+      text = "Privacy";
+      url = "https://pub.solar/privacy";
+    }];
+    # FUTUREWORK: Replace with pub.solar logo
+		auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
+	};
+}
--- a/hosts/nachtigall/apps/nginx-matrix.nix
+++ b/hosts/nachtigall/apps/nginx-matrix.nix
@ -0,0 +1,113 @@
+{ lib, pkgs, ... }:
+let
+  commonHeaders = ''
+    add_header Permissions-Policy interest-cohort=() always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-XSS-Protection "1; mode=block";
+  '';
+  clientConfig = import ./matrix/element-client-config.nix;
+  wellKnownClient."m.homeserver".base_url = "https://matrix.test.pub.solar";
+  wellKnownServer."m.server" = "matrix.test.pub.solar:8448";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+  wellKnownLocations =  {
+    "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer;
+    "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient;
+  };
+in
+{
+  services.nginx.virtualHosts = {
+    "test.pub.solar" = {
+      root = "/dev/null";
+
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+
+      locations = wellKnownLocations;
+    };
+
+    "chat.test.pub.solar" = {
+      forceSSL = true;
+      enableACME = true;
+      root = pkgs.element-web.override {
+        conf = clientConfig;
+      };
+    };
+
+    "matrix.test.pub.solar" = {
+      root = "/dev/null";
+
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+
+      extraConfig = ''
+        server_tokens off;
+        gzip on;
+        gzip_types text/plain application/json;
+      '';
+      locations = wellKnownLocations // {
+        # TODO: Configure metrics
+        # "/metrics" = {
+        # };
+
+        "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
+          proxyPass = "http://127.0.0.1:8009";
+          extraConfig = commonHeaders;
+        };
+
+        "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
+          proxyPass = "http://127.0.0.1:8008";
+
+          extraConfig = ''
+            ${commonHeaders}
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
+            client_body_buffer_size 25M;
+            client_max_body_size 50M;
+            proxy_max_temp_file_size 0;
+          '';
+        };
+      };
+    };
+    "matrix.pub.solar-federation" = {
+      serverName = "matrix.test.pub.solar";
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+      listen = [{
+        port = 8448;
+        addr = "0.0.0.0";
+        ssl = true;
+      } {
+        port = 8448;
+        addr = "[::]";
+        ssl = true;
+      }];
+      root = "/dev/null";
+      extraConfig = ''
+        server_tokens off;
+
+        gzip on;
+        gzip_types text/plain application/json;
+      '';
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8008";
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
+          client_body_buffer_size 25M;
+          client_max_body_size 150M;
+          proxy_max_temp_file_size 0;
+        '';
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [8448];
+}
+
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@ -22,5 +22,6 @@

      ./apps/matrix/mautrix-telegram.nix
      ./apps/matrix/synapse.nix
+      ./apps/nginx-matrix.nix
    ];
 }