diff --git a/hosts/nachtigall/apps/matrix/element-client-config.nix b/hosts/nachtigall/apps/matrix/element-client-config.nix new file mode 100644 index 0000000..e89ea95 --- /dev/null +++ b/hosts/nachtigall/apps/matrix/element-client-config.nix @@ -0,0 +1,46 @@ +{ + default_server_config = { + "m.homeserver" = { + base_url = "https://matrix.test.pub.solar"; + server_name = "test.pub.solar"; + }; + "m.identity_server" = { + base_url = ""; + }; + }; + # TODO: Add themes + # setting_defaults = { + # custom_themes = {{ matrix_client_element_setting_defaults_custom_themes | to_json }} + # }; + # default_theme = {{ matrix_client_element_default_theme | string | to_json }}; + # default_country_code = {{ matrix_client_element_default_country_code | string | to_json }}; + permalink_prefix = "https://matrix.to"; + disable_custom_urls = true; + disable_guests = true; + brand = "Element Solar"; + + # TODO: Configure these + integrations_ui_url = ""; + integrations_rest_url = ""; + integrations_widgets_urls = ""; + integrations_jitsi_widget_url = ""; + + bug_report_endpoint_url = "https://element.io/bugreports/submit"; + show_labs_settings = true; + room_directory = { + servers = ["matrix.org"]; + }; + # TODO: This looks wrong + enable_presence_by_hs_url = "\n"; + embedded_pages = { + homeUrl = ""; + }; + branding = { + auth_footer_links = [{ + text = "Privacy"; + url = "https://pub.solar/privacy"; + }]; + # FUTUREWORK: Replace with pub.solar logo + auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; + }; +} diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix new file mode 100644 index 0000000..13dc273 --- /dev/null +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -0,0 +1,113 @@ +{ lib, pkgs, ... }: +let + commonHeaders = '' + add_header Permissions-Policy interest-cohort=() always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-XSS-Protection "1; mode=block"; + ''; + clientConfig = import ./matrix/element-client-config.nix; + wellKnownClient."m.homeserver".base_url = "https://matrix.test.pub.solar"; + wellKnownServer."m.server" = "matrix.test.pub.solar:8448"; + mkWellKnown = data: '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON data}'; + ''; + wellKnownLocations = { + "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer; + "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient; + }; +in +{ + services.nginx.virtualHosts = { + "test.pub.solar" = { + root = "/dev/null"; + + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + + locations = wellKnownLocations; + }; + + "chat.test.pub.solar" = { + forceSSL = true; + enableACME = true; + root = pkgs.element-web.override { + conf = clientConfig; + }; + }; + + "matrix.test.pub.solar" = { + root = "/dev/null"; + + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + + extraConfig = '' + server_tokens off; + gzip on; + gzip_types text/plain application/json; + ''; + locations = wellKnownLocations // { + # TODO: Configure metrics + # "/metrics" = { + # }; + + "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { + proxyPass = "http://127.0.0.1:8009"; + extraConfig = commonHeaders; + }; + + "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = { + proxyPass = "http://127.0.0.1:8008"; + + extraConfig = '' + ${commonHeaders} + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + + client_body_buffer_size 25M; + client_max_body_size 50M; + proxy_max_temp_file_size 0; + ''; + }; + }; + }; + "matrix.pub.solar-federation" = { + serverName = "matrix.test.pub.solar"; + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + listen = [{ + port = 8448; + addr = "0.0.0.0"; + ssl = true; + } { + port = 8448; + addr = "[::]"; + ssl = true; + }]; + root = "/dev/null"; + extraConfig = '' + server_tokens off; + + gzip on; + gzip_types text/plain application/json; + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + + client_body_buffer_size 25M; + client_max_body_size 150M; + proxy_max_temp_file_size 0; + ''; + }; + }; + }; + networking.firewall.allowedTCPPorts = [8448]; +} + diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 5d1781d..f4c1ed8 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -24,5 +24,6 @@ ./apps/matrix/mautrix-telegram.nix ./apps/matrix/synapse.nix + ./apps/nginx-matrix.nix ]; }