pub-solar/infra
6
1
Fork 3
Code Issues 25 Pull requests 11 Actions Packages Projects 1 Releases Wiki Activity

wip: tested both element-web + element x
Some checks failed
Flake checks / Check (pull_request) Failing after 1m56s
Details

Browse source
This commit is contained in:
teutat3s 2024-10-27 02:48:10 +02:00
parent b15f7a38f2
commit 4e2a081671
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
17 changed files with 430 additions and 396 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
flake.lock
View file

@ -236,11 +236,11 @@
},
"fork": {
"locked": {
"lastModified": 1729895651,
"narHash": "sha256-jsDi++W3uhb2lxYU257H4zXVgC6lbJ1hbI4vqqag6lE=",
"lastModified": 1729963002,
"narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "e60ba9494f5783468e1aab1a490cf764a24ca0c0",
"rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
"type": "github"
},
"original": {

1
hosts/default.nix
View file

@ -198,7 +198,6 @@
self.nixosModules.postgresql
self.nixosModules.matrix
self.nixosModules.matrix-irc
self.nixosModules.matrix-telegram
self.nixosModules.nginx
self.nixosModules.nginx-matrix
];

45
hosts/nachtigall/configuration.nix
View file

@ -48,6 +48,7 @@
owner = "root";
};
# keycloak
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
@ -59,6 +60,50 @@
database-password-file = config.age.secrets.keycloak-database-password.path;
};
# matrix-synapse
age.secrets."nachtigall-matrix-synapse-signing-key" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = {
file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age";
mode = "400";
owner = "matrix-synapse";
};
pub-solar-os.matrix-synapse = {
enable = true;
signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path;
extra-config-files = [
config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
};
systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ];
requisite = [ "var-lib-postgresql.mount" ];

140
hosts/underground/configuration.nix
View file

@ -15,73 +15,61 @@
systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
# keycloak
pub-solar-os.auth = {
enable = true;
database-password-file = "/tmp/dbf";
};
services.keycloak.database.createLocally = true;
# matrix-synapse
# test.pub.solar /.well-known is required for federation
services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
default = true;
enableACME = true;
forceSSL = true;
};
age.secrets."underground-matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."underground-matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age";
mode = "400";
owner = "matrix-authentication-service";
};
pub-solar-os.matrix-synapse = {
enable = true;
extra-config-files = [
config.age.secrets."underground-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-appservice-irc/registration.yml"
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
};
services.matrix-authentication-service = {
enable = true;
createDatabase = true;
extraConfigFiles = [(pkgs.writeText "mas-extra-config.yml" ''
secrets:
encryption: 85c39ce195bd01d17b583687edf20ae09eede66f4ce043f15afc2afa719249c9
keys:
- kid: LYeYXYzVil
key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1l1iXIE9yFksgKmJ58hk9oj7UQ4iX5HX9Ll/EUDCRu+fuPuB
kYnski19RNoVIWQt3f8HYTeQLF1vhvj9AKFw+F0jklkC8/YrHzNPiB7LS08X4+K8
1DW+YI7EY0u0iB+uaChHvK8zYrk+qRmH0OGR7LdXRNqM75xMglkcnMagFbc/3ipO
47SgHFaUGkM62epeQPIsJq6BicxCyH/LhoccUtnj5+EOAF+eo8QPRj+ISfDdCebS
L7iYnpECFggVlexgbVRfeFtxDfHu5hpxjKwbTKYjDLMrZwlI0js4ZN9qchREAJ21
km4Xq4bqP+Pf0QiaEjeoqF/ZMmCFYY2gT3DSUQIDAQABAoIBAHLwd4EqOzplthr2
zN7e8GPQZxC7B2s/BBBQNfXGR2VJrta85GhpD9QBWB3G4XWaBY325LoX1NI090vj
zaS865oANsaNu6ub3ttH4+kUueSTcDfcp2sRthaH9n1XZmFmu1lV38EoH+FbemGp
Ms2pZVkLpVth5BfGMq/hoBnf1o5NTACSHd2InQnUQAbY16NvYZiY37hI3LllyIPI
z7hBvFcRf2JD3Bn7nmV+lTBOtcYA5f6ZrO0V2Ah75AGb6QAUSWgV9edqXkp6OmAV
jcVqfVsPwoPRpaarQ4M1lcvhYgwBKuUXFtcNPqqNk9ldYuYy/UW4E+psRrXkwvs2
50TB78ECgYEA3nx7XBZhYrvUEqLUYeIRhnRGoY0/snyjAMibl6NoJZLpyrk+b70x
Dh1k6LY9RwLfxRHDqnnHy9YY5Iu9QBTBYud8dD0JNOUUC8QWYV1G7AYLS9oe8kM5
z4aWhgNR3a9DidPQtv2SyK+1ZmGhB80T7nDlsK17fjjTUnj7lMhgnbUCgYEA9qe4
zzHfCZsDwoPPuMuAkZIjRxnwReY9fyAGGMdW4VrOgrOyVj4dDF0/R8p3LlS+TiUw
6bVlWqbP+H3Zkx9VaH7EUmiTFulshi/MxSBizdj4SHDhYHK+4H5PkeDusMTGAvOk
QaXB8ZbulHT3mdUc8lHucRHw2TIs8O8zaFBMo60CgYEAyCsxBYnxNlaNF/M9p48w
e0qT3XdqjphKQ0M5kXVoFx4Vj9mYTgnmX6+cgS6s9P2l+/TemLsWQdMu9DixHT1P
PD/OnfnoFZngrjFOfWzhiSpq8WSeIRLQqWCKfqnv9sZfulpC1tBPRpWnXCSML6uX
uhgC3zFGASr5HaNRneul2V0CgYBbkYSQlwkgPcY1jk2tYw9F+6TRHpYOvR0TdsYM
qOReISINb7zDO6f5ER0O/+Ei+B72T+RKvybzcn4+2CnP7o/8jSNBHMWOefXqExDI
Fe/YT7ZM3mstLSwjl4DevUyfn02LhvvxyyGnGMtVnd7V40Ity7DjlS9+0pvQjlzd
WwI4uQKBgQDQA3JSEl95T2nYmmlvX8a5rSNSSK/d6GRDvaNFAk659Jf3X2aYpHFM
TRO5t2EDIrBCpgBG2Tj9yOnm9Zht/T+783ziQ/6p2q1QX7Lfr6MiwnND4Cw0ZvYL
9xDiujZMtAEaEiz0a6pfHn/EfTA6Qvw/KYFmtXFGa+KuOwX4KgFlwQ==
-----END RSA PRIVATE KEY-----
- kid: cdMTgbM9rx
key: |
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOlSK0D4WKNjPrfxojWNJSoFzYJ7TUNC4qVv0C3b+LSioAoGCCqGSM49
AwEHoUQDQgAE0lqYrp1gpDmCZASZ1L7Y5r0Kk9kbv6Qjn8FXzP4ujnFN8tFkHsun
MqmeW3j5Qmtw24gcEU1IPW6QwMz/ozosWQ==
-----END EC PRIVATE KEY-----
- kid: Hb1P9OK0rc
key: |
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDAuDEN6zp1bBf2R3bBEKn8yGKlkV8jfNe1lZ1yvfsVWBPbVBoxJcEWG
krR1vBYdtjSgBwYFK4EEACKhZANiAAThozHhNOUZcybKe7W9K5zVZIXgmM3Fze/e
s6bHLpwPR1EEYNARPW7aLPPjf4d+iPXW5y6J0KCKvaXWvFAM9eL6a8X/W93VZmgO
8A9QN/PWOUz2ZOsp1xLWvgmZl4zHYNw=
-----END EC PRIVATE KEY-----
- kid: NpIOF10t5M
key: |
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIP3Vit8kpPw+JxnPLviS7+bM1EAJquG+0HFN6MT4Q1eDoAcGBSuBBAAK
oUQDQgAE2rnrYryxmN3RAgwh9JqrS7/cft592o9dG6C7sUloIpYcZVmZsVGpOUzB
UMyVVDVWwkAdxfASbDGu4yiSwy9uEw==
-----END EC PRIVATE KEY-----
'')];
extraConfigFiles = [
config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path
];
settings = {
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
http.listeners = [
{
name = "web";
@ -109,43 +97,7 @@ secrets:
proxy_protocol = false;
}
];
clients = [ {
client_id = "0000000000000000000SYNAPSE";
client_auth_method = "client_secret_basic";
client_secret = "unsecure123";
} ];
matrix = {
homeserver = config.services.matrix-synapse.settings.server_name;
secret = "unsecure123";
endpoint = "https://localhost:8448";
};
upstream_oauth2 = {
providers = [
{
id = "01H8PKNWKKRPCBW4YGH1RWV279";
issuer = "https://<keycloak>/realms/<realm>";
token_endpoint_auth_method = "client_secret_basic";
client_id = "matrix-authentication-service";
client_secret = "<client-secret>";
scope = "openid profile email";
claims_imports = {
localpart = {
action = "require";
template = "{{ user.preferred_username }}";
};
displayname = {
action = "suggest";
template = "{{ user.name }}";
};
email = {
action = "suggest";
template = "{{ user.email }}";
set_email_verification = "always";
};
};
}
];
};
passwords.enabled = false;
};
};

6
modules/coturn/default.nix
View file

@ -5,8 +5,8 @@
...
}:
{
age.secrets."coturn-static-auth-secret" = {
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
age.secrets."nachtigall-coturn-static-auth-secret" = {
file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
mode = "400";
owner = "turnserver";
};
@ -18,7 +18,7 @@
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret";
realm = "turn.${config.pub-solar-os.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

5
modules/matrix-irc/default.nix
View file

@ -16,11 +16,6 @@ let
synapseClientPort = "${toString listenerWithClient.port}";
in
{
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
"@system-service @pkey"
"~@privileged @resources"
"@chown"
];
services.matrix-appservice-irc = {
enable = true;
localpart = "irc_bot";

538
modules/matrix/default.nix
View file

@ -1,6 +1,7 @@
{
flake,
config,
lib,
pkgs,
...
}:
@ -9,302 +10,291 @@ let
serverDomain = "${config.pub-solar-os.networking.domain}";
in
{
age.secrets."matrix-synapse-signing-key" = {
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
mode = "400";
owner = "matrix-synapse";
options.pub-solar-os.matrix-synapse = {
enable = lib.mkEnableOption "Enable matrix-synapse to run on the node";
app-service-config-files = lib.mkOption {
description = "List of app service config files";
type = lib.types.listOf lib.types.str;
default = [];
};
extra-config-files = lib.mkOption {
description = "List of extra synapse config files";
type = lib.types.listOf lib.types.str;
default = [];
};
signing_key_path = lib.mkOption {
description = "Path to file containing the signing key";
type = lib.types.str;
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
};
};
age.secrets."matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."matrix-synapse-sliding-sync-secret" = {
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
mode = "400";
owner = "matrix-synapse";
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = serverDomain;
public_baseurl = "https://${publicDomain}/";
database = {
name = "psycopg2";
args = {
host = "/run/postgresql";
cp_max = 10;
cp_min = 5;
database = "matrix";
config = lib.mkIf config.pub-solar-os.matrix-synapse.enable {
services.matrix-synapse = {
enable = true;
settings = {
server_name = serverDomain;
public_baseurl = "https://${publicDomain}/";
database = {
name = "psycopg2";
args = {
host = "/run/postgresql";
cp_max = 10;
cp_min = 5;
database = "matrix";
};
allow_unsafe_locale = false;
txn_limit = 0;
};
allow_unsafe_locale = false;
txn_limit = 0;
};
listeners = [
{
bind_addresses = [ "127.0.0.1" ];
port = 8008;
resources = [
{
compress = true;
names = [ "client" ];
}
{
compress = false;
names = [ "federation" ];
}
];
tls = false;
type = "http";
x_forwarded = true;
}
{
bind_addresses = [ "127.0.0.1" ];
port = 8012;
resources = [ { names = [ "metrics" ]; } ];
tls = false;
type = "metrics";
}
];
listeners = [
{
bind_addresses = [ "127.0.0.1" ];
port = 8008;
resources = [
{
compress = true;
names = [ "client" ];
}
{
compress = false;
names = [ "federation" ];
}
];
tls = false;
type = "http";
x_forwarded = true;
}
{
bind_addresses = [ "127.0.0.1" ];
port = 8012;
resources = [ { names = [ "metrics" ]; } ];
tls = false;
type = "metrics";
}
];
account_threepid_delegates.msisdn = "";
alias_creation_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
];
allow_guest_access = false;
allow_public_rooms_over_federation = true;
allow_public_rooms_without_auth = false;
auto_join_rooms = [
"#community:${serverDomain}"
"#general:${serverDomain}"
];
account_threepid_delegates.msisdn = "";
alias_creation_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
];
allow_guest_access = false;
allow_public_rooms_over_federation = true;
allow_public_rooms_without_auth = false;
auto_join_rooms = [
"#community:${serverDomain}"
"#general:${serverDomain}"
];
autocreate_auto_join_rooms = true;
caches.global_factor = 0.5;
autocreate_auto_join_rooms = true;
caches.global_factor = 0.5;
default_room_version = "10";
disable_msisdn_registration = true;
enable_media_repo = true;
enable_metrics = true;
mau_stats_only = true;
enable_registration = false;
enable_registration_captcha = false;
enable_registration_without_verification = false;
enable_room_list_search = true;
encryption_enabled_by_default_for_room_type = "off";
event_cache_size = "100K";
federation_rr_transactions_per_room_per_second = 50;
federation_client_minimum_tls_version = "1.2";
forget_rooms_on_leave = true;
include_profile_data_on_invite = true;
instance_map = { };
limit_profile_requests_to_users_who_share_rooms = false;
default_room_version = "10";
disable_msisdn_registration = true;
enable_media_repo = true;
enable_metrics = true;
mau_stats_only = true;
enable_registration = false;
enable_registration_captcha = false;
enable_registration_without_verification = false;
enable_room_list_search = true;
encryption_enabled_by_default_for_room_type = "off";
event_cache_size = "100K";
federation_rr_transactions_per_room_per_second = 50;
federation_client_minimum_tls_version = "1.2";
forget_rooms_on_leave = true;
include_profile_data_on_invite = true;
instance_map = { };
limit_profile_requests_to_users_who_share_rooms = false;
max_spider_size = "10M";
max_upload_size = "50M";
media_storage_providers = [ ];
max_spider_size = "10M";
max_upload_size = "50M";
media_storage_providers = [ ];
password_config = {
enabled = false;
localdb_enabled = false;
pepper = "";
};
password_config = {
enabled = false;
localdb_enabled = false;
pepper = "";
};
presence.enabled = true;
push.include_content = false;
presence.enabled = true;
push.include_content = false;
rc_admin_redaction = {
burst_count = 50;
per_second = 1;
};
rc_federation = {
concurrent = 3;
reject_limit = 50;
sleep_delay = 500;
sleep_limit = 10;
window_size = 1000;
};
rc_invites = {
per_issuer = {
rc_admin_redaction = {
burst_count = 50;
per_second = 1;
};
rc_federation = {
concurrent = 3;
reject_limit = 50;
sleep_delay = 500;
sleep_limit = 10;
window_size = 1000;
};
rc_invites = {
per_issuer = {
burst_count = 10;
per_second = 0.3;
};
per_room = {
burst_count = 10;
per_second = 0.3;
};
per_user = {
burst_count = 5;
per_second = 3.0e-3;
};
};
rc_joins = {
local = {
burst_count = 10;
per_second = 0.1;
};
remote = {
burst_count = 10;
per_second = 1.0e-2;
};
};
rc_login = {
account = {
burst_count = 3;
per_second = 0.17;
};
address = {
burst_count = 3;
per_second = 0.17;
};
failed_attempts = {
burst_count = 3;
per_second = 0.17;
};
};
rc_message = {
burst_count = 10;
per_second = 0.3;
per_second = 0.2;
};
per_room = {
burst_count = 10;
per_second = 0.3;
};
per_user = {
burst_count = 5;
per_second = 3.0e-3;
};
};
rc_joins = {
local = {
burst_count = 10;
per_second = 0.1;
};
remote = {
burst_count = 10;
per_second = 1.0e-2;
};
};
rc_login = {
account = {
rc_registration = {
burst_count = 3;
per_second = 0.17;
};
address = {
burst_count = 3;
per_second = 0.17;
};
failed_attempts = {
burst_count = 3;
per_second = 0.17;
redaction_retention_period = "7d";
forgotten_room_retention_period = "7d";
redis.enabled = false;
registration_requires_token = false;
registrations_require_3pid = [ "email" ];
report_stats = false;
require_auth_for_profile_requests = false;
room_list_publication_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
];
signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path;
stream_writers = { };
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
turn_allow_guests = false;
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
url_preview_accept_language = [
"en-US"
"en"
];
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
];
user_directory = {
prefer_local_users = false;
search_all_users = false;
};
user_ips_max_age = "28d";
app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files;
};
rc_message = {
burst_count = 10;
per_second = 0.2;
};
rc_registration = {
burst_count = 3;
per_second = 0.17;
};
redaction_retention_period = "7d";
forgotten_room_retention_period = "7d";
redis.enabled = false;
registration_requires_token = false;
registrations_require_3pid = [ "email" ];
report_stats = false;
require_auth_for_profile_requests = false;
room_list_publication_rules = [
{
action = "allow";
alias = "*";
room_id = "*";
user_id = "*";
}
withJemalloc = true;
extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files;
extras = [
"oidc"
"redis"
];
signing_key_path = "/run/agenix/matrix-synapse-signing-key";
stream_writers = { };
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
turn_allow_guests = false;
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
url_preview_accept_language = [
"en-US"
"en"
];
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
];
user_directory = {
prefer_local_users = false;
search_all_users = false;
};
user_ips_max_age = "28d";
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
};
withJemalloc = true;
#services.matrix-sliding-sync = {
# enable = true;
# settings = {
# SYNCV3_SERVER = "https://${publicDomain}";
# SYNCV3_BINDADDR = "127.0.0.1:8011";
# # The bind addr for Prometheus metrics, which will be accessible at
# # /metrics at this address
# SYNCV3_PROM = "127.0.0.1:9100";
# };
# environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
#};
extraConfigFiles = [
"/run/agenix/matrix-synapse-secret-config.yaml"
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
extras = [
"oidc"
"redis"
];
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
};
services.matrix-sliding-sync = {
enable = true;
settings = {
SYNCV3_SERVER = "https://${publicDomain}";
SYNCV3_BINDADDR = "127.0.0.1:8011";
# The bind addr for Prometheus metrics, which will be accessible at
# /metrics at this address
SYNCV3_PROM = "127.0.0.1:9100";
pub-solar-os.backups.restic.matrix-synapse = {
paths = [
"/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc"
"/var/lib/mautrix-telegram"
"/tmp/matrix-synapse-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
};
initialize = true;
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/matrix-synapse-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
};
pub-solar-os.backups.restic.keycloak = {
paths = [
"/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc"
"/var/lib/mautrix-telegram"
"/tmp/matrix-synapse-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
};
initialize = true;
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/matrix-synapse-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
}

55
modules/nginx-matrix/default.nix
View file

@ -10,11 +10,14 @@ let
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block";
'';
clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
clientConfig = import ./element-client-config.nix { inherit config lib pkgs; };
wellKnownClient = domain: {
"m.homeserver".base_url = "https://matrix.${domain}";
"m.identity_server".base_url = "https://matrix.${domain}";
"org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
"org.matrix.msc2965.authentication" = {
issuer = "https://mas.${domain}/";
account = "https://mas.${domain}/account";
};
"im.vector.riot.e2ee".default = true;
"io.element.e2ee" = {
default = true;
@ -85,6 +88,27 @@ in
root = pkgs.element-stickerpicker;
};
"mas.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null";
forceSSL = lib.mkDefault true;
enableACME = lib.mkDefault true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
"matrix.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null";
@ -99,28 +123,41 @@ in
locations = {
# For telegram
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
priority = 100;
proxyPass = "http://127.0.0.1:8009";
extraConfig = commonHeaders;
};
# sliding-sync
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://127.0.0.1:8011";
extraConfig = commonHeaders;
# Forward to the auth service
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
priority = 100;
proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
"~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
# Forward to Synapse
# as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
"~ ^(/_matrix|/_synapse/client)" = {
priority = 200;
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
${commonHeaders}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
client_body_buffer_size 25M;
client_max_body_size 50M;
proxy_max_temp_file_size 0;
proxy_http_version 1.1;
'';
};
};

6
modules/nginx-matrix/element-client-config.nix
View file

@ -1,9 +1,9 @@
{ pkgs, lib, ... }:
{ config, pkgs, lib, ... }:
{
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.pub.solar";
server_name = "pub.solar";
base_url = "https://matrix.${config.pub-solar-os.networking.domain}";
server_name = "${config.pub-solar-os.networking.domain}";
};
"m.identity_server" = {
base_url = "";

0
secrets/coturn-static-auth-secret.age → secrets/nachtigall-coturn-static-auth-secret.age
View file

0
secrets/matrix-synapse-secret-config.yaml.age → secrets/nachtigall-matrix-synapse-secret-config.yaml.age
View file

0
secrets/matrix-synapse-signing-key.age → secrets/nachtigall-matrix-synapse-signing-key.age
View file

0
secrets/matrix-synapse-sliding-sync-secret.age → secrets/nachtigall-matrix-synapse-sliding-sync-secret.age
View file

14
secrets/secrets.nix
View file

@ -7,6 +7,7 @@ let
trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin";
delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite";
blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell";
underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground";
adminKeys = builtins.foldl' (
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
@ -24,6 +25,8 @@ let
blueshellKeys = [ blue-shell-host ];
undergroundKeys = [ underground-host ];
garageKeys = [
trinkgenossin-host
delite-host
@ -62,9 +65,12 @@ in
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
"underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
@ -84,7 +90,7 @@ in
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
"grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;

BIN
secrets/underground-matrix-authentication-service-secret-config.yml.age Normal file
View file

Binary file not shown.

BIN
secrets/underground-matrix-synapse-secret-config.yaml.age Normal file
View file

Binary file not shown.

10
terraform/dns.tf
View file

@ -337,6 +337,16 @@ resource "namecheap_domain_records" "pub-solar" {
type = "A"
address = "80.244.242.3"
}
record {
hostname = "test"
type = "CNAME"
address = "underground.pub.solar."
}
record {
hostname = "mas.test"
type = "CNAME"
address = "underground.pub.solar."
}
record {
hostname = "matrix.test"
type = "CNAME"