diff --git a/flake.lock b/flake.lock index 2eaeddc..8c96268 100644 --- a/flake.lock +++ b/flake.lock @@ -236,11 +236,11 @@ }, "fork": { "locked": { - "lastModified": 1729895651, - "narHash": "sha256-jsDi++W3uhb2lxYU257H4zXVgC6lbJ1hbI4vqqag6lE=", + "lastModified": 1729963002, + "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=", "owner": "teutat3s", "repo": "nixpkgs", - "rev": "e60ba9494f5783468e1aab1a490cf764a24ca0c0", + "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6", "type": "github" }, "original": { diff --git a/hosts/default.nix b/hosts/default.nix index ae1cde5..e7a8f2e 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -198,7 +198,6 @@ self.nixosModules.postgresql self.nixosModules.matrix self.nixosModules.matrix-irc - self.nixosModules.matrix-telegram self.nixosModules.nginx self.nixosModules.nginx-matrix ]; diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index c226ed0..eb7e657 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -48,6 +48,7 @@ owner = "root"; }; + # keycloak age.secrets.keycloak-database-password = { file = "${flake.self}/secrets/keycloak-database-password.age"; mode = "600"; @@ -59,6 +60,50 @@ database-password-file = config.age.secrets.keycloak-database-password.path; }; + # matrix-synapse + age.secrets."nachtigall-matrix-synapse-signing-key" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-signing-key.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."nachtigall-matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-secret-config.yaml.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."nachtigall-matrix-synapse-sliding-sync-secret" = { + file = "${flake.self}/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + + pub-solar-os.matrix-synapse = { + enable = true; + signing_key_path = config.age.secrets."nachtigall-matrix-synapse-signing-key".path; + extra-config-files = [ + config.age.secrets."nachtigall-matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + "/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-appservice-irc/registration.yml" + # "/matrix-appservice-slack-registration.yaml" + # "/hookshot-registration.yml" + # "/matrix-mautrix-signal-registration.yaml" + # "/matrix-mautrix-telegram-registration.yaml" + ]; + }; + systemd.services.postgresql = { after = [ "var-lib-postgresql.mount" ]; requisite = [ "var-lib-postgresql.mount" ]; diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index fca294f..b53f5dd 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix @@ -15,73 +15,61 @@ systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]; + # keycloak pub-solar-os.auth = { enable = true; database-password-file = "/tmp/dbf"; }; services.keycloak.database.createLocally = true; + # matrix-synapse + # test.pub.solar /.well-known is required for federation + services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = { + default = true; + enableACME = true; + forceSSL = true; + }; + + age.secrets."underground-matrix-synapse-secret-config.yaml" = { + file = "${flake.self}/secrets/underground-matrix-synapse-secret-config.yaml.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + age.secrets."underground-matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/underground-matrix-authentication-service-secret-config.yml.age"; + mode = "400"; + owner = "matrix-authentication-service"; + }; + + pub-solar-os.matrix-synapse = { + enable = true; + extra-config-files = [ + config.age.secrets."underground-matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-appservice-irc/registration.yml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + }; + services.matrix-authentication-service = { enable = true; createDatabase = true; - extraConfigFiles = [(pkgs.writeText "mas-extra-config.yml" '' -secrets: - encryption: 85c39ce195bd01d17b583687edf20ae09eede66f4ce043f15afc2afa719249c9 - keys: - - kid: LYeYXYzVil - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEA1l1iXIE9yFksgKmJ58hk9oj7UQ4iX5HX9Ll/EUDCRu+fuPuB - kYnski19RNoVIWQt3f8HYTeQLF1vhvj9AKFw+F0jklkC8/YrHzNPiB7LS08X4+K8 - 1DW+YI7EY0u0iB+uaChHvK8zYrk+qRmH0OGR7LdXRNqM75xMglkcnMagFbc/3ipO - 47SgHFaUGkM62epeQPIsJq6BicxCyH/LhoccUtnj5+EOAF+eo8QPRj+ISfDdCebS - L7iYnpECFggVlexgbVRfeFtxDfHu5hpxjKwbTKYjDLMrZwlI0js4ZN9qchREAJ21 - km4Xq4bqP+Pf0QiaEjeoqF/ZMmCFYY2gT3DSUQIDAQABAoIBAHLwd4EqOzplthr2 - zN7e8GPQZxC7B2s/BBBQNfXGR2VJrta85GhpD9QBWB3G4XWaBY325LoX1NI090vj - zaS865oANsaNu6ub3ttH4+kUueSTcDfcp2sRthaH9n1XZmFmu1lV38EoH+FbemGp - Ms2pZVkLpVth5BfGMq/hoBnf1o5NTACSHd2InQnUQAbY16NvYZiY37hI3LllyIPI - z7hBvFcRf2JD3Bn7nmV+lTBOtcYA5f6ZrO0V2Ah75AGb6QAUSWgV9edqXkp6OmAV - jcVqfVsPwoPRpaarQ4M1lcvhYgwBKuUXFtcNPqqNk9ldYuYy/UW4E+psRrXkwvs2 - 50TB78ECgYEA3nx7XBZhYrvUEqLUYeIRhnRGoY0/snyjAMibl6NoJZLpyrk+b70x - Dh1k6LY9RwLfxRHDqnnHy9YY5Iu9QBTBYud8dD0JNOUUC8QWYV1G7AYLS9oe8kM5 - z4aWhgNR3a9DidPQtv2SyK+1ZmGhB80T7nDlsK17fjjTUnj7lMhgnbUCgYEA9qe4 - zzHfCZsDwoPPuMuAkZIjRxnwReY9fyAGGMdW4VrOgrOyVj4dDF0/R8p3LlS+TiUw - 6bVlWqbP+H3Zkx9VaH7EUmiTFulshi/MxSBizdj4SHDhYHK+4H5PkeDusMTGAvOk - QaXB8ZbulHT3mdUc8lHucRHw2TIs8O8zaFBMo60CgYEAyCsxBYnxNlaNF/M9p48w - e0qT3XdqjphKQ0M5kXVoFx4Vj9mYTgnmX6+cgS6s9P2l+/TemLsWQdMu9DixHT1P - PD/OnfnoFZngrjFOfWzhiSpq8WSeIRLQqWCKfqnv9sZfulpC1tBPRpWnXCSML6uX - uhgC3zFGASr5HaNRneul2V0CgYBbkYSQlwkgPcY1jk2tYw9F+6TRHpYOvR0TdsYM - qOReISINb7zDO6f5ER0O/+Ei+B72T+RKvybzcn4+2CnP7o/8jSNBHMWOefXqExDI - Fe/YT7ZM3mstLSwjl4DevUyfn02LhvvxyyGnGMtVnd7V40Ity7DjlS9+0pvQjlzd - WwI4uQKBgQDQA3JSEl95T2nYmmlvX8a5rSNSSK/d6GRDvaNFAk659Jf3X2aYpHFM - TRO5t2EDIrBCpgBG2Tj9yOnm9Zht/T+783ziQ/6p2q1QX7Lfr6MiwnND4Cw0ZvYL - 9xDiujZMtAEaEiz0a6pfHn/EfTA6Qvw/KYFmtXFGa+KuOwX4KgFlwQ== - -----END RSA PRIVATE KEY----- - - kid: cdMTgbM9rx - key: | - -----BEGIN EC PRIVATE KEY----- - MHcCAQEEIOlSK0D4WKNjPrfxojWNJSoFzYJ7TUNC4qVv0C3b+LSioAoGCCqGSM49 - AwEHoUQDQgAE0lqYrp1gpDmCZASZ1L7Y5r0Kk9kbv6Qjn8FXzP4ujnFN8tFkHsun - MqmeW3j5Qmtw24gcEU1IPW6QwMz/ozosWQ== - -----END EC PRIVATE KEY----- - - kid: Hb1P9OK0rc - key: | - -----BEGIN EC PRIVATE KEY----- - MIGkAgEBBDAuDEN6zp1bBf2R3bBEKn8yGKlkV8jfNe1lZ1yvfsVWBPbVBoxJcEWG - krR1vBYdtjSgBwYFK4EEACKhZANiAAThozHhNOUZcybKe7W9K5zVZIXgmM3Fze/e - s6bHLpwPR1EEYNARPW7aLPPjf4d+iPXW5y6J0KCKvaXWvFAM9eL6a8X/W93VZmgO - 8A9QN/PWOUz2ZOsp1xLWvgmZl4zHYNw= - -----END EC PRIVATE KEY----- - - kid: NpIOF10t5M - key: | - -----BEGIN EC PRIVATE KEY----- - MHQCAQEEIP3Vit8kpPw+JxnPLviS7+bM1EAJquG+0HFN6MT4Q1eDoAcGBSuBBAAK - oUQDQgAE2rnrYryxmN3RAgwh9JqrS7/cft592o9dG6C7sUloIpYcZVmZsVGpOUzB - UMyVVDVWwkAdxfASbDGu4yiSwy9uEw== - -----END EC PRIVATE KEY----- - - '')]; + extraConfigFiles = [ + config.age.secrets."underground-matrix-authentication-service-secret-config.yml".path + ]; settings = { + http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; + http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; http.listeners = [ { name = "web"; @@ -109,43 +97,7 @@ secrets: proxy_protocol = false; } ]; - clients = [ { - client_id = "0000000000000000000SYNAPSE"; - client_auth_method = "client_secret_basic"; - client_secret = "unsecure123"; - } ]; - matrix = { - homeserver = config.services.matrix-synapse.settings.server_name; - secret = "unsecure123"; - endpoint = "https://localhost:8448"; - }; - upstream_oauth2 = { - providers = [ - { - id = "01H8PKNWKKRPCBW4YGH1RWV279"; - issuer = "https:///realms/"; - token_endpoint_auth_method = "client_secret_basic"; - client_id = "matrix-authentication-service"; - client_secret = ""; - scope = "openid profile email"; - claims_imports = { - localpart = { - action = "require"; - template = "{{ user.preferred_username }}"; - }; - displayname = { - action = "suggest"; - template = "{{ user.name }}"; - }; - email = { - action = "suggest"; - template = "{{ user.email }}"; - set_email_verification = "always"; - }; - }; - } - ]; - }; + passwords.enabled = false; }; }; diff --git a/modules/coturn/default.nix b/modules/coturn/default.nix index d8635aa..a7d3e86 100644 --- a/modules/coturn/default.nix +++ b/modules/coturn/default.nix @@ -5,8 +5,8 @@ ... }: { - age.secrets."coturn-static-auth-secret" = { - file = "${flake.self}/secrets/coturn-static-auth-secret.age"; + age.secrets."nachtigall-coturn-static-auth-secret" = { + file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age"; mode = "400"; owner = "turnserver"; }; @@ -18,7 +18,7 @@ min-port = 49000; max-port = 50000; use-auth-secret = true; - static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; + static-auth-secret-file = "/run/agenix/nachtigall-coturn-static-auth-secret"; realm = "turn.${config.pub-solar-os.networking.domain}"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix index f64d25c..02217d2 100644 --- a/modules/matrix-irc/default.nix +++ b/modules/matrix-irc/default.nix @@ -16,11 +16,6 @@ let synapseClientPort = "${toString listenerWithClient.port}"; in { - systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [ - "@system-service @pkey" - "~@privileged @resources" - "@chown" - ]; services.matrix-appservice-irc = { enable = true; localpart = "irc_bot"; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 6cffd5e..d8518d3 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -1,6 +1,7 @@ { flake, config, + lib, pkgs, ... }: @@ -9,302 +10,291 @@ let serverDomain = "${config.pub-solar-os.networking.domain}"; in { - age.secrets."matrix-synapse-signing-key" = { - file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; - mode = "400"; - owner = "matrix-synapse"; + options.pub-solar-os.matrix-synapse = { + enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; + + app-service-config-files = lib.mkOption { + description = "List of app service config files"; + type = lib.types.listOf lib.types.str; + default = []; + }; + + extra-config-files = lib.mkOption { + description = "List of extra synapse config files"; + type = lib.types.listOf lib.types.str; + default = []; + }; + + signing_key_path = lib.mkOption { + description = "Path to file containing the signing key"; + type = lib.types.str; + default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; + }; }; - age.secrets."matrix-synapse-secret-config.yaml" = { - file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - - age.secrets."matrix-synapse-sliding-sync-secret" = { - file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - - services.matrix-synapse = { - enable = true; - settings = { - server_name = serverDomain; - public_baseurl = "https://${publicDomain}/"; - database = { - name = "psycopg2"; - args = { - host = "/run/postgresql"; - cp_max = 10; - cp_min = 5; - database = "matrix"; + config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { + services.matrix-synapse = { + enable = true; + settings = { + server_name = serverDomain; + public_baseurl = "https://${publicDomain}/"; + database = { + name = "psycopg2"; + args = { + host = "/run/postgresql"; + cp_max = 10; + cp_min = 5; + database = "matrix"; + }; + allow_unsafe_locale = false; + txn_limit = 0; }; - allow_unsafe_locale = false; - txn_limit = 0; - }; - listeners = [ - { - bind_addresses = [ "127.0.0.1" ]; - port = 8008; - resources = [ - { - compress = true; - names = [ "client" ]; - } - { - compress = false; - names = [ "federation" ]; - } - ]; - tls = false; - type = "http"; - x_forwarded = true; - } - { - bind_addresses = [ "127.0.0.1" ]; - port = 8012; - resources = [ { names = [ "metrics" ]; } ]; - tls = false; - type = "metrics"; - } - ]; + listeners = [ + { + bind_addresses = [ "127.0.0.1" ]; + port = 8008; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { + compress = false; + names = [ "federation" ]; + } + ]; + tls = false; + type = "http"; + x_forwarded = true; + } + { + bind_addresses = [ "127.0.0.1" ]; + port = 8012; + resources = [ { names = [ "metrics" ]; } ]; + tls = false; + type = "metrics"; + } + ]; - account_threepid_delegates.msisdn = ""; - alias_creation_rules = [ - { - action = "allow"; - alias = "*"; - room_id = "*"; - user_id = "*"; - } - ]; - allow_guest_access = false; - allow_public_rooms_over_federation = true; - allow_public_rooms_without_auth = false; - auto_join_rooms = [ - "#community:${serverDomain}" - "#general:${serverDomain}" - ]; + account_threepid_delegates.msisdn = ""; + alias_creation_rules = [ + { + action = "allow"; + alias = "*"; + room_id = "*"; + user_id = "*"; + } + ]; + allow_guest_access = false; + allow_public_rooms_over_federation = true; + allow_public_rooms_without_auth = false; + auto_join_rooms = [ + "#community:${serverDomain}" + "#general:${serverDomain}" + ]; - autocreate_auto_join_rooms = true; - caches.global_factor = 0.5; + autocreate_auto_join_rooms = true; + caches.global_factor = 0.5; - default_room_version = "10"; - disable_msisdn_registration = true; - enable_media_repo = true; - enable_metrics = true; - mau_stats_only = true; - enable_registration = false; - enable_registration_captcha = false; - enable_registration_without_verification = false; - enable_room_list_search = true; - encryption_enabled_by_default_for_room_type = "off"; - event_cache_size = "100K"; - federation_rr_transactions_per_room_per_second = 50; - federation_client_minimum_tls_version = "1.2"; - forget_rooms_on_leave = true; - include_profile_data_on_invite = true; - instance_map = { }; - limit_profile_requests_to_users_who_share_rooms = false; + default_room_version = "10"; + disable_msisdn_registration = true; + enable_media_repo = true; + enable_metrics = true; + mau_stats_only = true; + enable_registration = false; + enable_registration_captcha = false; + enable_registration_without_verification = false; + enable_room_list_search = true; + encryption_enabled_by_default_for_room_type = "off"; + event_cache_size = "100K"; + federation_rr_transactions_per_room_per_second = 50; + federation_client_minimum_tls_version = "1.2"; + forget_rooms_on_leave = true; + include_profile_data_on_invite = true; + instance_map = { }; + limit_profile_requests_to_users_who_share_rooms = false; - max_spider_size = "10M"; - max_upload_size = "50M"; - media_storage_providers = [ ]; + max_spider_size = "10M"; + max_upload_size = "50M"; + media_storage_providers = [ ]; - password_config = { - enabled = false; - localdb_enabled = false; - pepper = ""; - }; + password_config = { + enabled = false; + localdb_enabled = false; + pepper = ""; + }; - presence.enabled = true; - push.include_content = false; + presence.enabled = true; + push.include_content = false; - rc_admin_redaction = { - burst_count = 50; - per_second = 1; - }; - rc_federation = { - concurrent = 3; - reject_limit = 50; - sleep_delay = 500; - sleep_limit = 10; - window_size = 1000; - }; - rc_invites = { - per_issuer = { + rc_admin_redaction = { + burst_count = 50; + per_second = 1; + }; + rc_federation = { + concurrent = 3; + reject_limit = 50; + sleep_delay = 500; + sleep_limit = 10; + window_size = 1000; + }; + rc_invites = { + per_issuer = { + burst_count = 10; + per_second = 0.3; + }; + per_room = { + burst_count = 10; + per_second = 0.3; + }; + per_user = { + burst_count = 5; + per_second = 3.0e-3; + }; + }; + rc_joins = { + local = { + burst_count = 10; + per_second = 0.1; + }; + remote = { + burst_count = 10; + per_second = 1.0e-2; + }; + }; + rc_login = { + account = { + burst_count = 3; + per_second = 0.17; + }; + address = { + burst_count = 3; + per_second = 0.17; + }; + failed_attempts = { + burst_count = 3; + per_second = 0.17; + }; + }; + rc_message = { burst_count = 10; - per_second = 0.3; + per_second = 0.2; }; - per_room = { - burst_count = 10; - per_second = 0.3; - }; - per_user = { - burst_count = 5; - per_second = 3.0e-3; - }; - }; - rc_joins = { - local = { - burst_count = 10; - per_second = 0.1; - }; - remote = { - burst_count = 10; - per_second = 1.0e-2; - }; - }; - rc_login = { - account = { + rc_registration = { burst_count = 3; per_second = 0.17; }; - address = { - burst_count = 3; - per_second = 0.17; - }; - failed_attempts = { - burst_count = 3; - per_second = 0.17; + redaction_retention_period = "7d"; + forgotten_room_retention_period = "7d"; + redis.enabled = false; + registration_requires_token = false; + registrations_require_3pid = [ "email" ]; + report_stats = false; + require_auth_for_profile_requests = false; + room_list_publication_rules = [ + { + action = "allow"; + alias = "*"; + room_id = "*"; + user_id = "*"; + } + ]; + + signing_key_path = config.pub-solar-os.matrix-synapse.signing_key_path; + + stream_writers = { }; + trusted_key_servers = [ { server_name = "matrix.org"; } ]; + suppress_key_server_warning = true; + + turn_allow_guests = false; + turn_uris = [ + "turn:${config.services.coturn.realm}:3478?transport=udp" + "turn:${config.services.coturn.realm}:3478?transport=tcp" + ]; + turn_user_lifetime = "1h"; + + url_preview_accept_language = [ + "en-US" + "en" + ]; + url_preview_enabled = true; + url_preview_ip_range_blacklist = [ + "127.0.0.0/8" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "100.64.0.0/10" + "192.0.0.0/24" + "169.254.0.0/16" + "192.88.99.0/24" + "198.18.0.0/15" + "192.0.2.0/24" + "198.51.100.0/24" + "203.0.113.0/24" + "224.0.0.0/4" + "::1/128" + "fe80::/10" + "fc00::/7" + "2001:db8::/32" + "ff00::/8" + "fec0::/10" + ]; + + user_directory = { + prefer_local_users = false; + search_all_users = false; }; + user_ips_max_age = "28d"; + + app_service_config_files = config.pub-solar-os.matrix-synapse.app-service-config-files; }; - rc_message = { - burst_count = 10; - per_second = 0.2; - }; - rc_registration = { - burst_count = 3; - per_second = 0.17; - }; - redaction_retention_period = "7d"; - forgotten_room_retention_period = "7d"; - redis.enabled = false; - registration_requires_token = false; - registrations_require_3pid = [ "email" ]; - report_stats = false; - require_auth_for_profile_requests = false; - room_list_publication_rules = [ - { - action = "allow"; - alias = "*"; - room_id = "*"; - user_id = "*"; - } + + withJemalloc = true; + + extraConfigFiles = config.pub-solar-os.matrix-synapse.extra-config-files; + + extras = [ + "oidc" + "redis" ]; - signing_key_path = "/run/agenix/matrix-synapse-signing-key"; - - stream_writers = { }; - trusted_key_servers = [ { server_name = "matrix.org"; } ]; - suppress_key_server_warning = true; - - turn_allow_guests = false; - turn_uris = [ - "turn:${config.services.coturn.realm}:3478?transport=udp" - "turn:${config.services.coturn.realm}:3478?transport=tcp" - ]; - turn_user_lifetime = "1h"; - - url_preview_accept_language = [ - "en-US" - "en" - ]; - url_preview_enabled = true; - url_preview_ip_range_blacklist = [ - "127.0.0.0/8" - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - "100.64.0.0/10" - "192.0.0.0/24" - "169.254.0.0/16" - "192.88.99.0/24" - "198.18.0.0/15" - "192.0.2.0/24" - "198.51.100.0/24" - "203.0.113.0/24" - "224.0.0.0/4" - "::1/128" - "fe80::/10" - "fc00::/7" - "2001:db8::/32" - "ff00::/8" - "fec0::/10" - ]; - - user_directory = { - prefer_local_users = false; - search_all_users = false; - }; - user_ips_max_age = "28d"; - - app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-appservice-irc/registration.yml" - # "/matrix-appservice-slack-registration.yaml" - # "/hookshot-registration.yml" - # "/matrix-mautrix-signal-registration.yaml" - # "/matrix-mautrix-telegram-registration.yaml" - ]; + plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; - withJemalloc = true; + #services.matrix-sliding-sync = { + # enable = true; + # settings = { + # SYNCV3_SERVER = "https://${publicDomain}"; + # SYNCV3_BINDADDR = "127.0.0.1:8011"; + # # The bind addr for Prometheus metrics, which will be accessible at + # # /metrics at this address + # SYNCV3_PROM = "127.0.0.1:9100"; + # }; + # environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; + #}; - extraConfigFiles = [ - "/run/agenix/matrix-synapse-secret-config.yaml" - - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - "/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - - extras = [ - "oidc" - "redis" - ]; - - plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; - }; - - services.matrix-sliding-sync = { - enable = true; - settings = { - SYNCV3_SERVER = "https://${publicDomain}"; - SYNCV3_BINDADDR = "127.0.0.1:8011"; - # The bind addr for Prometheus metrics, which will be accessible at - # /metrics at this address - SYNCV3_PROM = "127.0.0.1:9100"; + pub-solar-os.backups.restic.matrix-synapse = { + paths = [ + "/var/lib/matrix-synapse" + "/var/lib/matrix-appservice-irc" + "/var/lib/mautrix-telegram" + "/tmp/matrix-synapse-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 05:00:00 Etc/UTC"; + }; + initialize = true; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/matrix-synapse-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; }; - environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; - }; - - pub-solar-os.backups.restic.keycloak = { - paths = [ - "/var/lib/matrix-synapse" - "/var/lib/matrix-appservice-irc" - "/var/lib/mautrix-telegram" - "/tmp/matrix-synapse-backup.sql" - ]; - timerConfig = { - OnCalendar = "*-*-* 05:00:00 Etc/UTC"; - }; - initialize = true; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql - ''; - backupCleanupCommand = '' - rm /tmp/matrix-synapse-backup.sql - ''; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; }; } diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix index 0e236dc..603de36 100644 --- a/modules/nginx-matrix/default.nix +++ b/modules/nginx-matrix/default.nix @@ -10,11 +10,14 @@ let add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-XSS-Protection "1; mode=block"; ''; - clientConfig = import ./element-client-config.nix { inherit lib pkgs; }; + clientConfig = import ./element-client-config.nix { inherit config lib pkgs; }; wellKnownClient = domain: { "m.homeserver".base_url = "https://matrix.${domain}"; "m.identity_server".base_url = "https://matrix.${domain}"; - "org.matrix.msc3575.proxy".url = "https://matrix.${domain}"; + "org.matrix.msc2965.authentication" = { + issuer = "https://mas.${domain}/"; + account = "https://mas.${domain}/account"; + }; "im.vector.riot.e2ee".default = true; "io.element.e2ee" = { default = true; @@ -85,6 +88,27 @@ in root = pkgs.element-stickerpicker; }; + "mas.${config.pub-solar-os.networking.domain}" = { + root = "/dev/null"; + + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8090"; + + extraConfig = '' + ${commonHeaders} + proxy_http_version 1.1; + + # Forward the client IP address + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; + "matrix.${config.pub-solar-os.networking.domain}" = { root = "/dev/null"; @@ -99,28 +123,41 @@ in locations = { # For telegram "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { + priority = 100; proxyPass = "http://127.0.0.1:8009"; extraConfig = commonHeaders; }; - # sliding-sync - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8011"; - extraConfig = commonHeaders; + # Forward to the auth service + "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { + priority = 100; + proxyPass = "http://127.0.0.1:8090"; + + extraConfig = '' + ${commonHeaders} + proxy_http_version 1.1; + + # Forward the client IP address + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; }; - "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = { + # Forward to Synapse + # as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx + "~ ^(/_matrix|/_synapse/client)" = { + priority = 200; proxyPass = "http://127.0.0.1:8008"; extraConfig = '' ${commonHeaders} + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; client_body_buffer_size 25M; client_max_body_size 50M; proxy_max_temp_file_size 0; + proxy_http_version 1.1; ''; }; }; diff --git a/modules/nginx-matrix/element-client-config.nix b/modules/nginx-matrix/element-client-config.nix index b3eaf9b..617d3bc 100644 --- a/modules/nginx-matrix/element-client-config.nix +++ b/modules/nginx-matrix/element-client-config.nix @@ -1,9 +1,9 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: { default_server_config = { "m.homeserver" = { - base_url = "https://matrix.pub.solar"; - server_name = "pub.solar"; + base_url = "https://matrix.${config.pub-solar-os.networking.domain}"; + server_name = "${config.pub-solar-os.networking.domain}"; }; "m.identity_server" = { base_url = ""; diff --git a/secrets/coturn-static-auth-secret.age b/secrets/nachtigall-coturn-static-auth-secret.age similarity index 100% rename from secrets/coturn-static-auth-secret.age rename to secrets/nachtigall-coturn-static-auth-secret.age diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/nachtigall-matrix-synapse-secret-config.yaml.age similarity index 100% rename from secrets/matrix-synapse-secret-config.yaml.age rename to secrets/nachtigall-matrix-synapse-secret-config.yaml.age diff --git a/secrets/matrix-synapse-signing-key.age b/secrets/nachtigall-matrix-synapse-signing-key.age similarity index 100% rename from secrets/matrix-synapse-signing-key.age rename to secrets/nachtigall-matrix-synapse-signing-key.age diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/nachtigall-matrix-synapse-sliding-sync-secret.age similarity index 100% rename from secrets/matrix-synapse-sliding-sync-secret.age rename to secrets/nachtigall-matrix-synapse-sliding-sync-secret.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 999cec9..402fc79 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,6 +7,7 @@ let trinkgenossin-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZXRDpom/LtyoCxvRuoONARKxIT6wNUwEyUjzHRE7DG root@trinkgenossin"; delite-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKo7zlfQhcJ5/okFTOoOstZtmEL1iNlHxQ4q2baEcWT root@delite"; blue-shell-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9g9X0a/MaVtbh44IeLxcq+McuYec0GYAdLsseBpk5f root@blue-shell"; + underground-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGF3PtA89yhVkmN7aJI6gqXK8DW9L7kI71IgiK4TAEwI root@underground"; adminKeys = builtins.foldl' ( keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys) @@ -24,6 +25,8 @@ let blueshellKeys = [ blue-shell-host ]; + undergroundKeys = [ underground-host ]; + garageKeys = [ trinkgenossin-host delite-host @@ -62,9 +65,12 @@ in "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + + "underground-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; + "underground-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; @@ -84,7 +90,7 @@ in "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys; "grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys; diff --git a/secrets/underground-matrix-authentication-service-secret-config.yml.age b/secrets/underground-matrix-authentication-service-secret-config.yml.age new file mode 100644 index 0000000..eaab469 Binary files /dev/null and b/secrets/underground-matrix-authentication-service-secret-config.yml.age differ diff --git a/secrets/underground-matrix-synapse-secret-config.yaml.age b/secrets/underground-matrix-synapse-secret-config.yaml.age new file mode 100644 index 0000000..54154b9 Binary files /dev/null and b/secrets/underground-matrix-synapse-secret-config.yaml.age differ diff --git a/terraform/dns.tf b/terraform/dns.tf index b52e366..5372c39 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -337,6 +337,16 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "80.244.242.3" } + record { + hostname = "test" + type = "CNAME" + address = "underground.pub.solar." + } + record { + hostname = "mas.test" + type = "CNAME" + address = "underground.pub.solar." + } record { hostname = "matrix.test" type = "CNAME"