diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index dac4fc6..8bfba8d 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -82,28 +82,39 @@ owner = "matrix-synapse"; }; - pub-solar-os.matrix-synapse = { - enable = true; - sliding-sync.enable = true; - signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; - extra-config-files = [ - config.age.secrets."matrix-synapse-secret-config.yaml".path + age.secrets."matrix-authentication-service-secret-config.yml" = { + file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; + mode = "400"; + owner = "matrix-authentication-service"; + }; - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - "/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-appservice-irc/registration.yml" - # "/matrix-appservice-slack-registration.yaml" - # "/hookshot-registration.yml" - # "/matrix-mautrix-signal-registration.yaml" - # "/matrix-mautrix-telegram-registration.yaml" + pub-solar-os.matrix = { + enable = true; + synapse = { + sliding-sync.enable = true; + signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; + extra-config-files = [ + config.age.secrets."matrix-synapse-secret-config.yaml".path + + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + "/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-appservice-irc/registration.yml" + # "/matrix-appservice-slack-registration.yaml" + # "/hookshot-registration.yml" + # "/matrix-mautrix-signal-registration.yaml" + # "/matrix-mautrix-telegram-registration.yaml" + ]; + }; + matrix-authentication-service.extra-config-files = [ + config.age.secrets."matrix-authentication-service-secret-config.yml".path ]; }; diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 9a69c4f..100759a 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -9,10 +9,12 @@ ./networking.nix ./wireguard.nix ./backups.nix + "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix" ]; disabledModules = [ + "services/matrix/matrix-authentication-service.nix " "services/web-apps/mastodon.nix" ]; } diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index 74b1d79..ff1c809 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix @@ -42,72 +42,28 @@ owner = "matrix-authentication-service"; }; - pub-solar-os.matrix-synapse = { + pub-solar-os.matrix = { enable = true; - extra-config-files = [ - config.age.secrets."staging-matrix-synapse-secret-config.yaml".path + synapse = { + extra-config-files = [ + config.age.secrets."staging-matrix-synapse-secret-config.yaml".path - # The registration file is automatically generated after starting the - # appservice for the first time. - # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ - # /var/lib/matrix-synapse/ - # chown matrix-synapse:matrix-synapse \ - # /var/lib/matrix-synapse/telegram-registration.yaml - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - app-service-config-files = [ - "/var/lib/matrix-appservice-irc/registration.yml" - #"/var/lib/matrix-synapse/telegram-registration.yaml" - ]; - }; - - services.matrix-authentication-service = { - enable = true; - createDatabase = true; - extraConfigFiles = [ + # The registration file is automatically generated after starting the + # appservice for the first time. + # cp /var/lib/mautrix-telegram/telegram-registration.yaml \ + # /var/lib/matrix-synapse/ + # chown matrix-synapse:matrix-synapse \ + # /var/lib/matrix-synapse/telegram-registration.yaml + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + app-service-config-files = [ + "/var/lib/matrix-appservice-irc/registration.yml" + #"/var/lib/matrix-synapse/telegram-registration.yaml" + ]; + }; + matrix-authentication-service.extra-config-files = [ config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path ]; - settings = { - http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; - http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; - http.listeners = [ - { - name = "web"; - resources = [ - { name = "discovery"; } - { name = "human"; } - { name = "oauth"; } - { name = "compat"; } - { name = "graphql"; } - { - name = "assets"; - path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; - } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8090; - } - ]; - proxy_protocol = false; - } - { - name = "internal"; - resources = [ - { name = "health"; } - ]; - binds = [ - { - host = "0.0.0.0"; - port = 8081; - } - ]; - proxy_protocol = false; - } - ]; - passwords.enabled = false; - }; }; services.openssh.openFirewall = true; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 1d95597..0f6963c 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -10,33 +10,46 @@ let serverDomain = "${config.pub-solar-os.networking.domain}"; in { - options.pub-solar-os.matrix-synapse = { - enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; + options.pub-solar-os = { + matrix = { + enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node"; - app-service-config-files = lib.mkOption { - description = "List of app service config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + synapse = { + app-service-config-files = lib.mkOption { + description = "List of app service config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - extra-config-files = lib.mkOption { - description = "List of extra synapse config files"; - type = lib.types.listOf lib.types.str; - default = [ ]; - }; + extra-config-files = lib.mkOption { + description = "List of extra synapse config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; - signing_key_path = lib.mkOption { - description = "Path to file containing the signing key"; - type = lib.types.str; - default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; - }; - sliding-sync.enable = lib.mkEnableOption { - description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; - default = false; + signing_key_path = lib.mkOption { + description = "Path to file containing the signing key"; + type = lib.types.str; + default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; + }; + + sliding-sync.enable = lib.mkEnableOption { + description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; + default = false; + }; + }; + + matrix-authentication-service = { + extra-config-files = lib.mkOption { + description = "List of extra mas config files"; + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; }; }; - config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { + config = lib.mkIf config.pub-solar-os.matrix.enable { services.matrix-synapse = { enable = true; settings = { @@ -265,6 +278,54 @@ in plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; }; + services.matrix-authentication-service = { + enable = true; + createDatabase = true; + extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files; + + settings = { + http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; + http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; + http.listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { + name = "assets"; + path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets"; + } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8090; + } + ]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [ + { name = "health"; } + ]; + binds = [ + { + host = "0.0.0.0"; + port = 8081; + } + ]; + proxy_protocol = false; + } + ]; + passwords.enabled = false; + }; + }; + services.matrix-sliding-sync = { enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; settings = { diff --git a/secrets/matrix-authentication-service-secret-config.yml.age b/secrets/matrix-authentication-service-secret-config.yml.age new file mode 100644 index 0000000..50cd3f2 Binary files /dev/null and b/secrets/matrix-authentication-service-secret-config.yml.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6eaede2..88a632a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -68,6 +68,7 @@ in "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =