Merge pull request 'Production config for matrix' (#72) from feat/matrix-prod into main

Reviewed-on: #72 Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>
2023-11-28 12:58:54 +00:00 · 2023-11-28 12:58:54 +00:00 · ad2eb1fa16
parent 6d39ccc6d4 2cbc46c154
commit ad2eb1fa16
11 changed files with 171 additions and 57 deletions
--- a/hosts/nachtigall/apps/coturn.nix
+++ b/hosts/nachtigall/apps/coturn.nix
@ -0,0 +1,94 @@
+{flake, config, lib, ...}:
+{
+  age.secrets."coturn-static-auth-secret" = {
+    file = "${flake.self}/secrets/coturn-static-auth-secret.age";
+    mode = "400";
+    owner = "turnserver";
+  };
+
+  services.coturn = rec {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
+    realm = "turn.pub.solar";
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig =
+      let
+        externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
+        externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
+      in ''
+      ${externalIPv4s}
+      ${externalIPv6s}
+
+      no-tlsv1
+      no-tlsv1_1
+
+      no-rfc5780
+      response-origin-only-with-rfc5780
+
+      prod
+
+      no-stun-backward-compatibility
+
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+
+  };
+
+  networking.firewall = {
+    interfaces.enp35s0 = let
+      range = with config.services.coturn; [ {
+        from = min-port;
+        to = max-port;
+      } ];
+    in
+      {
+        allowedUDPPortRanges = range;
+        allowedUDPPorts = [ 3478 5349 ];
+        allowedTCPPortRanges = [ ];
+        allowedTCPPorts = [ 3478 5349 ];
+      };
+  };
+
+  # get a certificate
+  security.acme.certs.${config.services.coturn.realm} = {
+    /* insert here the right configuration to obtain a certificate */
+    postRun = "systemctl restart coturn.service";
+    group = "turnserver";
+  };
+  services.nginx.virtualHosts.${config.services.coturn.realm} = {
+    enableACME = true;
+    addSSL = true;
+    globalRedirect = "pub.solar";
+  };
+
+  users.users.nginx.extraGroups = [ "turnserver" ];
+}
--- a/hosts/nachtigall/apps/matrix/element-client-config.nix
+++ b/hosts/nachtigall/apps/matrix/element-client-config.nix
@ -1,8 +1,8 @@
 { pkgs, lib, ... }: {
 	default_server_config = {
 		"m.homeserver" = {
-			base_url = "https://matrix.test.pub.solar";
-			server_name = "test.pub.solar";
+			base_url = "https://matrix.pub.solar";
+			server_name = "pub.solar";
 		};
 		"m.identity_server" = {
 			base_url = "";
--- a/hosts/nachtigall/apps/matrix/irc.nix
+++ b/hosts/nachtigall/apps/matrix/irc.nix
@ -8,9 +8,9 @@
    settings = {
      homeserver = {
        # TODO: Use the port from synapse config
-        domain = "test.pub.solar";
+        domain = "pub.solar";
        url = "http://127.0.0.1:8008";
-        media_url = "https://matrix.test.pub.solar";
+        media_url = "https://matrix.pub.solar";
        enablePresence = false;
      };
      ircService = {
--- a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix
+++ b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix
@ -13,7 +13,7 @@
      homeserver = {
        # TODO: Use the port from synapse config
        address = "http://127.0.0.1:8008";
-        domain = "test.pub.solar";
+        domain = "pub.solar";
        verify_ssl = true;
      };
      appservice = {
@ -34,7 +34,7 @@
        };
        public = {
          enabled = true;
-          external = "https://matrix.test.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
+          external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
          prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
        };
      };
@ -140,7 +140,7 @@
        username_template = "telegram_{userid}";

        permissions = {
-          "test.pub.solar" = "full";
+          "pub.solar" = "full";
        };
      };

--- a/hosts/nachtigall/apps/matrix/synapse.nix
+++ b/hosts/nachtigall/apps/matrix/synapse.nix
@ -1,7 +1,7 @@
 { flake, config, pkgs, ... }:
 let
-  publicDomain  = "matrix.test.pub.solar";
-  serverDomain = "test.pub.solar";
+  publicDomain  = "matrix.pub.solar";
+  serverDomain = "pub.solar";
 in {
  age.secrets."matrix-synapse-signing-key" = {
    file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
@ -19,7 +19,7 @@ in {
    enable = true;
    settings = {
      server_name = serverDomain;
-      public_baseurl = "https://matrix.test.pub.solar/";
+      public_baseurl = "https://${publicDomain}/";
      database = {
        name = "psycopg2";
        args = {
@ -40,7 +40,7 @@ in {
        user_id = "*";
      }];
      allow_guest_access = false;
-      allow_public_rooms_over_federation = false;
+      allow_public_rooms_over_federation = true;
      allow_public_rooms_without_auth = false;
      auto_join_rooms = [
        "#community:${serverDomain}"
@ -52,20 +52,6 @@ in {

      default_room_version = "10";
      disable_msisdn_registration = true;
-      email = {
-        app_name = "Matrix";
-        client_base_url = "https://chat.pub.solar";
-        enable_notifs = true;
-        enable_tls = true;
-        # FUTUREWORK: Maybe we should change this
-        invite_client_location = "https://app.element.io";
-        notif_for_new_users = true;
-        notif_from = "Matrix <no-reply@pub.solar>";
-        require_transport_security = false;
-        smtp_host = "matrix-mailer";
-        smtp_port = 8025;
-      };
-
      enable_media_repo = true;
      enable_metrics = true;
      enable_registration = false;
@ -92,7 +78,7 @@ in {
        pepper = "";
      };

-      presencee.enabled = true;
+      presence.enabled = true;
      push.include_content = false;

      rc_admin_redaction= {
@ -169,11 +155,14 @@ in {

      stream_writers = {};
      trusted_key_servers = [{ server_name = "matrix.org";}];
+
      turn_allow_guests = false;
      turn_uris = [
-        "turn:matrix.pub.solar?transport=udp"
-        "turn:matrix.pub.solar?transport=tcp"
+        "turn:${config.services.coturn.realm}:3478?transport=udp"
+        "turn:${config.services.coturn.realm}:3478?transport=tcp"
      ];
+      turn_user_lifetime = "1h";
+
      url_preview_accept_language = [
        "en-US"
        "en"
--- a/hosts/nachtigall/apps/nginx-matrix.nix
+++ b/hosts/nachtigall/apps/nginx-matrix.nix
@ -26,6 +26,26 @@ let
    };
  };
  wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
+  wellKnownSupport = {
+    contacts = [
+        {
+            email_address = "crew@pub.solar";
+            matrix_id = "@b12f:pub.solar";
+            role = "m.role.admin";
+        }
+        {
+            email_address = "crew@pub.solar";
+            matrix_id = "@hensoko:pub.solar";
+            role = "m.role.admin";
+        }
+        {
+            email_address = "crew@pub.solar";
+            matrix_id = "@teutat3s:pub.solar";
+            role = "m.role.admin";
+        }
+    ];
+    support_page = "https://pub.solar/about";
+  };
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
@ -34,6 +54,7 @@ let
  wellKnownLocations = domain: {
    "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain);
    "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain);
+    "= /.well-known/matrix/support".extraConfig = mkWellKnown wellKnownSupport;
  };
 in
 {
@ -47,19 +68,7 @@ in
      locations = wellKnownLocations "pub.solar";
    };

-    #######################################
-    # Stuff below is still in betatesting #
-    #######################################
-    "test.pub.solar" = {
-      root = "/dev/null";
-
-      forceSSL = lib.mkDefault true;
-      enableACME = lib.mkDefault true;
-
-      locations = (wellKnownLocations "test.pub.solar");
-    };
-
-    "chat.test.pub.solar" = {
+    "chat.pub.solar" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-web.override {
@ -67,7 +76,7 @@ in
      };
    };

-    "matrix.test.pub.solar" = {
+    "matrix.pub.solar" = {
      root = "/dev/null";

      forceSSL = lib.mkDefault true;
@ -83,6 +92,7 @@ in
        # "/metrics" = {
        # };

+        # For telegram
        "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = commonHeaders;
@ -105,7 +115,7 @@ in
      };
    };
    "matrix.pub.solar-federation" = {
-      serverName = "matrix.test.pub.solar";
+      serverName = "matrix.pub.solar";
      forceSSL = lib.mkDefault true;
      enableACME = lib.mkDefault true;
      listen = [{
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@ -11,6 +11,7 @@
      ./apps/nginx.nix

      ./apps/collabora.nix
+      ./apps/coturn.nix
      ./apps/forgejo.nix
      ./apps/keycloak.nix
      ./apps/mailman.nix
--- a/secrets/coturn-static-auth-secret.age
+++ b/secrets/coturn-static-auth-secret.age
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg FkQYu4K7yxWuKQChw28kOJrZqXDelVmzExig/cEmxjI
+apgJOiOv/gLcSRTcAkhzDZyLdiKbnsipnNt6okrZ6os
+-> ssh-ed25519 uYcDNw wfyuSGgrFXRAcNSZoBTCz8kJOMeocD1BFwQ1hhO6dD0
+J5hhkK/S+RXjDp/kFGOXP1dDxTyKQx5MqhohgKTP8PQ
+-> ssh-rsa kFDS0A
+arAz7wP/PQBggo5IOFTZrMp/a1eCxCzx5t0QTs07Mfp1mk1h5Xy39VwRB4PIN1Kw
+ASRLnBsUmPznZTWJJ+coAjZiISYx0kW0J5BpKmC6g5orxQJHwEieI/c9JZ1KTjUJ
+G+Rl0BWfJiOk23SiQaCEs5D9OPQiKpQvE2W6ZUTaRVzRelGlmzSHkx5hAz3yX936
+MXdijUFS15sNKDTaoGrql67YRckYHn8ErrvUaSUEdelNOc9ILhCTT+NSM5SG+oh5
+B1GVdHf2hrgmTqhKqxwB/DgXmwsOzX5ffa7kV+KqgYypdjVHlLlkWy6RLVQLEYBM
+ldLIHY4SjpuShqcsuoakZ8jAx/J5aU/SnnRBxIgWcdwwMPbn2dB89wkiK9kVgpVH
+Izj4oO5EJiZr6Fx+iCFnnsuzBrzswRR2zZOJsYo1XY2uP7JEq8F5iClAgN3C7C9V
+3gU4Cf61sr4GftKCBnRUGrtohfL5KeXBX7sTpvF9+cmjQWTBB+fF5Q2I6UmOH08Z
+8OVAkPQsK+zfNaOD5+J8/JoCIXNqZKBq+ShgQoMEPlUFwe3mgy5ji38s8CY09ehY
+DrsWhQw1M9ka8z0hlfP95jQjNlztUn4K/TB7OXUXAKj9/n74b7lmLJ8OMCn4miZ2
+EOV9jVyXrCPQF6RujaYOh52OFz3zIRKEINwWwPNfNJY
+-> ssh-ed25519 YFSOsg 5H/taWUdjZcoYSFndLcYZPX8JUtK6BJs2ou1oJnT6k0
+dTOUWXMuaERYbfHo6AaiM4NfPWKxTk95YFpRkxq06jQ
+-> ssh-ed25519 iHV63A KFTTfUVH8bb+ebLc3WefjyFt2YGdfD8cQiK+VURRplI
+d75sa9BchGJl1NdVHCZ5s4f/RqV5TE7jBtC02OnOt2E
+-> ssh-ed25519 BVsyTA 8BbKlmlVJvPSoZuVazuOyR2YXncwTHAP80hDYpshjz4
+I+u3zwtSecaLeOOR1WJ5+fwWTgn31PvW38kkPgGQ4sM
+-> X}64s-grease V7
+U9Gkb6Sn+PV3lgb6Kzl0ATgibtLzSm//Z60gct7j8F2wVosjicXaWpv+LVfdBo86
+JlXZuA
+--- zjT2F/dHJX8rxVXgbjZMsToMSPUXPLwbeAhGiNawKlc
+†ÝˆÉ©õÖ‘èËŽ{´–ýÍHª™©kÂ0Z•Yê*¯ÿð“òb;—ÕX#æˆ-•Å¸æé£Í®¸´£Ýé&n<>/mxl
9ò<39>|œc	K$åÐú&‹þâ*Š$zÿ‹1÷zÐ
--- a/secrets/matrix-synapse-secret-config.yaml.age
+++ b/secrets/matrix-synapse-secret-config.yaml.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -60,4 +60,6 @@ in {
  "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
  "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
  "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+  "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
 }
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@ -74,8 +74,8 @@ resource "namecheap_domain_records" "pub-solar" {
  }
  record {
    hostname = "chat"
-    type = "A"
-    address = "85.88.23.162"
+    type = "CNAME"
+    address = "nachtigall.pub.solar."
    ttl = 60
  }
  record {
@ -130,8 +130,8 @@ resource "namecheap_domain_records" "pub-solar" {
  }
  record {
    hostname = "matrix"
-    type = "A"
-    address = "85.88.23.162"
+    type = "CNAME"
+    address = "nachtigall.pub.solar."
    ttl = 60
  }
  record {
@ -186,16 +186,6 @@ resource "namecheap_domain_records" "pub-solar" {
    type = "CNAME"
    address = "nachtigall.pub.solar."
  }
-  record {
-    hostname = "chat.test"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
-  }
-  record {
-    hostname = "test"
-    type = "CNAME"
-    address = "nachtigall.pub.solar."
-  }
  # SRV records can only be changed via NameCheap Web UI
  # add comment
 }