From 8a2f83c96a68fa1d889a4a3139e3ed20237c6331 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 17:22:09 +0100 Subject: [PATCH 1/9] nachtigall: Deploy coturn and configure matrix to use it --- hosts/nachtigall/apps/coturn.nix | 94 ++++++++++++++++++++++++ hosts/nachtigall/apps/matrix/synapse.nix | 7 +- hosts/nachtigall/default.nix | 1 + secrets/coturn-static-auth-secret.age | 28 +++++++ secrets/secrets.nix | 2 + terraform/dns.tf | 6 ++ 6 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 hosts/nachtigall/apps/coturn.nix create mode 100644 secrets/coturn-static-auth-secret.age diff --git a/hosts/nachtigall/apps/coturn.nix b/hosts/nachtigall/apps/coturn.nix new file mode 100644 index 0000000..26157fe --- /dev/null +++ b/hosts/nachtigall/apps/coturn.nix 
@@ -0,0 +1,94 @@ +{flake, config, lib, ...}: +{ + age.secrets."coturn-static-auth-secret" = { + file = "${flake.self}/secrets/coturn-static-auth-secret.age"; + mode = "400"; + owner = "turnserver"; + }; + + services.coturn = rec { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; + realm = "turn.test.pub.solar"; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = + let + externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses; + externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses; + in '' + ${externalIPv4s} + ${externalIPv6s} + + no-tlsv1 + no-tlsv1_1 + + no-rfc5780 + response-origin-only-with-rfc5780 + + prod + + no-stun-backward-compatibility + + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + 
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + + }; + + networking.firewall = { + interfaces.enp35s0 = let + range = with config.services.coturn; [ { + from = min-port; + to = max-port; + } ]; + in + { + allowedUDPPortRanges = range; + allowedUDPPorts = [ 3478 5349 ]; + allowedTCPPortRanges = [ ]; + allowedTCPPorts = [ 3478 5349 ]; + }; + }; + + # get a certificate + security.acme.certs.${config.services.coturn.realm} = { + /* insert here the right configuration to obtain a certificate */ + postRun = "systemctl restart coturn.service"; + group = "turnserver"; + }; + services.nginx.virtualHosts.${config.services.coturn.realm} = { + enableACME = true; + addSSL = true; + globalRedirect = "pub.solar"; + }; + + users.users.nginx.extraGroups = [ "turnserver" ]; +} diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index a44dec0..617df63 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -169,11 +169,14 @@ in { stream_writers = {}; trusted_key_servers = [{ server_name = "matrix.org";}]; + turn_allow_guests = false; turn_uris = [ - "turn:matrix.pub.solar?transport=udp" - "turn:matrix.pub.solar?transport=tcp" + "turn:${config.services.coturn.realm}:3478?transport=udp" + "turn:${config.services.coturn.realm}:3478?transport=tcp" ]; + turn_user_lifetime = "1h"; + url_preview_accept_language = [ "en-US" "en" diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 1c7361f..5e21f53 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -11,6 +11,7 @@ ./apps/nginx.nix ./apps/collabora.nix + ./apps/coturn.nix ./apps/forgejo.nix ./apps/keycloak.nix ./apps/mailman.nix 
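Review bot: The `security.acme.certs.${config.services.coturn.realm}` block still carries the template placeholder `/* insert here the right configuration to obtain a certificate */`, although the certificate is actually obtained by the `services.nginx.virtualHosts` entry with `enableACME = true` a few lines below; replace it with `# cert is requested by the nginx vhost below (enableACME); this entry only adds the coturn restart hook and group`. Two further points in the same file: `static-auth-secret-file` hard-codes `/run/agenix/coturn-static-auth-secret` instead of referencing `config.age.secrets."coturn-static-auth-secret".path`, so a change of the agenix secrets directory would silently break TURN auth; and the `denied-peer-ip` list plus `no-tlsv1`/`no-tlsv1_1` are good, but the TLS listener on 5349 (cert/pkey set, port opened in the firewall) is only useful if clients are told about it, which the synapse hunk in this patch does not do.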
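Review bot: Only plain `turn:` URIs on 3478 are advertised in `turn_uris`, even though coturn.nix in this patch configures `cert`/`pkey` and opens 5349, so clients will never use the TLS listener; adding `"turns:${config.services.coturn.realm}:5349?transport=tcp"` to the list would let them. `turn_shared_secret` (which must match the agenix `coturn-static-auth-secret`) does not appear in this hunk; presumably it is supplied through the secret config file, which is worth confirming because a mismatch only shows up as failed call setup. `turn_allow_guests = false` and `turn_user_lifetime = "1h"` are reasonable. The settings block continues outside the hunk.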
diff --git a/secrets/coturn-static-auth-secret.age b/secrets/coturn-static-auth-secret.age new file mode 100644 index 0000000..b909d6d --- /dev/null +++ b/secrets/coturn-static-auth-secret.age @@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg FkQYu4K7yxWuKQChw28kOJrZqXDelVmzExig/cEmxjI +apgJOiOv/gLcSRTcAkhzDZyLdiKbnsipnNt6okrZ6os +-> ssh-ed25519 uYcDNw wfyuSGgrFXRAcNSZoBTCz8kJOMeocD1BFwQ1hhO6dD0 +J5hhkK/S+RXjDp/kFGOXP1dDxTyKQx5MqhohgKTP8PQ +-> ssh-rsa kFDS0A +arAz7wP/PQBggo5IOFTZrMp/a1eCxCzx5t0QTs07Mfp1mk1h5Xy39VwRB4PIN1Kw +ASRLnBsUmPznZTWJJ+coAjZiISYx0kW0J5BpKmC6g5orxQJHwEieI/c9JZ1KTjUJ +G+Rl0BWfJiOk23SiQaCEs5D9OPQiKpQvE2W6ZUTaRVzRelGlmzSHkx5hAz3yX936 +MXdijUFS15sNKDTaoGrql67YRckYHn8ErrvUaSUEdelNOc9ILhCTT+NSM5SG+oh5 +B1GVdHf2hrgmTqhKqxwB/DgXmwsOzX5ffa7kV+KqgYypdjVHlLlkWy6RLVQLEYBM +ldLIHY4SjpuShqcsuoakZ8jAx/J5aU/SnnRBxIgWcdwwMPbn2dB89wkiK9kVgpVH +Izj4oO5EJiZr6Fx+iCFnnsuzBrzswRR2zZOJsYo1XY2uP7JEq8F5iClAgN3C7C9V +3gU4Cf61sr4GftKCBnRUGrtohfL5KeXBX7sTpvF9+cmjQWTBB+fF5Q2I6UmOH08Z +8OVAkPQsK+zfNaOD5+J8/JoCIXNqZKBq+ShgQoMEPlUFwe3mgy5ji38s8CY09ehY +DrsWhQw1M9ka8z0hlfP95jQjNlztUn4K/TB7OXUXAKj9/n74b7lmLJ8OMCn4miZ2 +EOV9jVyXrCPQF6RujaYOh52OFz3zIRKEINwWwPNfNJY +-> ssh-ed25519 YFSOsg 5H/taWUdjZcoYSFndLcYZPX8JUtK6BJs2ou1oJnT6k0 +dTOUWXMuaERYbfHo6AaiM4NfPWKxTk95YFpRkxq06jQ +-> ssh-ed25519 iHV63A KFTTfUVH8bb+ebLc3WefjyFt2YGdfD8cQiK+VURRplI +d75sa9BchGJl1NdVHCZ5s4f/RqV5TE7jBtC02OnOt2E +-> ssh-ed25519 BVsyTA 8BbKlmlVJvPSoZuVazuOyR2YXncwTHAP80hDYpshjz4 +I+u3zwtSecaLeOOR1WJ5+fwWTgn31PvW38kkPgGQ4sM +-> X}64s-grease V7 +U9Gkb6Sn+PV3lgb6Kzl0ATgibtLzSm//Z60gct7j8F2wVosjicXaWpv+LVfdBo86 +JlXZuA +--- zjT2F/dHJX8rxVXgbjZMsToMSPUXPLwbeAhGiNawKlc +݈ɩ֑ˎ{Hk0ZY*b;X#-Ÿͮ&n/mxl 9|c K$&*$z 1z \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 21e347d..594748b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -60,4 +60,6 @@ in { "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys; "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys; + + "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys; } diff --git a/terraform/dns.tf b/terraform/dns.tf index 4a425ce..5cd75af 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -196,6 +196,12 @@ resource "namecheap_domain_records" "pub-solar" { type = "CNAME" address = "nachtigall.pub.solar." } + record { + hostname = "turn.test" + type = "CNAME" + address = "nachtigall.pub.solar." + ttl = "300" + } # SRV records can only be changed via NameCheap Web UI # add comment } From 7fcefe4b85359776fb5fd78a27ecfa5ab3d75ec0 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 15:05:38 +0100 Subject: [PATCH 2/9] matrix: Use chat.pub.solar as invite_client_location --- hosts/nachtigall/apps/matrix/synapse.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index 617df63..b3f5ff6 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -57,8 +57,7 @@ in { client_base_url = "https://chat.pub.solar"; enable_notifs = true; enable_tls = true; - # FUTUREWORK: Maybe we should change this - invite_client_location = "https://app.element.io"; + invite_client_location = "https://chat.pub.solar"; notif_for_new_users = true; notif_from = "Matrix "; require_transport_security = false; From f0c3178b4d081e772ae0a93658f925a9f4416fb4 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 15:06:33 +0100 Subject: [PATCH 3/9] matrix: Use greenbaum cloud for sending emails --- hosts/nachtigall/apps/matrix/synapse.nix | 6 +++--- secrets/matrix-synapse-secret-config.yaml.age | Bin 2825 -> 2922 bytes 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index b3f5ff6..f80e906 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -60,9 +60,9 @@ in { invite_client_location = "https://chat.pub.solar"; notif_for_new_users = true; notif_from = "Matrix "; - require_transport_security = false; - smtp_host = "matrix-mailer"; - smtp_port = 8025; + require_transport_security = true; + smtp_host = "mx2.greenbaum.cloud"; + smtp_port = 465; }; enable_media_repo = true; 
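Review bot: Port 465 is the implicit-TLS (SMTPS) port, but this `email` block only sets `enable_tls = true`, which in Synapse selects STARTTLS on an initially plaintext connection; unless the deployed Synapse is recent enough to support `force_tls` and that option is set (possibly in the secret file), the connection to `mx2.greenbaum.cloud` is likely to fail rather than fall back. Either use the relay's STARTTLS port or add `force_tls = true;` next to `enable_tls` — confirm against the Synapse version in use. Keeping `require_transport_security = true` is the right choice either way. The `email` attribute set begins above the hunk.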
diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index 276c7b57c330109b0cf64b71277d28b71272f4ca..81c920879b3601e97cca1b60dd97518967146fa6 100644 GIT binary patch literal 2922 zcmZA0=|d9-0)}ymtE+Lri>i2Fx*n`X%p{Y9i~^d>Qq7=l{fE*%hNp09~;~*FTSY=|PI*PHvC=^hOL}r=9@@I{- z*b!BNjw9?K;IIq5Hoho<78zBdAVh`zRv+ci1RNS06-Y#qA`2M^hGh!1)N5;Yo$5QY>(=a%s;;eZ2Tqjp!!t;oZ*d1_c9by`GmS~%=xN(>eb zfQ9%vh;W3Ge2hsEF0WC}X7iazp+d-%>3J%CjKKmG5mbz-Rdqt1{`9&glBbeq>gaRp@ZxqzY@$-I;1kl=vDzTrHmm~vydn) zDT;^mew$7#@o{u2mmU|ATAek4o1L}@W-EeyPA^vhDv5wbrs0_}kCjRxd3m5-YO-3H zP7y*&qOKSzw8(rG)T(DNGzvB7qIfYYQyvev+zErv9E(K-uvyQCBoyf-_;DU)H>UuD zMFyySK!_GfXb~fWZFS1>On^NPi7TBjM94wVBMORHqL@=IWDx`*^W$EhoTd%QDV5D>-PJ!3S<}&0Um!ufDSY!dT z`b1pGV%UjDKV`#|(v>7Kerr4_axGq{|sEk~$a|HxRRG0awx@;q%#OUdk)h%h?bg7Jw|T zRZGGAKX&}bM=fGZ9d*-#6du!arADPF8KL5^(aSTad@9_`7usD2Po*`QrFkMA5@oX8 zG&x7*VN*6#fdyn@xfu%mY(Nu$NG2KqO<^@5 zR^X0g(hEfF4kxHniwR3nNX0{x5{O2z1q!*7i29kBHlq zQ1)qYXpW;7&q5%@ljb_7o~wU^j*WYFMd#Pm(uL%SU1#uj?5AT~ z>8k!ooxXGPPeV(NTYheT_TK(210SDySO|TNcF~?3o&LZc=seT9aaiggcz5|Px2{fA z->UqsI+eNRwULw z{;s+v%Q#SfI{(|>PBva8iPh5w)zr%Gw6?k1Ru5h>qtaK``{Hm*bD;9){o0J8>bAo7 zxB6BZUROq1FyPv@KK3DJpET#HeoSi}F^H-*S6K2dfC{BXv@u|eU8Yn zhQ%wD)EsZH;b3weG1Z@MJab{Jw$`aHpiYwA;t_@Lo=)T87c0t|%6wJ2#zZ~QJ zRWNOSYuVQLkt5d170l3YN?(pq-; zlXX0r|7cUytm5z@q9JWCWts-oUVA5H7eF^oTs^9&9=XiEf3baD#jeKs3%{O^UHj`~ zm57|1lcTynVi_^?RY}3%tHwQ3H)$SzXx@T_8=q$>23iVwRF(s4i$1*7bs(G8y6^KZ ze>}f_+D;SVSlshow0&gSlrdi&81M?p6fH|%wc$;%D06Pzfk+12HOi4J?me)slgj99 za$zk~ybRIBo4u}&R&A@*Z^8Y7vAo9Ijz__Z+JZZ_vW~;u+s7HVcrHx7w75ER$`2}2 zdg+CA(jVLUrb%}B(rIr)t3if8}&)Qy4(|=-7d1G zy0V0$Hf-d6yHl4HdCr)zz2MFLOsv=ts9jH=xRiaPt-(1--WR+my}Z!ANIQ@xDh2zO zGBbenWwR2`diCzJJXW(Dy^(pZZ`JMWEaiG#{snO{uabe1FQ>b{g&%IVwiH~er*u;w*J>)?LTM~VLz+XK0w literal 2825 zcmZA0S$s@~9tZF!T1JR1J|&jXNG)T`K4(TEb!ItpW;?TQr>>ZpoH?_cSu$sKu~Z0B zOL{f-CDsZ-mC!1w5D~EianT}{r05OGb?wA;ANtbg|HJpc{Qhbj#~>Q++IK|fN6et5><1QQ7|Is$ow#m2V1#+*P=G3 
z1c_6%s4^@}A<|HoB?FY0KquvrBUg5eWFN`)&ZW#dv3PYEMLG!-_*@xQb%X{Y)iiGc}H)NVG4F#LAhVT;LaM$iCi z0=$Td00SBzEVCKpBAJB`cx1Sip)^@#L9H0mI*6dpZ^BYM10JT>*m8iK!jrDB9%X^S zgxqXns@Yx%q7mr8h|`7pl0uF@#M5j1`gpWZC>NtNCPPG|1f)zGMD>&iCmQw}5x<*b z(ED-7#xJDV0`f$_>GUT+H3-63OyJ|n`2eDZ^?WQsIEsuR3zOz@e5e)rbQA>ef)S-p zPD**S53LCTh*}d;c-3A&WM(B`jNoAiUy0d3HGzXdR21TAL}3KQCGikpWN1tjCjr0` zm5E3~0wt`FB@l^S&rNx01Qtg`ff%Ml(72mmnsr=nR4Ny7*!pOcgcN#_EldW3)&NC| z1jP)aHY|h1MJA_MEno*ZFlsOgi)0o81`w;kC_`aHP1r>;r%)I6gv?mL>OiGJ0}+*& z0E!dfa+tKBQ0R+jJXp#Tj}&=DsN4nlY2I*9LOMiAk4otP!>W{uP4gOsl8}t8Vx;(1 zr-_CpRTS8#RJp7{0+KsJdacuvNNKgOAYhZAnA55OoKD0M6RI3Cm}&P}G!c@6#&9LU zl3@wR%(YrQ6uy9y;Fuh2j4&Ewe$b_ofh_%p*-Z(nK_m5fNi~5m4N!s`HX4*Nmd?Xd zz#*eiVw4a`IWL}|@RB00$ymf!NYuDOK@9^P{;}T zg%L95V>_&V7aZ}jtWsP@(TLD^{KMLrQXXQADMW>OQjZj}08KQYA$4XQ?y=Y;q?qLw z2LHp%r0zsjO7YB46h9jkS&?Ht(#KKM_NRV#{C0((&TpuVT-Bzp7ZKEh$ zqL_?rR0q`}yI-Vnf*v^`mY{L2Ea24{c>*aIf*jlsLj#%qu6bZHp94}|5fowoa&H3W zsPtmc6bf-^96U*bf>ACQ(~zn}5`}SwnJKbSxG0P3fZP^e9+g&up< zCRDKvYz2xy0+%}#DY7C4XG}+-)9KVgRBL7jY(D0PgW8!1rh&$eNG*^l=H?6STrSRM z_`zr_B_KjJ3N7>l<16cOdx^M5vfC2ZOj6D}MW10>(bw^-`TgTW{|$$xzP=$`MPaRv zd|I>cPTTc__uY&PB=_I~CiYnP@0pp?DIe#=pp94lx$%tYO@9B;bKZ=Sv4td~O+G$ZsxB8+>n7?wbdU zOjqOm$}61o_)Y-|Yo$JHr+Hm0f!uULr9w6J1J+-mA~A zn4G@>*1RqL^6vJQ3;({I(S7y2M8=|J-sXlcPS5{j-)E2fYuB#pS=q6-c(7!QynRj4 z@6;1#XSMy78Wd{G*uJP=XKN!hXY&uMKR>ghvekQP31jc#r*n_I_~o&*^>u-AWJk#* znsnt=@zBv3H9%%$+r@+ES8J|8C}`=Ki^7 z<_&K7c|uzEB~{HWx?Ve(;<7=T-u*FAm-BS^?HjbCZu_KtZv)gV>Frlu?d_AeNajCV z)wC-2(EY4*LqjI_a9Z6U)rc#PO9uL8?LO9}a?@u|7C!j;t1H7dlZcDgVY@>miAg(najYfynmvzq%Ypk(c=s0-lr%Z zuUxshxm){>jH8oAtsA{-Y^eJEd)=scP#@QjZF#k-p*^3+FWoFyS$ujoT2p=dOjhmr z-EY1&HwVKSjK}a#-2W`QOo(v+IsDe|mKm$;?ac zUUhV6&DC$vW8!DzlcAplPgWgY+gzC0`)S?gTaS8|obB8`Pdu`;zhn2dxu%T>3eH~Fxm_GHI@y7t>s+Bbu?!mMxU z@w|%Bi3#-e8@FZ2S7#2aeE+X`OC()ND%SXJDrdelT$`u8T0JI{x{vCfboP@*pzhv< zC_Dm=X53|orqNqg{7LoR{(Wl2kgvao79MCid|mcL^i@p%Kz(Wdy?#!`;& zh-bKZy)1Z!y*PF5$mHhRyZZQ1*R|69J@e#S9V46Wv;+^rg@II;!%(*_ul4K+-Q0Wj IjV{su54&E83;+NC 
From fe284a20d913dc2c401a85fcfdae8f8123172d4e Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 15:06:55 +0100 Subject: [PATCH 4/9] matrix: Fix typo --- hosts/nachtigall/apps/matrix/synapse.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index f80e906..aab4836 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -91,7 +91,7 @@ in { pepper = ""; }; - presencee.enabled = true; + presence.enabled = true; push.include_content = false; rc_admin_redaction= { From 35afcd9682823fd6823804b081a9938321d8811f Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 15:07:44 +0100 Subject: [PATCH 5/9] matrix: Make public rooms discoverable over federation --- hosts/nachtigall/apps/matrix/synapse.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index aab4836..749f001 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -40,7 +40,7 @@ in { user_id = "*"; }]; allow_guest_access = false; - allow_public_rooms_over_federation = false; + allow_public_rooms_over_federation = true; allow_public_rooms_without_auth = false; auto_join_rooms = [ "#community:${serverDomain}" From 8a2d9462060728b3ca01ac022f77c071c52f34ec Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 15:47:25 +0100 Subject: [PATCH 6/9] matrix: Use production domains --- hosts/nachtigall/apps/coturn.nix | 2 +- .../apps/matrix/element-client-config.nix | 4 ++-- hosts/nachtigall/apps/matrix/irc.nix | 4 ++-- .../apps/matrix/mautrix-telegram.nix | 6 +++--- hosts/nachtigall/apps/matrix/synapse.nix | 6 +++--- hosts/nachtigall/apps/nginx-matrix.nix | 19 ++++--------------- 6 files changed, 15 insertions(+), 26 deletions(-) 
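Review bot: `allow_public_rooms_over_federation = true` lets any federating homeserver enumerate this server's published room directory, which is the intent of the commit but is not visible from the option name alone; a one-line comment such as `# Published room directory is intentionally queryable by other homeservers; unauthenticated client access stays disabled below` would keep the next reader from reverting it as an accident. The neighbouring `allow_public_rooms_without_auth = false` correctly keeps the directory closed to unauthenticated clients. The settings block continues outside the hunk.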
diff --git a/hosts/nachtigall/apps/coturn.nix b/hosts/nachtigall/apps/coturn.nix index 26157fe..9667c1c 100644 --- a/hosts/nachtigall/apps/coturn.nix +++ b/hosts/nachtigall/apps/coturn.nix @@ -14,7 +14,7 @@ max-port = 50000; use-auth-secret = true; static-auth-secret-file = "/run/agenix/coturn-static-auth-secret"; - realm = "turn.test.pub.solar"; + realm = "turn.pub.solar"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = diff --git a/hosts/nachtigall/apps/matrix/element-client-config.nix b/hosts/nachtigall/apps/matrix/element-client-config.nix index d142540..113cb7e 100644 --- a/hosts/nachtigall/apps/matrix/element-client-config.nix +++ b/hosts/nachtigall/apps/matrix/element-client-config.nix @@ -1,8 +1,8 @@ { pkgs, lib, ... }: { default_server_config = { "m.homeserver" = { - base_url = "https://matrix.test.pub.solar"; - server_name = "test.pub.solar"; + base_url = "https://matrix.pub.solar"; + server_name = "pub.solar"; }; "m.identity_server" = { base_url = ""; diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix index b00a5b0..8f65985 100644 --- a/hosts/nachtigall/apps/matrix/irc.nix +++ b/hosts/nachtigall/apps/matrix/irc.nix @@ -8,9 +8,9 @@ settings = { homeserver = { # TODO: Use the port from synapse config - domain = "test.pub.solar"; + domain = "pub.solar"; url = "http://127.0.0.1:8008"; - media_url = "https://matrix.test.pub.solar"; + media_url = "https://matrix.pub.solar"; enablePresence = false; }; ircService = { diff --git a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix index 438979d..b9fb60a 100644 --- a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix +++ b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix 
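Review bot: The realm becomes `turn.pub.solar`, which is also the ACME certificate name and the host used in synapse's `turn_uris`, but no DNS record for `turn` is added anywhere in this series: patch 1 added `turn.test` and the dns.tf hunks in patch 7 remove it again without a replacement. Unless a `turn` record already exists in terraform/dns.tf (not visible here), ACME issuance for the realm and TURN resolution from clients will fail; adding `record { hostname = "turn" type = "CNAME" address = "nachtigall.pub.solar." }` next to the `chat`/`matrix` records in patch 7 would close the gap.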
@@ -13,7 +13,7 @@ homeserver = { # TODO: Use the port from synapse config address = "http://127.0.0.1:8008"; - domain = "test.pub.solar"; + domain = "pub.solar"; verify_ssl = true; }; appservice = { @@ -34,7 +34,7 @@ }; public = { enabled = true; - external = "https://matrix.test.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; + external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b"; }; }; @@ -140,7 +140,7 @@ username_template = "telegram_{userid}"; permissions = { - "test.pub.solar" = "full"; + "pub.solar" = "full"; }; }; diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index 749f001..1429798 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -1,7 +1,7 @@ { flake, config, pkgs, ... }: let - publicDomain = "matrix.test.pub.solar"; - serverDomain = "test.pub.solar"; + publicDomain = "matrix.pub.solar"; + serverDomain = "pub.solar"; in { age.secrets."matrix-synapse-signing-key" = { file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; @@ -19,7 +19,7 @@ in { enable = true; settings = { server_name = serverDomain; - public_baseurl = "https://matrix.test.pub.solar/"; + public_baseurl = "https://${publicDomain}/"; database = { name = "psycopg2"; args = { diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index dbf927b..eee9c0a 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix 
@@ -47,19 +47,7 @@ in locations = wellKnownLocations "pub.solar"; }; - ####################################### - # Stuff below is still in betatesting # - ####################################### - "test.pub.solar" = { - root = "/dev/null"; - - forceSSL = lib.mkDefault true; - enableACME = lib.mkDefault true; - - locations = (wellKnownLocations "test.pub.solar"); - }; - - "chat.test.pub.solar" = { + "chat.pub.solar" = { forceSSL = true; enableACME = true; root = pkgs.element-web.override { @@ -67,7 +55,7 @@ in }; }; - "matrix.test.pub.solar" = { + "matrix.pub.solar" = { root = "/dev/null"; forceSSL = lib.mkDefault true; @@ -83,6 +71,7 @@ in # "/metrics" = { # }; + # For telegram "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { proxyPass = "http://127.0.0.1:8009"; extraConfig = commonHeaders; @@ -105,7 +94,7 @@ in }; }; "matrix.pub.solar-federation" = { - serverName = "matrix.test.pub.solar"; + serverName = "matrix.pub.solar"; forceSSL = lib.mkDefault true; enableACME = lib.mkDefault true; listen = [{ From ccbfb211fd1bd48e2dc873948032bb5c3188dd61 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Sun, 19 Nov 2023 18:21:45 +0100 Subject: [PATCH 7/9] matrix: Point DNS to nachtigall --- terraform/dns.tf | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 5cd75af..1e61160 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -74,8 +74,8 @@ resource "namecheap_domain_records" "pub-solar" { } record { hostname = "chat" - type = "A" - address = "85.88.23.162" + type = "CNAME" + address = "nachtigall.pub.solar." ttl = 60 } record { @@ -130,8 +130,8 @@ resource "namecheap_domain_records" "pub-solar" { } record { hostname = "matrix" - type = "A" - address = "85.88.23.162" + type = "CNAME" + address = "nachtigall.pub.solar." ttl = 60 } record { 
@@ -186,22 +186,6 @@ resource "namecheap_domain_records" "pub-solar" { type = "CNAME" address = "nachtigall.pub.solar." } - record { - hostname = "chat.test" - type = "CNAME" - address = "nachtigall.pub.solar." - } - record { - hostname = "test" - type = "CNAME" - address = "nachtigall.pub.solar." - } - record { - hostname = "turn.test" - type = "CNAME" - address = "nachtigall.pub.solar." - ttl = "300" - } # SRV records can only be changed via NameCheap Web UI # add comment } From 9f633582d19883d9e8544bd02a8fc8f8bb44c4f6 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 25 Nov 2023 14:25:46 +0100 Subject: [PATCH 8/9] feat: add well-known for matrix support contacts --- hosts/nachtigall/apps/nginx-matrix.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index eee9c0a..ef4ee28 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -26,6 +26,26 @@ let }; }; wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; }; + wellKnownSupport = { + contacts = [ + { + email_address = "crew@pub.solar"; + matrix_id = "@b12f:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@hensoko:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@teutat3s:pub.solar"; + role = "m.role.admin"; + } + ]; + support_page = "https://pub.solar/about"; + }; mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; @@ -34,6 +54,7 @@ let wellKnownLocations = domain: { "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain); "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain); + "= /.well-known/matrix/support".extraConfig = mkWellKnown wellKnownSupport; }; in { From 2cbc46c1540eb2230f910975cec7be9e31f4fc64 Mon Sep 17 00:00:00 2001 
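Review bot: `wellKnownSupport` repeats the same `email_address` and `role` for all three contacts; `contacts = map (id: { email_address = "crew@pub.solar"; matrix_id = id; role = "m.role.admin"; }) [ "@b12f:pub.solar" "@hensoko:pub.solar" "@teutat3s:pub.solar" ];` keeps the list in one place. Separately, only `m.role.admin` contacts are listed; the spec also defines `m.role.security` for a vulnerability-report contact, and publishing one (it may be the same address) gives reporters an explicit route. Since `mkWellKnown` serves this with `Access-Control-Allow-Origin *`, the listed IDs and address are public by design. The `let` block continues outside the hunk.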
From: Akshay Mankar Date: Sat, 25 Nov 2023 23:37:58 +0100 Subject: [PATCH 9/9] matrix: Move the whole email section into the secret Matrix doesn't deep merge the secrets, so this is necessary --- hosts/nachtigall/apps/matrix/synapse.nix | 13 ------------- secrets/matrix-synapse-secret-config.yaml.age | Bin 2922 -> 3224 bytes 2 files changed, 13 deletions(-) diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index 1429798..0999038 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -52,19 +52,6 @@ in { default_room_version = "10"; disable_msisdn_registration = true; - email = { - app_name = "Matrix"; - client_base_url = "https://chat.pub.solar"; - enable_notifs = true; - enable_tls = true; - invite_client_location = "https://chat.pub.solar"; - notif_for_new_users = true; - notif_from = "Matrix "; - require_transport_security = true; - smtp_host = "mx2.greenbaum.cloud"; - smtp_port = 465; - }; - enable_media_repo = true; enable_metrics = true; enable_registration = false; 
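Review bot: After this hunk the repository no longer shows any of the SMTP settings — in particular `require_transport_security = true`, which patch 3 set — because the whole `email` block moved into the encrypted `matrix-synapse-secret-config.yaml.age`, so a reader of synapse.nix cannot tell that mail is configured at all. Leave a pointer where the block was removed, e.g. `# email.* (SMTP host/port/TLS, credentials) lives in the agenix secret matrix-synapse-secret-config.yaml; the secret config is not deep-merged, so the section cannot be split`. The settings block continues outside the hunk.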
diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index 81c920879b3601e97cca1b60dd97518967146fa6..3c3afab8d396c91c2186330e724bf87c05fc70e0 100644 GIT binary patch literal 3224 zcmZA0>04BV0tRpdN|?Onnih&^n&>#roY@Bjoqa#EuPQjq%sF#r-xtgz6;xbOAp;@E zT>(=`3e*(bH#DxIq6p#!s7RhMl(eo{wAfnQX|IxfYLz0cdQsC$)DIRih5VeFwu(?TtT16?Bn>Mpuog4JF!l#lZDPyy4X0B(N5-Bonbp*01b48 z5G_;?;UJ)-i+mctQ6g2b+&&yhN7Fhrk1W7?5jwqvg zw00puO`uCX)J(q)hi556E;3rLwlNeDnka}fD#VDHN(9{wm4qxIYxGpF%P-=fL?Tcx zcBl{oS{ac-SW%WfLehZ(qMI!C8X_T~j9{lgHYkXY+!DPOW~fw%Qj?`&a;!Wuok0>8MI*~70j!o_z%$VbA>@O2JdT`a29ySs1%%jU zGF7YzNnsDlsW6%KXoQSdSS)iyZu4mY$O(J3DmT}S!@7iAzQ~XjM)SmfXUR^9)h2LB z&=O^kU<8ROw9JB{vixC_$Hri1F@grBTy6tYY?WULLL3c&C~!K>d{u~{7w{3ljJ8s_ zY91TQ)@8c%Y=y=bgsmi$E5efVEo>(pXY|u_WD(6~v1I~5H=WF~FbOoaE~59VY&N{! z&a}#va#xm)WVaY(A+Jq@mKgu;z{rN&5n5)1?%;+(29<=4P$X8+fM!DuV}uHG0U}#L z(%aN7M5zvDLT-voLUo2*3X(hka&RgSO3YA8a16jJB{x{Le>q9EHROCxy^*w15JObrFp~!t=UaEI4fDM95x_ROWRdP8+0^ z1Y9(aRtckwG>Rikk;?Q8DJ#g7F!=zD%$1S+Ay3E%A`p%0P=;wPv@Hy>|E(cBHJLz9 za%s^ttpyL8v^-`=ZAO9`8_DZ)s#$KO7YO1dfA5D1@;JtbT8wgfiAXyFaZkPzcq&17g5ralvJw^%oI9=Dl9o1@muj~z)Zwa zWd@KFggAH$V50lXvXEA5Bcfz3tWn~2QUG6wtZ_xG3cH)Y(qXM=3t7Mma_N2tRSkOR z5J-3ZU!%{AAT$vM_L>bobCQeXOLCy-Y7U=7Ub&xu12sXH9j2o)5)(T1WP{Qy)^72vWwr6I4qJkM2=}R8B`b3( zrxcv$9+;kbXY={=im*PkeooEB^8c<>eo|0-;aEw`#3{YK?`O=vaOz~Pf5pp9GuB)# zeBzzj`?fl;{9fGr6L-1fZsbg~ERQ;GYzrzexpHP`(<*a12XRNfd22X?IRzyC_%Ux* zFjzC|^bPbQwH91a*^^$IFni&r($By{+1VpR;S@`v_Y1fxe z!ffTXsQ&ijM+@(?-kAQJdcQ0oqVF}E zq%k$z`)?EW$Cs25^NPK5dp>JED7|xAa-oO!4jxE8_xz-%{aBy^b=`g?hx2QE%*n>D z*&UVn&EFUPg`Jg_)72Pk9d~`0Z%gmY`umr^pA!SVm_byskBG4UQD3uQQhvSF!Ccn& z*2Vig=XJ^2(iXm>c~i4!TI$ure4EHql5+aS+K+ARkm~%tJt>8EU0B&JD0lJA`Ms+z zv2=5fSXMrKZ#Cp;R=m0T?1M)6?V$}?bM&hQ?vYkX+mI8u{H3!$cL0MTPiBd?b?e20#{-LxH7sO!1=KBxV2r8=;J}3)CGB_6+iRj{Jx!z~AG`bA(U}#PhjHnf=Pi~W8J+%{RaZ-lUO)J5B4c%0 z4LTt{;qug;wk?h0IP(~cbp#~iBvrq0e9Sp;DDEVRO#$}xBaIDV^ZnVp7lo`ovNQw72DSk 
zmkmqvRLZ5CZ&to^luK)_d@}vTuurzt72NAly_nLXM|HGnJGv@*x}VGOzjS!Ind4L6 zjTC*Dsu0XRa#B){`D*Jy>X@A!H;T|Xhd!T@yX(8(ax#ZAWiiQh9~35Csc7!mm51n; zL}!=W8>Qc(`3!8V((c~;vH@!suNsYdO6f@)g!{VFizj_wwzXv%YV;z`nVg;z1FUkM zsO;##>`lOm1hbD4#TIsMc-S!V@Y$#zMKjZyQo>&cv5n_r1>c@6y*qnx|E+;&OCXN0 zG;N*u(d59dm$E(!G%(*vFfTsaCx6*Zz4M^SzPoT;*T5e$+Un-~kd1gcyW5Mw?%1-? zy?bx<<5EW-jLT9Ld|GtYWL=VR-CsIO`; zfoFeJo2(yfoIg5n>@jd8-f~oN0nC&(BnF=FFRp(ZD=4^=n*Lxc`72(`{H~E3ms1w) zxV&opa)TzD`&V;r=yA3W8CX&lQ~%)W9pt$~`QJA|GnU<(cwjq_zxxU2u3$s&gg*Yt z2xrW7L+SY4laB(T+X8WybLdg*K_O;W@}GJ#Cn{=t|E(!k&iB8bb}Hky=mM?BdQen! z<;@r0B_}<~wRbOk)p}_#m?tm>-&9jMm7|T88&mmf%5bHiJcJZ-p$|P(B(De$w2wk#q(E9 zd^zUv;G#`~hW@B+`^=kPo++-Vnz^&u|Nf+<9X0oCDE$@TLiJSqa~ALT^{V2jPTz{< zEqm&cGv>UH`*Ibf%XHepR&xY=>#rpL_TG(5oGF z*`IuqH=sEEVOQpZ65#fNS4;BG)@8ON%IcJc#*77NvzsntSMRKuK56N*_Rn>)-l95p zWyQ;%+P=xk*ea?o9F^c-Qg40KQg%AIXnJgHapUn{rJ)nQ`@Vpmx8as4O;Isb>qlz% zd*QZneoRa_a#OSvlXtl7_~f`>I(F{)bYN_JW*ti8_8;#3qp&$|d&MKaZ&JChY$$3L zE2%FX>lJlM?%@{^!P`$zV#h~wThF!+ubp4C1GV~~=d4PR)oM+uP1rp4r`qaUr_TzB z#OWipC>aU5p7$N^>?0LDdpCC0q)9erz5j97p@C}?;IZ*nf4;ut%J>ZUXsP4@0s3n7 z&d8@XYln3PnybC$l*=8(nz=L9%rS}AJ@8$v%kLQ4mhxjPG@+|3l5q7SLg(RkPD*|b Juy4it{{gHyT^;}c literal 2922 zcmZA0=|d9-0)}ymtE+Lri>i2Fx*n`X%p{Y9i~^d>Qq7=l{fE*%hNp09~;~*FTSY=|PI*PHvC=^hOL}r=9@@I{- z*b!BNjw9?K;IIq5Hoho<78zBdAVh`zRv+ci1RNS06-Y#qA`2M^hGh!1)N5;Yo$5QY>(=a%s;;eZ2Tqjp!!t;oZ*d1_c9by`GmS~%=xN(>eb zfQ9%vh;W3Ge2hsEF0WC}X7iazp+d-%>3J%CjKKmG5mbz-Rdqt1{`9&glBbeq>gaRp@ZxqzY@$-I;1kl=vDzTrHmm~vydn) zDT;^mew$7#@o{u2mmU|ATAek4o1L}@W-EeyPA^vhDv5wbrs0_}kCjRxd3m5-YO-3H zP7y*&qOKSzw8(rG)T(DNGzvB7qIfYYQyvev+zErv9E(K-uvyQCBoyf-_;DU)H>UuD zMFyySK!_GfXb~fWZFS1>On^NPi7TBjM94wVBMORHqL@=IWDx`*^W$EhoTd%QDV5D>-PJ!3S<}&0Um!ufDSY!dT z`b1pGV%UjDKV`#|(v>7Kerr4_axGq{|sEk~$a|HxRRG0awx@;q%#OUdk)h%h?bg7Jw|T zRZGGAKX&}bM=fGZ9d*-#6du!arADPF8KL5^(aSTad@9_`7usD2Po*`QrFkMA5@oX8 zG&x7*VN*6#fdyn@xfu%mY(Nu$NG2KqO<^@5 zR^X0g(hEfF4kxHniwR3nNX0{x5{O2z1q!*7i29kBHlq zQ1)qYXpW;7&q5%@ljb_7o~wU^j*WYFMd#Pm(uL%SU1#uj?5AT~ 
z>8k!ooxXGPPeV(NTYheT_TK(210SDySO|TNcF~?3o&LZc=seT9aaiggcz5|Px2{fA z->UqsI+eNRwULw z{;s+v%Q#SfI{(|>PBva8iPh5w)zr%Gw6?k1Ru5h>qtaK``{Hm*bD;9){o0J8>bAo7 zxB6BZUROq1FyPv@KK3DJpET#HeoSi}F^H-*S6K2dfC{BXv@u|eU8Yn zhQ%wD)EsZH;b3weG1Z@MJab{Jw$`aHpiYwA;t_@Lo=)T87c0t|%6wJ2#zZ~QJ zRWNOSYuVQLkt5d170l3YN?(pq-; zlXX0r|7cUytm5z@q9JWCWts-oUVA5H7eF^oTs^9&9=XiEf3baD#jeKs3%{O^UHj`~ zm57|1lcTynVi_^?RY}3%tHwQ3H)$SzXx@T_8=q$>23iVwRF(s4i$1*7bs(G8y6^KZ ze>}f_+D;SVSlshow0&gSlrdi&81M?p6fH|%wc$;%D06Pzfk+12HOi4J?me)slgj99 za$zk~ybRIBo4u}&R&A@*Z^8Y7vAo9Ijz__Z+JZZ_vW~;u+s7HVcrHx7w75ER$`2}2 zdg+CA(jVLUrb%}B(rIr)t3if8}&)Qy4(|=-7d1G zy0V0$Hf-d6yHl4HdCr)zz2MFLOsv=ts9jH=xRiaPt-(1--WR+my}Z!ANIQ@xDh2zO zGBbenWwR2`diCzJJXW(Dy^(pZZ`JMWEaiG#{snO{uabe1FQ>b{g&%IVwiH~er*u;w*J>)?LTM~VLz+XK0w