infra/modules/nginx-matrix/default.nix
Benjamin Yule Bädorf 68278ad983
refactor: use options for config parts
This works towards having reusable modules

* `config.pub-solar-os.networking.domain` is used for the main domain
* `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy
* `config.pub-solar-os.imprintUrl` links towards the imprint
* `config.pub-solar-os.auth.enable` enables the keycloak installation.
  This is needed because `config.pub-solar-os.auth` has to be available
  everywhere, but we do not want to install keycloak everywhere.
* `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00


{ lib, pkgs, config, ... }:
let
# Response headers attached to the proxied Matrix locations below.
# - Permissions-Policy interest-cohort=(): opt this origin out of FLoC.
# - Strict-Transport-Security: one year, including subdomains; `always` also
#   sends it on error responses.
# - X-XSS-Protection: deprecated — current browsers ignore it and the filter it
#   enabled in older ones has been abused as a cross-site leak oracle, so the
#   common recommendation today is "0" or dropping it. Left unchanged here.
commonHeaders = ''
  add_header Permissions-Policy interest-cohort=() always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-XSS-Protection "1; mode=block";
'';
clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
# Payload for /.well-known/matrix/client: tells clients where the homeserver,
# the sliding-sync proxy and the integration manager for `domain` live, and
# turns on encryption by default without requiring secure backup.
# NOTE(review): the identity server is set to the homeserver itself — confirm
# matrix.<domain> is expected to answer identity lookups.
wellKnownClient = domain:
  let
    homeserver = "https://matrix.${domain}";
    dimension = "https://dimension.${domain}";
  in
  {
    "m.homeserver".base_url = homeserver;
    "m.identity_server".base_url = homeserver;
    "org.matrix.msc3575.proxy".url = homeserver;
    "im.vector.riot.e2ee".default = true;
    "io.element.e2ee" = {
      default = true;
      secure_backup_required = false;
      secure_backup_setup_methods = [ ];
    };
    "m.integrations".managers = [
      {
        api_url = "${dimension}/api/v1/scalar";
        ui_url = "${dimension}/element";
      }
    ];
  };
wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
# Payload for /.well-known/matrix/support: who to contact about this
# homeserver. All admins share the crew@ mailbox; only the Matrix ID differs.
# NOTE(review): the Matrix IDs and mailbox are hard-coded to pub.solar while
# support_page follows the configurable domain — confirm that is intended now
# that the module is meant to be reusable.
wellKnownSupport =
  let
    admin = matrixId: {
      email_address = "crew@pub.solar";
      matrix_id = matrixId;
      role = "m.role.admin";
    };
  in
  {
    contacts = map admin [
      "@b12f:pub.solar"
      "@hensoko:pub.solar"
      "@teutat3s:pub.solar"
    ];
    support_page = "https://${config.pub-solar-os.networking.domain}/about";
  };
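# nginx location body that answers a well-known document with `data` as JSON.
# The wildcard CORS header is required: browsers fetch these documents
# cross-origin during client discovery.
#
# The JSON is inlined into a single-quoted nginx string, where a `'` would end
# the string and `$name` is expanded as an nginx variable. Either would
# produce an nginx config that silently differs from `data` (or fails to
# load), so such payloads are rejected at evaluation time instead.
# NOTE(review): backslashes in the JSON would also be interpreted by nginx's
# quoted-string parser; none of the current payloads contain any — verify if
# arbitrary strings are ever passed here.
mkWellKnown = data:
  let
    json = builtins.toJSON data;
  in
  if builtins.match "[^'$]*" json == null
  then throw "mkWellKnown: JSON payload must not contain ' or $ (nginx would mangle it): ${json}"
  else ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${json}';
  '';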
# nginx `locations` attrset serving the three well-known documents for
# `domain`. Exact-match (`= `) locations, so nothing else under /.well-known/
# on the same vhost is shadowed.
wellKnownLocations = domain:
  let
    documents = {
      server = wellKnownServer domain;
      client = wellKnownClient domain;
      support = wellKnownSupport;
    };
    toLocation = name: data:
      lib.nameValuePair "= /.well-known/matrix/${name}" {
        extraConfig = mkWellKnown data;
      };
  in
  lib.mapAttrs' toLocation documents;
in
{
services.nginx.virtualHosts = {
#####################################
# This is already in production use #
#####################################
# The apex domain only contributes the well-known documents here; nothing in
# this file sets forceSSL/enableACME for it, so TLS and content for this
# vhost presumably come from another module via the NixOS option merge.
"${config.pub-solar-os.networking.domain}" =
  let
    domain = config.pub-solar-os.networking.domain;
  in
  {
    locations = wellKnownLocations domain;
  };
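# Element Web, built with the config from element-client-config.nix.
"chat.${config.pub-solar-os.networking.domain}" = {
  forceSSL = true;
  enableACME = true;
  root = pkgs.element-web.override {
    conf = clientConfig;
  };
  # Element Web's deployment notes ask the serving web server for anti-framing
  # (clickjacking) and nosniff headers; without them the client can be framed
  # by any origin. HSTS is the same policy the matrix.* locations already send.
  # The sticker picker vhost is intentionally NOT given frame-ancestors
  # restrictions, since it is loaded inside the client.
  extraConfig = ''
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  '';
};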
# Sticker picker for Element. NOTE(review): presumably loaded inside the
# client as a widget (iframe), so anti-framing headers used on other vhosts
# must not be applied to this one — verify against the widget setup.
"stickers.chat.${config.pub-solar-os.networking.domain}" = {
  forceSSL = true;
  enableACME = true;
  root = pkgs.element-stickerpicker;
};
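# Client-facing Synapse front-end. Nothing is served from disk: requests that
# match none of the locations below get nginx's default answer.
"matrix.${config.pub-solar-os.networking.domain}" =
  let
    # Origin information Synapse reconstructs the request from. nginx is the
    # TLS terminator for this vhost (forceSSL), so the scheme is taken from
    # $scheme; taking it from a client-supplied X-Forwarded-Proto header would
    # let any client claim or deny HTTPS towards Synapse.
    forwardedHeaders = ''
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    '';
  in
  {
    root = "/dev/null";
    forceSSL = lib.mkDefault true;
    enableACME = lib.mkDefault true;
    # NOTE(review): gzip on JSON API responses over TLS is the precondition for
    # BREACH-style attacks if a response ever echoes attacker-chosen input next
    # to a secret; kept as-is, worth confirming for the endpoints proxied below.
    extraConfig = ''
      server_tokens off;
      gzip on;
      gzip_types text/plain application/json;
    '';
    locations = {
      # Telegram bridge endpoint on port 8009. At the nginx layer only the
      # unguessable path segment distinguishes it; the bridge itself still has
      # to authenticate whatever arrives here.
      "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
        proxyPass = "http://127.0.0.1:8009";
        extraConfig = commonHeaders;
      };
      # Sliding-sync proxy (MSC3575). nginx uses the first matching regex
      # location in config order, so this one must be emitted before the
      # generic /_matrix regex below. Until now that only held because "~ "
      # sorts before "~*" in attribute-name order; the explicit priority
      # (lower = earlier, default 1000) pins it.
      "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
        priority = 900;
        proxyPass = "http://127.0.0.1:8011";
        extraConfig = commonHeaders;
      };
      # Everything else Synapse serves, including the OIDC callback paths.
      "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
        proxyPass = "http://127.0.0.1:8008";
        extraConfig = commonHeaders + forwardedHeaders + ''
          client_body_buffer_size 25M;
          client_max_body_size 50M;
          proxy_max_temp_file_size 0;
        '';
      };
    };
  };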
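# Server-to-server (federation) front-end on the dedicated port 8448, IPv4 and
# IPv6. Same Synapse backend as the client vhost, but with a larger upload
# limit (150M vs 50M) and none of the browser-oriented headers, since the peer
# is another homeserver rather than a browser.
"matrix.${config.pub-solar-os.networking.domain}-federation" =
  let
    domain = config.pub-solar-os.networking.domain;
    federationPort = 8448;
    listenOn = addr: {
      inherit addr;
      port = federationPort;
      ssl = true;
    };
  in
  {
    serverName = "matrix.${domain}";
    forceSSL = lib.mkDefault true;
    enableACME = lib.mkDefault true;
    listen = map listenOn [ "0.0.0.0" "[::]" ];
    root = "/dev/null";
    extraConfig = ''
      server_tokens off;
      gzip on;
      gzip_types text/plain application/json;
    '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:8008";
      # nginx terminates TLS on both listeners (ssl = true), so the scheme is
      # taken from $scheme; a client-supplied X-Forwarded-Proto must not be
      # passed through, as the remote side could use it to claim or deny HTTPS.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_body_buffer_size 25M;
        client_max_body_size 150M;
        proxy_max_temp_file_size 0;
      '';
    };
  };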
};
networking.firewall.allowedTCPPorts = [ 8448 ];
}