setup matrix/synapse

2022-07-28 14:23:32 +02:00 · 2022-07-28 14:23:32 +02:00 · 6e3b07a67f
parent 0bbea5954c
commit 6e3b07a67f
3 changed files with 87 additions and 2 deletions
--- a/hosts.nix
+++ b/hosts.nix
@ -132,6 +132,11 @@
    mac = "9E:8A:6C:39:27:DE";
    nix = false;
  }
+  {
+    hostname = "synapse";
+    ip = "10.42.42.28";
+    mac = "9E:86:D3:46:EE:AE";
+  }
  {
    hostname = "nuc";
    ip = "10.42.42.42";
--- a/nixos/hosts/nginx/configuration.nix
+++ b/nixos/hosts/nginx/configuration.nix
@ -9,6 +9,16 @@ let
    };
  };
  k8s_proxy = proxy "http://10.42.42.150:8000/";
+  clientConfig = {
+    "m.homeserver".base_url = "https://chat.meowy.tech";
+    "m.identity_server" = {};
+  };
+  serverConfig."m.server" = "chat.meowy.tech:443";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
 in
 {
  networking.hostName = "nginx";
@ -43,6 +53,23 @@ in
    virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000";
    virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000";

+    # Meow
+    virtualHosts."meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+    };
+    virtualHosts."chat.meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".extraConfig = ''
+        return 404;
+      '';
+      locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
+      locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
+    };
+
    # Kubernetes endpoints
    virtualHosts."0x76.dev" = k8s_proxy;
    virtualHosts."drone.0x76.dev" = k8s_proxy;
--- a/nixos/hosts/synapse/configuration.nix
+++ b/nixos/hosts/synapse/configuration.nix
@ -3,7 +3,10 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { config, pkgs, ... }:
-
+let
+  vs = config.vault-secrets.secrets;
+  port = 8008;
+in
 {
  imports = [ ];

@ -20,5 +23,55 @@
  # Additional packages
  environment.systemPackages = with pkgs; [ ];

-  networking.firewall.allowedTCPPorts = [ ];
+  networking.firewall.allowedTCPPorts = [ port ];
+
+  vault-secrets.secrets.synapse = {
+    user = "matrix-synapse";
+    group = "matrix-synapse";
+    services = [ "matrix-synapse" ];
+   };
+
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+
+    extraConfigFiles = [
+      "${vs.synapse}/macaroon_secret_key"
+      "${vs.synapse}/registration_shared_secret"
+      "${vs.synapse}/form_secret"
+      "${vs.synapse}/turn_shared_secret"
+    ];
+
+    settings =
+      {
+        server_name = "meowy.tech";
+        public_baseurl = "https://chat.meowy.tech";
+        listeners = [
+          {
+            inherit port;
+            bind_addresses = [ "0.0.0.0" ];
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+            resources = [
+              {
+                names = [ "client" "federation" ];
+                compress = true;
+              }
+            ];
+          }
+        ];
+      };
+  };
 }