From 6e3b07a67fc37d1a00110ed065b0b733b8cb60d7 Mon Sep 17 00:00:00 2001
From: Victor
Date: Thu, 28 Jul 2022 14:23:32 +0200
Subject: [PATCH] setup matrix/synapse

---
 hosts.nix                             |  5 +++
 nixos/hosts/nginx/configuration.nix   | 27 +++++++++++++
 nixos/hosts/synapse/configuration.nix | 57 ++++++++++++++++++++++++++-
 3 files changed, 87 insertions(+), 2 deletions(-)

diff --git a/hosts.nix b/hosts.nix
index 196efae..63d9d40 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -132,6 +132,11 @@
       mac = "9E:8A:6C:39:27:DE";
       nix = false;
     }
+    {
+      hostname = "synapse";
+      ip = "10.42.42.28";
+      mac = "9E:86:D3:46:EE:AE";
+    }
     {
       hostname = "nuc";
       ip = "10.42.42.42";
diff --git a/nixos/hosts/nginx/configuration.nix b/nixos/hosts/nginx/configuration.nix
index 949c5b7..aa77cfc 100644
--- a/nixos/hosts/nginx/configuration.nix
+++ b/nixos/hosts/nginx/configuration.nix
@@ -9,6 +9,16 @@ let
     };
   };
   k8s_proxy = proxy "http://10.42.42.150:8000/";
+  clientConfig = {
+    "m.homeserver".base_url = "https://chat.meowy.tech";
+    "m.identity_server" = {};
+  };
+  serverConfig."m.server" = "chat.meowy.tech:443";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
 in
 {
   networking.hostName = "nginx";
@@ -43,6 +53,23 @@ in virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000"; virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000"; + # Meow + virtualHosts."meowy.tech" = { + enableACME = true; + forceSSL = true; + locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; + locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; + }; + virtualHosts."chat.meowy.tech" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + return 404; + ''; + locations."/_matrix".proxyPass = "http://synapse.olympus:8008"; + locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008"; + }; + # Kubernetes endpoints virtualHosts."0x76.dev" = k8s_proxy; virtualHosts."drone.0x76.dev" = k8s_proxy; diff --git a/nixos/hosts/synapse/configuration.nix b/nixos/hosts/synapse/configuration.nix index 0d25540..2d909a2 100644 --- a/nixos/hosts/synapse/configuration.nix +++ b/nixos/hosts/synapse/configuration.nix @@ -3,7 +3,10 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: - +let + vs = config.vault-secrets.secrets; + port = 8008; +in { imports = [ ]; 
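Review bot: The `chat.meowy.tech` proxy locations set no `client_max_body_size`, so nginx's default 1 MiB request-body limit will reject media uploads through `/_matrix` long before synapse's own limit (50M by default) is reached; add `locations."/_matrix".extraConfig = "client_max_body_size 50M;";` (sized to match whatever `max_upload_size` ends up being) next to the `proxyPass`. The synapse side in this same commit sets `x_forwarded = true`, which is only correct if nginx actually forwards `X-Forwarded-For` and `X-Forwarded-Proto`; with the NixOS module, a bare `proxyPass` does that only when `services.nginx.recommendedProxySettings` is enabled, which is not visible in this hunk, so please confirm it is set on this host. The `virtualHosts` attribute set continues outside the hunk.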
@@ -20,5 +23,55 @@ # Additional packages environment.systemPackages = with pkgs; [ ]; - networking.firewall.allowedTCPPorts = [ ]; + networking.firewall.allowedTCPPorts = [ port ]; + + vault-secrets.secrets.synapse = { + user = "matrix-synapse"; + group = "matrix-synapse"; + services = [ "matrix-synapse" ]; + }; + + services.postgresql = { + enable = true; + initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + }; + + services.matrix-synapse = { + enable = true; + withJemalloc = true; + + extraConfigFiles = [ + "${vs.synapse}/macaroon_secret_key" + "${vs.synapse}/registration_shared_secret" + "${vs.synapse}/form_secret" + "${vs.synapse}/turn_shared_secret" + ]; + + settings = + { + server_name = "meowy.tech"; + public_baseurl = "https://chat.meowy.tech"; + listeners = [ + { + inherit port; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + }; }
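Review bot: `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` in the `initialScript` bakes a fixed, guessable database password into the world-readable Nix store and into git history, while every other secret in this hunk is correctly pulled in through the vault-managed `extraConfigFiles`. Nothing in `settings` configures the database connection, so synapse presumably relies on the module default of connecting as the `matrix-synapse` unix user over the local socket, where peer authentication makes the password unnecessary; if that holds, `CREATE ROLE "matrix-synapse" WITH LOGIN;` is sufficient, and if a password-authenticated TCP connection is really intended it belongs in a vault-provided config file like the other secrets. Separately, `bind_addresses = [ "0.0.0.0" ]` combined with `networking.firewall.allowedTCPPorts = [ port ];` exposes the plain-HTTP listener to every host on the network rather than only the nginx proxy, and because `x_forwarded = true` makes synapse trust `X-Forwarded-For`, IP-based rate limiting and audit logging can be fed an arbitrary client address by anything that can reach port 8008 directly; restrict the firewall rule to the proxy's source address (or bind only the interface the proxy reaches) so that only nginx can talk to this listener. Note also that `initialScript` runs only when the PostgreSQL data directory is first created, so the role and database will not be (re)created on an existing cluster.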