diff --git a/modules/factories/mkserver.nix b/modules/factories/mkserver.nix
index 96993cd..0b1234c 100644
--- a/modules/factories/mkserver.nix
+++ b/modules/factories/mkserver.nix
@@ -48,6 +48,10 @@ let
 type = lib.types.bool;
 default = false;
 };
+ useDefaultProxy = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ };
 certPath = lib.mkOption {
 type = lib.types.nullOr lib.types.path;
 default = null;
diff --git a/modules/network/nginx.nix b/modules/network/nginx.nix
index 3f2dff4..5f029a5 100644
--- a/modules/network/nginx.nix
+++ b/modules/network/nginx.nix
@@ -45,9 +45,10 @@ let
 |> lib.filterAttrs (
 name: srv:
 (srv.enableProxy or false)
+ && (srv.useDefaultProxy or true)
 && !(builtins.elem name standardProxyNames)
 )
- |> lib.mapAttrs (name: _srv: { type = "proxyReverse"; });
+ |> lib.mapAttrs (_name: _srv: { type = "proxyReverse"; });
 in
 {
 config = lib.mkIf config.my.enableProxy {
diff --git a/modules/servers/jellyfin.nix b/modules/servers/jellyfin.nix
index 7ed6c81..f85c0aa 100644
--- a/modules/servers/jellyfin.nix
+++ b/modules/servers/jellyfin.nix
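Review bot: `useDefaultProxy` is declared without a `description`, and because it decides whether nginx.nix emits the standard `proxyReverse` entry for a server, its intent cannot be recovered from the option alone. The neighbouring options in the hunk also lack descriptions, so this is a style point, but for a toggle that changes what is exposed through the reverse proxy a one-liner is worth it: `description = "Let proxy hosts generate the standard reverse-proxy virtualHost for this server; modules that define their own nginx virtualHost set this to false.";`. The enclosing `mkOptions` attrset starts and ends outside the hunk.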
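Review bot: The new `(srv.useDefaultProxy or true)` term in the filter is fail-open: an entry of the server set that lacks the attribute, or a module whose `useDefaultProxy = false` definition is gated off (every server module in this commit sets it only under `lib.mkIf (cfg.enableProxy && config.my.enableProxy)`), still receives the generic `proxyReverse` treatment. That preserves the pre-commit behaviour and is probably intended, but it means a host where the tailored module is missing or disabled silently fronts the service with the generic proxy rather than, for example, keycloak's `proxyReverseFix`. Since the option now has `default = true` in mkserver.nix, the `or true` only matters for entries not built with `mkOptions`; either tighten it to `&& (srv.useDefaultProxy or false)` so only declared servers are proxied, or add a comment on that line stating why a missing attribute means "proxy it". The attrset the pipeline starts from is outside the hunk.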
@@ -23,22 +23,48 @@ let in { options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096; - config = lib.mkIf (cfg.enable && config.my.secureHost) { - environment.systemPackages = [ - pkgs.jellyfin-ffmpeg - ] - ++ (lib.optional cfg.enableCron [ sub-sync-path ]); - users.users.jellyfin = { - uid = 984; - group = "piracy"; - isSystemUser = true; - }; - services = { - jellyfin = { + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && config.my.secureHost) { + environment.systemPackages = [ + pkgs.jellyfin-ffmpeg + ] + ++ (lib.optional cfg.enableCron [ sub-sync-path ]); + users.users.jellyfin = { + uid = 984; + group = "piracy"; + isSystemUser = true; + }; + services.jellyfin = { inherit (cfg) enable; group = "piracy"; }; - nginx = lib.mkIf cfg.enableProxy { + systemd = lib.mkIf cfg.enableCron { + services.sub-sync = { + restartIfChanged = true; + description = "syncronizes subtitles downloaded & modified today"; + wantedBy = [ "default.target" ]; + path = sub-sync-path; + serviceConfig = { + Restart = "on-failure"; + RestartSec = 30; + ExecStart = "${sub-sync}/bin/sub-sync all"; + Type = "simple"; + User = "root"; + }; + }; + timers.sub-sync = { + enable = true; + description = "syncronizes subtitles downloaded & modified today"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "20:00"; + }; + }; + }; + }) + (lib.mkIf (cfg.enableProxy && config.my.enableProxy) { + my.servers.jellyfin.useDefaultProxy = false; + services.nginx = { appendHttpConfig = '' # JELLYFIN proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=1d use_temp_path=off; 
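Review bot: The second `lib.mkIf` gates the jellyfin vhost on `cfg.enableProxy && config.my.enableProxy` alone, whereas before the commit the nginx config sat inside `lib.mkIf (cfg.enable && config.my.secureHost)`, so a host with `enableProxy` set but the service disabled, or a host that is not `secureHost`, now gets the vhost together with the `proxy_cache_path /var/cache/nginx/jellyfin` block in `appendHttpConfig`. If the point is to let a proxy host front a service it does not run, that is reasonable but deserves a comment above `(lib.mkIf (cfg.enableProxy && config.my.enableProxy) {` saying so; if not, the condition should keep `cfg.enable`. The same loosening appears in the keycloak, nextcloud, plex and synapse hunks below. The `services.nginx` attrset in this block continues past the hunk end.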
@@ -94,29 +120,6 @@ in }; }; }; - }; - systemd = lib.mkIf cfg.enableCron { - services.sub-sync = { - restartIfChanged = true; - description = "syncronizes subtitles downloaded & modified today"; - wantedBy = [ "default.target" ]; - path = sub-sync-path; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${sub-sync}/bin/sub-sync all"; - Type = "simple"; - User = "root"; - }; - }; - timers.sub-sync = { - enable = true; - description = "syncronizes subtitles downloaded & modified today"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "20:00"; - }; - }; - }; - }; + }) + ]; } diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index c7e3e5c..dd6527e 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix 
@@ -10,35 +10,38 @@ let in { options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090; - config = lib.mkIf (cfg.enable && config.my.secureHost) { - sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml; - sops.secrets.keycloak = { - sopsFile = ../../secrets/env.yaml; - restartUnits = [ "keycloak.service" ]; - }; - services.keycloak = { - inherit (cfg) enable; - database = { - type = "postgresql"; - host = "localhost"; - createLocally = false; - username = "keycloak"; - name = "keycloak"; - passwordFile = config.sops.secrets.postgres-password.path; + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml; + sops.secrets.keycloak = { + sopsFile = ../../secrets/env.yaml; + restartUnits = [ "keycloak.service" ]; }; - settings = { - hostname = cfg.host; - hostname-strict = true; - hostname-strict-https = false; - http-enabled = true; - http-port = cfg.port; - http-host = cfg.ip; - proxy-headers = "xforwarded"; + services.keycloak = { + inherit (cfg) enable; + database = { + type = "postgresql"; + host = "localhost"; + createLocally = false; + username = "keycloak"; + name = "keycloak"; + passwordFile = config.sops.secrets.postgres-password.path; + }; + settings = { + hostname = cfg.host; + hostname-strict = true; + hostname-strict-https = false; + http-enabled = true; + http-port = cfg.port; + http-host = cfg.ip; + proxy-headers = "xforwarded"; + }; }; - }; - systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path; - services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) ( - inputs.self.lib.proxyReverseFix cfg - ); - }; + systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path; + }) + (lib.mkIf (cfg.enableProxy && config.my.enableProxy) { + my.servers.keycloak.useDefaultProxy = false; + services.nginx.virtualHosts.${cfg.host} = 
inputs.self.lib.proxyReverseFix cfg; + }) + ]; } diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix index b1fa423..097c6fb 100644 --- a/modules/servers/nextcloud.nix +++ b/modules/servers/nextcloud.nix 
@@ -42,128 +42,203 @@ in collabora = setup.mkOptions "collabora" "collabora" 9980; go-vod.enable = lib.mkEnableOption "Go-VOD video transcoding service"; }; - config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) { - sops.secrets.nextcloud-adminpass = { - owner = config.users.users.nextcloud.name; - inherit (config.users.users.nextcloud) group; - }; - nixpkgs.config.permittedInsecurePackages = [ - "nodejs-14.21.3" - "openssl-1.1.1v" - ]; - users.groups.nextcloud = { inherit gid; }; - users.users.nextcloud = { - inherit uid; - isSystemUser = true; - group = "nextcloud"; - extraGroups = [ "render" ]; - packages = builtins.attrValues { - inherit exiftool pytensorflow; - inherit (pkgs) - ffmpeg - mediainfo - nodejs - perl - ; + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && config.my.servers.postgres.enable && config.my.secureHost) { + sops.secrets.nextcloud-adminpass = { + owner = config.users.users.nextcloud.name; + inherit (config.users.users.nextcloud) group; }; - }; - services = { - nextcloud = { - enable = true; - https = false; # vps - package = pkgs.nextcloud32; - appstoreEnable = true; - configureRedis = true; - extraAppsEnable = true; - enableImagemagick = true; - maxUploadSize = "4096M"; - hostName = cfg.host; - caching = { - redis = true; - memcached = true; - apcu = true; + nixpkgs.config.permittedInsecurePackages = [ + "nodejs-14.21.3" + "openssl-1.1.1v" + ]; + users.groups.nextcloud = { inherit gid; }; + users.users.nextcloud = { + inherit uid; + isSystemUser = true; + group = "nextcloud"; + extraGroups = [ "render" ]; + packages = builtins.attrValues { + inherit exiftool pytensorflow; + inherit (pkgs) + ffmpeg + mediainfo + nodejs + perl + ; }; - config = { - adminpassFile = config.sops.secrets.nextcloud-adminpass.path; - dbtype = "pgsql"; - dbhost = config.my.postgresSocket; - dbname = "nextcloud"; - }; - phpOptions = { - catch_workers_output = "yes"; - display_errors = "stderr"; - error_reporting = "E_ALL & 
~E_DEPRECATED & ~E_STRICT"; - expose_php = "Off"; - preview_max_x = 2048; - preview_max_y = 2048; - short_open_tag = "Off"; - "opcache.enable_cli" = "1"; - "opcache.fast_shutdown" = "1"; - "opcache.interned_strings_buffer" = "16"; - "opcache.jit" = "1255"; - "opcache.jit_buffer_size" = "256M"; - "opcache.max_accelerated_files" = "10000"; - "opcache.huge_code_pages" = "1"; - "opcache.enable_file_override" = "1"; - "opcache.memory_consumption" = "256"; - "opcache.revalidate_freq" = "60"; - "opcache.save_comments" = "1"; - "opcache.validate_timestamps" = "0"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - }; - settings = { - log_type = "file"; - loglevel = 1; - trusted_proxies = [ - config.my.localhost - config.my.localhost6 - config.my.ips.router - config.my.ips.wg-vps - ]; - trusted_domains = [ - cfg.host - config.my.ips.${config.networking.hostName} - "localhost" - "cloud.rotehaare.art" - ]; - overwriteprotocol = "https"; - "overwrite.cli.url" = "${cfg.url}"; - forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ]; - default_phone_region = "MX"; - allow_local_remote_servers = true; - mail_smtpmode = "sendmail"; - mail_sendmailmode = "pipe"; - preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg"; - "memories.exiftool" = "${exiftool}/bin/exiftool"; - "memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg"; - "memories.ffprobe_path" = "${pkgs.ffmpeg}/bin/ffprobe"; - enabledPreviewProviders = [ - "OC\\Preview\\AVI" - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\HEIC" - "OC\\Preview\\Image" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MKV" - "OC\\Preview\\MP3" - "OC\\Preview\\MP4" - "OC\\Preview\\MarkDown" - "OC\\Preview\\Movie" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TIFF" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" - ]; - }; - phpExtraExtensions = all: [ - all.pdlib - all.bz2 - ]; }; - nginx.virtualHosts = { - "${cfg.host}" = lib.mkIf cfg.enableProxy { + services = { + nextcloud = { + enable = true; + https 
= false; # vps + package = pkgs.nextcloud32; + appstoreEnable = true; + configureRedis = true; + extraAppsEnable = true; + enableImagemagick = true; + maxUploadSize = "4096M"; + hostName = cfg.host; + caching = { + redis = true; + memcached = true; + apcu = true; + }; + config = { + adminpassFile = config.sops.secrets.nextcloud-adminpass.path; + dbtype = "pgsql"; + dbhost = config.my.postgresSocket; + dbname = "nextcloud"; + }; + phpOptions = { + catch_workers_output = "yes"; + display_errors = "stderr"; + error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; + expose_php = "Off"; + preview_max_x = 2048; + preview_max_y = 2048; + short_open_tag = "Off"; + "opcache.enable_cli" = "1"; + "opcache.fast_shutdown" = "1"; + "opcache.interned_strings_buffer" = "16"; + "opcache.jit" = "1255"; + "opcache.jit_buffer_size" = "256M"; + "opcache.max_accelerated_files" = "10000"; + "opcache.huge_code_pages" = "1"; + "opcache.enable_file_override" = "1"; + "opcache.memory_consumption" = "256"; + "opcache.revalidate_freq" = "60"; + "opcache.save_comments" = "1"; + "opcache.validate_timestamps" = "0"; + "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; + }; + settings = { + log_type = "file"; + loglevel = 1; + trusted_proxies = [ + config.my.localhost + config.my.localhost6 + config.my.ips.router + config.my.ips.wg-vps + ]; + trusted_domains = [ + cfg.host + config.my.ips.${config.networking.hostName} + "localhost" + "cloud.rotehaare.art" + ]; + overwriteprotocol = "https"; + "overwrite.cli.url" = "${cfg.url}"; + forwarded_for_headers = [ "HTTP_X_FORWARDED_FOR" ]; + default_phone_region = "MX"; + allow_local_remote_servers = true; + mail_smtpmode = "sendmail"; + mail_sendmailmode = "pipe"; + preview_ffmpeg_path = "${pkgs.ffmpeg}/bin/ffmpeg"; + "memories.exiftool" = "${exiftool}/bin/exiftool"; + "memories.ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg"; + "memories.ffprobe_path" = "${pkgs.ffmpeg}/bin/ffprobe"; + enabledPreviewProviders = [ + "OC\\Preview\\AVI" + "OC\\Preview\\BMP" 
+ "OC\\Preview\\GIF" + "OC\\Preview\\HEIC" + "OC\\Preview\\Image" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MKV" + "OC\\Preview\\MP3" + "OC\\Preview\\MP4" + "OC\\Preview\\MarkDown" + "OC\\Preview\\Movie" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TIFF" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + ]; + }; + phpExtraExtensions = all: [ + all.pdlib + all.bz2 + ]; + }; + }; + virtualisation.oci-containers.containers = { + go-vod = lib.mkIf config.my.servers.go-vod.enable { + autoStart = true; + image = "radialapps/go-vod"; + environment = { + TZ = config.my.timeZone; + NEXTCLOUD_HOST = "https://${config.services.nextcloud.hostName}"; + NVIDIA_VISIBLE_DEVICES = "all"; + }; + volumes = [ "ncdata:/var/www/html:ro" ]; + extraOptions = [ + "--device=/dev/dri" # VA-API (omit for NVENC) + ]; + }; + collabora = lib.mkIf cfgC.enable { + autoStart = true; + image = "collabora/code:latest"; + ports = [ "${toString cfgC.port}:${toString cfgC.port}" ]; + environment = { + TZ = config.my.timeZone; + domain = cfg.host; + aliasgroup1 = "${cfg.url}:443"; + aliasgroup2 = "https://cloud.rotehaare.art:443"; + server_name = cfgC.host; + dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; + extra_params = '' + --o:ssl.enable=false + --o:ssl.termination=true + --o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json + --o:logging.level=information + ''; + DONT_GEN_SSL_CERT = "1"; + SLEEPFORDEBUGGER = "0"; + }; + extraOptions = [ + "--cap-add" + "MKNOD" + ]; + }; + }; + systemd = lib.mkIf cfg.enableCron { + services = { + nextcloud-cron.path = [ pkgs.perl ]; + nextcloud-cronjob = + let + inherit (inputs.jawz-scripts.packages.x86_64-linux) nextcloud-cronjob; + in + { + description = "Runs various nextcloud-related cronjobs"; + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.bash + nextcloud-cronjob + ]; + serviceConfig = { + Restart = "on-failure"; + RestartSec = 30; + ExecStart = 
"${nextcloud-cronjob}/bin/nextcloud-cronjob"; + }; + }; + }; + timers.nextcloud-cronjob = { + enable = true; + description = "Runs various nextcloud-related cronjobs"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "*:0/10"; + }; + }; + }; + }) + (lib.mkIf (cfg.enableProxy && config.my.enableProxy) { + my.servers.nextcloud.useDefaultProxy = false; + services.nginx.virtualHosts = { + "${cfg.host}" = { forceSSL = false; # vps enableACME = false; # vps http2 = false; # vps 
@@ -243,76 +318,6 @@ in }; }; }; - }; - virtualisation.oci-containers.containers = { - go-vod = lib.mkIf config.my.servers.go-vod.enable { - autoStart = true; - image = "radialapps/go-vod"; - environment = { - TZ = config.my.timeZone; - NEXTCLOUD_HOST = "https://${config.services.nextcloud.hostName}"; - NVIDIA_VISIBLE_DEVICES = "all"; - }; - volumes = [ "ncdata:/var/www/html:ro" ]; - extraOptions = [ - "--device=/dev/dri" # VA-API (omit for NVENC) - ]; - }; - collabora = lib.mkIf cfgC.enable { - autoStart = true; - image = "collabora/code:latest"; - ports = [ "${toString cfgC.port}:${toString cfgC.port}" ]; - environment = { - TZ = config.my.timeZone; - domain = cfg.host; - aliasgroup1 = "${cfg.url}:443"; - aliasgroup2 = "https://cloud.rotehaare.art:443"; - server_name = cfgC.host; - dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; - extra_params = '' - --o:ssl.enable=false - --o:ssl.termination=true - --o:remote_font_config.url=${cfg.url}/apps/richdocuments/settings/fonts.json - --o:logging.level=information - ''; - DONT_GEN_SSL_CERT = "1"; - SLEEPFORDEBUGGER = "0"; - }; - extraOptions = [ - "--cap-add" - "MKNOD" - ]; - }; - }; - systemd = lib.mkIf cfg.enableCron { - services = { - nextcloud-cron.path = [ pkgs.perl ]; - nextcloud-cronjob = - let - inherit (inputs.jawz-scripts.packages.x86_64-linux) nextcloud-cronjob; - in - { - description = "Runs various nextcloud-related cronjobs"; - wantedBy = [ "multi-user.target" ]; - path = [ - pkgs.bash - nextcloud-cronjob - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${nextcloud-cronjob}/bin/nextcloud-cronjob"; - }; - }; - }; - timers.nextcloud-cronjob = { - enable = true; - description = "Runs various nextcloud-related cronjobs"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*:0/10"; - }; - }; - }; - }; + }) + ]; } diff --git a/modules/servers/plex.nix b/modules/servers/plex.nix index 2d761a4..8d64526 100644 --- a/modules/servers/plex.nix 
+++ b/modules/servers/plex.nix 
@@ -9,51 +9,52 @@ let in { options.my.servers.plex = setup.mkOptions "plex" "plex" 32400; - config = lib.mkIf (cfg.enable && config.my.secureHost) { - users.users.plex = { - uid = 193; - group = "piracy"; - isSystemUser = true; - }; - services = { - plex = { + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && config.my.secureHost) { + users.users.plex = { + uid = 193; + group = "piracy"; + isSystemUser = true; + }; + services.plex = { inherit (cfg) enable; group = "piracy"; }; - nginx = lib.mkIf cfg.enableProxy { - virtualHosts."${cfg.host}" = { - forceSSL = true; - enableACME = true; - http2 = true; - serverAliases = [ - "plex.rotehaare.art" - ]; - extraConfig = '' - # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause - send_timeout 100m; - # Plex headers - proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; - proxy_set_header X-Plex-Device $http_x_plex_device; - proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; - proxy_set_header X-Plex-Platform $http_x_plex_platform; - proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; - proxy_set_header X-Plex-Product $http_x_plex_product; - proxy_set_header X-Plex-Token $http_x_plex_token; - proxy_set_header X-Plex-Version $http_x_plex_version; - proxy_set_header X-Plex-Nocache $http_x_plex_nocache; - proxy_set_header X-Plex-Provides $http_x_plex_provides; - proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; - proxy_set_header X-Plex-Model $http_x_plex_model; - # Buffering off send to the client as soon as the data is received from Plex. 
- proxy_redirect off; - proxy_buffering off; - ''; - locations."/" = { - proxyPass = cfg.local; - proxyWebsockets = true; - }; + }) + (lib.mkIf (cfg.enableProxy && config.my.enableProxy) { + my.servers.plex.useDefaultProxy = false; + services.nginx.virtualHosts."${cfg.host}" = { + forceSSL = true; + enableACME = true; + http2 = true; + serverAliases = [ + "plex.rotehaare.art" + ]; + extraConfig = '' + # Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause + send_timeout 100m; + # Plex headers + proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; + proxy_set_header X-Plex-Device $http_x_plex_device; + proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; + proxy_set_header X-Plex-Platform $http_x_plex_platform; + proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; + proxy_set_header X-Plex-Product $http_x_plex_product; + proxy_set_header X-Plex-Token $http_x_plex_token; + proxy_set_header X-Plex-Version $http_x_plex_version; + proxy_set_header X-Plex-Nocache $http_x_plex_nocache; + proxy_set_header X-Plex-Provides $http_x_plex_provides; + proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; + proxy_set_header X-Plex-Model $http_x_plex_model; + # Buffering off send to the client as soon as the data is received from Plex. + proxy_redirect off; + proxy_buffering off; + ''; + locations."/" = { + proxyPass = cfg.local; + proxyWebsockets = true; }; }; - }; - }; + }) + ]; } diff --git a/modules/servers/synapse.nix b/modules/servers/synapse.nix index 1fa4e44..fc17e5f 100644 --- a/modules/servers/synapse.nix +++ b/modules/servers/synapse.nix 
@@ -25,42 +25,42 @@ in synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008; element = setup.mkOptions "element" "55a608953f6d64c199" 5345; }; - config = lib.mkIf (cfg.enable && config.my.secureHost) { - my.servers = { - synapse = { inherit domain; }; - element = { inherit domain; }; - }; - users.groups.matrix-synapse = { inherit gid; }; - users.users.matrix-synapse = { - inherit uid; - isSystemUser = true; - group = "matrix-synapse"; - }; - sops.secrets = { - synapse = { - sopsFile = ../../secrets/env.yaml; - owner = "matrix-synapse"; + config = lib.mkMerge [ + (lib.mkIf (cfg.enable && config.my.secureHost) { + my.servers = { + synapse = { inherit domain; }; + element = { inherit domain; }; + }; + users.groups.matrix-synapse = { inherit gid; }; + users.users.matrix-synapse = { + inherit uid; + isSystemUser = true; group = "matrix-synapse"; }; - "iqQCY4iAWO-ca/pem" = { - sopsFile = ../../secrets/certs.yaml; - owner = "nginx"; - group = "nginx"; + sops.secrets = { + synapse = { + sopsFile = ../../secrets/env.yaml; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + "iqQCY4iAWO-ca/pem" = { + sopsFile = ../../secrets/certs.yaml; + owner = "nginx"; + group = "nginx"; + }; + "matrix/key" = { + sopsFile = ../../secrets/certs.yaml; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + "matrix/cert" = { + sopsFile = ../../secrets/certs.yaml; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; }; - "matrix/key" = { - sopsFile = ../../secrets/certs.yaml; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - "matrix/cert" = { - sopsFile = ../../secrets/certs.yaml; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - }; - networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; - services = { - matrix-synapse = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + services.matrix-synapse = { inherit (cfg) enable; extraConfigFiles = [ config.sops.secrets.synapse.path 
@@ -100,7 +100,10 @@ in ]; }; }; - nginx.virtualHosts = lib.mkIf cfg.enableProxy { + }) + (lib.mkIf (cfg.enableProxy && config.my.enableProxy) { + my.servers.synapse.useDefaultProxy = false; + services.nginx.virtualHosts = { "${cfgE.host}" = { enableACME = true; forceSSL = true; @@ -132,6 +135,6 @@ in # ''; }; }; - }; - }; + }) + ]; }
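Review bot: Only `my.servers.synapse.useDefaultProxy = false;` is set, yet the `services.nginx.virtualHosts` attrset that follows defines `"${cfgE.host}"`, the element server's host. Element is declared through `setup.mkOptions` as well, so unless it is listed in `standardProxyNames` or has `enableProxy` off, the nginx.nix filter will still select it for the generic `proxyReverse` entry and that definition would be merged with the custom vhost defined here, which is at best redundant and at worst a conflicting definition. Add `my.servers.element.useDefaultProxy = false;` beside the synapse line. The same check applies to the nextcloud hunk if its custom virtualHosts block, cut off at that hunk's end, also defines the collabora host.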