{ lib, config, pkgs, ... }:

let
  # Option values for the two services this module declares (options.my.servers below).
  cfg = config.my.servers.synapse;
  cfgE = config.my.servers.element;

  domain = "wedsgk5ac2qcaf9yb.click";

  # Shared option constructor; its second argument is presumably the host label
  # prepended to `domain` -- see setup.nix for what it actually does.
  setup = import ./setup.nix { inherit lib config; };

  # Bodies of the two Matrix .well-known documents served by nginx below.
  wellKnownClient = { "m.homeserver" = { base_url = cfg.url; }; };
  wellKnownServer = { "m.server" = "${cfg.host}:443"; };

  # nginx location body that answers with a static JSON document.  The wildcard
  # CORS header is deliberate: the Matrix client-server spec expects the client
  # .well-known document to be readable cross-origin by browser-based clients.
  # The JSON is single-quoted for nginx; its input comes from module options,
  # never from request data.
  mkWellKnown = body: lib.concatStringsSep "\n" [
    "default_type application/json;"
    "add_header Access-Control-Allow-Origin *;"
    "return 200 '${builtins.toJSON body}';"
    ""
  ];

  # Every public vhost gets an ACME certificate and an HTTP -> HTTPS redirect.
  tlsHost = attrs: { enableACME = true; forceSSL = true; } // attrs;

  # sops secret owned (user and group) by the given service account.
  ownedBy = owner: { inherit owner; group = owner; };

  # nginx reaches Synapse only on the IPv6 loopback address.
  synapseUpstream = "http://[${config.my.localhost6}]:${toString cfg.port}";
in
{
  options.my.servers = {
    synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
    element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
  };

  # Nothing below applies unless synapse is enabled on a host flagged as secure.
  config = lib.mkIf (cfg.enable && config.my.secureHost) {
    my.servers.synapse.domain = domain;
    my.servers.element.domain = domain;

    sops.secrets = {
      # Extra Synapse configuration kept out of the Nix store; Synapse reads it
      # through extraConfigFiles below.
      synapse = ownedBy "matrix-synapse" // { sopsFile = ../../secrets/env.yaml; };
      # Client CA for the nginx mTLS block that is currently commented out; it is
      # still decrypted and installed for nginx even though nothing reads it.
      "iqQCY4iAWO-ca/pem" = ownedBy "nginx" // { sopsFile = ../../secrets/certs.yaml; };
      "matrix/key" = ownedBy "matrix-synapse" // { sopsFile = ../../secrets/certs.yaml; };
      "matrix/cert" = ownedBy "matrix-synapse" // { sopsFile = ../../secrets/certs.yaml; };
    };

    # Only hosts that are not "local" open the Synapse port in the firewall.
    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];

    services.matrix-synapse = {
      enable = cfg.enable;
      extraConfigFiles = [ config.sops.secrets.synapse.path ];

      settings = {
        server_name = cfg.domain;
        public_baseurl = cfg.url;

        # Once this option is set, Synapse refuses federation with any domain not
        # listed, so an empty list admits no remote homeserver (confirm against
        # the deployed Synapse version).  The listener below also serves no
        # "federation" resource, so this is effectively a closed deployment.
        federation_domain_whitelist = [ ];
        allow_public_rooms_without_auth = false;
        allow_public_rooms_over_federation = false;

        max_upload_size = "4096M";

        # NOTE(review): the only listener declared here is plain HTTP (tls = false)
        # and nginx terminates TLS, so confirm these paths are still required.
        tls_private_key_path = config.sops.secrets."matrix/key".path;
        tls_certificate_path = config.sops.secrets."matrix/cert".path;

        listeners = [
          {
            port = cfg.port;
            # NOTE(review): besides the loopback addresses this binds the LAN and
            # WireGuard addresses, while x_forwarded makes Synapse trust
            # X-Forwarded-For.  Anything reaching the port directly (the firewall
            # opens it when !cfg.isLocal) can therefore present an arbitrary client
            # address to Synapse's logging and rate limiting; if direct access is
            # intended, a second listener without x_forwarded is the usual shape.
            bind_addresses = [
              config.my.localhost
              config.my.localhost6
              config.my.ips.server
              config.my.ips.wg-server
            ];
            type = "http";
            tls = false;
            x_forwarded = true;
            resources = [
              { names = [ "client" "media" ]; compress = true; }
            ];
          }
        ];
      };
    };

    services.nginx.virtualHosts = lib.mkIf cfg.enableProxy {
      # Element web client.  NOTE(review): the alias repeats the vhost's own name,
      # so it is probably redundant.
      "${cfgE.host}" = tlsHost {
        serverAliases = [ cfgE.host ];
        root = pkgs.element-web;
      };

      # Apex domain: serves only the two Matrix discovery documents.
      "${cfg.domain}" = tlsHost {
        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer;
        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient;
      };

      # Homeserver: only the Matrix API paths are proxied; everything else is 404.
      "${cfg.host}" = tlsHost {
        locations = {
          "/".extraConfig = "return 404;\n";
          "/_matrix".proxyPass = synapseUpstream;
          "/_synapse/client".proxyPass = synapseUpstream;
        };

        # Client-certificate gate, currently disabled.  The CA it references is
        # still deployed through sops.secrets above.
        # extraConfig = ''
        #   ssl_verify_client on;
        #   ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
        #   error_page 403 /403.html;
        # '';
      };
    };
  };
}