fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

WIP mas

Browse source
This commit is contained in:
Fiona Grzebien 2024-11-08 01:45:53 +01:00
parent 94e279094a
commit 13a9e1bb43
8 changed files with 230 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

125
config/hosts/matrix/mas.nix
View file

@ -1,6 +1,131 @@
{ pkgs, ... }:
let
masConfig = (pkgs.formats.yaml { }).generate "matrix-authentication-service-config.yaml" {
http = {
public_base = "https://matrix-auth.nekover.se";
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{ name = "assets"; }
];
binds = [{ socket = "/var/run/mas.sock"; }];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "localhost";
port = 8081;
}
];
proxy_protocol = false;
}
];
trusted_proxies = [
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/10"
"127.0.0.1/8"
"fd00::/8"
"::1/128"
];
};
database = {
uri = "postgresql://mas_user:mas@localhost/mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Matrix Authentication Service\" <nyareply@nekover.se>";
reply_to = "\"No reply\" <nyareply@nekover.se>";
transport = "smtp";
mode = "tls";
hostname = "mail-1.grzb.de";
port = 465;
username = "matrix@nekover.se";
# password = "";
};
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "argon2id";
}
];
# See https://github.com/dropbox/zxcvbn#usage
minimum_complexity = 3;
};
matrix = {
homeserver = "nekover.se";
# secret =
endpoint = "http://localhost:8008";
};
upstream_oauth2 = {
providers = [{
id = "01H8PKNWKKRPCBW4YGH1RWV279";
issuer = "https://id.nekover.se/realms/nekoverse";
human_name = "Nekoverse ID";
token_endpoint_auth_method = "client_secret_basic";
client_id = "matrix-authentication-service";
#client_secret = "";
scope = "openid profile email";
claims_imports = {
localpart = {
action = "require";
template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
};
displayname = {
action = "suggest";
template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
};
email = {
action = "suggest";
template = "\"{{ user.email }}\"";
set_email_verification = "import";
};
};
}];
};
# secrets = { }
};
in
{
environment.systemPackages = with pkgs; [
matrix-authentication-service
];
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-abort";
DynamicUser = "yes";
User = "mas";
Group = "nogroup";
WorkingDirectory = pkgs.matrix-authentication-service;
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masConfig} --config=/secrets/";
SyslogIdentifier = "matrix-authentication-service";
};
wantedBy = [ "multi-user.target" ];
};
}

14
config/hosts/matrix/matrix-synapse.nix
View file

@ -46,6 +46,20 @@
];
turn_user_lifetime = 86400000;
turn_allow_guests = true;
experimental_features = {
msc3861 = {
enabled = true;
# Synapse will call `{issuer}/.well-known/openid-configuration` to get the OIDC configuration
issuer = "https://nekover.se";
client_id = "0000000000000000000SYNAPSE";
client_auth_method = "client_secret_basic";
# Matches the `client_secret` in the auth service config
client_secret = "SomeRandomSecret";
# Matches the `matrix.secret` in the auth service config
admin_token = "AnotherRandomSecret";
account_management_url = "https://id.nekover.se/realms/nekoverse/account/";
};
};
};
extras = [ "oidc" ];
extraConfigFiles = [

100
config/hosts/matrix/nginx.nix
View file

@ -2,40 +2,76 @@
{
services.nginx = {
enable = true;
virtualHosts."matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations = {
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://127.0.0.1:8009";
priority = 999;
virtualHosts = {
"matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations = {
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://127.0.0.1:8009";
priority = 999;
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
"matrix-auth.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations = {
"/" = {
proxy_pass = "http://unix:/var/run/mas.sock";
};
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
};
extraConfig = ''
listen 0.0.0.0:9443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
};
}

1
config/hosts/web-public-2/nginx.nix
View file

@ -26,6 +26,7 @@
hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443;
matrix.nekover.se 10.202.41.112:8443;
matrix-auth.nekover.se 10.202.41.112:9443;
mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443;
nix-cache.nekover.se 10.202.41.121:8443;

1
config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -4,6 +4,7 @@ let
"jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
"mail-1.grzb.de" = "mail-1.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de";
"matrix-auth.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de";
"git.nekover.se" = "forgejo.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de";