Setup mail server and restructure some things

2023-09-14 14:43:49 +02:00 · 2023-09-14 14:43:49 +02:00 · 4a802ab44d
commit 4a802ab44d
parent fa3db3bad6
90 changed files with 512 additions and 66 deletions
--- a/config/hosts/matrix/configuration.nix
+++ b/config/hosts/matrix/configuration.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "matrix";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 8443 8448 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./postgresql.nix
+    ./matrix-synapse.nix
+    ./nginx.nix
+  ];
+}
--- a/config/hosts/matrix/hardware-configuration.nix
+++ b/config/hosts/matrix/hardware-configuration.nix
@ -0,0 +1,21 @@
+{ config, ... }:
+{
+  fileSystems."/mnt/data" = {
+    device = "/dev/disk/by-label/data";
+    fsType = "ext4";
+    autoFormat = true;
+    autoResize = true;
+  };
+  fileSystems."/var/lib/matrix-synapse/media_store" = {
+    depends = [ "/mnt/data" ];
+    device = "/mnt/data/media_store";
+    fsType = "none";
+    options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
+  };
+  fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
+    depends = [ "/mnt/data" ];
+    device = "/mnt/data/database";
+    fsType = "none";
+    options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+  };
+}
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@ -0,0 +1,36 @@
+{ ... }:
+{
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "nekover.se";
+      public_baseurl = "https://matrix.nekover.se";
+      database = {
+        name = "psycopg2";
+        args.password = "synapse";
+      };
+      email = {
+        smtp_host = "mail.grzb.de";
+        smtp_port = 465;
+        smtp_user = "matrix";
+        force_tls = true;
+        notif_from = "Nekoverse Matrix Server <nyareply@nekover.se>";
+      };
+      max_upload_size = "500M";
+      signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
+      admin_contact = "mailto:admin@nekover.se";
+      web_client_location = "https://element.nekover.se";
+      turn_uris = [
+        "turns:turn.nekover.se?transport=udp"
+        "turns:turn.nekover.se?transport=tcp"
+      ];
+      turn_user_lifetime = 86400000;
+      turn_allow_guests = true;
+    };
+    extraConfigFiles = [
+      "/secrets/matrix-registration-shared-secret.secret"
+      "/secrets/matrix-turn-shared-secret.secret"
+      "/secrets/matrix-email-smtp-pass.secret"
+    ];
+  };
+}
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -0,0 +1,35 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."matrix.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8448;
+          ssl = true;
+        }
+      ];
+      locations."~ ^(/_matrix|/_synapse/client)" = {
+        proxyPass = "http://localhost:8008";
+        extraConfig = ''
+          # Nginx by default only allows file uploads up to 1M in size
+          # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+          client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+        '';
+      };
+      extraConfig = ''
+        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+}
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@ -0,0 +1,35 @@
+{ ... }:
+{
+  deployment.keys."matrix-registration-shared-secret.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
+    destDir = "/secrets";
+    user = "matrix-synapse";
+    group = "matrix-synapse";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."matrix-turn-shared-secret.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
+    destDir = "/secrets";
+    user = "matrix-synapse";
+    group = "matrix-synapse";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."matrix-email-smtp-pass.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
+    destDir = "/secrets";
+    user = "matrix-synapse";
+    group = "matrix-synapse";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."matrix-homeserver-signing-key.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
+    destDir = "/secrets";
+    user = "matrix-synapse";
+    group = "matrix-synapse";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}