From 4d7c667c45f0deb9299b3dc1eb90d26ee6e2cafd Mon Sep 17 00:00:00 2001
From: yuri
Date: Tue, 29 Aug 2023 16:10:22 +0200
Subject: [PATCH] Add matrix-synapse host

---
 flake.lock | 12 +++---
 hosts.nix | 3 ++
 hosts/matrix/configuration.nix | 17 +++++++++
 hosts/matrix/default.nix | 10 ++++++
 hosts/matrix/hardware-configuration.nix | 21 +++++++++++
 hosts/matrix/matrix-synapse.nix | 36 +++++++++++++++++++
 hosts/matrix/nginx.nix | 35 ++++++++++++++++++
 hosts/matrix/postgresql.nix | 13 +++++++
 hosts/matrix/secrets.nix | 35 ++++++++++++++++++
 hosts/web-public-2/nginx.nix | 2 +-
 .../virtualHosts/acme-challenge.nix | 9 +++++
 hosts/web-public-2/virtualHosts/default.nix | 1 -
 .../virtualHosts/matrix.nekover.se.nix | 33 -----------------
 13 files changed, 186 insertions(+), 41 deletions(-)
 create mode 100644 hosts/matrix/configuration.nix
 create mode 100644 hosts/matrix/default.nix
 create mode 100644 hosts/matrix/hardware-configuration.nix
 create mode 100644 hosts/matrix/matrix-synapse.nix
 create mode 100644 hosts/matrix/nginx.nix
 create mode 100644 hosts/matrix/postgresql.nix
 create mode 100644 hosts/matrix/secrets.nix
 delete mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix

diff --git a/flake.lock b/flake.lock
index 8c5ec2a..61995d3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -38,11 +38,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1691406141,
- "narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=",
+ "lastModified": 1693183237,
+ "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b",
+ "rev": "ea5234e7073d5f44728c499192544a84244bf35a",
 "type": "github"
 },
 "original": {
@@ -54,11 +54,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1691420187,
- "narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=",
+ "lastModified": 1693184707,
+ "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc",
+ "rev": "48516a891d020801bc5304375739d2604400c741",
 "type": "github"
 },
 "original": {
diff --git a/hosts.nix b/hosts.nix
index ff6d3f3..d608e79 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -37,6 +37,9 @@ in
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 };
+ matrix = {
+ site = "vs";
+ };
 metrics = {
 site = "vs";
 };
diff --git a/hosts/matrix/configuration.nix b/hosts/matrix/configuration.nix
new file mode 100644
index 0000000..9ffa4c6
--- /dev/null
+++ b/hosts/matrix/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "matrix";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 8443 8448 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
new file mode 100644
index 0000000..27528b7
--- /dev/null
+++ b/hosts/matrix/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./postgresql.nix
+ ./matrix-synapse.nix
+ ./nginx.nix
+ ];
+}
diff --git a/hosts/matrix/hardware-configuration.nix b/hosts/matrix/hardware-configuration.nix
new file mode 100644
index 0000000..d014f39
--- /dev/null
+++ b/hosts/matrix/hardware-configuration.nix
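Review bot: `allowedTCPPorts = [ 80 8443 8448 ];` in hosts/matrix/configuration.nix opens 8443 to every source, but 8443 is the PROXY-protocol listener that only the frontend at 10.202.41.100 is meant to speak to (the `set_real_ip_from 10.202.41.100;` line in hosts/matrix/nginx.nix limits whose PROXY header is trusted, not who may connect). Keep `allowedTCPPorts = [ 80 8448 ];` and admit 8443 only from that address, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8443 -s 10.202.41.100 -j nixos-fw-accept";`. If the VM sits on an internal network reachable only through the frontend this is less pressing, but then a comment on the port list should say so.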
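Review bot: The `imports` list in hosts/matrix/default.nix omits `./secrets.nix`, yet hosts/matrix/matrix-synapse.nix points `signing_key_path` and `extraConfigFiles` at the `/secrets/...` files that secrets.nix deploys, so unless the deployment tooling picks up a per-host `secrets.nix` on its own, Synapse will start without its signing key and shared secrets. Add `./secrets.nix` to `imports`, or add a comment on the list stating where secrets.nix is wired in.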
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ fileSystems."/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoFormat = true;
+ autoResize = true;
+ };
+ fileSystems."/var/lib/matrix-synapse/media_store" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/media_store";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
+ };
+ fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/database";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+ };
+}
diff --git a/hosts/matrix/matrix-synapse.nix b/hosts/matrix/matrix-synapse.nix
new file mode 100644
index 0000000..e4f508e
--- /dev/null
+++ b/hosts/matrix/matrix-synapse.nix
@@ -0,0 +1,36 @@
+{ ... }:
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "nekover.se";
+ public_baseurl = "https://matrix.nekover.se";
+ database = {
+ name = "psycopg2";
+ args.password = "synapse";
+ };
+ email = {
+ smtp_host = "mail.grzb.de";
+ smtp_port = 465;
+ smtp_user = "matrix";
+ force_tls = true;
+ notif_from = "Nekoverse Matrix Server ";
+ };
+ max_upload_size = "500M";
+ signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
+ admin_contact = "mailto:admin@nekover.se";
+ web_client_location = "https://element.nekover.se";
+ turn_uris = [
+ "turns:turn.nekover.se?transport=udp"
+ "turns:turn.nekover.se?transport=tcp"
+ ];
+ turn_user_lifetime = 86400000;
+ turn_allow_guests = true;
+ };
+ extraConfigFiles = [
+ "/secrets/matrix-registration-shared-secret.secret"
+ "/secrets/matrix-turn-shared-secret.secret"
+ "/secrets/matrix-email-smtp-pass.secret"
+ ];
+ };
+}
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..de8f332
--- /dev/null
+++ b/hosts/matrix/nginx.nix
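Review bot: `autoFormat = true;` on `fileSystems."/mnt/data"` is paired with `device = "/dev/disk/by-label/data";`, but a disk that has never been formatted carries no label, so that path would not exist on first boot and the mount would fail before the auto-format could run — assuming the label is not pre-created by the VM image, which the hunk does not show. If first-boot formatting is the intent, point `device` at the block device itself; otherwise drop `autoFormat` and add a comment on the line saying the label is provisioned elsewhere.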
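Review bot: `args.password = "synapse";` hard-codes the database password in the repository, and because `settings` is rendered into homeserver.yaml in the Nix store it ends up world-readable on the host — while every other credential in this file is loaded from `/secrets` through `extraConfigFiles`. The same literal appears in hosts/matrix/postgresql.nix as `PASSWORD 'synapse'`. Either move `database.args.password` into a `/secrets` fragment listed in `extraConfigFiles`, or, if Synapse reaches PostgreSQL over the local Unix socket where peer authentication applies (the NixOS default, not visible here), drop the password and the `PASSWORD` clause altogether. Separately, `notif_from = "Nekoverse Matrix Server ";` looks truncated — the sender address is missing, possibly a rendering artifact — so it is worth checking against the file.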
@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."matrix.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ locations."~ ^(/_matrix|/_synapse/client)" = {
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+ '';
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/hosts/matrix/postgresql.nix b/hosts/matrix/postgresql.nix
new file mode 100644
index 0000000..03b753a
--- /dev/null
+++ b/hosts/matrix/postgresql.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+}
diff --git a/hosts/matrix/secrets.nix b/hosts/matrix/secrets.nix
new file mode 100644
index 0000000..24329ea
--- /dev/null
+++ b/hosts/matrix/secrets.nix
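Review bot: The 8443 listener is written as a raw `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` inside `extraConfig`, whereas the deleted hosts/web-public-2/virtualHosts/matrix.nekover.se.nix expressed the same listener through the module's `listen` list with `proxyProtocol = true;`, which keeps certificate and listen options managed in one place. Add `{ addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; }` to `listen` and leave only the `set_real_ip_from` and `real_ip_header` lines in `extraConfig`. The old vhost also listened on `[::]` for 8448; the new one is IPv4-only, so federation over IPv6 stops unless that is intended — a comment on the `listen` list either way would help.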
@@ -0,0 +1,35 @@
+{ ... }:
+{
+ deployment.keys."matrix-registration-shared-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-turn-shared-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-email-smtp-pass.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."matrix-homeserver-signing-key.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix
index 713a09d..52acd48 100644
--- a/hosts/web-public-2/nginx.nix
+++ b/hosts/web-public-2/nginx.nix
@@ -16,7 +16,7 @@
 gameserver.grzb.de 127.0.0.1:8443;
 git.grzb.de 127.0.0.1:8443;
 hydra.nekover.se 10.202.41.121:8443;
- matrix.nekover.se 127.0.0.1:8443;
+ matrix.nekover.se 10.202.41.112:8443;
 mewtube.nekover.se 127.0.0.1:8443;
 nekover.se 127.0.0.1:8443;
 nextcloud.grzb.de 127.0.0.1:8443;
diff --git a/hosts/web-public-2/virtualHosts/acme-challenge.nix b/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 6ec8d36..c04b2e8 100644
--- a/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -9,6 +9,15 @@
 proxyPass = "http://jellyfin.vs.grzb.de:80";
 };
 };
+ services.nginx.virtualHosts."matrix.nekover.se" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."^~ /.well-known/acme-challenge/" = {
+ proxyPass = "http://matrix.vs.grzb.de:80";
+ };
+ };
 services.nginx.virtualHosts."netbox.grzb.de" = {
 listen = [{
 addr = "0.0.0.0";
diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix
index 06d0bfd..7df558e 100644
--- a/hosts/web-public-2/virtualHosts/default.nix
+++ b/hosts/web-public-2/virtualHosts/default.nix
@@ -6,7 +6,6 @@
 ./element.nekover.se.nix
 ./gameserver.grzb.de.nix
 ./git.grzb.de.nix
- ./matrix.nekover.se.nix
 ./mewtube.nekover.se.nix
 ./nekover.se.nix
 ./nextcloud.grzb.de.nix
diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix
deleted file mode 100644
index 82455bf..0000000
--- a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."matrix.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 8448;
- ssl = true;
- }
- {
- addr = "[::]";
- port = 8448;
- ssl = true;
- }
- {
- addr = "localhost";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
- locations."~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://matrix.vs.grzb.de:8008";
- extraConfig = ''
- # Nginx by default only allows file uploads up to 1M in size
- # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
- client_max_body_size 500M;
- '';
- };
- };
-}