From 881189eb6237b44b67ca5f594fcff6ead10b1da3 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 11 Feb 2025 23:09:22 +0100
Subject: [PATCH] Configure matrix-authentication-service
---
 config/hosts/matrix/default.nix | 1 +
 .../matrix/matrix-authentication-service.nix | 94 +++++++++++++++++++
 config/hosts/matrix/matrix-synapse.nix | 8 +-
 config/hosts/matrix/nginx.nix | 89 +++++++++++-------
 config/hosts/matrix/postgresql.nix | 5 +
 config/hosts/matrix/secrets.nix | 12 ++-
 config/hosts/web-public-2/nginx.nix | 2 +-
 .../virtualHosts/acme-challenge.nix | 1 +
 .../web-public-2/virtualHosts/nekover.se.nix | 2 +-
 9 files changed, 172 insertions(+), 42 deletions(-)
 create mode 100644 config/hosts/matrix/matrix-authentication-service.nix
diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
index 27528b7..5cafdf8 100644
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@@ -4,6 +4,7 @@
 ./configuration.nix
 ./hardware-configuration.nix
 ./postgresql.nix
+ ./matrix-authentication-service.nix
 ./matrix-synapse.nix
 ./nginx.nix
 ];
diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix
new file mode 100644
index 0000000..6c69834
--- /dev/null
+++ b/config/hosts/matrix/matrix-authentication-service.nix
@@ -0,0 +1,94 @@
+{ pkgs, ... }:
+let
+ masSettings = {
+ http = {
+ listeners = [
+ {
+ name = "web";
+ resources = [
+ { name = "discovery"; }
+ { name = "human"; }
+ { name = "oauth"; }
+ { name = "compat"; }
+ { name = "graphql"; }
+ {
+ name = "assets";
+ path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
+ }
+ ];
+ binds = [{
+ host = "localhost";
+ port = 8080;
+ }];
+ proxy_protocol = false;
+ }
+ {
+ name = "internal";
+ resources = [{
+ name = "health";
+ }];
+ binds = [{
+ host = "localhost";
+ port = 8081;
+ }];
+ proxy_protocol = false;
+ }
+ ];
+ trusted_proxies = [
+ "192.168.0.0/16"
+ "172.16.0.0/12"
+ "10.0.0.0/10"
+ "127.0.0.1/8"
+ "fd00::/8"
+ "::1/128"
+ ];
+ public_base = "https://mas.nekover.se";
+ };
+ database = {
+ uri = "postgresql://mas_user:mas@localhost/mas";
+ max_connections = 10;
+ min_connections = 0;
+ connect_timeout = 30;
+ idle_timeout = 600;
+ max_lifetime = 1800;
+ };
+ passwords = {
+ enabled = true;
+ schemes = [
+ {
+ version = 1;
+ algorithm = "bcrypt";
+ }
+ {
+ version = 2;
+ algorithm = "argon2id";
+ }
+ ];
+ minimum_complexity = 8;
+ };
+ };
+ masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
+in
+{
+ environment.systemPackages = with pkgs; [
+ matrix-authentication-service
+ syn2mas
+ ];
+
+ systemd.services.matrix-authentication-service = {
+ description = "Matrix Authentication Service";
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
+ WorkingDirectory = "${pkgs.matrix-authentication-service}";
+ User = "matrix-synapse";
+ Group = "matrix-synapse";
+ };
+
+ wantedBy = [
+ "multi-user.target"
+ ];
+ };
+}
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index 8d74f50..85e6735 100644
--- a/config/hosts/matrix/matrix-synapse.nix
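Review bot: The database password sits in clear text in `database.uri`, and because `masSettingsFile` is rendered with `pkgs.formats.yaml` into the Nix store it ends up in a world-readable file on the host; the same literal is created by `CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas'` in the postgresql.nix hunk. Either point the URI at the PostgreSQL unix socket under `/run/postgresql` and rely on peer authentication for the service user, or move `database.uri` into `/secrets/matrix-mas-secret-config.secret`, which this unit already passes as a second `--config`. The unit also has no ordering on PostgreSQL, so `mas-cli server` can start before its database at boot; `after = [ "postgresql.service" ]; requires = [ "postgresql.service" ];` on the service, plus `Restart = "on-failure";` in `serviceConfig`, would cover it. MAS documents `minimum_complexity` as a zxcvbn score in the 0–4 range rather than a minimum length, so `8` should be checked against the installed version before users are asked to set passwords. Running MAS as `matrix-synapse` also gives it read access to every Synapse secret in `/secrets`; a dedicated user and group would keep the two services' credentials apart.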
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -1,9 +1,5 @@
-{ pkgs, ... }:
+{ ... }:
 {
- environment.systemPackages = with pkgs; [
- matrix-authentication-service
- syn2mas
- ];
 services.matrix-synapse = {
 enable = true;
 settings = {
@@ -56,7 +52,7 @@
 "/secrets/matrix-registration-shared-secret.secret"
 "/secrets/matrix-turn-shared-secret.secret"
 "/secrets/matrix-email-smtp-pass.secret"
- "/secrets/matrix-keycloak-client-secret.secret"
+ "/secrets/matrix-homeserver-mas-config.secret"
 ];
 };
 }
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index 1b28649..518fe1a 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
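Review bot: In the second hunk the Keycloak client secret is swapped for the MAS homeserver config, but nothing in the patch removes whatever `oidc_providers` or password-login settings referenced the old provider; the list these files belong to starts above the hunk, so the rest of `settings` is not visible here. Synapse checks at startup that password login, open registration and other auth providers are disabled once MSC3861 delegation is enabled, so confirm those settings lived only in the removed secret file rather than in `settings` (verify against the running Synapse version). A one-line comment such as `# MSC3861: OIDC/password settings now come from matrix-homeserver-mas-config.secret` next to the new entry would make the hand-over explicit.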
@@ -2,40 +2,65 @@
 {
 services.nginx = {
 enable = true;
- virtualHosts."matrix.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 8448;
- ssl = true;
- }
- ];
- locations = {
- "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
- proxyPass = "http://127.0.0.1:8009";
- priority = 999;
+ virtualHosts = {
+ "matrix.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ locations = {
+ "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://localhost:8009";
+ priority = 998;
+ };
+ "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
+ proxyPass = "http://localhost:8080";
+ priority = 999;
+ };
+ "~ ^(/_matrix|/_synapse/client)" = {
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+ '';
+ };
 };
- "~ ^(/_matrix|/_synapse/client)" = {
- proxyPass = "http://127.0.0.1:8008";
- extraConfig = ''
- # Nginx by default only allows file uploads up to 1M in size
- # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
- client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
- '';
- };
- };
- extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
 
- set_real_ip_from 10.202.41.100;
- real_ip_header proxy_protocol;
- '';
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "mas.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://localhost:8080";
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
 };
 };
 }
diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix
index 03b753a..06d10e2 100644
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
@@ -8,6 +8,11 @@
 TEMPLATE template0
 LC_COLLATE = "C"
 LC_CTYPE = "C";
+ CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
+ CREATE DATABASE "mas" WITH OWNER "mas_user"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
 '';
 };
 }
diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
index a95309e..24573fb 100644
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@@ -33,8 +33,16 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
- "matrix-keycloak-client-secret.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
+ "matrix-homeserver-mas-config.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "matrix-mas-secret-config.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
 destDir = "/secrets";
 user = "matrix-synapse";
 group = "matrix-synapse";
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1f14695..d2386b1 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -17,7 +17,6 @@
 stream {
 map $ssl_preread_server_name $address {
 anisync.grzb.de 127.0.0.1:8443;
- birdsite.nekover.se 10.202.41.107:8443;
 cloud.nekover.se 10.202.41.122:8443;
 element.nekover.se 127.0.0.1:8443;
 fi.nekover.se 10.202.41.125:8443;
@@ -26,6 +25,7 @@
 git.nekover.se 10.202.41.106:8443;
 hydra.nekover.se 10.202.41.121:8443;
 id.nekover.se 10.202.41.124:8443;
+ mas.nekover.se 10.202.41.112:8443;
 matrix.nekover.se 10.202.41.112:8443;
 mewtube.nekover.se 127.0.0.1:8443;
 nekover.se 127.0.0.1:8443;
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 59b9d3a..06f828b 100644
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -3,6 +3,7 @@ let
 acmeDomainMap = {
 "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
 "mail-1.grzb.de" = "mail-1.vs.grzb.de";
+ "mas.nekover.se" = "matrix.vs.grzb.de";
 "matrix.nekover.se" = "matrix.vs.grzb.de";
 "netbox.grzb.de" = "netbox.vs.grzb.de";
 "git.nekover.se" = "forgejo.vs.grzb.de";
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 08a61ea..a6a0ef5 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -16,7 +16,7 @@
 '';
 };
 locations."/.well-known/matrix/client" = {
- return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
+ return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'";
 extraConfig = ''
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
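Review bot: The `issuer` advertised here, `https://mas.nekover.se`, has to match byte-for-byte the `issuer` MAS returns in its own `/.well-known/openid-configuration`, since OIDC discovery clients compare the two exactly; MAS derives that value from `public_base`, which in this patch is also set without a trailing slash, and its documentation shows the issuer with one (`https://auth.example.com/`), so confirm the live discovery document before clients start failing on a mismatch. If MAS normalises to the slashed form, both `public_base` and this string should be changed together. The location's `extraConfig` continues past the end of the hunk.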