Configure matrix-authentication-service

2025-02-11 23:09:22 +01:00 · 2025-02-11 23:09:22 +01:00 · 881189eb62
parent e484360f91
commit 881189eb62
9 changed files with 172 additions and 42 deletions
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
@ -4,6 +4,7 @@
    ./configuration.nix
    ./hardware-configuration.nix
    ./postgresql.nix
    ./matrix-authentication-service.nix
    ./matrix-synapse.nix
    ./nginx.nix
  ];
--- a/config/hosts/matrix/matrix-authentication-service.nix
+++ b/config/hosts/matrix/matrix-authentication-service.nix
@ -0,0 +1,94 @@
 { pkgs, ... }:
 let
  masSettings = {
    http = {
      listeners = [
        {
          name = "web";
          resources = [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            { 
              name = "assets";
              path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
            }
          ];
          binds = [{
            host = "localhost";
            port = 8080;
          }];
          proxy_protocol = false;
        }
        {
          name = "internal";
          resources = [{
            name = "health";
          }];
          binds = [{
            host = "localhost";
            port = 8081;
          }];
          proxy_protocol = false;
        }
      ];
      trusted_proxies = [
        "192.168.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/10"
        "127.0.0.1/8"
        "fd00::/8"
        "::1/128"
      ];
      public_base = "https://mas.nekover.se";
    };
    database = {
      uri = "postgresql://mas_user:mas@localhost/mas";
      max_connections = 10;
      min_connections = 0;
      connect_timeout = 30;
      idle_timeout = 600;
      max_lifetime = 1800;
    };
    passwords = {
      enabled = true;
      schemes = [
        {
          version = 1;
          algorithm = "bcrypt";
        }
        {
          version = 2;
          algorithm = "argon2id";
        }
      ]; 
      minimum_complexity = 8;
    };
  };
  masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
 in
 {
  environment.systemPackages = with pkgs; [
    matrix-authentication-service
    syn2mas
  ];
  systemd.services.matrix-authentication-service = {
    description = "Matrix Authentication Service";
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
      WorkingDirectory = "${pkgs.matrix-authentication-service}";
      User = "matrix-synapse";
      Group = "matrix-synapse";
    };
    wantedBy = [
      "multi-user.target"
    ];
  };
 }
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@ -1,9 +1,5 @@
-{ pkgs, ... }:
+{ ... }:
 {
  environment.systemPackages = with pkgs; [
    matrix-authentication-service
    syn2mas
  ];
  services.matrix-synapse = {
    enable = true;
    settings = {
@ -56,7 +52,7 @@
      "/secrets/matrix-registration-shared-secret.secret"
      "/secrets/matrix-turn-shared-secret.secret"
      "/secrets/matrix-email-smtp-pass.secret"
-      "/secrets/matrix-keycloak-client-secret.secret"
+      "/secrets/matrix-homeserver-mas-config.secret"
    ];
  };
 }
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -2,40 +2,65 @@
 {
  services.nginx = {
    enable = true;
-    virtualHosts."matrix.nekover.se" = {
+    virtualHosts = {
-      forceSSL = true;
+      "matrix.nekover.se" = {
-      enableACME = true;
+        forceSSL = true;
-      listen = [
+        enableACME = true;
-        {
+        listen = [
-          addr = "0.0.0.0";
+          {
-          port = 80;
+            addr = "0.0.0.0";
-        }
+            port = 80;
-        {
+          }
-          addr = "0.0.0.0";
+          {
-          port = 8448;
+            addr = "0.0.0.0";
-          ssl = true;
+            port = 8448;
-        }
+            ssl = true;
-      ];
+          }
-      locations = {
+        ];
-        "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+        locations = {
-          proxyPass = "http://127.0.0.1:8009";
+          "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-          priority = 999;
+            proxyPass = "http://localhost:8009";
            priority = 998;
          };
          "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
            proxyPass = "http://localhost:8080";
            priority = 999;
          };
          "~ ^(/_matrix|/_synapse/client)" = {
            proxyPass = "http://localhost:8008";
            extraConfig = ''
              # Nginx by default only allows file uploads up to 1M in size
              # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
            '';
          };
        };
-        "~ ^(/_matrix|/_synapse/client)" = {
+        extraConfig = ''
-          proxyPass = "http://127.0.0.1:8008";
+          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
          extraConfig = ''
            # Nginx by default only allows file uploads up to 1M in size
            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
            client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
          '';
        };
      };
      extraConfig = ''
        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-        set_real_ip_from 10.202.41.100;
+          set_real_ip_from 10.202.41.100;
-        real_ip_header proxy_protocol;
+          real_ip_header proxy_protocol;
-      '';
+        '';
      };
      "mas.nekover.se" = {
        forceSSL = true;
        enableACME = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:8080";
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
          set_real_ip_from 10.202.41.100;
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
 }
--- a/config/hosts/matrix/postgresql.nix
+++ b/config/hosts/matrix/postgresql.nix
@ -8,6 +8,11 @@
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
      CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
      CREATE DATABASE "mas" WITH OWNER "mas_user"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };
 }
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@ -33,8 +33,16 @@
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-    "matrix-keycloak-client-secret.secret" = {
+    "matrix-homeserver-mas-config.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
    "matrix-mas-secret-config.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -17,7 +17,6 @@
      stream {
        map $ssl_preread_server_name $address {
          anisync.grzb.de 127.0.0.1:8443;
          birdsite.nekover.se 10.202.41.107:8443;
          cloud.nekover.se 10.202.41.122:8443;
          element.nekover.se 127.0.0.1:8443;
          fi.nekover.se 10.202.41.125:8443;
@ -26,6 +25,7 @@
          git.nekover.se 10.202.41.106:8443;
          hydra.nekover.se 10.202.41.121:8443;
          id.nekover.se 10.202.41.124:8443;
          mas.nekover.se 10.202.41.112:8443;
          matrix.nekover.se 10.202.41.112:8443;
          mewtube.nekover.se 127.0.0.1:8443;
          nekover.se 127.0.0.1:8443;
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -3,6 +3,7 @@ let
  acmeDomainMap = {
    "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
    "mail-1.grzb.de" = "mail-1.vs.grzb.de";
    "mas.nekover.se" = "matrix.vs.grzb.de";
    "matrix.nekover.se" = "matrix.vs.grzb.de";
    "netbox.grzb.de" = "netbox.vs.grzb.de";
    "git.nekover.se" = "forgejo.vs.grzb.de";
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -16,7 +16,7 @@
      '';
    };
    locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'";
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;