Configure matrix-authentication-service

config/hosts/matrix/default.nix

@@ -4,6 +4,7 @@
     ./configuration.nix
     ./hardware-configuration.nix
     ./postgresql.nix
+    ./matrix-authentication-service.nix
     ./matrix-synapse.nix
     ./nginx.nix
   ];

config/hosts/matrix/matrix-authentication-service.nix

@@ -0,0 +1,94 @@
+{ pkgs, ... }:
+let
+  masSettings = {
+    http = {
+      listeners = [
+        {
+          name = "web";
+          resources = [
+            { name = "discovery"; }
+            { name = "human"; }
+            { name = "oauth"; }
+            { name = "compat"; }
+            { name = "graphql"; }
+            { 
+              name = "assets";
+              path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
+            }
+          ];
+          binds = [{
+            host = "localhost";
+            port = 8080;
+          }];
+          proxy_protocol = false;
+        }
+        {
+          name = "internal";
+          resources = [{
+            name = "health";
+          }];
+          binds = [{
+            host = "localhost";
+            port = 8081;
+          }];
+          proxy_protocol = false;
+        }
+      ];
+      trusted_proxies = [
+        "192.168.0.0/16"
+        "172.16.0.0/12"
+        "10.0.0.0/10"
+        "127.0.0.1/8"
+        "fd00::/8"
+        "::1/128"
+      ];
+      public_base = "https://mas.nekover.se";
+    };
+    database = {
+      uri = "postgresql://mas_user:mas@localhost/mas";
+      max_connections = 10;
+      min_connections = 0;
+      connect_timeout = 30;
+      idle_timeout = 600;
+      max_lifetime = 1800;
+    };
+    passwords = {
+      enabled = true;
+      schemes = [
+        {
+          version = 1;
+          algorithm = "bcrypt";
+        }
+        {
+          version = 2;
+          algorithm = "argon2id";
+        }
+      ]; 
+      minimum_complexity = 8;
+    };
+  };
+  masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
+in
+{
+  environment.systemPackages = with pkgs; [
+    matrix-authentication-service
+    syn2mas
+  ];
+
+
+  systemd.services.matrix-authentication-service = {
+    description = "Matrix Authentication Service";
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret";
+      WorkingDirectory = "${pkgs.matrix-authentication-service}";
+      User = "matrix-synapse";
+      Group = "matrix-synapse";
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+}

config/hosts/matrix/matrix-synapse.nix

@@ -1,9 +1,5 @@
-{ pkgs, ... }:
+{ ... }:
 {
-  environment.systemPackages = with pkgs; [
-    matrix-authentication-service
-    syn2mas
-  ];
   services.matrix-synapse = {
     enable = true;
     settings = {
@@ -56,7 +52,7 @@
       "/secrets/matrix-registration-shared-secret.secret"
       "/secrets/matrix-turn-shared-secret.secret"
       "/secrets/matrix-email-smtp-pass.secret"
-      "/secrets/matrix-keycloak-client-secret.secret"
+      "/secrets/matrix-homeserver-mas-config.secret"
     ];
   };
 }

config/hosts/matrix/nginx.nix

@@ -2,7 +2,8 @@
 {
   services.nginx = {
     enable = true;
-    virtualHosts."matrix.nekover.se" = {
+    virtualHosts = {
+      "matrix.nekover.se" = {
         forceSSL = true;
         enableACME = true;
         listen = [
@@ -18,11 +19,15 @@
         ];
         locations = {
           "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
-          proxyPass = "http://127.0.0.1:8009";
+            proxyPass = "http://localhost:8009";
+            priority = 998;
+          };
+          "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
+            proxyPass = "http://localhost:8080";
             priority = 999;
           };
           "~ ^(/_matrix|/_synapse/client)" = {
-          proxyPass = "http://127.0.0.1:8008";
+            proxyPass = "http://localhost:8008";
             extraConfig = ''
               # Nginx by default only allows file uploads up to 1M in size
               # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
@@ -37,5 +42,25 @@
           real_ip_header proxy_protocol;
         '';
       };
+      "mas.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://localhost:8080";
+        };
+        extraConfig = ''
+          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+          set_real_ip_from 10.202.41.100;
+          real_ip_header proxy_protocol;
+        '';
+      };
+    };
   };
 }

config/hosts/matrix/postgresql.nix

@@ -8,6 +8,11 @@
         TEMPLATE template0
         LC_COLLATE = "C"
         LC_CTYPE = "C";
+      CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
+      CREATE DATABASE "mas" WITH OWNER "mas_user"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
     '';
   };
 }

config/hosts/matrix/secrets.nix

@@ -33,8 +33,16 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
-    "matrix-keycloak-client-secret.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
+    "matrix-homeserver-mas-config.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
+      destDir = "/secrets";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "matrix-mas-secret-config.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
       destDir = "/secrets";
       user = "matrix-synapse";
       group = "matrix-synapse";

config/hosts/web-public-2/nginx.nix

@@ -17,7 +17,6 @@
       stream {
         map $ssl_preread_server_name $address {
           anisync.grzb.de 127.0.0.1:8443;
-          birdsite.nekover.se 10.202.41.107:8443;
           cloud.nekover.se 10.202.41.122:8443;
           element.nekover.se 127.0.0.1:8443;
           fi.nekover.se 10.202.41.125:8443;
@@ -26,6 +25,7 @@
           git.nekover.se 10.202.41.106:8443;
           hydra.nekover.se 10.202.41.121:8443;
           id.nekover.se 10.202.41.124:8443;
+          mas.nekover.se 10.202.41.112:8443;
           matrix.nekover.se 10.202.41.112:8443;
           mewtube.nekover.se 127.0.0.1:8443;
           nekover.se 127.0.0.1:8443;

config/hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -3,6 +3,7 @@ let
   acmeDomainMap = {
     "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
     "mail-1.grzb.de" = "mail-1.vs.grzb.de";
+    "mas.nekover.se" = "matrix.vs.grzb.de";
     "matrix.nekover.se" = "matrix.vs.grzb.de";
     "netbox.grzb.de" = "netbox.vs.grzb.de";
     "git.nekover.se" = "forgejo.vs.grzb.de";

config/hosts/web-public-2/virtualHosts/nekover.se.nix

@@ -16,7 +16,7 @@
       '';
     };
     locations."/.well-known/matrix/client" = {
-      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'";
       extraConfig = ''
         default_type application/json;
         add_header Access-Control-Allow-Origin *;