fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add matrix-synapse host

Browse source
This commit is contained in:
fi 2023-08-29 16:10:22 +02:00
parent b7864a6798
commit e93c605ebb
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
13 changed files with 186 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
flake.lock
View file

@ -38,11 +38,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1691406141, "lastModified": 1693183237,
"narHash": "sha256-5GME9kMEiPix0R383spkuYYvtmnYHxS1/0Q+ki6W8Gs=", "narHash": "sha256-c7OtyBkZ/vZE/WosBpRGRtkbWZjDHGJP7fg1FyB9Dsc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9ba5e0b04727309ed8583079a3eaefd0290c7a2b", "rev": "ea5234e7073d5f44728c499192544a84244bf35a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1691420187, "lastModified": 1693184707,
"narHash": "sha256-FTrMlGQqHViHbOPkI0JCNxMysxnPw1UA0+SiL4+Wafc=", "narHash": "sha256-MqCT/wuRKC79QJKlYhdfkUNerPcm63vZLd6P7lZGC0M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b367b9cf872c8de59d2379330dfe4f541f3ba5cc", "rev": "48516a891d020801bc5304375739d2604400c741",
"type": "github" "type": "github"
}, },
"original": { "original": {

3
hosts.nix
View file

@ -37,6 +37,9 @@ in
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
}; };
matrix = {
site = "vs";
};
metrics = { metrics = {
site = "vs"; site = "vs";
}; };

17
hosts/matrix/configuration.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "matrix";
firewall = {
enable = true;
allowedTCPPorts = [ 80 8443 8448 ];
};
};
system.stateVersion = "23.05";
}

10
hosts/matrix/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./postgresql.nix
./matrix-synapse.nix
./nginx.nix
];
}

21
hosts/matrix/hardware-configuration.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, ... }:
{
fileSystems."/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoFormat = true;
autoResize = true;
};
fileSystems."/var/lib/matrix-synapse/media_store" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/media_store";
fsType = "none";
options = [ "bind" "X-mount.owner=matrix-synapse" "X-mount.group=matrix-synapse" ];
};
fileSystems."/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/database";
fsType = "none";
options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
};
}

36
hosts/matrix/matrix-synapse.nix Normal file
View file

@ -0,0 +1,36 @@
{ ... }:
{
services.matrix-synapse = {
enable = true;
settings = {
server_name = "nekover.se";
public_baseurl = "https://matrix.nekover.se";
database = {
name = "psycopg2";
args.password = "synapse";
};
email = {
smtp_host = "mail.grzb.de";
smtp_port = 465;
smtp_user = "matrix";
force_tls = true;
notif_from = "Nekoverse Matrix Server <nyareply@nekover.se>";
};
max_upload_size = "500M";
signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
admin_contact = "mailto:admin@nekover.se";
web_client_location = "https://element.nekover.se";
turn_uris = [
"turns:turn.nekover.se?transport=udp"
"turns:turn.nekover.se?transport=tcp"
];
turn_user_lifetime = 86400000;
turn_allow_guests = true;
};
extraConfigFiles = [
"/secrets/matrix-registration-shared-secret.secret"
"/secrets/matrix-turn-shared-secret.secret"
"/secrets/matrix-email-smtp-pass.secret"
];
};
}

35
hosts/matrix/nginx.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}

13
hosts/matrix/postgresql.nix Normal file
View file

@ -0,0 +1,13 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
}

35
hosts/matrix/secrets.nix Normal file
View file

@ -0,0 +1,35 @@
{ ... }:
{
deployment.keys."matrix-registration-shared-secret.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."matrix-turn-shared-secret.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."matrix-email-smtp-pass.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."matrix-homeserver-signing-key.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
}

2
hosts/web-public-2/nginx.nix
View file

@ -16,7 +16,7 @@
gameserver.grzb.de 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443;
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
matrix.nekover.se 127.0.0.1:8443; matrix.nekover.se 10.202.41.112:8443;
mewtube.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
nextcloud.grzb.de 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443;

9
hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -9,6 +9,15 @@
proxyPass = "http://jellyfin.vs.grzb.de:80"; proxyPass = "http://jellyfin.vs.grzb.de:80";
}; };
}; };
services.nginx.virtualHosts."matrix.nekover.se" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://matrix.vs.grzb.de:80";
};
};
services.nginx.virtualHosts."netbox.grzb.de" = { services.nginx.virtualHosts."netbox.grzb.de" = {
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "0.0.0.0";

1
hosts/web-public-2/virtualHosts/default.nix
View file

@ -6,7 +6,6 @@
./element.nekover.se.nix ./element.nekover.se.nix
./gameserver.grzb.de.nix ./gameserver.grzb.de.nix
./git.grzb.de.nix ./git.grzb.de.nix
./matrix.nekover.se.nix
./mewtube.nekover.se.nix ./mewtube.nekover.se.nix
./nekover.se.nix ./nekover.se.nix
./nextcloud.grzb.de.nix ./nextcloud.grzb.de.nix

33
hosts/web-public-2/virtualHosts/matrix.nekover.se.nix
View file

@ -1,33 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://matrix.vs.grzb.de:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 500M;
'';
};
};
}