authorsefidel <contact@sefidel.net>2023-02-06 18:17:58 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:26:22 +0900
commit0b0793d63d7c2e2f93e8fa5b796ba60cf8d27a51 (patch)
treed7f045c3587deb0e9f2d31b8422ced39e1acea11 /nixos/cobalt/services
parent374f2f364a3a5de5438dd310f6cb50490eae6f1e (diff)
downloadnixrc-0b0793d63d7c2e2f93e8fa5b796ba60cf8d27a51.zip
feat(nixos/cobalt): dendrite: init
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r--nixos/cobalt/services/acme.nix1
-rw-r--r--nixos/cobalt/services/dendrite.nix157
2 files changed, 158 insertions, 0 deletions
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index 58a5c77..aaf4b12 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -17,6 +17,7 @@ in
extraDomainNames = [
"bouncer.sefidel.com"
"git.sefidel.com"
+ "matrix.sefidel.com"
];
dnsProvider = "hetzner";
dnsPropagationCheck = true;
diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix
new file mode 100644
index 0000000..a5ef98e
--- /dev/null
+++ b/nixos/cobalt/services/dendrite.nix
@@ -0,0 +1,157 @@
+{ config, ... }:
+
+let
+ database = {
+ connection_string = "postgres:///dendrite?host=/run/postgresql";
+ max_open_conns = 97;
+ max_idle_conns = 5;
+ conn_max_lifetime = -1;
+ };
+in
+{
+ # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
+ sops.secrets.matrix-server-key = { };
+
+ services.dendrite = {
+ enable = true;
+ settings = {
+ global = {
+ server_name = "sefidel.com";
+ # `private_key` has the type `path`
+ # prefix a `/` to make `path` happy
+ private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+ trusted_third_party_id_servers = [
+ "matrix.org"
+ "vector.im"
+ ];
+ metrics.enable = true;
+ };
+ logging = [
+ {
+ type = "std";
+ level = "warn";
+ }
+ ];
+ app_service_api = {
+ inherit database;
+ config_files = [ ];
+ };
+ client_api = {
+ registration_disabled = true;
+ rate_limiting.enabled = false;
+ # registration_shared_secret = ""; # Initially set this option to configure the admin user.
+ };
+ media_api = {
+ inherit database;
+ dynamic_thumbnails = true;
+ };
+ room_server = {
+ inherit database;
+ };
+ push_server = {
+ inherit database;
+ };
+ mscs = {
+ inherit database;
+ mscs = [ "msc2836" "msc2946" ];
+ };
+ sync_api = {
+ inherit database;
+ real_ip_header = "X-Real-IP";
+ };
+ key_server = {
+ inherit database;
+ };
+ federation_api = {
+ inherit database;
+ key_perspectives = [
+ {
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }
+ ];
+ prefer_direct_fetch = false;
+ };
+ user_api = {
+ account_database = database;
+ device_database = database;
+ };
+ };
+ loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ];
+ };
+
+ environment.persistence."/persist".directories = [
+ "/var/lib/private/dendrite"
+ ];
+
+ services.postgresql.enable = true;
+ services.postgresql.ensureDatabases = [ "dendrite" ];
+ services.postgresql.ensureUsers = [
+ {
+ name = "dendrite";
+ ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+ }
+ ];
+
+
+ services.nginx.virtualHosts."matrix.sefidel.com" = {
+ forceSSL = true;
+ useACMEHost = "sefidel.com";
+ listen = [
+ { addr = "0.0.0.0"; port = 443; ssl = true; }
+ { addr = "[::]"; port = 443; ssl = true; }
+ { addr = "0.0.0.0"; port = 8448; ssl = true; }
+ { addr = "[::]"; port = 8448; ssl = true; }
+
+ ];
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 600;
+ client_max_body_size 50M;
+ '';
+ locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+ locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+ locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+ # TODO: web client
+ };
+
+ services.nginx.virtualHosts."sefidel.com" =
+ let
+ server-hello = { "m.server" = "matrix.sefidel.com:443"; };
+ client-hello = {
+ "m.homeserver"."base_url" = "https://matrix.sefidel.com";
+ "m.identity_server"."base_url" = "https://vector.im";
+ };
+ in
+ {
+ addSSL = true;
+ useACMEHost = "sefidel.com";
+ locations = {
+ "/.well-known/matrix/server" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server-hello}';
+ '';
+ };
+ "/.well-known/matrix/client" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client-hello}';
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8448 ];
+}
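Review bot: `rate_limiting.enabled = false;` in the `client_api` block switches off Dendrite's own throttling of client endpoints, and the `matrix.sefidel.com` vhost adds no nginx `limit_req` in its place, so login and other credential-bearing requests go unthrottled once this lands; unless there is a deliberate reason, `rate_limiting.enabled = true;` (or an nginx `limit_req` zone on the login path) is the safer default, and if it must stay off, a comment saying why would help the next reader. The `locations."/_dendrite"` and `locations."/_synapse"` entries also publish what appear to be the admin-API prefixes on the public vhost; they are access-token gated, but if only `/_matrix` is needed externally, dropping these two locations or restricting them to trusted source addresses narrows the exposed surface. All three `proxyPass` targets use `[::1]` while `services.dendrite`'s bind address is left at the module default — worth confirming that default is an IPv6 loopback listener (or setting the module's address option explicitly), since otherwise nginx cannot reach the backend.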