From 0b0793d63d7c2e2f93e8fa5b796ba60cf8d27a51 Mon Sep 17 00:00:00 2001
From: sefidel <contact@sefidel.net>
Date: Mon, 6 Feb 2023 18:17:58 +0900
Subject: feat(nixos/cobalt): dendrite: init

---
 nixos/cobalt/configuration.nix     |   1 +
 nixos/cobalt/secrets/secrets.yaml  |   5 +-
 nixos/cobalt/services/acme.nix     |   1 +
 nixos/cobalt/services/dendrite.nix | 157 +++++++++++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+), 2 deletions(-)
 create mode 100644 nixos/cobalt/services/dendrite.nix

(limited to 'nixos')

diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
index b4baf47..bb234d9 100644
--- a/nixos/cobalt/configuration.nix
+++ b/nixos/cobalt/configuration.nix
@@ -32,6 +32,7 @@ in
       ./services/gitolite.nix
       ./services/git-daemon.nix
       ./services/cgit.nix
+      ./services/dendrite.nix
     ];
 
   boot.supportedFilesystems = [ "zfs" ];
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
index 8d2e9f2..bbc771a 100644
--- a/nixos/cobalt/secrets/secrets.yaml
+++ b/nixos/cobalt/secrets/secrets.yaml
@@ -1,12 +1,13 @@
 hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
+matrix-server-key: ENC[AES256_GCM,data:QZD2CkgHco86GQBb3dQKjBX8oRQ44R7lsK+ZOPzCjtE5Su338b8Tzj5NoKepuodRsdprUPO62yTSIbRFA79E34y4T5oXoq4UyFXX32MfsThVaqxPgyGh369jYfTx405RFGCfxLTXwLTrsHeR3oPm3q9QTWOWRwPQw3NWznq0b+0SJLbA8wQx/cE=,iv:wv93ER7yhvNg87EhmMSR3QoK6ThTrBhhhe2f5zGS3mU=,tag:NV8TvGTnTTF0U4LiRAlFcQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-06T09:15:44Z"
-    mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str]
+    lastmodified: "2023-02-06T09:17:19Z"
+    mac: ENC[AES256_GCM,data:MvOZ8lkcuULUa82fL7DqT2Qkl89+z42O+CivmD1iuFroYQ2NUtLAf5Nn58Ta/Lj8YhI4Y/RiMM8l/1Kbn/FbC6oLMLhj+5P7n3s/4W5tW+OlXgd0qLorZHqdx/WTra84QmoII9KA/F4UHcJML2xbRPGZDZ5m9VkIfgMd3s4r+ps=,iv:z8nx0yqvY1bXOJ2APh6wVyITXOOzpuyZuiHt/PrYDKI=,tag:0pJLyfY8U8tCj2IUFQmz2g==,type:str]
     pgp:
         - created_at: "2023-02-05T09:56:11Z"
           enc: |
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index 58a5c77..aaf4b12 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -17,6 +17,7 @@ in
         extraDomainNames = [
           "bouncer.sefidel.com"
           "git.sefidel.com"
+          "matrix.sefidel.com"
         ];
         dnsProvider = "hetzner";
         dnsPropagationCheck = true;
diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix
new file mode 100644
index 0000000..a5ef98e
--- /dev/null
+++ b/nixos/cobalt/services/dendrite.nix
@@ -0,0 +1,157 @@
+{ config, ... }:
+
+let
+  database = {
+    connection_string = "postgres:///dendrite?host=/run/postgresql";
+    max_open_conns = 97;
+    max_idle_conns = 5;
+    conn_max_lifetime = -1;
+  };
+in
+{
+  # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
+  sops.secrets.matrix-server-key = { };
+
+  services.dendrite = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "sefidel.com";
+        # `private_key` has the type `path`
+        # prefix a `/` to make `path` happy
+        private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+        trusted_third_party_id_servers = [
+          "matrix.org"
+          "vector.im"
+        ];
+        metrics.enable = true;
+      };
+      logging = [
+        {
+          type = "std";
+          level = "warn";
+        }
+      ];
+      app_service_api = {
+        inherit database;
+        config_files = [ ];
+      };
+      client_api = {
+        registration_disabled = true;
+        rate_limiting.enabled = false;
+        # registration_shared_secret = ""; # Initially set this option to configure the admin user.
+      };
+      media_api = {
+        inherit database;
+        dynamic_thumbnails = true;
+      };
+      room_server = {
+        inherit database;
+      };
+      push_server = {
+        inherit database;
+      };
+      mscs = {
+        inherit database;
+        mscs = [ "msc2836" "msc2946" ];
+      };
+      sync_api = {
+        inherit database;
+        real_ip_header = "X-Real-IP";
+      };
+      key_server = {
+        inherit database;
+      };
+      federation_api = {
+        inherit database;
+        key_perspectives = [
+          {
+            server_name = "matrix.org";
+            keys = [
+              {
+                key_id = "ed25519:auto";
+                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+              }
+              {
+                key_id = "ed25519:a_RXGa";
+                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+              }
+            ];
+          }
+        ];
+        prefer_direct_fetch = false;
+      };
+      user_api = {
+        account_database = database;
+        device_database = database;
+      };
+    };
+    loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ];
+  };
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/private/dendrite"
+  ];
+
+  services.postgresql.enable = true;
+  services.postgresql.ensureDatabases = [ "dendrite" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "dendrite";
+      ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+    }
+  ];
+
+
+  services.nginx.virtualHosts."matrix.sefidel.com" = {
+    forceSSL = true;
+    useACMEHost = "sefidel.com";
+    listen = [
+      { addr = "0.0.0.0"; port = 443; ssl = true; }
+      { addr = "[::]"; port = 443; ssl = true; }
+      { addr = "0.0.0.0"; port = 8448; ssl = true; }
+      { addr = "[::]"; port = 8448; ssl = true; }
+
+    ];
+    extraConfig = ''
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_read_timeout 600;
+      client_max_body_size 50M;
+    '';
+    locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    # TODO: web client
+  };
+
+  services.nginx.virtualHosts."sefidel.com" =
+    let
+      server-hello = { "m.server" = "matrix.sefidel.com:443"; };
+      client-hello = {
+        "m.homeserver"."base_url" = "https://matrix.sefidel.com";
+        "m.identity_server"."base_url" = "https://vector.im";
+      };
+    in
+    {
+      addSSL = true;
+      useACMEHost = "sefidel.com";
+      locations = {
+        "/.well-known/matrix/server" = {
+          extraConfig = ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server-hello}';
+          '';
+        };
+        "/.well-known/matrix/client" = {
+          extraConfig = ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client-hello}';
+          '';
+        };
+      };
+    };
+
+  networking.firewall.allowedTCPPorts = [ 8448 ];
+}
-- 
cgit 1.4.1