From 0b0793d63d7c2e2f93e8fa5b796ba60cf8d27a51 Mon Sep 17 00:00:00 2001
From: sefidel
Date: Mon, 6 Feb 2023 18:17:58 +0900
Subject: feat(nixos/cobalt): dendrite: init

---
 nixos/cobalt/configuration.nix     |   1 +
 nixos/cobalt/secrets/secrets.yaml  |   5 +-
 nixos/cobalt/services/acme.nix     |   1 +
 nixos/cobalt/services/dendrite.nix | 157 +++++++++++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+), 2 deletions(-)
 create mode 100644 nixos/cobalt/services/dendrite.nix

(limited to 'nixos')

diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
index b4baf47..bb234d9 100644
--- a/nixos/cobalt/configuration.nix
+++ b/nixos/cobalt/configuration.nix
@@ -32,6 +32,7 @@ in
     ./services/gitolite.nix
     ./services/git-daemon.nix
     ./services/cgit.nix
+    ./services/dendrite.nix
   ];
 
   boot.supportedFilesystems = [ "zfs" ];
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
index 8d2e9f2..bbc771a 100644
--- a/nixos/cobalt/secrets/secrets.yaml
+++ b/nixos/cobalt/secrets/secrets.yaml
@@ -1,12 +1,13 @@
 hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
+matrix-server-key: ENC[AES256_GCM,data:QZD2CkgHco86GQBb3dQKjBX8oRQ44R7lsK+ZOPzCjtE5Su338b8Tzj5NoKepuodRsdprUPO62yTSIbRFA79E34y4T5oXoq4UyFXX32MfsThVaqxPgyGh369jYfTx405RFGCfxLTXwLTrsHeR3oPm3q9QTWOWRwPQw3NWznq0b+0SJLbA8wQx/cE=,iv:wv93ER7yhvNg87EhmMSR3QoK6ThTrBhhhe2f5zGS3mU=,tag:NV8TvGTnTTF0U4LiRAlFcQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-06T09:15:44Z"
-    mac: ENC[AES256_GCM,data:kLl+dIZe6aFaE3VEL7pF597Akn/W9j+klLvGHI8E8o4hcyiF/jlidMp3/oEAX209okuOrERO4w0KZ+sXwuaYymx4XWMhnS7VmMKQqgJ8uOq9xzwAl3rNyH3IWx/4fQk/cyWj/aa6cRLuTQkv+pANZ8n+tSop9FCnX3M5SgCL6F4=,iv:mjNBo7hzpoLlPuxyu6Qlpf9DuXTATkZ6DBNdJMux8eM=,tag:jczhijwEr+iMYrKJ3/wOjQ==,type:str]
+    lastmodified: "2023-02-06T09:17:19Z"
+    mac: ENC[AES256_GCM,data:MvOZ8lkcuULUa82fL7DqT2Qkl89+z42O+CivmD1iuFroYQ2NUtLAf5Nn58Ta/Lj8YhI4Y/RiMM8l/1Kbn/FbC6oLMLhj+5P7n3s/4W5tW+OlXgd0qLorZHqdx/WTra84QmoII9KA/F4UHcJML2xbRPGZDZ5m9VkIfgMd3s4r+ps=,iv:z8nx0yqvY1bXOJ2APh6wVyITXOOzpuyZuiHt/PrYDKI=,tag:0pJLyfY8U8tCj2IUFQmz2g==,type:str]
     pgp:
         - created_at: "2023-02-05T09:56:11Z"
           enc: |
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index 58a5c77..aaf4b12 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -17,6 +17,7 @@ in
     extraDomainNames = [
       "bouncer.sefidel.com"
       "git.sefidel.com"
+      "matrix.sefidel.com"
     ];
     dnsProvider = "hetzner";
     dnsPropagationCheck = true;
diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix
new file mode 100644
index 0000000..a5ef98e
--- /dev/null
+++ b/nixos/cobalt/services/dendrite.nix
@@ -0,0 +1,157 @@
+{ config, ... }:
+
+let
+  database = {
+    connection_string = "postgres:///dendrite?host=/run/postgresql";
+    max_open_conns = 97;
+    max_idle_conns = 5;
+    conn_max_lifetime = -1;
+  };
+in
+{
+  # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
+  sops.secrets.matrix-server-key = { };
+
+  services.dendrite = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "sefidel.com";
+        # `private_key` has the type `path`
+        # prefix a `/` to make `path` happy
+        private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+        trusted_third_party_id_servers = [
+          "matrix.org"
+          "vector.im"
+        ];
+        metrics.enable = true;
+      };
+      logging = [
+        {
+          type = "std";
+          level = "warn";
+        }
+      ];
+      app_service_api = {
+        inherit database;
+        config_files = [ ];
+      };
+      client_api = {
+        registration_disabled = true;
+        rate_limiting.enabled = false;
+        # registration_shared_secret = ""; # Initially set this option to configure the admin user.
+      };
+      media_api = {
+        inherit database;
+        dynamic_thumbnails = true;
+      };
+      room_server = {
+        inherit database;
+      };
+      push_server = {
+        inherit database;
+      };
+      mscs = {
+        inherit database;
+        mscs = [ "msc2836" "msc2946" ];
+      };
+      sync_api = {
+        inherit database;
+        real_ip_header = "X-Real-IP";
+      };
+      key_server = {
+        inherit database;
+      };
+      federation_api = {
+        inherit database;
+        key_perspectives = [
+          {
+            server_name = "matrix.org";
+            keys = [
+              {
+                key_id = "ed25519:auto";
+                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+              }
+              {
+                key_id = "ed25519:a_RXGa";
+                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+              }
+            ];
+          }
+        ];
+        prefer_direct_fetch = false;
+      };
+      user_api = {
+        account_database = database;
+        device_database = database;
+      };
+    };
+    loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ];
+  };
+
+  environment.persistence."/persist".directories = [
+    "/var/lib/private/dendrite"
+  ];
+
+  services.postgresql.enable = true;
+  services.postgresql.ensureDatabases = [ "dendrite" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "dendrite";
+      ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
+    }
+  ];
+
+
+  services.nginx.virtualHosts."matrix.sefidel.com" = {
+    forceSSL = true;
+    useACMEHost = "sefidel.com";
+    listen = [
+      { addr = "0.0.0.0"; port = 443; ssl = true; }
+      { addr = "[::]"; port = 443; ssl = true; }
+      { addr = "0.0.0.0"; port = 8448; ssl = true; }
+      { addr = "[::]"; port = 8448; ssl = true; }
+
+    ];
+    extraConfig = ''
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_read_timeout 600;
+      client_max_body_size 50M;
+    '';
+    locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+    # TODO: web client
+  };
+
+  services.nginx.virtualHosts."sefidel.com" =
+    let
+      server-hello = { "m.server" = "matrix.sefidel.com:443"; };
+      client-hello = {
+        "m.homeserver"."base_url" = "https://matrix.sefidel.com";
+        "m.identity_server"."base_url" = "https://vector.im";
+      };
+    in
+    {
+      addSSL = true;
+      useACMEHost = "sefidel.com";
+      locations = {
+        "/.well-known/matrix/server" = {
+          extraConfig = ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server-hello}';
+          '';
+        };
+        "/.well-known/matrix/client" = {
+          extraConfig = ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client-hello}';
+          '';
+        };
+      };
+    };
+
+  networking.firewall.allowedTCPPorts = [ 8448 ];
+}
--
cgit 1.4.1
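Review bot: `rate_limiting.enabled = false` under `client_api` switches off Dendrite's per-client throttling on an internet-facing homeserver, so the login endpoint can be hit with password guesses at line rate; unless there is a measured reason, drop the line (the default keeps it on) or keep it with a comment stating why, e.g. `rate_limiting.enabled = false; # off because <reason>`. The `proxyPass` targets use `[::1]` while this file never sets `services.dendrite.httpAddress`; confirm the module's default bind address is the IPv6 loopback, otherwise nginx gets a connection refused for every request. `/_dendrite` is proxied publicly and carries Dendrite's admin API; it is token-protected, but if it is only used from the host, an `allow`/`deny` on that location narrows the exposure. When the commented `registration_shared_secret` is eventually set, it should be supplied through sops the way `matrix-server-key` is, not as a literal in this file, which would land in the world-readable Nix store.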