surtr: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-24 22:20:21 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-24 22:20:21 +0100
commit: 1e901b985cecb3fb2c96df8b5b7be5e08a5d3723 (patch)
tree: f81940cd1a137aa4b0cb73308164398e06784c1c /hosts/surtr/matrix
parent: c2f78236e3dce44068e3973b891666962b3dc4bc (diff)
download: nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar
nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.gz
nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.bz2
nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.xz
nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.zip
2 files changed, 158 insertions, 0 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
new file mode 100644
index 00000000..aad9bc90
--- /dev/null
+++ b/hosts/surtr/matrix/default.nix
@@ -0,0 +1,132 @@
+{ config, pkgs, ... }:
+{
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      enable_metrics = true;
+      enable_registration = false;
+      allow_guest_access = false;
+      server_name = "synapse.li";
+      listeners = [
+        { bind_address = "localhost";
+          port = 8008;
+          resources = [
+            { names = [ "client" ];
+              compress = true;
+            }
+            { names = [ "federation" ];
+              compress = false;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+      tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+      tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+      extraConfigFiles = ["/run/credentials/matrix-synapse/registration.yaml"];
+    };
+    sops.secrets."matrix-synapse-registration.yaml" = {
+      format = "binary";
+      sopsFile = ./registration.yaml;
+    };
+    systemd.services.matrix-synapse = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+        ];
+      };
+    };
+    services.nginx = {
+      recommendedProxySettings = true;
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
+        };
+      };
+      virtualHosts."synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        listen = [
+          { addr = "0.0.0.0"; port = 443; ssl = true; }
+          { addr = "[::0]"; port = 443; ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+          { addr = "[::0]"; port = 8448; ssl = true; }
+        ];
+        locations = let
+          synapse = {
+            proxyPass = "http://matrix-synapse";
+            extraConfig = ''
+              add_header Strict-Transport-Security "max-age=63072000" always;
+            '';
+          };
+        in {
+          "/_matrix" = synapse;
+          "/_synapse/client" = synapse;
+          "/".return = "301 https://element.synapse.li$request_uri";
+        };
+      };
+      virtualHosts."element.synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
+        root = pkgs.element-web.override {
+          conf = {
+            default_server_config."m.homeserver" = {
+              "base_url" = "https://synapse.li";
+              "server_name" = "synapse.li";
+            };
+          };
+        };
+      };
+    };
+    security.acme.domains = {
+      "element.synapse.li" = {
+        zone = "synapse.li";
+        certCfg = {
+          postRun = ''
+            ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+          '';
+        };
+      };
+      "synapse.li".certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';       
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+          "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
+          "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
+          "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/matrix/registration.yaml b/hosts/surtr/matrix/registration.yaml
new file mode 100644
index 00000000..44b9ca89
--- /dev/null
+++ b/hosts/surtr/matrix/registration.yaml
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:RrFw7leN405vBuzzDi8HMMsZ68gGRNuEJ7tuPjgIsGbcI1eYQwaV1+81J3TUMFhqsgpsF3OuPEVcTEBAAaSSPJbPMiUo2dbS1AzZ,iv:+sfQ9yW+rbSDQiRlaPF5plMxwgKI6qa9o/FzLVeVHV0=,tag:Y1dnxQgFDUeRoELbSCiQBg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-24T21:20:09Z",
+                "mac": "ENC[AES256_GCM,data:llCJ+LjuyaPhslNPzdARtBt67R7EcllGER9u/w8NEPd1kC2RyGGsUiO2y+LywO1SY4OO0JG5M3FAIYuXEefKofzeDMCzFlmDjPRdjts9N6e6ObGyVSppOCcRIn7J1lyy+Ml+qbxuV0VrP0DN6OxLGO/dOcvtsYjftPKxcUiplNQ=,iv:ZtBLC4Tl++1yNGK07/4GL+Qzq+Hy25gfRNRxJTvL53U=,tag:V6NyCT/1ZN0qNd1tc+NRQg==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-24T21:18:14Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAd77XebsH3fPMPEHxFn2zEVKiHBKkhSsCLESuR2PPRksw\nw8zx2eJsnnW7GnjTF7LH/OPYyDEHgSu73ZFcsUebjESupZKbeu/EL/fkNaVdHfFk\n0l4BC8BYAXh22mgnHYV2ZJp0WAfv2WL0nhemY2uQ8Zs2Zdf9866/j57xvj6RQEXP\nbInXWALV1wdXhnBGlYILdEo7U9RPHRVsbqdiRq7KZVi2gNAn93lBk5qcHsQTgIkz\n=4bf7\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-24T21:18:14Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAi4YnLeLo0H8uz6DbU8knoDxsgxqFcwp1M7kQp4GllFsw\nNjwT3AdoMxCYOOqFF9dNzcEieI4hqwfeN3pxe8hw5TG7EvlUbiY3x7udzoO0+9Tm\n0l4BdV1+kQsB1tldnVo+II7EvP9HWWtNowmZzZgmVRxHt/wTL2VrB3gS7EZFssoV\nDtHpqD7cQ6Pbe+R1bzg1TDmNRamzvMUKYIaJ8tuUgA2HmZI4SiaNBPLX4XML5Zbz\n=9njW\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-24 22:20:21 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-24 22:20:21 +0100
commit	1e901b985cecb3fb2c96df8b5b7be5e08a5d3723 (patch)
tree	f81940cd1a137aa4b0cb73308164398e06784c1c /hosts/surtr/matrix
parent	c2f78236e3dce44068e3973b891666962b3dc4bc (diff)
download	nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.gz nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.bz2 nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.tar.xz nixos-1e901b985cecb3fb2c96df8b5b7be5e08a5d3723.zip

diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix new file mode 100644 index 00000000..aad9bc90 --- /dev/null +++ b/hosts/surtr/matrix/default.nix
@@ -0,0 +1,132 @@
	1	{ config, pkgs, ... }:
	2	{
	3	config = {
	4	services.matrix-synapse = {
	5	enable = true;
	6	enable_metrics = true;
	7
	8	enable_registration = false;
	9	allow_guest_access = false;
	10
	11	server_name = "synapse.li";
	12
	13	listeners = [
	14	{ bind_address = "localhost";
	15	port = 8008;
	16	resources = [
	17	{ names = [ "client" ];
	18	compress = true;
	19	}
	20	{ names = [ "federation" ];
	21	compress = false;
	22	}
	23	];
	24	tls = false;
	25	type = "http";
	26	x_forwarded = true;
	27	}
	28	];
	29
	30	tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
	31	tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
	32	tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
	33
	34	extraConfigFiles = ["/run/credentials/matrix-synapse/registration.yaml"];
	35	};
	36	sops.secrets."matrix-synapse-registration.yaml" = {
	37	format = "binary";
	38	sopsFile = ./registration.yaml;
	39	};
	40
	41	systemd.services.matrix-synapse = {
	42	serviceConfig = {
	43	LoadCredential = [
	44	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
	45	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
	46	"registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
	47	];
	48	};
	49	};
	50
	51	services.nginx = {
	52	recommendedProxySettings = true;
	53
	54	upstreams."matrix-synapse" = {
	55	servers = {
	56	"127.0.0.1:8008" = {};
	57	};
	58	};
	59
	60	virtualHosts."synapse.li" = {
	61	forceSSL = true;
	62	sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
	63	sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
	64	sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
	65	listen = [
	66	{ addr = "0.0.0.0"; port = 443; ssl = true; }
	67	{ addr = "[::0]"; port = 443; ssl = true; }
	68	{ addr = "0.0.0.0"; port = 8448; ssl = true; }
	69	{ addr = "[::0]"; port = 8448; ssl = true; }
	70	];
	71	locations = let
	72	synapse = {
	73	proxyPass = "http://matrix-synapse";
	74	extraConfig = ''
	75	add_header Strict-Transport-Security "max-age=63072000" always;
	76	'';
	77	};
	78	in {
	79	"/_matrix" = synapse;
	80	"/_synapse/client" = synapse;
	81	"/".return = "301 https://element.synapse.li$request_uri";
	82	};
	83	};
	84
	85	virtualHosts."element.synapse.li" = {
	86	forceSSL = true;
	87	sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
	88	sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
	89	sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
	90
	91	root = pkgs.element-web.override {
	92	conf = {
	93	default_server_config."m.homeserver" = {
	94	"base_url" = "https://synapse.li";
	95	"server_name" = "synapse.li";
	96	};
	97	};
	98	};
	99	};
	100	};
	101
	102	security.acme.domains = {
	103	"element.synapse.li" = {
	104	zone = "synapse.li";
	105	certCfg = {
	106	postRun = ''
	107	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	108	'';
	109	};
	110	};
	111	"synapse.li".certCfg = {
	112	postRun = ''
	113	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	114	'';
	115	};
	116	};
	117
	118	systemd.services.nginx = {
	119	serviceConfig = {
	120	LoadCredential = [
	121	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
	122	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
	123	"synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
	124
	125	"element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
	126	"element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
	127	"element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
	128	];
	129	};
	130	};
	131	};
	132	}


diff --git a/hosts/surtr/matrix/registration.yaml b/hosts/surtr/matrix/registration.yaml new file mode 100644 index 00000000..44b9ca89 --- /dev/null +++ b/hosts/surtr/matrix/registration.yaml
@@ -0,0 +1,26 @@
	1	{
	2	"data": "ENC[AES256_GCM,data:RrFw7leN405vBuzzDi8HMMsZ68gGRNuEJ7tuPjgIsGbcI1eYQwaV1+81J3TUMFhqsgpsF3OuPEVcTEBAAaSSPJbPMiUo2dbS1AzZ,iv:+sfQ9yW+rbSDQiRlaPF5plMxwgKI6qa9o/FzLVeVHV0=,tag:Y1dnxQgFDUeRoELbSCiQBg==,type:str]",
	3	"sops": {
	4	"kms": null,
	5	"gcp_kms": null,
	6	"azure_kv": null,
	7	"hc_vault": null,
	8	"age": null,
	9	"lastmodified": "2022-02-24T21:20:09Z",
	10	"mac": "ENC[AES256_GCM,data:llCJ+LjuyaPhslNPzdARtBt67R7EcllGER9u/w8NEPd1kC2RyGGsUiO2y+LywO1SY4OO0JG5M3FAIYuXEefKofzeDMCzFlmDjPRdjts9N6e6ObGyVSppOCcRIn7J1lyy+Ml+qbxuV0VrP0DN6OxLGO/dOcvtsYjftPKxcUiplNQ=,iv:ZtBLC4Tl++1yNGK07/4GL+Qzq+Hy25gfRNRxJTvL53U=,tag:V6NyCT/1ZN0qNd1tc+NRQg==,type:str]",
	11	"pgp": [
	12	{
	13	"created_at": "2022-02-24T21:18:14Z",
	14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAd77XebsH3fPMPEHxFn2zEVKiHBKkhSsCLESuR2PPRksw\nw8zx2eJsnnW7GnjTF7LH/OPYyDEHgSu73ZFcsUebjESupZKbeu/EL/fkNaVdHfFk\n0l4BC8BYAXh22mgnHYV2ZJp0WAfv2WL0nhemY2uQ8Zs2Zdf9866/j57xvj6RQEXP\nbInXWALV1wdXhnBGlYILdEo7U9RPHRVsbqdiRq7KZVi2gNAn93lBk5qcHsQTgIkz\n=4bf7\n-----END PGP MESSAGE-----\n",
	15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
	16	},
	17	{
	18	"created_at": "2022-02-24T21:18:14Z",
	19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAi4YnLeLo0H8uz6DbU8knoDxsgxqFcwp1M7kQp4GllFsw\nNjwT3AdoMxCYOOqFF9dNzcEieI4hqwfeN3pxe8hw5TG7EvlUbiY3x7udzoO0+9Tm\n0l4BdV1+kQsB1tldnVo+II7EvP9HWWtNowmZzZgmVRxHt/wTL2VrB3gS7EZFssoV\nDtHpqD7cQ6Pbe+R1bzg1TDmNRamzvMUKYIaJ8tuUgA2HmZI4SiaNBPLX4XML5Zbz\n=9njW\n-----END PGP MESSAGE-----\n",
	20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
	21	}
	22	],
	23	"unencrypted_suffix": "_unencrypted",
	24	"version": "3.7.1"
	25	}
	26	} \ No newline at end of file