1 files changed, 85 insertions, 0 deletions
diff --git a/hosts/surtr/matrix.nix b/hosts/surtr/matrix.nix
new file mode 100644
index 00000000..315490cb
--- /dev/null
+++ b/hosts/surtr/matrix.nix
@@ -0,0 +1,85 @@
+{ config, ... }:
+{
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      enable_metrics = true;
+      enable_registration = false;
+      allow_guest_access = false;
+      server_name = "synapse.li";
+      listeners = [
+        { bind_address = "localhost";
+          port = 8008;
+          resources = [
+            { names = [ "client" ];
+              compress = true;
+            }
+            { names = [ "federation" ];
+              compress = false;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+      tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+      tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+    };
+    systemd.services.matrix-synapse = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+        ];
+      };
+    };
+    services.nginx = {
+      recommendedProxySettings = true;
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
+        };
+      };
+      virtualHosts."synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        listen = [
+          { addr = "0.0.0.0"; port = 443; ssl = true; }
+          { addr = "[::]"; port = 443; ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+          { addr = "[::]"; port = 8448; ssl = true; }
+        ];
+        locations = let
+          synapse = {
+            proxyPass = "http://matrix-synapse";
+            extraConfig = ''
+              add_header Strict-Transport-Security "max-age=63072000" always;
+            '';
+          };
+        in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
+      };
+    };
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}

diff --git a/hosts/surtr/matrix.nix b/hosts/surtr/matrix.nix new file mode 100644 index 00000000..315490cb --- /dev/null +++ b/hosts/surtr/matrix.nix
@@ -0,0 +1,85 @@
	1	{ config, ... }:
	2	{
	3	config = {
	4	services.matrix-synapse = {
	5	enable = true;
	6	enable_metrics = true;
	7
	8	enable_registration = false;
	9	allow_guest_access = false;
	10
	11	server_name = "synapse.li";
	12
	13	listeners = [
	14	{ bind_address = "localhost";
	15	port = 8008;
	16	resources = [
	17	{ names = [ "client" ];
	18	compress = true;
	19	}
	20	{ names = [ "federation" ];
	21	compress = false;
	22	}
	23	];
	24	tls = false;
	25	type = "http";
	26	x_forwarded = true;
	27	}
	28	];
	29
	30	tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
	31	tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
	32	tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
	33	};
	34
	35	systemd.services.matrix-synapse = {
	36	serviceConfig = {
	37	LoadCredential = [
	38	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
	39	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
	40	];
	41	};
	42	};
	43
	44	services.nginx = {
	45	recommendedProxySettings = true;
	46
	47	upstreams."matrix-synapse" = {
	48	servers = {
	49	"127.0.0.1:8008" = {};
	50	};
	51	};
	52
	53	virtualHosts."synapse.li" = {
	54	forceSSL = true;
	55	sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
	56	sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
	57	sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
	58	listen = [
	59	{ addr = "0.0.0.0"; port = 443; ssl = true; }
	60	{ addr = "[::]"; port = 443; ssl = true; }
	61	{ addr = "0.0.0.0"; port = 8448; ssl = true; }
	62	{ addr = "[::]"; port = 8448; ssl = true; }
	63	];
	64	locations = let
	65	synapse = {
	66	proxyPass = "http://matrix-synapse";
	67	extraConfig = ''
	68	add_header Strict-Transport-Security "max-age=63072000" always;
	69	'';
	70	};
	71	in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
	72	};
	73	};
	74
	75	systemd.services.nginx = {
	76	serviceConfig = {
	77	LoadCredential = [
	78	"synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
	79	"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
	80	"synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
	81	];
	82	};
	83	};
	84	};
	85	}