path: root/hosts/surtr/matrix/default.nix
Diffstat (limited to 'hosts/surtr/matrix/default.nix')
-rw-r--r--hosts/surtr/matrix/default.nix132
1 files changed, 132 insertions, 0 deletions
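diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
new file mode 100644
index 00000000..aad9bc90
--- /dev/null
+++ b/hosts/surtr/matrix/default.nix
@@ -0,0 +1,132 @@
+{ config, pkgs, ... }:
+{
+  config = {
+    services.matrix-synapse = {
+      enable = true;
+      enable_metrics = true;
+
+      enable_registration = false;
+      allow_guest_access = false;
+
+      server_name = "synapse.li";
+
+      listeners = [
+        { bind_address = "localhost";
+          port = 8008;
+          resources = [
+            { names = [ "client" ];
+              compress = true;
+            }
+            { names = [ "federation" ];
+              compress = false;
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+
+      tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+      tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+
+      extraConfigFiles = ["/run/credentials/matrix-synapse/registration.yaml"];
+    };
+    sops.secrets."matrix-synapse-registration.yaml" = {
+      format = "binary";
+      sopsFile = ./registration.yaml;
+    };
+
+    systemd.services.matrix-synapse = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
+        ];
+      };
+    };
+
+    services.nginx = {
+      recommendedProxySettings = true;
+
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
+        };
+      };
+
+      virtualHosts."synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+        listen = [
+          { addr = "0.0.0.0"; port = 443; ssl = true; }
+          { addr = "[::0]"; port = 443; ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+          { addr = "[::0]"; port = 8448; ssl = true; }
+        ];
+        locations = let
+          synapse = {
+            proxyPass = "http://matrix-synapse";
+            extraConfig = ''
+              add_header Strict-Transport-Security "max-age=63072000" always;
+            '';
+          };
+        in {
+          "/_matrix" = synapse;
+          "/_synapse/client" = synapse;
+          "/".return = "301 https://element.synapse.li$request_uri";
+        };
+      };
+
+      virtualHosts."element.synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
+
+        root = pkgs.element-web.override {
+          conf = {
+            default_server_config."m.homeserver" = {
+              "base_url" = "https://synapse.li";
+              "server_name" = "synapse.li";
+            };
+          };
+        };
+      };
+    };
+
+    security.acme.domains = {
+      "element.synapse.li" = {
+        zone = "synapse.li";
+        certCfg = {
+          postRun = ''
+            ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+          '';
+        };
+      };
+      "synapse.li".certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+          "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+          "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+
+          "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
+          "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
+          "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}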
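Review bot: The Strict-Transport-Security header at new lines 75–76 is attached only to the two proxied locations, so the `/` redirect on `synapse.li` and every response from the static `element.synapse.li` vhost go out without HSTS even though both vhosts already `forceSSL`; moving `add_header Strict-Transport-Security "max-age=63072000" always;` into a server-level `extraConfig` on each `virtualHosts` entry covers all responses, and nginx's rule that a location with its own `add_header` does not inherit server-level ones means the copy in the `synapse` location can then simply be dropped. Separately, `/_matrix` carries media uploads and nginx's default `client_max_body_size` (1m) will reject them long before Synapse's own upload limit does, so `client_max_body_size 50M;` in the `synapse` location's `extraConfig`, kept in step with Synapse's `max_upload_size`, is worth adding. The `tls_certificate_path`/`tls_private_key_path` settings at lines 30–31 and the matching `LoadCredential` entries at lines 44–45 hand the certificate and private key to the Synapse unit although its only listener has `tls = false`; if they are intentionally unused because nginx terminates TLS on 443 and 8448, a one-line comment such as `# TLS is terminated by nginx; these paths only satisfy Synapse's config validation` would stop a reader from assuming Synapse serves federation TLS itself, and otherwise the key need not be exposed to that service at all.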