From 522c8a27dbde0d337c40aa05597c43df05f5ff8f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 24 Feb 2022 20:59:41 +0100
Subject: surtr: synapse.li: ...
---
 hosts/surtr/default.nix | 12 ++++++-
 hosts/surtr/http.nix | 4 ++-
 hosts/surtr/matrix.nix | 85 ++++++++++++++++++++++++++++++++++++++++++++++++
 hosts/surtr/postgres.nix | 20 ++++++++++++
 hosts/surtr/zfs.nix | 24 +++++++++++---
 5 files changed, 138 insertions(+), 7 deletions(-)
 create mode 100644 hosts/surtr/matrix.nix
 create mode 100644 hosts/surtr/postgres.nix
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index add50653..7ab3199b 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
 imports = with flake.nixosModules.systemProfiles; [
 qemu-guest openssh rebuild-machines zfs
- ./zfs.nix ./dns ./tls ./http.nix ./bifrost
+ ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix.nix ./postgres.nix
 ];
 config = {
@@ -139,5 +139,15 @@
 automatic = true;
 options = "--delete-older-than 30d";
 };
+
+ security.dhparams = {
+ enable = true;
+ defaultBitSize = 4096;
+ params = {
+ nginx = {};
+ matrix-synapse = {};
+ };
+ stateful = true;
+ };
 };
 }
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index fb22492f..a7b61d81 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -14,6 +14,7 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ sslDhparam = config.security.dhparams.params.nginx.path;
 commonHttpConfig = ''
 ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
@@ -25,6 +26,8 @@
 access_log syslog:server=unix:/dev/log main;
 error_log syslog:server=unix:/dev/log info;
+
+ client_body_temp_path /run/nginx-client-bodies;
 '';
 additionalModules = with pkgs.nginxModules; [ dav pam ];
 virtualHosts = {
@@ -45,7 +48,6 @@
 dav_access user:rw;
 autoindex on;
- client_body_temp_path /run/nginx-client-bodies;
 client_max_body_size 0;
 create_full_put_path on;
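Review bot: `stateful = true` together with `defaultBitSize = 4096` means both parameter sets are generated on the host by the module's generator units rather than at build time, and 4096-bit DH generation can take a long time on a small VM, so the first start of nginx and synapse after this change may be delayed considerably; that deserves a comment here, e.g. `# generated on the host at first boot (stateful); 4096-bit DH generation is slow, expect a delayed first start of nginx/synapse`. The `matrix-synapse` entry is only useful if synapse terminates TLS itself, and the matrix.nix hunk gives it a single `tls = false` listener behind nginx, so that entry looks like dead weight. The two consumers live in http.nix and matrix.nix; declaring each `params` entry next to the file that reads its `.path` would keep those files self-contained.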
diff --git a/hosts/surtr/matrix.nix b/hosts/surtr/matrix.nix
new file mode 100644
index 00000000..315490cb
--- /dev/null
+++ b/hosts/surtr/matrix.nix
@@ -0,0 +1,85 @@
+{ config, ... }:
+{
+ config = {
+ services.matrix-synapse = {
+ enable = true;
+ enable_metrics = true;
+
+ enable_registration = false;
+ allow_guest_access = false;
+
+ server_name = "synapse.li";
+
+ listeners = [
+ { bind_address = "localhost";
+ port = 8008;
+ resources = [
+ { names = [ "client" ];
+ compress = true;
+ }
+ { names = [ "federation" ];
+ compress = false;
+ }
+ ];
+ tls = false;
+ type = "http";
+ x_forwarded = true;
+ }
+ ];
+
+ tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem";
+ tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem";
+ tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+ };
+
+ systemd.services.matrix-synapse = {
+ serviceConfig = {
+ LoadCredential = [
+ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+ "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+ ];
+ };
+ };
+
+ services.nginx = {
+ recommendedProxySettings = true;
+
+ upstreams."matrix-synapse" = {
+ servers = {
+ "127.0.0.1:8008" = {};
+ };
+ };
+
+ virtualHosts."synapse.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
+ listen = [
+ { addr = "0.0.0.0"; port = 443; ssl = true; }
+ { addr = "[::]"; port = 443; ssl = true; }
+ { addr = "0.0.0.0"; port = 8448; ssl = true; }
+ { addr = "[::]"; port = 8448; ssl = true; }
+ ];
+ locations = let
+ synapse = {
+ proxyPass = "http://matrix-synapse";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+ };
+ in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
+ };
+ };
+
+ systemd.services.nginx = {
+ serviceConfig = {
+ LoadCredential = [
+ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
+
"synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
+ "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/surtr/postgres.nix b/hosts/surtr/postgres.nix
new file mode 100644
index 00000000..e8ea73be
--- /dev/null
+++ b/hosts/surtr/postgres.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ config = {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ ensureDatabases = [
+ "matrix-synapse"
+ ];
+ ensureUsers = [
+ { name = "matrix-synapse";
+ ensurePermissions = {
+ "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+ "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
index 3a69fd96..736d5cc9 100644
--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -35,11 +35,25 @@
 fsType = "zfs";
 };
- "/srv" =
- { device = "surtr/safe/srv";
- fsType = "zfs";
- options = [ "zfsutil" ];
- };
+ # "/srv" =
+ # { device = "surtr/safe/srv";
+ # fsType = "zfs";
+ # options = [ "zfsutil" ];
+ # };
+ };
+
+ boot.postBootCommands = ''
+ echo "=== STARTING ZPOOL IMPORT ==="
+ ${pkgs.zfs}/bin/zpool import -a -N -d /dev
+ ${pkgs.zfs}/bin/zpool status
+ ${pkgs.zfs}/bin/zfs mount -a
+ echo "=== ZPOOL IMPORT COMPLETE ==="
+ '';
+
+ system.activationScripts = {
+ zfsMount.text = ''
+ ${pkgs.zfs}/bin/zfs mount -a
+ '';
 };
 services.zfssnap.enable = true;
--
cgit v1.2.3
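Review bot: `tls_certificate_path` and `tls_private_key_path` point under `/run/credentials/matrix-synapse/`, while the nginx paths in the same hunk use `/run/credentials/nginx.service/`; systemd exposes `LoadCredential` files under `/run/credentials/UNIT.service`, i.e. `matrix-synapse.service`, so the synapse paths look wrong. Since the only listener is `tls = false` and nginx terminates TLS on 443 and 8448, those two options, `tls_dh_params_path` and the synapse `LoadCredential` block appear unused and could be dropped, which also keeps the ACME private key out of the synapse service. Separately, the `/_matrix` location inherits nginx's default `client_max_body_size` (1m) unless it is raised elsewhere, which caps media uploads far below synapse's own `max_upload_size` default of 50M; add `client_max_body_size 50M;` (or whatever `max_upload_size` is set to) to `extraConfig` next to the HSTS header.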
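Review bot: `ensureDatabases` creates `matrix-synapse` with the cluster's default encoding and collation, but synapse refuses to start against a database whose `LC_COLLATE`/`LC_CTYPE` are not `C`, so unless the cluster was initialised with a C locale this needs an `initialScript` (or `initdbArgs`) that creates the database with `ENCODING 'UTF8' LC_COLLATE 'C' LC_CTYPE 'C'`. The `"ALL TABLES IN SCHEMA public"` grant is, as far as I can tell, executed on the module's default connection rather than inside the `matrix-synapse` database, so it may not grant what it intends; the database-level grant plus synapse owning the tables it creates is normally sufficient, and dropping the schema-wide grant also keeps the role's privileges narrower. This file does not show how synapse is pointed at this database, so it relies on the synapse module's defaults matching the `matrix-synapse` name; a one-line comment saying so would help.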
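Review bot: `boot.postBootCommands` imports every pool visible under `/dev` (`zpool import -a -N -d /dev`) and the following `zfs mount -a` then mounts all of their datasets at whatever `mountpoint` property they carry, and the activation script repeats `zfs mount -a` on every `nixos-rebuild switch`; a foreign or hot-plugged pool would be imported and its datasets mounted unconditionally, outside what `fileSystems` declares, and a dataset mounted over a populated directory would silently shadow it. If the goal is importing a pool that has no `fileSystems` entry, `boot.zfs.extraPools` does that declaratively, and the commented-out `/srv` entry could then stay a normal mount instead of depending on `zfs mount -a`. The `=== STARTING ZPOOL IMPORT ===` banners and the `zpool status` call read as leftover debugging; if the block stays, record why the declarative mount was abandoned, e.g. `# /srv is mounted by zfs mount -a below because REASON_PLACEHOLDER`.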