From a3a98ec3f2ea88bafccd4a9a7a3720a7ddcd4a54 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 24 Feb 2022 21:20:44 +0100
Subject: surtr: synapse.li: ...

---
 hosts/surtr/default.nix              |  2 +-
 hosts/surtr/dns/default.nix          |  1 +
 hosts/surtr/dns/zones/li.synapse.soa |  5 ++++-
 hosts/surtr/matrix.nix               | 26 +++++++++++++++++++++++++-
 hosts/surtr/postgres.nix             | 20 --------------------
 hosts/surtr/postgresql.nix           | 15 +++++++++++++++
 6 files changed, 46 insertions(+), 23 deletions(-)
 delete mode 100644 hosts/surtr/postgres.nix
 create mode 100644 hosts/surtr/postgresql.nix

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index 7ab3199b..0e24bd54 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
   imports = with flake.nixosModules.systemProfiles; [
     qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix.nix ./postgres.nix
+    ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix.nix ./postgresql.nix
   ];
 
   config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index e9ae3183..13928ad2 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -170,6 +170,7 @@ in {
           addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
         }
         { domain = "synapse.li";
+          acmeDomains = ["element.synapse.li" "synapse.li"];
         }
         { domain = "dirty-haskell.org";
           addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 539f0297..fc171bc2 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-        2022022401 ; serial
+        2022022402 ; serial
         10800 ; refresh
         3600 ; retry
         604800 ; expire
@@ -26,4 +26,7 @@ $TTL 3600
 * IN MX 0 ymir.yggdrasil.li
 * IN TXT "v=spf1 redirect=yggdrasil.li"
 
+element IN CNAME synapse.li.
+_acme-challenge.element IN NS ns.yggdrasil.li.
+
 _acme-challenge IN NS ns.yggdrasil.li.
diff --git a/hosts/surtr/matrix.nix b/hosts/surtr/matrix.nix
index 315490cb..e3373df6 100644
--- a/hosts/surtr/matrix.nix
+++ b/hosts/surtr/matrix.nix
@@ -68,7 +68,27 @@
             add_header Strict-Transport-Security "max-age=63072000" always;
           '';
         };
-      in { "/_matrix" = synapse; "/_synapse/client" = synapse; };
+      in {
+        "/_matrix" = synapse;
+        "/_synapse/client" = synapse;
+        "/".return = "301 https://element.synapse.li$request_uri";
+      };
+    };
+
+    virtualHosts."element.synapse.li" = {
+      forceSSL = true;
+      sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
+      sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
+      sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
+
+      root = pkgs.element-web.override {
+        conf = {
+          default_server_config."m.homeserver" = {
+            "base_url" = "https://synapse.li";
+            "server_name" = "synapse.li";
+          };
+        };
+      };
     };
   };
 
@@ -78,6 +98,10 @@
         "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem"
         "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem"
         "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem"
+
+        "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
+        "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
+        "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
       ];
     };
   };
diff --git a/hosts/surtr/postgres.nix b/hosts/surtr/postgres.nix
deleted file mode 100644
index e8ea73be..00000000
--- a/hosts/surtr/postgres.nix
+++ /dev/null
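Review bot: The new `virtualHosts."element.synapse.li"` block in the first matrix.nix hunk sets `forceSSL` but none of the response headers that the `synapse.li` vhost sets in the context above it (the `add_header Strict-Transport-Security "max-age=63072000" always;` line), so the origin that serves the browser client ends up without HSTS. Element Web keeps its session in the browser, so this vhost should at least mirror that header and refuse to be framed: `extraConfig = ''`, `add_header Strict-Transport-Security "max-age=63072000" always;`, `add_header X-Frame-Options SAMEORIGIN always;`, `'';`. Serving the client from its own origin instead of under `synapse.li`, with `/` on the homeserver redirecting there, is the right split and should stay. The enclosing `services.nginx` attribute set starts and ends outside the hunk.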
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
-  config = {
-    services.postgresql = {
-      enable = true;
-      package = pkgs.postgresql_14;
-      ensureDatabases = [
-        "matrix-synapse"
-      ];
-      ensureUsers = [
-        { name = "matrix-synapse";
-          ensurePermissions = {
-            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
-            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-          };
-        }
-      ];
-    };
-  };
-}
diff --git a/hosts/surtr/postgresql.nix b/hosts/surtr/postgresql.nix
new file mode 100644
index 00000000..f0cb155b
--- /dev/null
+++ b/hosts/surtr/postgresql.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  config = {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      initalScript = pkgs.writeText "schema.sql" ''
+        CREATE DATABASE "matrix-synapse" WITH ENCODING "UTF8" LOCALE "C";
+        CREATE USER "matrix-synapse";
+        GRANT ALL PRIVILEGES ON DATABASE "matrix-synapse" TO "matrix-synapse";
+        GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "matrix-synapse";
+      '';
+    };
+  };
+}
-- 
cgit v1.2.3
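Review bot: `initalScript` in the new postgresql.nix is misspelled; the NixOS option is `services.postgresql.initialScript`, and because the module system rejects unknown attributes under `config`, this host will fail to evaluate rather than quietly skip the script — the line should read `initialScript = pkgs.writeText "schema.sql" ''`. Once spelled correctly, `initialScript` runs only when the cluster is first initialised, so on a data directory that already exists from the removed `ensureDatabases`/`ensureUsers` configuration the database and role will presumably not be created or re-granted, and the migration needs a one-off manual step. `CREATE DATABASE ... LOCALE "C"` is also likely to be rejected unless the cluster's template database already uses the C collation; adding `TEMPLATE template0` to that statement avoids the dependency on the initdb locale. The `GRANT ... ON ALL TABLES IN SCHEMA public` statement presumably runs while connected to the default database rather than to `"matrix-synapse"`, and at that point no tables exist, so `ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";` would be both simpler and cover tables created later.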