authortdback <tyler@tdback.net>2025-01-18 11:25:12 -0500
committertdback <tyler@tdback.net>2025-01-18 11:25:12 -0500
commit36856800c78bb200f2194280a59fa18e849c873a (patch)
tree2d7d050a6363c3dec30237b0d16df27f3fcc7458
parent1c2c09af90870fe45980eaa1dfb9844f1ebfad68 (diff)
feat: configure matrix server and secrets
-rw-r--r--modules/services/matrix/default.nix125
-rw-r--r--secrets/coturnStaticAuth.age6
-rw-r--r--secrets/secrets.nix2
-rw-r--r--secrets/synapseYaml.age5
4 files changed, 138 insertions, 0 deletions
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
new file mode 100644
index 0000000..a49d886
--- /dev/null
+++ b/modules/services/matrix/default.nix
@@ -0,0 +1,125 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ fqdn = "synapse.${config.networking.domain}";
+ baseUrl = "https://${fqdn}";
+in
+{
+ age.secrets = {
+ coturnStaticAuth = {
+ file = "${inputs.self}/secrets/coturnStaticAuth.age";
+ owner = "turnserver";
+ };
+ synapseYaml = {
+ file = "${inputs.self}/secrets/synapseYaml.age";
+ owner = "matrix-synapse";
+ };
+ };
+
+ networking.domain = "tdback.net";
+ networking.firewall =
+ let
+ coturnPorts = [
+ 3478
+ 5349
+ ];
+ range =
+ with config.services.coturn;
+ lib.singleton {
+ from = min-port;
+ to = max-port;
+ };
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = coturnPorts;
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = coturnPorts ++ [
+ 80
+ 443
+ ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse";
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.age.secrets.coturnStaticAuth.path;
+ realm = "turn.${config.networking.domain}";
+ no-tcp-relay = true;
+ no-tls = true;
+ no-dtls = true;
+ extraConfig = ''
+ user-quota=12
+ total-quota=1200
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ '';
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${fqdn}.extraConfig = ''
+ reverse_proxy /_matrix/* localhost:8008
+ reverse_proxy /_synapse/client/* localhost:8008
+ '';
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ extraConfigFiles = [ config.age.secrets.synapseYaml.path ];
+ settings = {
+ server_name = config.networking.domain;
+ public_baseurl = baseUrl;
+ listeners = lib.singleton {
+ port = 8008;
+ bind_address = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = lib.singleton {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = true;
+ };
+ };
+ turn_uris = with config.services.coturn; [
+ "turn:${realm}:3487?transport=udp"
+ "turn:${realm}:3487?transport=tcp"
+ ];
+ };
+ };
+}
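Review bot: The `turn_uris` at the end of the hunk advertise port 3487 (`"turn:${realm}:3487?transport=udp"` and the tcp twin), while coturn's listening port and the firewall allowlist at the top of the block use 3478, so clients will be handed a relay address that is neither listened on nor reachable through the firewall; change both URIs to `3478`. The allowlist also opens 5349 on UDP and TCP although `no-tls = true` and `no-dtls = true` disable the TLS/DTLS listener, so either drop 5349 from `coturnPorts` or enable TLS and add a `turns:` URI rather than exposing a port nothing listens on. `CREATE ROLE "matrix-synapse";` in the PostgreSQL init script creates the role without the LOGIN attribute, so unless login is granted elsewhere Synapse will be unable to connect; `CREATE ROLE "matrix-synapse" WITH LOGIN;` is the minimal fix for peer authentication over the unix socket. The Synapse listener binds only `::1` while Caddy proxies to `localhost:8008`; writing the upstream as `[::1]:8008` removes the dependency on how `localhost` resolves on the host.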
diff --git a/secrets/coturnStaticAuth.age b/secrets/coturnStaticAuth.age
new file mode 100644
index 0000000..c5e9aed
--- /dev/null
+++ b/secrets/coturnStaticAuth.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 2ZEkNQ rKk00rj47FRYw6wMqQ+MM/LVpiQcGU2Tsodlh4+fP3U
+32ofZYKduO+tRpjuHZ+u7Ak19lMWolm/O9D9ARGeNBE
+--- vAX7yL5CkMgRlFAIRNT0ez0BnJOyA9wE4/tN21Iy+WU
+}pHU/
+}7^'7 _¥ kO)Q,Cऴ,{+!l(N4kՍ}Ц܊g )x@ж6 \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fdb8fc5..358e600 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,6 +10,8 @@ let
allSystems = builtins.attrValues systems;
in
{
+ "coturnStaticAuth.age".publicKeys = [ systems.loki ];
"pushoverAppToken.age".publicKeys = allSystems;
"pushoverUserToken.age".publicKeys = allSystems;
+ "synapseYaml.age".publicKeys = [ systems.loki ];
}
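Review bot: The two added entries encrypt the new secrets to `systems.loki` alone, unlike the neighbouring entries that use `allSystems`; that is the right least-exposure choice for host-specific secrets, but it means editing or re-keying them later requires loki's host private key. If an admin or user key list is defined in the `let` block above the hunk (its start is outside the hunk), consider appending it to `[ systems.loki ]` so the secrets stay editable from a workstation; if no such list exists, a comment such as `# host-only: re-key needs loki's host key` next to these lines would spare the next maintainer the surprise.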
diff --git a/secrets/synapseYaml.age b/secrets/synapseYaml.age
new file mode 100644
index 0000000..5ecf1bc
--- /dev/null
+++ b/secrets/synapseYaml.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 2ZEkNQ QLzSOT7N03ZHuQaTwaZr/l/7RnU4LHyBSKUXVnorZyE
+Yv1dfO7RKQxS5EUfIMVpy39evbXpW6yzOB9kU7vy05k
+--- Oj7ObzSkNDu76wuAegfOX7VnKk1KNImvjnjvKZ0aXWQ
+Ե{̳~mz@X$"F|@9!xS ;|Vyn>@Il3^iQl"@"W*E7 0Ex|m&&cbjRs=bx:x \ No newline at end of file