authortdback <tyler@tdback.net>2025-01-26 11:34:28 -0500
committertdback <tyler@tdback.net>2025-01-26 11:34:28 -0500
commit99e940770b61db350379d692df7cf3831ef4bd92 (patch)
treed927d171b483b9ae07de4ab615f250edf25e535a /modules/services/matrix
parentbc7b54af5193f8ac7333ce3f27f414f9a69a80c0 (diff)
services: major overhaul on service modules
Diffstat (limited to 'modules/services/matrix')
-rw-r--r--modules/services/matrix/default.nix230
1 files changed, 124 insertions, 106 deletions
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index c6d8755..0cfa56b 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -1,130 +1,148 @@
{
- inputs,
config,
lib,
pkgs,
...
}:
+with lib;
let
- baseUrl = "https://${fqdn}";
- fqdn = "synapse.${config.networking.domain}";
- synPort = 8008;
+ cfg = config.modules.services.matrix;
in
{
- age.secrets = {
- coturnStaticAuth = {
- file = "${inputs.self}/secrets/coturnStaticAuth.age";
- owner = "turnserver";
+ options.modules.services.matrix = {
+ enable = mkEnableOption "matrix";
+ port = mkOption {
+ default = 8008;
+ type = types.int;
};
- synapseYaml = {
- file = "${inputs.self}/secrets/synapseYaml.age";
- owner = "matrix-synapse";
+ url = mkOption {
+ type = types.str;
+ };
+ registrationSecret = mkOption {
+ type = types.str;
+ description = "Path to registration shared secret yaml file.";
+ };
+ coturnStaticAuth = mkOption {
+ type = types.str;
+ description = "Path to static auth secret file.";
};
};
- networking.domain = "tdback.net";
- networking.firewall =
- let
- coturnPorts = [
- 3478
- 5349
- ];
- range =
- with config.services.coturn;
- lib.singleton {
- from = min-port;
- to = max-port;
- };
- in
- {
- allowedUDPPortRanges = range;
- allowedUDPPorts = coturnPorts;
- allowedTCPPortRanges = [ ];
- allowedTCPPorts = coturnPorts ++ [
- 80
- 443
- ];
+ config = mkIf cfg.enable {
+ age.secrets = {
+ registrationSecret = {
+ file = cfg.registrationSecret;
+ owner = "matrix-synapse";
+ };
+ coturnStaticAuth = {
+ file = cfg.coturnStaticAuth;
+ owner = "turnserver";
+ };
};
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql_17;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse";
- CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = "C"
- LC_CTYPE = "C";
- '';
- };
+ networking.firewall =
+ let
+ coturnPorts = [
+ 3478
+ 5349
+ ];
+ range =
+ with config.services.coturn;
+ lib.singleton {
+ from = min-port;
+ to = max-port;
+ };
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = coturnPorts;
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = coturnPorts ++ [
+ 80
+ 443
+ ];
+ };
- services.coturn = {
- enable = true;
- use-auth-secret = true;
- static-auth-secret-file = config.age.secrets.coturnStaticAuth.path;
- realm = "turn.${config.networking.domain}";
- no-tcp-relay = true;
- no-tls = true;
- no-dtls = true;
- extraConfig = ''
- user-quota=12
- total-quota=1200
- no-multicast-peers
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=127.0.0.0-127.255.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=192.0.0.0-192.0.0.255
- denied-peer-ip=192.0.2.0-192.0.2.255
- denied-peer-ip=192.88.99.0-192.88.99.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=198.18.0.0-198.19.255.255
- denied-peer-ip=198.51.100.0-198.51.100.255
- denied-peer-ip=203.0.113.0-203.0.113.255
- denied-peer-ip=240.0.0.0-255.255.255.255
- '';
- };
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse";
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
- services.caddy = {
- enable = true;
- virtualHosts = {
- ${fqdn}.extraConfig =
- let
- localhost = "http://localhost:${builtins.toString synPort}";
- in
- ''
- reverse_proxy /_matrix/* ${localhost}
- reverse_proxy /_synapse/client/* ${localhost}
- '';
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.age.secrets.coturnStaticAuth.path;
+ realm = "turn.${cfg.url}";
+ no-tcp-relay = true;
+ no-tls = true;
+ no-dtls = true;
+ extraConfig = ''
+ user-quota=12
+ total-quota=1200
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ '';
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "synapse.${cfg.url}".extraConfig =
+ let
+ localhost = "http://localhost:${builtins.toString cfg.port}";
+ in
+ ''
+ reverse_proxy /_matrix/* ${localhost}
+ reverse_proxy /_synapse/client/* ${localhost}
+ '';
+ };
};
- };
- services.matrix-synapse = {
- enable = true;
- extraConfigFiles = [ config.age.secrets.synapseYaml.path ];
- settings = {
- server_name = config.networking.domain;
- public_baseurl = baseUrl;
- listeners = lib.singleton {
- port = synPort;
- bind_addresses = [ "::1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = lib.singleton {
- names = [
- "client"
- "federation"
- ];
- compress = true;
+ services.matrix-synapse = {
+ enable = true;
+ extraConfigFiles = [ config.age.secrets.registrationSecret.path ];
+ settings = {
+ server_name = cfg.url;
+ public_baseurl = "https://synapse.${cfg.url}";
+ listeners = lib.singleton {
+ port = cfg.port;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = lib.singleton {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = true;
+ };
};
+ turn_uris = with config.services.coturn; [
+ "turn:${realm}?transport=udp"
+ "turn:${realm}?transport=tcp"
+ ];
};
- turn_uris = with config.services.coturn; [
- "turn:${realm}?transport=udp"
- "turn:${realm}?transport=tcp"
- ];
};
};
}
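Review bot: The new `port` option at the top of the hunk is declared as `types.int`, which accepts negative or out-of-range values; nixpkgs provides `types.port` for exactly this case. Likewise `registrationSecret` and `coturnStaticAuth` are described as paths but typed `types.str`, and `url` carries no description even though every consumer treats it as a bare domain (`server_name = cfg.url`, `"synapse.${cfg.url}"`, `"turn.${cfg.url}"`) rather than a URL, so a caller passing a value with a scheme would silently yield a broken server_name and TURN realm. I would change the declarations to `port = mkOption { default = 8008; type = types.port; };`, use `type = types.path;` for both secret options, and add `description = "Base domain used as the Synapse server_name; the synapse. and turn. hosts are derived from it.";` to `url`. The file-scope `with lib;` alongside the still-qualified `lib.singleton` calls is also inconsistent; either drop the `with` or drop the prefixes.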