Diffstat (limited to 'modules/services')
-rw-r--r--modules/services/matrix/default.nix125
-rw-r--r--modules/services/web/default.nix39
2 files changed, 157 insertions, 7 deletions
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
new file mode 100644
index 0000000..61bc83b
--- /dev/null
+++ b/modules/services/matrix/default.nix
@@ -0,0 +1,125 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ fqdn = "synapse.${config.networking.domain}";
+ baseUrl = "https://${fqdn}";
+in
+{
+ age.secrets = {
+ coturnStaticAuth = {
+ file = "${inputs.self}/secrets/coturnStaticAuth.age";
+ owner = "turnserver";
+ };
+ synapseYaml = {
+ file = "${inputs.self}/secrets/synapseYaml.age";
+ owner = "matrix-synapse";
+ };
+ };
+
+ networking.domain = "tdback.net";
+ networking.firewall =
+ let
+ coturnPorts = [
+ 3478
+ 5349
+ ];
+ range =
+ with config.services.coturn;
+ lib.singleton {
+ from = min-port;
+ to = max-port;
+ };
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = coturnPorts;
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = coturnPorts ++ [
+ 80
+ 443
+ ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse";
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.age.secrets.coturnStaticAuth.path;
+ realm = "turn.${config.networking.domain}";
+ no-tcp-relay = true;
+ no-tls = true;
+ no-dtls = true;
+ extraConfig = ''
+ user-quota=12
+ total-quota=1200
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ '';
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${fqdn}.extraConfig = ''
+ reverse_proxy /_matrix/* localhost:8008
+ reverse_proxy /_synapse/client/* localhost:8008
+ '';
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ extraConfigFiles = [ config.age.secrets.synapseYaml.path ];
+ settings = {
+ server_name = config.networking.domain;
+ public_baseurl = baseUrl;
+ listeners = lib.singleton {
+ port = 8008;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = lib.singleton {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = true;
+ };
+ };
+ turn_uris = with config.services.coturn; [
+ "turn:${realm}:3487?transport=udp"
+ "turn:${realm}:3487?transport=tcp"
+ ];
+ };
+ };
+}
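Review bot: The `turn_uris` entries near the end of the hunk advertise port 3487, but the firewall block opens 3478 and 5349 and coturn's listening port is not changed from its default, so clients would be told to reach a port that is neither listened on nor open; the two lines should read `"turn:${realm}:3478?transport=udp"` and `"turn:${realm}:3478?transport=tcp"`. Relatedly, 5349 is added to `coturnPorts` while `no-tls` and `no-dtls` are both set, so that port is exposed with nothing serving it; either drop it from the list or leave a comment explaining why it is open. The `denied-peer-ip` list is a good control against relay to internal ranges, but it is worth a one-line comment naming its intent, e.g. `# block relaying to RFC 1918 / loopback / link-local / reserved ranges`, so it is not pruned later as noise.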
diff --git a/modules/services/web/default.nix b/modules/services/web/default.nix
index b6a45af..0a7b392 100644
--- a/modules/services/web/default.nix
+++ b/modules/services/web/default.nix
@@ -1,10 +1,35 @@
-{ ... }:
+{ config, ... }:
+let
+ fqdn = "synapse.${config.networking.domain}";
+ baseUrl = "https://${fqdn}";
+in
{
- services.caddy.virtualHosts = {
- "tdback.net".extraConfig = ''
- root * /var/www/tdback.net/
- encode zstd gzip
- file_server
- '';
+ networking.domain = "tdback.net";
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${config.networking.domain}.extraConfig = ''
+ handle /.well-known/matrix/server {
+ header Content-Type application/json
+ header Access-Control-Allow-Origin *
+ respond `{"m.server": "${fqdn}:443"}`
+ }
+
+ handle /.well-known/matrix/client {
+ header Content-Type application/json
+ header Access-Control-Allow-Origin *
+ respond `{"m.homeserver": {"base_url": "${baseUrl}"}}`
+ }
+
+ root * /var/www/tdback.net/
+ encode zstd gzip
+ file_server
+ '';
+ };
};
}
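Review bot: The `let` block at the top of this hunk recomputes `fqdn` and `baseUrl` with the same expressions as modules/services/matrix/default.nix, and both files set `networking.domain = "tdback.net"`; the two definitions can drift apart silently, and the `.well-known` responses here would then point at a host the Matrix module no longer serves. A style improvement would be to define these in one place (a shared `let` in a common module, or a custom option read by both) so the delegation target and the synapse virtual host come from a single value. The wildcard `Access-Control-Allow-Origin` on the `.well-known/matrix/client` handler is expected for that endpoint, but a short comment such as `# spec requires CORS on client well-known; it serves no secrets` would make that deliberate choice clear to the next reader.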