From 36856800c78bb200f2194280a59fa18e849c873a Mon Sep 17 00:00:00 2001
From: tdback
Date: Sat, 18 Jan 2025 11:25:12 -0500
Subject: feat: configure matrix server and secrets

---
 modules/services/matrix/default.nix | 125 ++++++++++++++++++++++++++++++++++++
 secrets/coturnStaticAuth.age | 6 ++
 secrets/secrets.nix | 2 +
 secrets/synapseYaml.age | 5 ++
 4 files changed, 138 insertions(+)
 create mode 100644 modules/services/matrix/default.nix
 create mode 100644 secrets/coturnStaticAuth.age
 create mode 100644 secrets/synapseYaml.age

diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
new file mode 100644
index 0000000..a49d886
--- /dev/null
+++ b/modules/services/matrix/default.nix
@@ -0,0 +1,125 @@
+{
+ inputs,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ fqdn = "synapse.${config.networking.domain}";
+ baseUrl = "https://${fqdn}";
+in
+{
+ age.secrets = {
+ coturnStaticAuth = {
+ file = "${inputs.self}/secrets/coturnStaticAuth.age";
+ owner = "turnserver";
+ };
+ synapseYaml = {
+ file = "${inputs.self}/secrets/synapseYaml.age";
+ owner = "matrix-synapse";
+ };
+ };
+
+ networking.domain = "tdback.net";
+ networking.firewall =
+ let
+ coturnPorts = [
+ 3478
+ 5349
+ ];
+ range =
+ with config.services.coturn;
+ lib.singleton {
+ from = min-port;
+ to = max-port;
+ };
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = coturnPorts;
+ allowedTCPPortRanges = [ ];
+ allowedTCPPorts = coturnPorts ++ [
+ 80
+ 443
+ ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse";
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.age.secrets.coturnStaticAuth.path;
+ realm = "turn.${config.networking.domain}";
+ no-tcp-relay = true;
+ no-tls = true;
+ no-dtls = true;
+ extraConfig = ''
+ user-quota=12
+ total-quota=1200
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ '';
+ };
+
+ services.caddy = {
+
enable = true; + virtualHosts = { + ${fqdn}.extraConfig = '' + reverse_proxy /_matrix/* localhost:8008 + reverse_proxy /_synapse/client/* localhost:8008 + ''; + }; + }; + + services.matrix-synapse = { + enable = true; + extraConfigFiles = [ config.age.secrets.synapseYaml.path ]; + settings = { + server_name = config.networking.domain; + public_baseurl = baseUrl; + listeners = lib.singleton { + port = 8008; + bind_address = [ "::1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = lib.singleton { + names = [ + "client" + "federation" + ]; + compress = true; + }; + }; + turn_uris = with config.services.coturn; [ + "turn:${realm}:3487?transport=udp" + "turn:${realm}:3487?transport=tcp" + ]; + }; + }; +} diff --git a/secrets/coturnStaticAuth.age b/secrets/coturnStaticAuth.age new file mode 100644 index 0000000..c5e9aed --- /dev/null +++ b/secrets/coturnStaticAuth.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 2ZEkNQ rKk00rj47FRYw6wMqQ+MM/LVpiQcGU2Tsodlh4+fP3U +32ofZYKduO+tRpjuHZ+u7Ak19lMWolm/O9D9ARGeNBE +--- vAX7yL5CkMgRlFAIRNT0ez0BnJOyA9wE4/tN21Iy+WU +}pHU/ +}7^'7 _¥ kO)Q,Cऴ,{+!l(N4kՍ}Ц܊g )x@ж6 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fdb8fc5..358e600 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,6 +10,8 @@ let allSystems = builtins.attrValues systems; in { + "coturnStaticAuth.age".publicKeys = [ systems.loki ]; "pushoverAppToken.age".publicKeys = allSystems; "pushoverUserToken.age".publicKeys = allSystems; + "synapseYaml.age".publicKeys = [ systems.loki ]; } diff --git a/secrets/synapseYaml.age b/secrets/synapseYaml.age new file mode 100644 index 0000000..5ecf1bc --- /dev/null +++ b/secrets/synapseYaml.age 
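Review bot: The `turn_uris` entries in `services.matrix-synapse.settings` point clients at port 3487, while coturn listens on 3478 and the firewall's `coturnPorts` opens 3478/5349, so TURN relaying will fail for clients even though the server itself is running. Derive the port from the coturn module instead of retyping it, e.g. `"turn:${realm}:${toString listening-port}?transport=udp"` and the same for `transport=tcp`, since `with config.services.coturn;` is already in scope there; the firewall list could likewise use `listening-port` and `tls-listening-port` rather than the literals 3478 and 5349. Separately, `server_name` is `tdback.net` but the federation listener is only reachable at `synapse.tdback.net`, so unless a `/.well-known/matrix/server` or SRV delegation is configured elsewhere in the repo, remote homeservers will not locate this deployment; a comment next to `server_name` stating where the delegation lives would help either way. The hunk is spread over two physical lines here, but the whole new file is within view.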
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 2ZEkNQ QLzSOT7N03ZHuQaTwaZr/l/7RnU4LHyBSKUXVnorZyE +Yv1dfO7RKQxS5EUfIMVpy39evbXpW6yzOB9kU7vy05k +--- Oj7ObzSkNDu76wuAegfOX7VnKk1KNImvjnjvKZ0aXWQ +Ե{̳~mz@X$"F|@9!xS ;|Vyn>@Il3^iQl"@"W*E7 0Ex|m&&cbjRs=bx:x \ No newline at end of file -- cgit v1.2.3