matrix: introduce matrix authentication service

2025-10-12 05:28:00 +02:00 · 2025-10-12 05:28:00 +02:00 · defd0893d7
commit defd0893d7
parent bab1a46be9
6 changed files with 392 additions and 220 deletions
--- a/config/hosts/matrix/mas.nix
+++ b/config/hosts/matrix/mas.nix
@ -0,0 +1,113 @@
+{ pkgs, ... }:
+let
+  masSettings = {
+    http = {
+      listeners = [
+        {
+          name = "web";
+          resources = [
+            { name = "discovery"; }
+            { name = "human"; }
+            { name = "oauth"; }
+            { name = "compat"; }
+            { name = "graphql"; }
+            {
+              name = "assets";
+              path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
+            }
+          ];
+          binds = [{
+            host = "localhost";
+            port = 8080;
+          }];
+          proxy_protocol = false;
+        }
+        {
+          name = "internal";
+          resources = [{
+            name = "health";
+          }];
+          binds = [{
+            host = "localhost";
+            port = 8081;
+          }];
+          proxy_protocol = false;
+        }
+      ];
+      trusted_proxies = [
+        "127.0.0.1/8"
+        "::1/128"
+      ];
+      public_base = "https://mas.hamburg.ccc.de";
+    };
+    database = {
+      uri = "postgresql://mas_user:mas@localhost/mas";
+      max_connections = 10;
+      min_connections = 0;
+      connect_timeout = 30;
+      idle_timeout = 600;
+      max_lifetime = 1800;
+    };
+    email = {
+      from = "\"Authentication Service\" <root@localhost>";
+      reply_to = "\"Authentication Service\" <root@localhost>";
+      # Don't send any emails.
+      transport = "blackhole";
+    };
+    passwords = {
+      enabled = true;
+      schemes = [
+        {
+          version = 1;
+          algorithm = "bcrypt";
+          unicode_normalization = true;
+        }
+        {
+          version = 2;
+          algorithm = "argon2id";
+        }
+      ];
+      minimum_complexity = 8;
+    };
+  };
+  # matrix and secrets sections in secret
+  masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
+in
+{
+  environment.systemPackages = with pkgs; [
+    matrix-authentication-service
+  ];
+
+  systemd.services.matrix-authentication-service = {
+    description = "Matrix Authentication Service";
+    after = [ "network-online.target" "postgresql.service" ];
+    requires = [ "postgresql.service" ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/mas_secrets_config --config=/run/secrets/mas_matrix_config";
+      WorkingDirectory = "${pkgs.matrix-authentication-service}";
+      User = "matrix-synapse";
+      Group = "matrix-synapse";
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+
+  sops.secrets."mas_secrets_config" = {
+    mode = "0440";
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    restartUnits = [ "matrix-authentication-service.service" ];
+  };
+
+  sops.secrets."mas_matrix_config" = {
+    mode = "0440";
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    restartUnits = [ "matrix-authentication-service.service" ];
+  };
+}