matrix: introduce matrix authentication service

2025-10-12 05:28:00 +02:00 · 2025-10-12 05:28:00 +02:00 · defd0893d7
commit defd0893d7
parent bab1a46be9
6 changed files with 392 additions and 220 deletions
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -17,6 +17,18 @@
      ];
    };

+    virtualHosts."acme-mas.hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "mas.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
    virtualHosts."matrix.hamburg.ccc.de" = {
      default = true;
      forceSSL = true;
@ -37,6 +49,11 @@
        }
      ];

+      locations."~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
+        proxyPass = "http://localhost:8080";
+        priority = 999;
+      };
+
      locations."~ ^(/_matrix|/_synapse/client)" = {
        # Only proxy to the local host on IPv4, because localhost doesn't seem to work
        # even if matrix-synapse is listening on ::1 as well.
@ -59,6 +76,35 @@
        real_ip_header proxy_protocol;
      '';
    };
+
+    virtualHosts."mas.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "mas.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "http://localhost:8080";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
  };

  networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ];