
{ pkgs, ... }:
let
masSettings =
  let
    # Small helpers so the listener table below reads as data rather than
    # repeated attrsets; the resulting attrset is identical to writing it out.
    resource = name: { inherit name; };
    bindLocal = port: [{ host = "localhost"; inherit port; }];
    assetsPath = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
  in
  {
    http = {
      listeners = [
        # Public listener. It binds to loopback only and public_base is https,
        # so a reverse proxy in front of it (not configured in this file) must
        # terminate TLS and forward to 8080.
        {
          name = "web";
          resources = [
            (resource "discovery")
            (resource "human")
            (resource "oauth")
            (resource "compat")
            (resource "graphql")
            { name = "assets"; path = assetsPath; }
          ];
          binds = bindLocal 8080;
          proxy_protocol = false;
        }
        # Health endpoint kept on its own loopback port, off the public listener.
        {
          name = "internal";
          resources = [ (resource "health") ];
          binds = bindLocal 8081;
          proxy_protocol = false;
        }
      ];
      # Only loopback is allowed to supply forwarded-client headers; anything
      # arriving from other addresses is treated as the client itself.
      trusted_proxies = [ "127.0.0.1/8" "::1/128" ];
      public_base = "https://mas.hamburg.ccc.de";
    };
    database = {
      # NOTE(review): this URI embeds the database password and is rendered by
      # masSettingsFile into the world-readable Nix store. Only the `matrix`
      # and `secrets` sections are sops-managed today; the `database` section
      # should move into one of those files as well (or use socket/peer auth).
      uri = "postgresql://mas_user:mas@localhost/mas";
      max_connections = 10;
      min_connections = 0;
      connect_timeout = 30;
      idle_timeout = 600;
      max_lifetime = 1800;
    };
    email = {
      from = "\"Authentication Service\" <root@localhost>";
      reply_to = "\"Authentication Service\" <root@localhost>";
      # Mail is discarded, so any flow that depends on delivering one cannot
      # complete; the root@localhost sender only matters if this changes.
      transport = "blackhole";
    };
    passwords = {
      enabled = true;
      # Two hashing schemes are listed; presumably the highest version is used
      # for new hashes and older ones remain for verifying/upgrading existing
      # hashes — confirm against the MAS docs before removing version 1.
      schemes = [
        {
          version = 1;
          algorithm = "bcrypt";
          unicode_normalization = true;
        }
        {
          version = 2;
          algorithm = "argon2id";
        }
      ];
      # NOTE(review): MAS documents minimum_complexity as a zxcvbn score in the
      # range 0-4 (default 3); 8 is outside that range — confirm how the
      # deployed version treats it (reject, clamp, or ignore).
      minimum_complexity = 8;
    };
  };
# The `matrix` and `secrets` sections are deliberately absent here; they come
# from the sops-managed config files passed as extra --config arguments below.
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
in
{
# Put mas-cli on the system PATH so it can be run by hand with the same build
# the service uses.
environment.systemPackages = [ pkgs.matrix-authentication-service ];
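systemd.services.matrix-authentication-service = {
  description = "Matrix Authentication Service";
  # Needs the database up and the network online before the server starts.
  after = [ "network-online.target" "postgresql.service" ];
  requires = [ "postgresql.service" ];
  wants = [ "network-online.target" ];
  serviceConfig = {
    # `mas-cli server` is a long-running daemon. With Type=oneshot the unit
    # stays "activating" for its whole lifetime, which stalls anything ordered
    # after it and gives no normal restart handling; simple + Restart is the
    # matching type for a daemon.
    Type = "simple";
    Restart = "on-failure";
    RestartSec = 5;
    # Configuration is layered from three files: the store-rendered base config
    # plus the two sops-managed files carrying the `secrets` and `matrix`
    # sections. mas-cli merges repeated --config arguments; presumably later
    # files take precedence — confirm against the MAS docs.
    ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/mas_secrets_config --config=/run/secrets/mas_matrix_config";
    WorkingDirectory = "${pkgs.matrix-authentication-service}";
    # NOTE(review): the service shares its identity with Synapse, so a
    # compromise of either process reaches the other's files (both sops
    # secrets are owned by matrix-synapse). A dedicated user would be least
    # privilege; changing it also means updating the sops.secrets owner/group.
    User = "matrix-synapse";
    Group = "matrix-synapse";
    # Baseline sandboxing that cannot interfere with a loopback-only web
    # service reading from the store and /run/secrets.
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
  };
  wantedBy = [ "multi-user.target" ];
};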
sops.secrets =
  let
    # Shared permissions for both MAS config fragments: readable by the
    # service user and its group, and the service is restarted on rotation.
    # Group read (0440) means every process running as matrix-synapse can read
    # them; 0400 would narrow that to the owner if group access is not needed.
    masConfigSecret = {
      mode = "0440";
      owner = "matrix-synapse";
      group = "matrix-synapse";
      restartUnits = [ "matrix-authentication-service.service" ];
    };
  in
  {
    # Carries the `secrets` section of the MAS config.
    mas_secrets_config = masConfigSecret;
    # Carries the `matrix` section of the MAS config.
    mas_matrix_config = masConfigSecret;
  };
}