diff --git a/config/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix
new file mode 100644
index 0000000..bb36380
--- /dev/null
+++ b/config/hosts/matrix/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "matrix";
+ };
+
+ fileSystems = {
+ "/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoResize = true;
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
new file mode 100644
index 0000000..c0a7703
--- /dev/null
+++ b/config/hosts/matrix/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./postgresql.nix
+ ./matrix-synapse.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
new file mode 100644
index 0000000..e409805
--- /dev/null
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -0,0 +1,61 @@
+{ ... }:
+
+{
+ services.matrix-synapse = {
+ enable = true;
+
+ settings = {
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [
+ "::1"
+ "127.0.0.1"
+ ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+
+ resources = [
+ {
+ compress = true;
+ names = [ "client" ];
+ }
+ {
+ compress = false;
+ names = [ "federation" ];
+ }
+ ];
+ }
+ ];
+
+ server_name = "hamburg.ccc.de";
+ public_baseurl = "https://matrix.hamburg.ccc.de";
+
+ database = {
+ name = "psycopg2";
+ args.password = "synapse";
+ };
+
+ media_store_path = "/mnt/data/synapse_media_store";
+ max_upload_size = "500M";
+
+ admin_contact = "mailto:yuri+ccchh@nekover.se";
+ };
+
+ extraConfigFiles = [
+ "/secrets/matrix-registration-shared-secret.secret"
+ ];
+ };
+
+ deployment.keys = {
+ "matrix-registration-shared-secret.secret" = {
+ keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
+ destDir = "/secrets";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/matrix/networking.nix b/config/hosts/matrix/networking.nix
new file mode 100644
index 0000000..370bbbd
--- /dev/null
+++ b/config/hosts/matrix/networking.nix
@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+ networking.interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.150";
+ prefixLength = 25;
+ }
+ ];
+ };
+ networking.defaultGateway = "172.31.17.129";
+ networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ networking.search = [ "hamburg.ccc.de" ];
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "2A:A5:80:C3:8E:32";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..e5770b5
--- /dev/null
+++ b/config/hosts/matrix/nginx.nix
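Review bot: The database password is committed in clear text at `args.password = "synapse";`, and since `settings` is rendered into the homeserver config file in the Nix store it is readable by every local user; the same literal is repeated in the `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` line of postgresql.nix in this commit. PostgreSQL runs on the same host and NixOS' default pg_hba permits peer authentication on the unix socket, so the service can connect as the `matrix-synapse` unix user without any password: drop `args.password` here (the role and database are both named `matrix-synapse`, matching the unix user, so `args.user = "matrix-synapse"; args.database = "matrix-synapse";` is enough) and drop the `PASSWORD 'synapse'` clause in postgresql.nix. If a password must stay, it belongs in a file listed under `extraConfigFiles`, which is exactly how the registration shared secret is kept out of the store via `deployment.keys` in this hunk.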
@@ -0,0 +1,63 @@
+{ config, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-matrix.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "matrix.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."matrix.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "matrix.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ locations."~ ^(/_matrix|/_synapse/client)" = {
+ proxyPass = "http://localhost:8008";
+ extraConfig = ''
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+ '';
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ];
+}
diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix
new file mode 100644
index 0000000..20bcdd5
--- /dev/null
+++ b/config/hosts/matrix/postgresql.nix
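Review bot: The `proxyPass = "http://localhost:8008";` location forwards requests without `X-Forwarded-For`, `X-Forwarded-Proto` or `Host` headers, because `services.nginx.recommendedProxySettings` is not enabled anywhere in this file; the synapse listener in matrix-synapse.nix sets `x_forwarded = true;`, so unless config/common already turns it on synapse will record `127.0.0.1` as every client's address, which would blunt its address-based rate limits and make the per-user IP history in the admin API meaningless. Add `recommendedProxySettings = true;` next to `enable = true;`, or put the equivalent `proxy_set_header` lines into the location's `extraConfig`. The realip block below only trusts the PROXY-protocol header from 172.31.17.140, so once the header is forwarded it will carry the real client address rather than the proxy's.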
@@ -0,0 +1,17 @@
+{ pkgs, config, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+ dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+ };
+}
diff --git a/flake.nix b/flake.nix
index bc5d1d0..f8b4b7a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,6 +76,20 @@
 ./config/hosts/netbox
 ];
 };
+
+ matrix = {
+ deployment = {
+ targetHost = "matrix-intern.hamburg.ccc.de";
+ targetPort = 22;
+ targetUser = "colmena-deploy";
+ tags = [ "chaosknoten" ];
+ };
+ imports = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/hosts/matrix
+ ];
+ };
 };
 
 packages.x86_64-linux = {
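Review bot: The `initialScript` block in postgresql.nix is only run by the NixOS module when the cluster under `dataDir` is initialised for the first time, so any later edit to the SQL (changing the role's credentials, collation, or ownership) is silently ignored on an already-deployed host; that is not obvious from the file and deserves a comment above `initialScript`, e.g. `# Executed once, on first initialisation of dataDir; changes here do not reach an existing cluster.`. Because `dataDir` lives under `/mnt/data`, the "first start" is also whatever first happens on that mounted volume, which is worth stating in the same comment so a reprovisioned VM with an existing data disk is not expected to re-run it.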