Configure Matrix host

Co-authored-by: julian <julian@jsts.xyz>

config/hosts/matrix/configuration.nix

@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  networking = {
+    hostName = "matrix";
+  };
+
+  fileSystems = {
+    "/mnt/data" = {
+      device = "/dev/disk/by-label/data";
+      fsType = "ext4";
+      autoResize = true;
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

config/hosts/matrix/default.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./networking.nix
+    ./postgresql.nix
+    ./matrix-synapse.nix
+    ./nginx.nix
+  ];
+}

config/hosts/matrix/matrix-synapse.nix

@@ -0,0 +1,61 @@
+{ ... }:
+
+{
+  services.matrix-synapse = {
+    enable = true;
+
+    settings = {
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = [
+            "::1"
+            "127.0.0.1"
+          ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+
+          resources = [
+            {
+              compress = true;
+              names = [ "client" ];
+            }
+            {
+              compress = false;
+              names = [ "federation" ];
+            }
+          ];
+        }
+      ];
+
+      server_name = "hamburg.ccc.de";
+      public_baseurl = "https://matrix.hamburg.ccc.de";
+
+      database = {
+        name = "psycopg2";
+        args.password = "synapse";
+      };
+
+      media_store_path = "/mnt/data/synapse_media_store";
+      max_upload_size = "500M";
+      
+      admin_contact = "mailto:yuri+ccchh@nekover.se";
+    };
+
+    extraConfigFiles = [
+      "/secrets/matrix-registration-shared-secret.secret"
+    ];
+  };
+
+  deployment.keys = {
+    "matrix-registration-shared-secret.secret" = {
+      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
+      destDir = "/secrets";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}

config/hosts/matrix/networking.nix

@@ -0,0 +1,20 @@
+{ ... }:
+
+{
+  networking.interfaces.net0 = {
+    ipv4.addresses = [
+      {
+        address = "172.31.17.150";
+        prefixLength = 25;
+      }
+    ];
+  };
+  networking.defaultGateway = "172.31.17.129";
+  networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
+  networking.search = [ "hamburg.ccc.de" ];
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "2A:A5:80:C3:8E:32";
+    linkConfig.Name = "net0";
+  };
+}

config/hosts/matrix/nginx.nix

@@ -0,0 +1,63 @@
+{ config, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."acme-matrix.hamburg.ccc.de" = {
+      default = true;
+      enableACME = true;
+      serverName = "matrix.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    virtualHosts."matrix.hamburg.ccc.de" = {
+      default = true;
+      forceSSL = true;
+      useACMEHost = "matrix.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8448;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+
+      locations."~ ^(/_matrix|/_synapse/client)" = {
+        proxyPass = "http://localhost:8008";
+        extraConfig = ''
+          # Nginx by default only allows file uploads up to 1M in size
+          # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+          client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+        '';
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+  
+  networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ];
+}

config/hosts/matrix/postgresql.nix

@@ -0,0 +1,17 @@
+{ pkgs, config, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+
+    dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+  };
+}

flake.nix

@@ -76,6 +76,20 @@
           ./config/hosts/netbox
         ];
       };
+
+      matrix = {
+        deployment = {
+          targetHost = "matrix-intern.hamburg.ccc.de";
+          targetPort = 22;
+          targetUser = "colmena-deploy";
+          tags = [ "chaosknoten" ];
+        };
+        imports = [ 
+          ./config/common
+          ./config/proxmox-vm
+          ./config/hosts/matrix
+        ];
+      };
     };
 
     packages.x86_64-linux = {