From bf6051617062463f033725319db75e37fa3fa976 Mon Sep 17 00:00:00 2001
From: Jake Hillion
Date: Sun, 13 Nov 2022 16:25:13 +0000
Subject: [PATCH] vm.strangervm: move matrix@hillion.co.uk to vm.strangervm
---
.../default.nix | 2 +-
modules/matrix/default.nix | 75 ++++++++++++++++++
modules/reverse-proxy/global.nix | 6 ++
secrets/matrix/matrix.hillion.co.uk/email.age | Bin 0 -> 1254 bytes
.../macaroon_secret_key.age | 22 +++++
secrets/secrets.nix | 4 +
6 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 modules/matrix/default.nix
create mode 100644 secrets/matrix/matrix.hillion.co.uk/email.age
create mode 100644 secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age
diff --git a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
index 104be0a..ff982a2 100644
--- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
@@ -8,6 +8,7 @@ imports = [
 ../../modules/common/default.nix
+ ../../modules/matrix/default.nix
 ../../modules/resilio/default.nix
 ../../modules/reverse-proxy/global.nix
 ./hardware-configuration.nix
@@ -47,4 +48,3 @@
 { name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
 ];
 }
-
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
new file mode 100644
index 0000000..d925a3a
--- /dev/null
+++ b/modules/matrix/default.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+{
+ ## Matrix (matrix.hillion.co.uk)
+ config.age.secrets."matrix/matrix.hillion.co.uk/macaroon_secret_key" = {
+ file = ../../secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age;
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+ config.age.secrets."matrix/matrix.hillion.co.uk/email" = {
+ file = ../../secrets/matrix/matrix.hillion.co.uk/email.age;
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+
+ config.services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ config.services.matrix-synapse = {
+ enable = true;
+
+ extraConfigFiles = [
+ config.age.secrets."matrix/matrix.hillion.co.uk/macaroon_secret_key".path
+ config.age.secrets."matrix/matrix.hillion.co.uk/email".path
+ ];
+
+ settings = {
+ server_name = "hillion.co.uk";
+ public_baseurl = "https://matrix.hillion.co.uk/";
+ listeners = [
+ {
+ port = 8008;
+ tls = false;
+ type = "http";
+ x_forwarded = true;
+ bind_addresses = [ "::1" ];
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ database = {
+ name = "psycopg2";
+ args = {
+ database = "matrix-synapse";
+ user = "matrix-synapse";
+ password = "synapse";
+ host = "127.0.0.1";
+ cp_min = 5;
+ cp_max = 10;
+ };
+ };
+ enable_registration = true;
+ registrations_require_3pid = [ "email" ];
+ allowed_local_3pids = [
+ {
+ medium = "email";
+ pattern = "^[^@]+@hillion\.co\.uk$";
+ }
+ ];
+ suppress_key_server_warning = true;
+ };
+ };
+}
diff --git a/modules/reverse-proxy/global.nix b/modules/reverse-proxy/global.nix
index 4df5c84..3c184e2 100644
--- a/modules/reverse-proxy/global.nix
+++ b/modules/reverse-proxy/global.nix
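Review bot: The `allowed_local_3pids` pattern `"^[^@]+@hillion\.co\.uk$"` is a Nix double-quoted string, in which `\.` is reduced to a plain `.`, so the regex Synapse actually receives is `^[^@]+@hillion.co.uk$` and each dot matches any character; with `enable_registration = true` this pattern is the only thing restricting open registration to local addresses, so it should read `pattern = "^[^@]+@hillion\\.co\\.uk$";`. The Postgres password `'synapse'` is written twice, in `initialScript` and in `database.args.password`, and both the generated SQL file and the Synapse config built from `settings` appear to end up in the world-readable Nix store rather than behind agenix like the two secrets at the top of the file; because the database is local, pointing `host` at the Postgres socket directory and relying on peer authentication (or moving the password into one of the `extraConfigFiles` secrets) would keep it out of the store. That the NixOS module materialises `settings` into the store is inferred from it being plain module config rather than a secret path, so worth confirming before changing.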
@@ -9,6 +9,9 @@ services.caddy = { enable = true; + virtualHosts."hillion.co.uk".extraConfig = '' + respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200 + ''; virtualHosts."ts.hillion.co.uk".extraConfig = '' reverse_proxy http://10.48.62.14:8080 ''; @@ -21,6 +24,9 @@ virtualHosts."emby.hillion.co.uk".extraConfig = '' reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096 ''; + virtualHosts."matrix.hillion.co.uk".extraConfig = '' + reverse_proxy http://vm.strangervm.ts.hillion.co.uk:8008 + ''; virtualHosts."unifi.hillion.co.uk".extraConfig = '' reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 { transport http { diff --git a/secrets/matrix/matrix.hillion.co.uk/email.age b/secrets/matrix/matrix.hillion.co.uk/email.age new file mode 100644 index 0000000000000000000000000000000000000000..9d284a560a6fa766cc38d16388aff0f57523a2f1 GIT binary patch literal 1254 zcmYk({mT;t0KoC`siaGSG^rHjNlWOt9`AK~Hqu9L+iknu%kH+@Zg)v>yWMu%?Y7(9 z?qz2_JXV4fp^-_&Lx?0L(vu*8P@0j1s1(wh24Rs1W&MzEpk;4A1pNhH_A}wE+f=;S~8gSfzc|x<>t_&9d zT(vrlMkmLsp+V@)5y~lMex%kwM9HVQfaYmg4A^ogwBrhuLDJ?hz~iY%loJS6gW@e9 zh6o{H+d;Z4jN+*V(Uu}R6#moJ8)z(sB*%*|!{%G#`HDt|=7o4pv`OUeweP-8@CAS^Bu*doF-M{A6 zZkm0yIHUaW>)6J{&CiZLD{Z)W|A$ZMgWK=guC~ET6S-q+g2UJItKI2?%FNiR!9$gg z?pgT6Dq+{61;q8)rN3-?BWxS{9)7>_-FpX4K6&R06RdZ->z}zkv-;q{L-=6v+2@sc zXXSmjx|i6s)4S(SoO%@6Ji9eq@vXP;I9r!)>_z=&x+q${aDLtI>o(syHFtjT*RyXW z+usjt|I&%)4lFBiZ}aCCt|`uZv3|$+{7)Me9T{$UyfbIrAm1E6eC7`F<@sHg&&{6! zC;q(l^DD<6TPpIekL|zr;_l4M(PIzdS034Mb=l|3XFu7t^%QpU^39zS-)#Q$(6!sZ er>}g_oLjSVY|jJgOFua8TzzfzisjQUe)Ts{uE$~k literal 0 HcmV?d00001 diff --git a/secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age b/secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age new file mode 100644 index 0000000..49af68d --- /dev/null +++ b/secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age 
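Review bot: The proxy target `http://vm.strangervm.ts.hillion.co.uk:8008` in the second hunk does not match the Synapse listener this same commit adds in `modules/matrix/default.nix`, which binds only `[ "::1" ]`; if that hostname resolves to the host's Tailscale address rather than loopback, Caddy will be unable to connect. The first hunk of `hosts/vm.strangervm.ts.hillion.co.uk/default.nix` imports both this file and the matrix module, so the proxy and Synapse run on the same host and `reverse_proxy http://[::1]:8008` would match the listener as configured. Widening `bind_addresses` instead would be the weaker fix, because `x_forwarded = true` makes Synapse trust forwarded-for headers from anything that can reach port 8008, so the listener is best left loopback-only.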
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-rsa GxPFJQ +P+0KXVdzP9LOCrfJ8mENrknodn3Eiyt+U7tvQ2sBM4NL7UWoGXm6gk5UiIhY327b +PDVkxCedvI8ubdm0lHO6krppW6WFdaxJDvojoSQOQi6MNhheJfiyd4A3LnonUfID +sWGvqoTpKE/2Ua43hxz6PM/tGTMhIRkV9h8XEc0KsTN9UIkL80GQwNPrw5NWGR/I +6/+t6kYUJiVZdksUHAC/OA3RjnmJezucL/e23emRgFXCrv1i4TgZPIQbOs5PkfZM +VEOY0Pjz6NYxL6BWIkfgkePmZRL+pzpPVJBqehAUS3aUkf1P5YGfjnO9w32f095w +HxIiIxUNlF8rZPh3q4i52g +-> ssh-rsa K9mW1w +IGBmiwGX626k3yHsX1I56YODkl8qcHEEP3W+r3Ihwqszgxk2nAykAkkO6R9tN1kv +N0knR5xBVXzLzXIBAhIjaoEgkE5dLy46b0n2sZUcJ5iWG2PdqV/x7dJMrIVu3Ezn +LU1dztSOYjRJzKuRLI7uKuFPmDH8xq1ey8NWxWVZhuWJ7ETZkHqCxxryGHZzpi6k +cPu0dM9WQuaXI1qrmhI008iNhyvRgMRNBHMCslC/FCReAIOL9yZQ1i9kmcN5i24m +LgagL74GFEPRTPmRzynVttLk7DIk81r24gOBdWdvlTVuXGfQMzlG4B+ed1EC31Pv +u51Wj9TIqWg/RYNOqK7u0g +-> ssh-ed25519 O0LMHg trgcLiflNv4yLOdCecrvemKOv3gpEXsUnHc2AK93xzc +neAWZIHgS9Oe76juS0fyMDTEn1E3svP7Q5ak9Qaa66Y +-> R_$N!}S\MfAt/g>^ Xc,`Vm/RS Al UG;WC3O?"©fRPu2x]1 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2b21db4..82a7dcc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -32,4 +32,8 @@ in "resilio/plain/projects.age".publicKeys = users ++ [ gendry_terminals ]; "resilio/plain/resources.age".publicKeys = users ++ [ gendry_terminals ]; "resilio/plain/sync.age".publicKeys = users ++ [ gendry_terminals ]; + + # Matrix Secrets + "matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = users ++ [ vm_strangervm ]; + "matrix/matrix.hillion.co.uk/email.age".publicKeys = users ++ [ vm_strangervm ]; }