vm.strangervm: move matrix@hillion.co.uk to vm.strangervm

2022-11-13 16:25:13 +00:00 · 2022-11-13 16:25:13 +00:00 · bf60516170
commit bf60516170
parent 37cb451b4a
6 changed files with 108 additions and 1 deletions
--- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
@ -8,6 +8,7 @@

  imports = [
    ../../modules/common/default.nix
+    ../../modules/matrix/default.nix
    ../../modules/resilio/default.nix
    ../../modules/reverse-proxy/global.nix
    ./hardware-configuration.nix
@ -47,4 +48,3 @@
    { name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
  ];
 }
-
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+{
+  ## Matrix (matrix.hillion.co.uk)
+  config.age.secrets."matrix/matrix.hillion.co.uk/macaroon_secret_key" = {
+    file = ../../secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+  config.age.secrets."matrix/matrix.hillion.co.uk/email" = {
+    file = ../../secrets/matrix/matrix.hillion.co.uk/email.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  config.services.postgresql = {
+    enable = true;
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+
+  config.services.matrix-synapse = {
+    enable = true;
+
+    extraConfigFiles = [
+      config.age.secrets."matrix/matrix.hillion.co.uk/macaroon_secret_key".path
+      config.age.secrets."matrix/matrix.hillion.co.uk/email".path
+    ];
+
+    settings = {
+      server_name = "hillion.co.uk";
+      public_baseurl = "https://matrix.hillion.co.uk/";
+      listeners = [
+        {
+          port = 8008;
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+          bind_addresses = [ "::1" ];
+          resources = [
+            {
+              names = [ "client" "federation" ];
+              compress = false;
+            }
+          ];
+        }
+      ];
+      database = {
+        name = "psycopg2";
+        args = {
+          database = "matrix-synapse";
+          user = "matrix-synapse";
+          password = "synapse";
+          host = "127.0.0.1";
+          cp_min = 5;
+          cp_max = 10;
+        };
+      };
+      enable_registration = true;
+      registrations_require_3pid = [ "email" ];
+      allowed_local_3pids = [
+        {
+          medium = "email";
+          pattern = "^[^@]+@hillion\.co\.uk$";
+        }
+      ];
+      suppress_key_server_warning = true;
+    };
+  };
+}
--- a/modules/reverse-proxy/global.nix
+++ b/modules/reverse-proxy/global.nix
@ -9,6 +9,9 @@
  services.caddy = {
    enable = true;

+    virtualHosts."hillion.co.uk".extraConfig = ''
+      respond /.well-known/matrix/server "{\"m.server\": \"matrix.hillion.co.uk:443\"}" 200
+    '';
    virtualHosts."ts.hillion.co.uk".extraConfig = ''
      reverse_proxy http://10.48.62.14:8080
    '';
@ -21,6 +24,9 @@
    virtualHosts."emby.hillion.co.uk".extraConfig = ''
      reverse_proxy http://plex.mediaserver.ts.hillion.co.uk:8096
    '';
+    virtualHosts."matrix.hillion.co.uk".extraConfig = ''
+      reverse_proxy http://vm.strangervm.ts.hillion.co.uk:8008
+    '';
    virtualHosts."unifi.hillion.co.uk".extraConfig = ''
      reverse_proxy https://unifi.unifi.ts.hillion.co.uk:8443 {
        transport http {
--- a/secrets/matrix/matrix.hillion.co.uk/email.age
+++ b/secrets/matrix/matrix.hillion.co.uk/email.age
--- a/secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age
+++ b/secrets/matrix/matrix.hillion.co.uk/macaroon_secret_key.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+P+0KXVdzP9LOCrfJ8mENrknodn3Eiyt+U7tvQ2sBM4NL7UWoGXm6gk5UiIhY327b
+PDVkxCedvI8ubdm0lHO6krppW6WFdaxJDvojoSQOQi6MNhheJfiyd4A3LnonUfID
+sWGvqoTpKE/2Ua43hxz6PM/tGTMhIRkV9h8XEc0KsTN9UIkL80GQwNPrw5NWGR/I
+6/+t6kYUJiVZdksUHAC/OA3RjnmJezucL/e23emRgFXCrv1i4TgZPIQbOs5PkfZM
+VEOY0Pjz6NYxL6BWIkfgkePmZRL+pzpPVJBqehAUS3aUkf1P5YGfjnO9w32f095w
+HxIiIxUNlF8rZPh3q4i52g
+-> ssh-rsa K9mW1w
+IGBmiwGX626k3yHsX1I56YODkl8qcHEEP3W+r3Ihwqszgxk2nAykAkkO6R9tN1kv
+N0knR5xBVXzLzXIBAhIjaoEgkE5dLy46b0n2sZUcJ5iWG2PdqV/x7dJMrIVu3Ezn
+LU1dztSOYjRJzKuRLI7uKuFPmDH8xq1ey8NWxWVZhuWJ7ETZkHqCxxryGHZzpi6k
+cPu0dM9WQuaXI1qrmhI008iNhyvRgMRNBHMCslC/FCReAIOL9yZQ1i9kmcN5i24m
+LgagL74GFEPRTPmRzynVttLk7DIk81r24gOBdWdvlTVuXGfQMzlG4B+ed1EC31Pv
+u51Wj9TIqWg/RYNOqK7u0g
+-> ssh-ed25519 O0LMHg trgcLiflNv4yLOdCecrvemKOv3gpEXsUnHc2AK93xzc
+neAWZIHgS9Oe76juS0fyMDTEn1E3svP7Q5ak9Qaa66Y
+-> R_$N!<cA-grease
+xY6KvypbZ/PE0YJCu27w/pAvmkiqGIrxZ6t28/Jm02+b9sFY
+--- 56u/OV+nNAceHwVQ7igojGkV4eBB/jADPOZY1au7gQg
+DÝ6=HS¸÷ñ
+38= ÙüDI>Ü}S\M<>Åf¼‚ûA<C3BB>âtœ/g<>>^å»
ÓâÇXc¶,`òÜVmÍ/<2F>÷R¾‡Sè ¦AÁl
ßæUGñ˜;ÈWÂüC3O¦¬?<3F>"À£Â©fRP¥uœ2x]“1÷ì
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -32,4 +32,8 @@ in
  "resilio/plain/projects.age".publicKeys = users ++ [ gendry_terminals ];
  "resilio/plain/resources.age".publicKeys = users ++ [ gendry_terminals ];
  "resilio/plain/sync.age".publicKeys = users ++ [ gendry_terminals ];
+
+  # Matrix Secrets
+  "matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = users ++ [ vm_strangervm ];
+  "matrix/matrix.hillion.co.uk/email.age".publicKeys = users ++ [ vm_strangervm ];
 }