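{
  pkgs,
  config,
  ...
}: let
  # Matrix server name (user IDs look like @user:tristans.cloud) and the host
  # that actually runs Synapse; the .well-known documents below delegate from
  # the former to the latter.
  domain = "tristans.cloud";
  hostname = "matrix";
  fqdn = "${hostname}.${domain}";

  # Loopback port Synapse listens on; nginx proxies to it.
  port = 8008;

  # Nginx location body that answers with `data` serialised as JSON.
  # The wildcard CORS header is what the Matrix spec requires for
  # /.well-known/matrix/client so that web clients can read it.
  # `data` ends up inside nginx's single-quoted `return` argument, so it must
  # not contain a single quote.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';

  inherit (config) sops;
  inherit (config.services) matrix-sliding-sync;
  inherit (sops) secrets templates;
in {
  services.postgresql.enable = true;
  # Synapse needs a database with C collation/ctype created from template0;
  # the generic ensureDatabases option cannot express that, hence the script.
  # NOTE(review): the role password sits in the world-readable Nix store. That
  # is only harmless if Synapse reaches PostgreSQL over the local unix socket
  # with peer authentication — confirm that is the case, otherwise move the
  # password into a sops secret.
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  sops.secrets = {
    # Read directly by the synapse process, so it must be owned by its user.
    "synapse/signing_key".owner = "matrix-synapse";
    # Only consumed through the sops templates below; ownership is set on the
    # rendered template instead.
    "synapse/oidc_client_secret" = {};
    "synapse/sliding_sync_secret" = {};
  };

  sops.templates = {
    # Extra Synapse config file holding the OIDC provider together with its
    # client secret, so the secret never enters the Nix store. JSON is valid
    # YAML, so toJSON is enough here.
    "synapse/secrets.yaml" = {
      owner = "matrix-synapse";
      content = builtins.toJSON {
        oidc_providers = [
          {
            idp_id = "authentik";
            idp_name = "authentik";
            discover = true;
            issuer = "https://auth.tristans.cloud/application/o/chat/";
            client_id = "fdad520e8c57f228aaa658aa74d5e00ba9b164a3";
            client_secret = sops.placeholder."synapse/oidc_client_secret";
            scopes = ["openid" "profile" "email"];
            user_mapping_provider.config = {
              localpart_template = "{{ user.preferred_username }}";
              display_name_template = "{{ user.name|capitalize }}";
            };
          }
        ];
      };
    };

    # Environment file for the sliding-sync proxy; holds its shared secret.
    "synapse/sliding_sync_env".content = ''
      SYNCV3_SECRET=${sops.placeholder."synapse/sliding_sync_secret"}
    '';
  };

  services.matrix-synapse = {
    enable = true;
    extraConfigFiles = [templates."synapse/secrets.yaml".path];
    settings = {
      signing_key_path = secrets."synapse/signing_key".path;
      server_name = domain;
      baseurl = "https://${domain}";
      # The sops-rendered extra config file above supplies the real provider
      # list; this only gives the main config file an explicit (empty) key.
      oidc_providers = [];
      # Was written as `settings.listeners` *inside* `settings`, which produced
      # `settings.settings.listeners` and left this listener definition unused
      # (it only worked because the module's default listener also uses 8008).
      listeners = [
        {
          inherit port;
          bind_addresses = ["localhost"];
          type = "http";
          tls = false;
          # TLS is terminated by nginx in front; trust its X-Forwarded-* headers.
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];
    };
  };

  services.matrix-sliding-sync = {
    enable = true;
    environmentFile = templates."synapse/sliding_sync_env".path;
    settings.SYNCV3_SERVER = "https://${domain}";
  };

  services.nginx.virtualHosts = let
    # Locations shared by the root domain and the synapse host: client and
    # federation traffic goes to Synapse, the MSC3575 sync endpoint to the
    # sliding-sync proxy (read from its own module, not the old
    # services.matrix-synapse.sliding-sync path).
    matrixLocations = {
      "/_matrix".proxyPass = "http://localhost:${toString port}";
      "/_synapse/client".proxyPass = "http://localhost:${toString port}";
      "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://${toString matrix-sliding-sync.settings.SYNCV3_BINDADDR}";
    };
  in {
    # NOTE(review): no enableACME/forceSSL on this vhost — presumably the
    # root-domain vhost is declared with TLS in another module; .well-known
    # lookups are made over HTTPS, so confirm that.
    ${domain} = {
      locations =
        matrixLocations
        // {
          # Server delegation: federation for the bare domain goes to fqdn:443.
          "= /.well-known/matrix/server".extraConfig = mkWellKnown {
            "m.server" = "${fqdn}:443";
          };
          # Client discovery, including the sliding-sync proxy location.
          "= /.well-known/matrix/client".extraConfig = mkWellKnown {
            "m.homeserver".base_url = "https://${fqdn}";
            "org.matrix.msc3575.proxy"."url" = "https://${fqdn}";
          };
          # Abuse/support contact document (MSC1929).
          "= /.well-known/matrix/support".extraConfig = mkWellKnown {
            admins = [
              {
                matrix_id = "@tristan:tristans.cloud";
                email_address = "tristan@tristans.cloud";
                role = "admin";
              }
            ];
          };
        };
    };

    ${fqdn} = {
      enableACME = true;
      forceSSL = true;
      locations = matrixLocations;
    };
  };
}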