nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

2,379 bytes raw

{
  config,
  pkgs,
  lib,
  ...
}: let
  domain = "tonybtw.com";
  matrixDomain = "matrix.${domain}";
  clientConfig = {
    "m.homeserver".base_url = "https://${matrixDomain}";
    "m.identity_server" = {};
  };
  serverConfig = {
    "m.server" = "${matrixDomain}:443";
  };
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in {
  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      public_baseurl = "https://${matrixDomain}";

      listeners = [
        {
          port = 8008;
          bind_addresses = ["127.0.0.1"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];

      database = {
        name = "psycopg2";
        allow_unsafe_locale = true;
        args = {
          user = "matrix-synapse";
          database = "matrix-synapse";
          host = "/run/postgresql";
        };
      };

      max_upload_size_mib = 100;
      url_preview_enabled = true;
      enable_registration = false;
      enable_metrics = false;
      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";

      trusted_key_servers = [
        {
          server_name = "matrix.org";
        }
      ];
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = ["matrix-synapse"];
    ensureUsers = [
      {
        name = "matrix-synapse";
        ensureDBOwnership = true;
      }
    ];
  };

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
    locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
  };

  services.nginx.virtualHosts.${matrixDomain} = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8008";
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 100M;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [8448];
}

1	`{`
2	`config,`
3	`pkgs,`
4	`lib,`
5	`...`
6	`}: let`
7	`domain = "tonybtw.com";`
8	`matrixDomain = "matrix.${domain}";`
9	`clientConfig = {`
10	`"m.homeserver".base_url = "https://${matrixDomain}";`
11	`"m.identity_server" = {};`
12	`};`
13	`serverConfig = {`
14	`"m.server" = "${matrixDomain}:443";`
15	`};`
16	`mkWellKnown = data: ''`
17	`default_type application/json;`
18	`add_header Access-Control-Allow-Origin *;`
19	`return 200 '${builtins.toJSON data}';`
20	`'';`
21	`in {`
22	`services.matrix-synapse = {`
23	`enable = true;`
24	`settings = {`
25	`server_name = domain;`
26	`public_baseurl = "https://${matrixDomain}";`
27
28	`listeners = [`
29	`{`
30	`port = 8008;`
31	`bind_addresses = ["127.0.0.1"];`
32	`type = "http";`
33	`tls = false;`
34	`x_forwarded = true;`
35	`resources = [`
36	`{`
37	`names = ["client" "federation"];`
38	`compress = true;`
39	`}`
40	`];`
41	`}`
42	`];`
43
44	`database = {`
45	`name = "psycopg2";`
46	`allow_unsafe_locale = true;`
47	`args = {`
48	`user = "matrix-synapse";`
49	`database = "matrix-synapse";`
50	`host = "/run/postgresql";`
51	`};`
52	`};`
53
54	`max_upload_size_mib = 100;`
55	`url_preview_enabled = true;`
56	`enable_registration = false;`
57	`enable_metrics = false;`
58	`registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";`
59
60	`trusted_key_servers = [`
61	`{`
62	`server_name = "matrix.org";`
63	`}`
64	`];`
65	`};`
66	`};`
67
68	`services.postgresql = {`
69	`enable = true;`
70	`ensureDatabases = ["matrix-synapse"];`
71	`ensureUsers = [`
72	`{`
73	`name = "matrix-synapse";`
74	`ensureDBOwnership = true;`
75	`}`
76	`];`
77	`};`
78
79	`services.nginx.virtualHosts.${domain} = {`
80	`enableACME = true;`
81	`forceSSL = true;`
82	`locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;`
83	`locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;`
84	`};`
85
86	`services.nginx.virtualHosts.${matrixDomain} = {`
87	`enableACME = true;`
88	`forceSSL = true;`
89	`locations."/" = {`
90	`proxyPass = "http://127.0.0.1:8008";`
91	`extraConfig = ''`
92	`proxy_set_header X-Forwarded-For $remote_addr;`
93	`proxy_set_header X-Forwarded-Proto $scheme;`
94	`proxy_set_header Host $host;`
95	`client_max_body_size 100M;`
96	`'';`
97	`};`
98	`};`
99
100	`networking.firewall.allowedTCPPorts = [8448];`
101	`}`