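# adapted from https://nixos.org/manual/nixos/stable/index.html#module-services-matrix
#
# NixOS module for a DigitalOcean droplet running a Synapse homeserver for the
# domain `waffle.farm`: nginx terminates TLS (ACME) and reverse-proxies the
# Matrix API, Element web is served on chat.<domain>, and postgres keeps its
# data on an attached DO block-storage volume.
{ modulesPath, config, lib, pkgs, ... }:

let
  # Attached DigitalOcean volume, mounted at storage-dir and used as the
  # postgres data directory so the database survives rebuilding the droplet.
  storage-device = "/dev/disk/by-id/scsi-0DO_Volume_matrix-storage";
  storage-dir = "/opt/matrix-data";

  # SECURITY NOTE(review): this secret is read at evaluation time and
  # interpolated into the generated homeserver config, which means it is
  # written to the world-readable /nix/store on the host.  If the module
  # version in use supports `services.matrix-synapse.extraConfigFiles`,
  # prefer pointing that at a root-only YAML file on the host instead.
  matrix-reg-key = builtins.readFile ./matrix_reg_key;

  # "<hostName>.<domain>", or just "<hostName>" when no domain is configured.
  fqdn =
    let
      join = hostName: domain:
        hostName + lib.optionalString (domain != null) ".${domain}";
    in
    join config.networking.hostName config.networking.domain;
in
{
  imports = [
    "${toString modulesPath}/virtualisation/digital-ocean-image.nix"
  ];

  environment.systemPackages = [ pkgs.jq ];

  services.openssh.enable = true;

  # 8448 is deliberately not opened: federation is delegated to :443 via the
  # /.well-known/matrix/server response below.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  # Public key only; read from the deploying user's home at evaluation time
  # (requires an impure / non-flake evaluation).
  users.users.root.openssh.authorizedKeys.keys = [
    (builtins.readFile "/home/mike/.ssh/id_mops.pub")
  ];

  ### app specific config

  # mount DigitalOcean volume for use by postgres
  fileSystems."${storage-dir}" = {
    device = storage-device;
  };

  networking = {
    hostName = "matrix";
    domain = "waffle.farm";
  };

  services.postgresql = {
    enable = true;
    dataDir = "${storage-dir}/db";
    # NOTE(review): the role password below is the placeholder from the NixOS
    # manual.  It is only acceptable because postgres is not reachable through
    # the firewall above and synapse is expected to connect over the local
    # socket -- confirm the module's default connection settings before
    # relying on this; do not reuse this password for any remote access.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Apex domain: only serves the .well-known delegation documents and
      # redirects everything else to the web client.
      "${config.networking.domain}" = {
        enableACME = true;
        forceSSL = true;

        locations."= /.well-known/matrix/server".extraConfig =
          let
            # use 443 instead of the default 8448 port to unite
            # the client-server and server-server port for simplicity
            server = { "m.server" = "${fqdn}:443"; };
          in
          ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';

        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in
          # ACAO required to allow element-web on any URL to request this json file;
          # the document contains no secrets, so a wildcard origin is fine here.
          ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';

        locations."/".extraConfig = ''
          return 301 https://chat.waffle.farm;
        '';
      };

      # Reverse proxy for Matrix client-server and server-server communication.
      ${fqdn} = {
        enableACME = true;
        forceSSL = true;

        # Anything that is not the Matrix API is redirected to the web client.
        # Do not serve a Matrix web client from this host itself: keeping the
        # client on a separate origin avoids sharing cookies/storage with the
        # homeserver API (see the chat.<domain> vhost below).
        locations."/".extraConfig = ''
          return 301 https://chat.waffle.farm;
        '';

        # Forward all Matrix API calls to the synapse homeserver, which listens
        # on loopback only (see services.matrix-synapse.listeners).
        # NOTE(review): some synapse features (e.g. SSO/password-reset pages)
        # are served under /_synapse/client and are not proxied here -- add a
        # matching location if those are needed.
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
      };

      # Element web client.  The vhost name already acts as the server_name;
      # repeating it in serverAliases made nginx log a "conflicting server
      # name ... ignored" warning, so the alias list was dropped.
      "chat.${config.networking.domain}" = {
        enableACME = true;
        forceSSL = true;
        root = pkgs.element-web.override {
          conf = {
            default_server_config."m.homeserver" = {
              "base_url" = "https://${fqdn}";
              "server_name" = "${config.networking.domain}";
            };
          };
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = config.networking.domain;
    # See the SECURITY NOTE on matrix-reg-key above: this value lands in the
    # Nix store.
    registration_shared_secret = matrix-reg-key;
    listeners = [
      {
        # Plain HTTP on loopback only; nginx terminates TLS and sets the
        # X-Forwarded-* headers that x_forwarded tells synapse to trust.
        port = 8008;
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          {
            names = [ "client" "federation" ];
            compress = false;
          }
        ];
      }
    ];
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "${fqdn}".email = "mike@betamike.com";
    "${config.networking.domain}".email = "mike@betamike.com";
    "chat.${config.networking.domain}".email = "mike@betamike.com";
  };
}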