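# adapted from https://nixos.org/manual/nixos/stable/index.html#module-services-matrix
#
# NixOS module for a single-host Matrix deployment on a DigitalOcean droplet:
# PostgreSQL + matrix-synapse behind nginx (ACME/TLS), Element Web on a
# `chat.` subdomain, and the matrix-registration invite-token service on the
# apex domain. Every host/domain literal is derived from
# `networking.hostName` / `networking.domain` (set below), so renaming the
# deployment is a one-place edit.
{ modulesPath, config, lib, pkgs, ... }:

let
  matrix-registration = import ../../matrix-registration/default.nix;

  # DigitalOcean block-storage volume holding everything stateful
  # (PostgreSQL data dir, matrix-registration home + sqlite db).
  storage-device = "/dev/disk/by-id/scsi-0DO_Volume_matrix-storage";
  storage-dir = "/srv/matrix-data";
  matrix-reg-dir = "${storage-dir}/matrix-registration";

  # Shared secret for synapse's registration API and matrix-registration.
  # A trailing newline in the key file would otherwise be carried into both
  # YAML values, so strip it once here.
  #
  # NOTE(security): builtins.readFile pulls the secret into the evaluated
  # configuration, and both consumers below write it into world-readable
  # /nix/store files (the generated homeserver.yaml and matrix-reg-config.yaml),
  # so any local account on the host can read it. The fix is to keep the
  # secret in a root-only file loaded at runtime (e.g.
  # services.matrix-synapse.extraConfigFiles for synapse, and a start-time
  # templated config or systemd LoadCredential for matrix-registration);
  # not done here because it is a deployment change, not a refactor.
  matrix-reg-key = lib.removeSuffix "\n" (builtins.readFile ./matrix_reg_key);

  # "<hostName>.<domain>", or just "<hostName>" when no domain is set.
  fqdn =
    let
      join = host: dom:
        host + lib.optionalString (dom != null) ".${dom}";
    in
    join config.networking.hostName config.networking.domain;

  domain = config.networking.domain;
  chatHost = "chat.${domain}";
  acmeEmail = "mike@betamike.com";

  # Every public vhost gets a Let's Encrypt cert and an HTTP->HTTPS redirect.
  tlsVirtualHost = {
    enableACME = true;
    forceSSL = true;
  };
in
{
  imports = [ "${toString modulesPath}/virtualisation/digital-ocean-image.nix" ];

  environment.systemPackages = [ pkgs.jq matrix-registration ];

  services.openssh.enable = true;

  # Only SSH and the HTTP(S) front door are exposed. synapse (8008) and
  # matrix-registration (5000) listen on loopback and are reached via nginx;
  # federation is served on 443 (see the .well-known/matrix/server answer),
  # so 8448 is deliberately not opened.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  # Root access by public key only; the key is read from the deploying
  # machine at evaluation time (absolute path, so evaluation is host-specific).
  users.users.root.openssh.authorizedKeys.keys = [
    (builtins.readFile "/home/mike/.ssh/id_mops.pub")
  ];

  ### app specific config

  # mount DigitalOcean volume for use by postgres
  fileSystems."${storage-dir}" = { device = storage-device; };

  networking = {
    hostName = "matrix";
    domain = "waffle.farm";
  };

  services.postgresql = {
    enable = true;
    dataDir = "${storage-dir}/db";
    # Runs once, when the data directory is first initialised. The literal
    # role password is the one from the NixOS manual; NOTE(review): it only
    # matters if password authentication over TCP is ever enabled for this
    # cluster — confirm the cluster is socket/peer-auth only.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Supplies the X-Forwarded-* headers that synapse's x_forwarded listener
    # setting relies on for client IP / scheme.
    recommendedProxySettings = true;

    virtualHosts = {
      # Apex domain: Matrix discovery documents + the registration front end.
      "${domain}" = tlsVirtualHost // {
        locations."= /.well-known/matrix/server".extraConfig =
          let
            # use 443 instead of the default 8448 port to unite
            # the client-server and server-server port for simplicity
            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';

        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          # ACAO required to allow element-web on any URL to request this json file
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';

        locations."/".extraConfig = ''
          return 301 https://${domain}/register;
        '';

        # matrix-registration's web UI and static assets (loopback only).
        locations."~ ^/(static|register)" = {
          proxyPass = "http://localhost:5000";
        };
      };

      # Reverse proxy for Matrix client-server and server-server communication
      "${fqdn}" = tlsVirtualHost // {
        # Everything that is not the Matrix API is redirected to the web
        # client. Do not put a Matrix Web client here! See the Element web
        # section below.
        locations."/".extraConfig = ''
          return 301 https://${chatHost};
        '';

        # forward all Matrix API calls to the synapse Matrix homeserver
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
      };

      # Element Web, pre-configured to talk to this homeserver.
      "${chatHost}" = tlsVirtualHost // {
        root = pkgs.element-web.override {
          conf = {
            default_server_config."m.homeserver" = {
              "base_url" = "https://${fqdn}";
              "server_name" = domain;
            };
          };
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = domain;
    # See the NOTE on matrix-reg-key: this value lands in the store-resident
    # homeserver.yaml.
    registration_shared_secret = matrix-reg-key;
    extraConfig = ''
      allow_public_rooms_over_federation: true
      auto_join_rooms:
        - "#cryptic-chat:${domain}"
    '';
    # Plain HTTP on loopback only; TLS is terminated by nginx, which forwards
    # the client address (hence x_forwarded).
    listeners = [
      {
        port = 8008;
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          { names = [ "client" "federation" ]; compress = false; }
        ];
      }
    ];
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "${fqdn}".email = acmeEmail;
    "${domain}".email = acmeEmail;
    "${chatHost}".email = acmeEmail;
  };

  users.users.matrix-registration = {
    home = matrix-reg-dir;
    createHome = true;
  };

  systemd.services.matrix-registration =
    let
      # NOTE(security): pkgs.writeText materialises this file, shared secret
      # included, in the world-readable /nix/store (see matrix-reg-key).
      # The service itself only binds to localhost:5000 and is rate-limited;
      # root logger is DEBUG but the only handler emits at INFO.
      configFile = pkgs.writeText "matrix-reg-config.yaml" ''
        server_location: 'https://${fqdn}:443'
        base_url: '${domain}'
        server_name: '${domain}'
        shared_secret: '${matrix-reg-key}'
        riot_instance: '${chatHost}'
        db: 'sqlite:///${matrix-reg-dir}/db.sqlite3'
        host: 'localhost'
        port: 5000
        rate_limit: ["100 per day", "10 per minute"]
        allow_cors: false
        logging:
          disable_existing_loggers: False
          version: 1
          root:
            level: DEBUG
            handlers: [console]
          formatters:
            brief:
              format: '%(name)s - %(levelname)s - %(message)s'
            precise:
              format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
          handlers:
            console:
              class: logging.StreamHandler
              level: INFO
              formatter: brief
              stream: ext://sys.stdout
        password:
          min_length: 8
      '';
    in
    {
      enable = true;
      # Tied to synapse's lifecycle: started after it and stopped with it.
      after = [ "matrix-synapse.service" ];
      bindsTo = [ "matrix-synapse.service" ];
      description = "Matrix-registration daemon";
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): no systemd sandboxing directives (ProtectSystem,
      # PrivateTmp, NoNewPrivileges, ...) are set for this network-facing
      # service; worth adding once verified against matrix-reg-dir writes.
      serviceConfig = {
        Type = "simple";
        # cwd is the read-only store path; the config and db paths are
        # absolute, so this presumably does not matter — confirm.
        WorkingDirectory = matrix-registration;
        ExecStart = "${matrix-registration}/bin/matrix-registration --config-path ${configFile} serve";
        User = "matrix-registration";
        Restart = "always";
      };
    };
}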