From 40573a44778b758dc8bea56090e9ffcc3d30aa58 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Sun, 11 Feb 2024 14:09:04 +0100
Subject: [PATCH] Self host `matrixy-synapse` on `sisko`

---
 hosts/default.nix | 2 +
 hosts/sisko/default.nix | 1 +
 modules/cloudflare-dyndns/default.nix | 4 +-
 modules/matrix/default.nix | 77 ++++++++++++++++++
 secrets/hass-ssh-key.age | Bin 0 -> 2035 bytes
 secrets/matrix-registration-shared-secret.age | 29 +++++++
 secrets/secrets.nix | 2 +
 7 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 modules/matrix/default.nix
 create mode 100644 secrets/hass-ssh-key.age
 create mode 100644 secrets/matrix-registration-shared-secret.age

diff --git a/hosts/default.nix b/hosts/default.nix
index de8e4d2..66865e8 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -142,6 +142,8 @@
 "restic-hetzner-password" = {};
 "minio-credentials".owner = "minio";
 "aws-credentials".owner = "hercules-ci-agent";
+ "hass-ssh-key".owner = "hass";
+ "matrix-registration-shared-secret".owner = "matrix-synapse";
 };
 };
 };
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 01818df..1e33ebf 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -28,6 +28,7 @@
 "restic"
 "syncthing"
 "minio"
+ "matrix"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix
index c7beae2..d9c40b5 100644
--- a/modules/cloudflare-dyndns/default.nix
+++ b/modules/cloudflare-dyndns/default.nix
@@ -4,13 +4,15 @@
 ipv4 = true;
 ipv6 = false; # not anymore 😭
 domains = [
- # "sevenofnix.aciceri.dev"
+ "aciceri.dev"
+ "git.aciceri.dev"
 "home.aciceri.dev"
 "torrent.aciceri.dev"
 "search.aciceri.dev"
 "invidious.aciceri.dev"
 "vpn.aciceri.dev"
 "cache.aciceri.dev"
+ "matrix.aciceri.dev"
 ];
 apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
 };
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
new file mode 100644
index 0000000..c248ac3
--- /dev/null
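Review bot: The `hass-ssh-key` secret declared in this hunk (`"hass-ssh-key".owner = "hass";`) is not referenced by any module in this patch, and the commit subject only mentions matrix-synapse; the same applies to its entry in secrets/secrets.nix, the committed secrets/hass-ssh-key.age, and the `git.aciceri.dev` entry added in modules/cloudflare-dyndns/default.nix. If these belong to separate work, splitting them into their own commit keeps the history reviewable and makes it clear which service is expected to consume the key. If they are intended here, a one-line mention in the commit description would be enough. The attribute set these lines sit in starts before the hunk.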
+++ b/modules/matrix/default.nix
@@ -0,0 +1,77 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+ serverConfig."m.server" = "matrix.aciceri.dev:443";
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ imports = [../nginx-base];
+
+ services.nginx.virtualHosts = {
+ "aciceri.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "matrix.aciceri.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+ locations."/_matrix".proxyPass = "http://localhost:8008";
+ locations."/_synapse/client".proxyPass = "http://localhost:8008";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "aciceri.dev";
+ public_baseurl = "https://matrix.aciceri.dev";
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["127.0.0.1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+ };
+
+ backup.paths = [
+ "/var/lib/matrix-synapse"
+ "/var/backup/postgresql/matrix-synapse.sql.gz"
+ ];
+
+ services.postgresqlBackup = {
+ enable = true;
+ databases = ["matrix-synapse"];
+ };
+}
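Review bot: The PostgreSQL initialScript gives the `matrix-synapse` login role a fixed, guessable password (`CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';`), and because the script is produced with `pkgs.writeText` it ends up in the world-readable Nix store. Nothing in this module sets a database host or password for synapse, so it presumably connects over the local socket with peer authentication; in that case the password is never used and `CREATE ROLE "matrix-synapse" WITH LOGIN;` is enough, while if a password is actually required it should be supplied from an agenix secret the way the registration shared secret is. Separately, `/_matrix` and `/_synapse/client` proxy to `http://localhost:8008` whereas `/` derives `127.0.0.1:<port>` from the listener definition; synapse binds only `127.0.0.1`, so if `localhost` resolves to `::1` first those two routes can fail, and since `/` already covers them, either pointing them at `"http://127.0.0.1:8008"` or dropping them keeps the vhost consistent.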
diff --git a/secrets/hass-ssh-key.age b/secrets/hass-ssh-key.age new file mode 100644 index 0000000000000000000000000000000000000000..689dc4acecdb5a395f2d42e6d8a6e6d33f6c76ed GIT binary patch literal 2035 zcmYk5`|leC0l*E6819=ax-mh5%QqT>dVF_xy2$$&6t!6*6T z^U#*2)RP@l9q#OlWRuj7k*I1#+{l3Y8=_3xqywTUCBMW~@@^ z`y3k&n5ijrwOX;EjeMmDJA4Ti{G^j56D=r^n8(XB&|wD^3Lg~h3ER;fwA-4Hep)NJ zogD9xU3@u=^6HdPRM$bE(C%AVFXGg^JTAyc8d*pJ1hhiOGX`snrih};$n0y??Og>s!IqKY>ULlG&6c3_W~S>2p8hnf=r4u}p29${0zoHPQT7TS%DE~4Bt zhpHp6Cs6*Za-xw$n~ote~@ zM8YgJBw+-#Act}BTt)?@Nf@!~wRx@tYMr`ON`N};X3=Dj43FD^voGyi7+UpECt3LkEH9 zO$-)Anp{L71}76of3Xq zL#(uK_v-_1CJ*3Y#VcVr4HUIBnzRy@Jvk+LMKtIP*Igcr z%Nkj<6TQb`QwU921?UE`T4k^R0nx~*w0&B_=m|0?g=({>>){k4WJN_rE~TkGNGMf} zDWml?UoFfKWnK>3z%?=>Qcza!lOe6mtCTtENOaM6+otWqnwb|vhze7dGTMAmHzm6* z)dmeC2%LUx4oMO)8p_F3D~KJ3o8w)6jD?Yy2s#mXVZu2HgTi$`uuuY2;s13!9277N zsVoXsgCVDj8f7S5vJz{se{Gqx8n@;!4$_s9jP^}@BpGwxRRg=i!BwDO*J}`Jsm%#l zM9VsZ)T*3>*9LhJ)U+w2WhUN=8DD3{MPO-ZX%XcZtj;=qWHHRL-t8?L*o;S$iYg_3 z8%^hw-INNZ;h4Mxtbc)iTz~tfdrqBeZai`E%Fchk^WNU{;hjHt`K{f^FFxA0@59>< zZusSz^Pjfy-#nSWaeNJoo)aF6{l;^A&T={?+8t%C5aD#D5MR zeeBTt3*GdIFZ|(a9|I>2J=*$)@WSCw-``^%KX=1pruod{*rtX1*J)ed*^<+*eE#c$ zd!IhB^O4+fD=|9Nu{y!FcM&FZ`RKLoeYf4Tnkm)^SLleHKAo`esq|LN6R z@omQTfP4DDsfWJ1`L1#Kwcx(q9sfA~=8HEPi>o_MpE`5-<*f&Iyt$?H#SnX~`}1ed zT;lG1{d?z*>^%0=?ppud^$#wre_)%$bdBlS+nNWyLmhih1&?gMWmEm|&3DN+ZeEM4 zg%huQ`{>Dw*jIl0=hI)_J9uf!^&4;5`1R9gUi{;?s9oEc%by+J^Qicfh0FY!&7Zwp zEq-(L;H!tum(nYD5AWXa;15sQTh`rI-g#=SJh|cGpRW7r!yo+kiIqL ssh-rsa /AagBw +UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i +PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9 +TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM +PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU +NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn +3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/ +A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id 
+xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN +QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg +9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW +MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4 +-> ssh-rsa QHr3/A +HjOVYJ5qow3EL+ccqD/8azBdhynKeoSYDMOf9etmemrnBLigJzpoFFjlqyMmfFVj +vjGvVok/iPO6rrmA27UpEiU6arW8IO1N0IUTulpMYNoDUEWPUHdCQv0pHfArEMi0 +KN37mpm22nusOL3bm8goIcyVFzqP83wGsQXamVjwYLI34XlD2d4ugxWtejoYK/rR +4xbpgnQv3KuyWuxa5eehBuSPZVcBTwzF3sE9/7UFWZxSeHIpV+S8qoj/kfezqVUl +lUoXC1uupwT5iNYs7NJ3WZZxWjYdpZdR01K8Z8GAh2BDsVXBBZfxmPZwcr+Ri7Gk +Ai3AGyw7JyO7YeVXeiGze52fkxzxZmCuN8fKoxi5fgrt3sJMUurXnsCTOAPPj9oE +FCUT9eGO3mxf213XHEySfhS1C0yEruCtJnmclr3bkFNKVFyM71ABOp8sQwsNuBeB +3WeufPGCXliV7w+NuNBfa0NAemqDOWmTqZHQEv/D3gLBAiUxtm3Rd5wVkcY0Qy3X +nq0VyMU+LEcC5h9HvJNnEbUzADR0bab/5jbKfbTrJVimCr6fQmkd8+ua6oGa++Jh +7BrHauQnVKp5tKnvgUaMWfOp40pjMxUzb1JQMkVD5+uKqD+aUD2SDKODC/FKOLC0 +wNoSoE4m5vNy3SLjY66cVT2Mh80fs6GULqE05k2r5SQ +-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM +vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc +--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE +[jlE; CoR&lPo5Z>tl h/o~r3+KLg9P l#FN{7tSg+Y)kt T>p \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d0162d1..1c7a8ca 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,8 @@ in "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard]; "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk]; + "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko]; + "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];