Self host matrixy-synapse on sisko

This commit is contained in:
Andrea Ciceri 2024-02-11 14:09:04 +01:00
parent 231a662dc8
commit 40573a4477
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
7 changed files with 114 additions and 1 deletions


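--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -142,6 +142,8 @@
 "restic-hetzner-password" = {};
 "minio-credentials".owner = "minio";
 "aws-credentials".owner = "hercules-ci-agent";
+"hass-ssh-key".owner = "hass";
+"matrix-registration-shared-secret".owner = "matrix-synapse";
 };
 };
 };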


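--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -28,6 +28,7 @@
 "restic"
 "syncthing"
 "minio"
+"matrix"
 ]
 ++ [
 ./disko.nix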


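--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -4,13 +4,15 @@
 ipv4 = true;
 ipv6 = false; # not anymore 😭
 domains = [
-# "sevenofnix.aciceri.dev"
+"aciceri.dev"
+"git.aciceri.dev"
 "home.aciceri.dev"
 "torrent.aciceri.dev"
 "search.aciceri.dev"
 "invidious.aciceri.dev"
 "vpn.aciceri.dev"
 "cache.aciceri.dev"
+"matrix.aciceri.dev"
 ];
 apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
 };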


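--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,77 @@
+{
+config,
+lib,
+pkgs,
+...
+}: let
+clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+serverConfig."m.server" = "matrix.aciceri.dev:443";
+mkWellKnown = data: ''
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+return 200 '${builtins.toJSON data}';
+'';
+in {
+imports = [../nginx-base];
+services.nginx.virtualHosts = {
+"aciceri.dev" = {
+enableACME = true;
+forceSSL = true;
+locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+};
+"matrix.aciceri.dev" = {
+forceSSL = true;
+enableACME = true;
+locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";
+locations."/_matrix".proxyPass = "http://localhost:8008";
+locations."/_synapse/client".proxyPass = "http://localhost:8008";
+};
+};
+services.postgresql = {
+enable = true;
+initialScript = pkgs.writeText "synapse-init.sql" ''
+CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+TEMPLATE template0
+LC_COLLATE = "C"
+LC_CTYPE = "C";
+'';
+};
+services.matrix-synapse = {
+enable = true;
+settings = {
+server_name = "aciceri.dev";
+public_baseurl = "https://matrix.aciceri.dev";
+listeners = [
+{
+port = 8008;
+bind_addresses = ["127.0.0.1"];
+type = "http";
+tls = false;
+x_forwarded = true;
+resources = [
+{
+names = ["client" "federation"];
+compress = true;
+}
+];
+}
+];
+};
+extraConfigFiles = [config.age.secrets.matrix-registration-shared-secret.path];
+};
+backup.paths = [
+"/var/lib/matrix-synapse"
+"/var/backup/postgresql/matrix-synapse.sql.gz"
+];
+services.postgresqlBackup = {
+enable = true;
+databases = ["matrix-synapse"];
+};
+}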
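Review bot: The `locations."/"` entry on the matrix.aciceri.dev virtual host forwards every path to Synapse, so everything outside the two prefixes the next two lines already proxy (`/_matrix`, `/_synapse/client`) — in particular the admin API under `/_synapse/admin` — becomes reachable from the internet through nginx, whereas Synapse's reverse-proxy guidance is to expose only those two prefixes. Unless something else is meant to be served at `/`, drop the line `locations."/".proxyPass = "http://127.0.0.1:${builtins.toString (lib.head config.services.matrix-synapse.settings.listeners).port}";`, which also only duplicates the port-8008 upstream the other two locations hard-code. Separately, the `initialScript` in the postgresql block embeds the role password `'synapse'` in a `pkgs.writeText` file that lands world-readable in the Nix store; if Synapse connects over the peer-authenticated Unix socket the password is unused and the `PASSWORD 'synapse'` clause can be left out of the `CREATE ROLE` statement, otherwise it should come from an age secret the way the registration shared secret does on the `extraConfigFiles` line.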

secrets/hass-ssh-key.age Normal file



@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-rsa /AagBw
UlR5iCI7jZnIqgfUm7fHrwgJroFYlqA+F8aZudS/i/RjJ6b8ldqdZnefydc+XY9i
PeAAqAdEVpC0Dae5q4BoWFb0uS5PQPOBmnYqnSm0NMEcGizzpnF+XJL1wPLur/J9
TRUHHA9MRvVF5QoXrm2wsqQxstnUPZU4ObA+JgnXArMw31aTPOc8KmZWTQKPg2YM
PyH1Q2Vc3HHKi4CyY2rl18e8JaJGiifrIATl0+/hsfJnOT8o54HcT11b096hiRqU
NEdH92y4x+hF0dStTPBIEwzLiM2CVght5lR89Lvh3ZP7b10yswB+EKkH1kwcziyn
3Hq7RM0+jNKbedyViCAuVeis5PezQlFe3yf9eR9YMJdSjhgflLU2KQ3NnXHYoJJ/
A1XitzFOwKTSEQqHQs2yjTNa3XcoyNDxH49q/svECHmYZamPsc1Ac8cIJOeFf+Id
xoa0zKJhSZOBwIz5+PrbNN4lYD88sbT6wspQoJwFOvqCx87kwb3HouG0rwDq57BN
QxybvD7Vz7JPr6D15uWGhNldabvhr+pMt+17wS+DmdjO08iHrwxTrzyvvc86vxhg
9IvAF3mhIQvBuV9yLSTGE+J8ngp3f6PUfj0CHZTpLpsBvmr83b1gqjVIpxnmJwIW
MZpPv/x3o81kxyibFA75T+PhGlOPOybZpleRwmLazy4
-> ssh-rsa QHr3/A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-> ssh-ed25519 OgJHCw OjjSmtLRB+pMtn+5NfDQ1FGMgQttjkoN04gs0aIuRHM
vRwkDC8EewSDLTbB3ZNZO1d3TjulShkeDjjrAFpu2Cc
--- 4q2bfImq0xXD0apHMUgoP+oNRg9Yr8t1SXpHYtCW0ZE
[jlE<6C>泠; Co訰窌&l侾<6C>5Z>t苐 h/掠遫烌~r3<72>+縆Lg9P厯 萳▼#F揘駕7顃Sg鉀+躖)靕餿 T╁>p<><70>


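--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -20,6 +20,8 @@ in
 "chatgpt-token.age".publicKeys = [ccr-ssh ccr-gpg kirk mothership picard];
 "cloudflare-dyndns-api-token.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
+"hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+"matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];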