nixos-config/hosts/cepheus/synapse.nix

{ lib, config, pkgs, ... }:
let
domain = "nothing.run";
ulid = "01K2FWKJXXG713J0PERVHJ54S3";
in {
# Host-side tooling: `synadm` drives the Synapse admin API over HTTP.
# NOTE(review): nixpkgs also ships an unrelated launcher called `synapse`;
# the Matrix homeserver attribute is `matrix-synapse` — confirm which one is wanted.
environment.systemPackages = [ pkgs.synapse pkgs.synadm ];
# OAuth2 client secret shared between Kanidm and MAS; kept out of the Nix
# store and exposed as a file under /run/agenix at activation time.
age.secrets.kanidm-oauth2-mas = lib.mkSecret "kanidm";
services.kanidm.provision = {
  # Membership in this group is what maps to the OIDC scopes below, i.e. what
  # lets a Kanidm account sign in to Matrix.
  groups."matrix.access" = { };
  # groups."matrix.admins" = { };
  systems.oauth2 = {
    matrix = {
      displayName = "matrix";
      # Redirect target is MAS's per-provider callback; the ULID must equal the
      # provider `id` in the MAS configuration.
      originUrl = "https://mas.nothing.run/upstream/callback/${ulid}";
      originLanding = "https://mas.nothing.run/";
      # Client secret is read from the agenix-managed file, never from the store.
      basicSecretFile = config.age.secrets.kanidm-oauth2-mas.path;
      scopeMaps = {
        "matrix.access" = [ "openid" "email" "profile" ];
      };
      # Keep PKCE mandatory; the MAS side requests it with pkce_method = "always".
      allowInsecureClientDisablePkce = false;
      # enableLegacyCrypto = true;
      # Emit the short account name as preferred_username (MAS requires a localpart).
      preferShortUsername = true;
      # claimMaps.groups = {
      #   joinType = "array";
      #   valuesByGroup."matrix.admins" = [ "admins" ];
      # };
    };
  };
};
# containers.matrix-synapse = {
# autoStart = true;
# bindMounts = {
# "/var/lib/matrix-synapse" = { hostPath = "/nix/persist/services/synapse/data"; isReadOnly = false; };
# "/var/lib/postgresql" = { hostPath = "/nix/persist/services/synapse/db"; isReadOnly = false; };
# "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
# };
# hostAddress = "192.168.107.10";
# localAddress = "192.168.107.11";
#
# privateNetwork = true;
#
# config = { ... }: {
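systemd.services.matrix-authentication-service =
  let
    # Non-secret half of the MAS configuration. `pkgs.writeText` places this file
    # in the world-readable /nix/store, so nothing secret may ever be added here.
    # NOTE(review): MAS normally also requires `matrix.secret`, `secrets.encryption`,
    # `secrets.keys` and a `client_secret` for the upstream provider, none of which
    # appear below. Presumably they are meant to come from an agenix-managed file
    # passed as an additional `--config` argument (MAS merges several config files);
    # confirm before enabling the unit (its `wantedBy` is still commented out).
    # Renamed from `config` so it no longer shadows the module argument.
    masConfig = pkgs.writeText "mas-configuration.json" (builtins.toJSON {
      upstream_oauth2.providers = [
        {
          # Must equal the ULID in Kanidm's callback URL.
          id = ulid;
          issuer = "https://idm.nothing.run/oauth2/openid/matrix";
          token_endpoint_auth_method = "client_secret_basic";
          human_name = "matrix";
          client_id = "matrix";
          scope = "openid email profile";
          # PKCE mandatory on both sides (Kanidm: allowInsecureClientDisablePkce = false).
          pkce_method = "always";
          # Refuse to create an account unless the IdP supplies a localpart and an email.
          claims_imports.localpart.action = "require";
          claims_imports.displayname.action = "ignore";
          claims_imports.email.action = "require";
        }
      ];
      http = {
        public_base = "https://mas.nothing.run";
        listeners = [{
          name = "web";
          resources = [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            {
              # Static frontend assets (CSS/JS) shipped with the MAS package.
              name = "assets";
              path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets";
            }
          ];
          # Loopback only; Caddy terminates TLS for mas.${domain} and proxies here.
          binds = [{ host = "127.0.0.1"; port = 8086; }];
          proxy_protocol = false;
        }];
      };
      # Unix-socket connection authenticated by PostgreSQL peer auth: the unit's
      # OS user (set below) has the same name as the database role, so no
      # password is needed and none has to be stored anywhere. The previous TCP
      # URI carried no password and would be rejected by the NixOS default
      # pg_hba (md5/scram for host connections) — TODO(review): if
      # `services.postgresql.authentication` was relaxed elsewhere to make TCP
      # work, revert that as well.
      database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql";
      matrix = {
        kind = "synapse";
        homeserver = "nothing.run";
        # Round-trips through the public Caddy vhost; http://127.0.0.1:8008 would
        # reach Synapse directly.
        endpoint = "https://matrix.nothing.run:443";
      };
      passwords = {
        enabled = true;
        # The highest version is used for new hashes; the v1 bcrypt scheme with
        # unicode normalisation is the MAS-documented shape for hashes migrated
        # from Synapse (presumably re-hashed to v2 on successful login).
        schemes = [
          { version = 2; algorithm = "argon2id"; }
          { version = 1; algorithm = "bcrypt"; unicode_normalization = true; }
        ];
        # MAS documents minimum_complexity as a zxcvbn score in the range 0-4;
        # the previous value 8 was outside that range. TODO(review): confirm
        # against the MAS version actually deployed.
        minimum_complexity = 4;
      };
    });
  in {
    enable = true;
    description = "Matrix Authentication Service";
    # Not started at boot yet; see the secrets note above.
    # wantedBy = [ "multi-user.target" ];
    # MAS cannot come up without its database.
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${lib.getExe pkgs.matrix-authentication-service} --config ${masConfig}";
      Restart = "on-failure";
      RestartSec = "10s";
      # Previously no User= was set, so MAS ran as root. A dynamic user named
      # after the PostgreSQL role makes socket peer auth work and brings
      # systemd's DynamicUser sandbox defaults (ProtectSystem=strict,
      # PrivateTmp, NoNewPrivileges, ...).
      DynamicUser = true;
      User = "matrix-authentication-service";
    };
  };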
# Database and owning role for MAS. Role and database share one name so the
# service can authenticate over the socket via peer auth.
# NOTE(review): Synapse's own database (`matrix-synapse`, see below) is not
# ensured here — presumably created by hand (Synapse needs C collation).
services.postgresql =
  let masDb = "matrix-authentication-service"; in {
    ensureDatabases = [ masDb ];
    ensureUsers = [ { name = masDb; ensureDBOwnership = true; } ];
  };
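services.matrix-synapse = {
  enable = true;
  settings = {
    server_name = domain;
    # No `metrics` listener is declared below, so nothing serves these yet.
    enable_metrics = true;
    listeners = [
      {
        port = 8008;
        # Loopback only: Caddy proxies to 127.0.0.1:8008. The previous 0.0.0.0
        # bind combined with x_forwarded = true let any client that reached the
        # port directly spoof X-Forwarded-For (rate-limit/ban evasion, wrong
        # client IPs in logs); the firewall line that would open 8008 is
        # commented out, but binding narrowly does not depend on that.
        bind_addresses = [ "127.0.0.1" ];
        type = "http";
        tls = false;
        # Trust X-Forwarded-For from the reverse proxy on this loopback listener.
        x_forwarded = true;
        resources = [
          { names = [ "client" "federation" ]; compress = true; }
        ];
      }
      # A metrics listener (type = "metrics") can be added here; keep it bound
      # to loopback or a private interface.
    ];
    database = {
      name = "psycopg2";
      # No host given: connects over the PostgreSQL socket and relies on peer
      # auth for the `matrix-synapse` OS user the NixOS module runs Synapse as.
      args = let db = "matrix-synapse"; in {
        user = db;
        database = db;
      };
    };
    # registration_shared_secret removed. It was generated inside a Nix
    # derivation, which (a) stores the value world-readable in /nix/store, and
    # (b) is cached, so every rebuild reused the same "random" secret; the
    # NixOS module additionally copies `settings` into a store file. Registration
    # is disabled below, so nothing here needs it. If the shared-secret admin
    # registration endpoint is wanted again, provision the value with agenix
    # (like kanidm-oauth2-mas above) and reference it via
    # `registration_shared_secret_path`, which Synapse reads at runtime.
    max_upload_size = "20M";
    # Require an access token to download media and to read profiles.
    enable_authenticated_media = true;
    require_auth_for_profile_requests = true;
    enable_registration_captcha = false;
    enable_registration = false;
  };
  # log.root.level = "ERROR";
  log.root.level = "INFO";
};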
# networking.firewall.allowedTCPPorts = [ 8008 8080 ];
# };
# };
# services.caddy = {
# virtualHosts = {
# "matrix.${domain}".extraConfig = ''
# reverse_proxy /_matrix/* http://192.168.107.11:8008
# reverse_proxy /_synapse/client/* http://192.168.107.11:8008
# reverse_proxy /client/* http://192.168.107.11:8008
# reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://192.168.107.11:8008
# reverse_proxy /_synapse/admin/* http://192.168.107.11:8008
# '';
# # Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
#
# "mas.${domain}".extraConfig = ''
# reverse_proxy http://192.168.107.11:8080
# '';
# };
# };
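services.caddy = {
  virtualHosts = {
    "matrix.${domain}".extraConfig = ''
      # The Synapse admin API is token-authenticated but is not meant to be
      # internet-facing; allow it only from loopback / private ranges (e.g.
      # synadm on this host). `respond` runs before `reverse_proxy` in Caddy's
      # directive order, so the 403 wins for matching requests.
      # NOTE(review): if another proxy/CDN sits in front of Caddy, remote_ip is
      # that proxy's address — adjust the matcher accordingly.
      @admin_external {
        path /_synapse/admin/*
        not remote_ip private_ranges
      }
      respond @admin_external 403

      reverse_proxy /_matrix/* http://127.0.0.1:8008
      reverse_proxy /_synapse/client/* http://127.0.0.1:8008
      # NOTE(review): /client/* is not a Matrix API prefix — verify it is still needed.
      reverse_proxy /client/* http://127.0.0.1:8008
      # Already covered by /_matrix/* above; kept for readability.
      reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://127.0.0.1:8008
      reverse_proxy /_synapse/admin/* http://127.0.0.1:8008
    '';
    # NOTE(review): server_name is `nothing.run` while clients/federation are
    # served on matrix.nothing.run; the /.well-known/matrix/{server,client}
    # delegation on the apex is not in this file — confirm it exists elsewhere.
    "mas.${domain}".extraConfig = ''
      reverse_proxy http://127.0.0.1:8086
    '';
  };
};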
}