Initial commit

2025-08-20 18:24:02 +03:00
commit 2dec42d487
116 changed files with 6591 additions and 0 deletions

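--- a/hosts/cepheus/caddy.nix
+++ b/hosts/cepheus/caddy.nix
@@ -0,0 +1,17 @@
+{ inputs, ... }: {
+services.caddy = {
+enable = true;
+virtualHosts."nothing.run, www.nothing.run".extraConfig = ''
+header /.well-known/matrix/* Content-Type application/json
+header /.well-known/matrix/* Access-Control-Allow-Origin *
+respond /.well-known/matrix/server `{"m.server": "matrix.nothing.run:443"}`
+respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.nothing.run"},"org.matrix.msc3575.proxy":{"url":"https://matrix.nothing.run"}}`
+root * ${inputs.website.website}
+file_server
+'';
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+}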

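--- a/hosts/cepheus/couchdb.nix
+++ b/hosts/cepheus/couchdb.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, ... }: {
+containers.couchdb = {
+autoStart = true;
+bindMounts = {
+"/var/lib/couchdb" = { hostPath = "/nix/persist/services/couchdb"; isReadOnly = false; };
+};
+hostAddress = "192.168.105.10";
+localAddress = "192.168.105.11";
+privateNetwork = true;
+config = { ... }: {
+services.couchdb = {
+enable = true;
+bindAddress = "192.168.105.11";
+port = 5984;
+databaseDir = "/var/lib/couchdb";
+viewIndexDir = "/var/lib/couchdb";
+adminUser = lib.removeSuffix "\n" ("admin_" + pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `head -c 12 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out"}");
+adminPass = pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g'` > $out"}";
+};
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ 5984 ];
+};
+system.stateVersion = "25.05";
+};
+};
+services.caddy.virtualHosts = {
+"couchdb.nothing.run".extraConfig = ''
+reverse_proxy http://192.168.105.11:5984
+'';
+};
+}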
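Review bot: `adminPass` keeps the trailing newline that `echo` writes into `$out` — only `adminUser` is wrapped in `lib.removeSuffix "\n"` — so the configured password ends in a newline, and the `sed 's/[+=\\/A-Z]//g'` on both lines strips every uppercase letter, shrinking the alphabet the generated credentials draw from. Both values are built by `pkgs.runCommand` and pulled in with `readFile`, so they sit in the world-readable Nix store (and presumably in the generated CouchDB config) rather than in an agenix secret the way the other hosts handle credentials via `lib.mkSecret`; a rebuild on a machine without that store path would also yield a different password. Consider moving the admin credentials to an age secret and, if the generated form stays, applying `lib.removeSuffix "\n"` to `adminPass` as well.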

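--- a/hosts/cepheus/default.nix
+++ b/hosts/cepheus/default.nix
@@ -0,0 +1,37 @@
+{ lib, config, ... }: {
+nixpkgs.hostPlatform = "x86_64-linux";
+hardware.enableRedistributableFirmware = true;
+boot.initrd.availableKernelModules = [
+"nvme"
+"xhci_pci"
+"usb_storage"
+"sd_mod"
+"ata_piix"
+"virtio_pci"
+"virtio_scsi"
+"sr_mod"
+];
+age.secrets.cepheus_userhjkl_password = {
+rekeyFile = ./secrets/password.age;
+owner = "userhjkl";
+group = "users";
+mode = "0400";
+};
+n.host = {
+hardware.cpu = "virt";
+bootloader = "grub";
+domain = "nothing.run";
+hostId = "0b6ce634";
+users."userhjkl" = lib.mkUser config.age.secrets.cepheus_userhjkl_password.path true;
+defaultUser = "userhjkl";
+types = [ "server" ];
+};
+imports = [
+(lib.fs.ext4 "/" "/dev/disk/by-uuid/8c2eee33-ab23-42b5-b22c-777fbede1ccf" null)
+(lib.fs.vfat "/boot" "/dev/disk/by-uuid/8B83-5678" null)
+];
+}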

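--- a/hosts/cepheus/gitea.nix
+++ b/hosts/cepheus/gitea.nix
@@ -0,0 +1,195 @@
+{ config, pkgs, lib, ... }: {
+age.secrets.kanidm-oauth2-gitea = lib.mkSecret "kanidm";
+services.kanidm.provision = {
+groups."gitea.access" = {};
+groups."gitea.admins" = {};
+systems.oauth2.gitea = {
+displayName = "gitea";
+originUrl = "https://tea.nothing.run/user/oauth2/kanidm/callback";
+originLanding = "https://tea.nothing.run/";
+basicSecretFile = config.age.secrets.kanidm-oauth2-gitea.path;
+scopeMaps."gitea.access" = [
+"openid"
+"email"
+"profile"
+];
+allowInsecureClientDisablePkce = true;
+preferShortUsername = true;
+claimMaps.groups = {
+joinType = "array";
+valuesByGroup."gitea.admins" = [ "admins" ];
+};
+};
+};
+containers.gitea = let host-config = config; in {
+autoStart = true;
+bindMounts = {
+"/var/lib/gitea" = { hostPath = "/nix/persist/services/gitea"; isReadOnly = false; };
+# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
+"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
+};
+# tmpfs = [ "/" ];
+hostAddress = "192.168.102.10";
+localAddress = "192.168.102.11";
+# forwardPorts = [
+# {
+# containerPort = 22;
+# hostPort = 9922;
+# protocol = "tcp";
+# }
+# ];
+privateNetwork = true;
+config = { lib, config, ... }: {
+imports = [
+../../modules/global/dnscrypt-proxy.nix
+];
+users.groups.kanidm = {};
+users.groups.git = { };
+users.users.git = {
+isSystemUser = true;
+useDefaultShell = true;
+group = "git";
+extraGroups = [ "kanidm" ];
+home = config.services.gitea.stateDir;
+openssh.authorizedKeys.keys = lib.mkForce host-config.users.users.root.openssh.authorizedKeys.keys;
+};
+services.openssh = {
+enable = true;
+# settings = {
+# PasswordAuthentication = false;
+# KbdInteractiveAuthentication = false;
+# PermitRootLogin = "prohibit-password";
+# };
+# openFirewall = true;
+# ports = [ 22 ];
+# settings.AcceptEnv = "GIT_PROTOCOL";
+};
+services.gitea = {
+enable = true;
+package = pkgs.gitea;
+user = "git";
+group = "git";
+settings = {
+DEFAULT.APP_NAME = "Hollow Tea";
+mailer.ENABLED = false;
+metrics.ENABLED = false;
+oauth2_client = {
+ACCOUNT_LINKING = "login";
+USERNAME = "nickname";
+ENABLE_AUTO_REGISTRATION = false;
+REGISTER_EMAIL_CONFIRM = false;
+UPDATE_AVATAR = true;
+};
+repository = {
+DEFAULT_PRIVATE = "private";
+ENABLE_PUSH_CREATE_USER = true;
+ENABLE_PUSH_CREATE_ORG = true;
+};
+server = {
+HTTP_ADDR = "0.0.0.0";
+HTTP_PORT = 3000;
+DOMAIN = "tea.nothing.run";
+ROOT_URL = "https://tea.nothing.run";
+LANDING_PAGE = "login";
+SSH_PORT = 9922;
+SSH_USER = "git";
+};
+service = {
+DISABLE_REGISTRATION = false;
+ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+SHOW_REGISTRATION_BUTTON = false;
+REGISTER_EMAIL_CONFIRM = false;
+ENABLE_NOTIFY_MAIL = false;
+};
+"service.explore" = {
+REQUIRE_SIGNIN_VIEW = true;
+DISABLE_USERS_PAGE = false;
+DISABLE_ORGANIZATIONS_PAGE = true;
+DISABLE_CODE_PAGE = true;
+};
+admin.DISABLE_REGULAR_ORG_CREATION = true; # Prohibit creation of organizations by non-admin users
+session.COOKIE_SECURE = true;
+};
+};
+systemd.services.gitea = {
+enable = true;
+wantedBy = [ "multi-user.target" ];
+serviceConfig.RestartSec = "60"; # Retry every minute
+preStart =
+let
+exe = lib.getExe config.services.gitea.package;
+providerName = "kanidm";
+clientId = "gitea";
+args = lib.escapeShellArgs (
+lib.concatLists [
+[
+"--name"
+providerName
+]
+[
+"--provider"
+"openidConnect"
+]
+[
+"--key"
+clientId
+]
+[
+"--auto-discover-url"
+"https://idm.nothing.run/oauth2/openid/${clientId}/.well-known/openid-configuration"
+]
+[
+"--scopes"
+"email"
+]
+[
+"--scopes"
+"profile"
+]
+[
+"--group-claim-name"
+"groups"
+]
+[
+"--admin-group"
+"admin"
+]
+[ "--skip-local-2fa" ]
+]
+);
+in
+lib.mkAfter ''
+provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+SECRET="$(< ${host-config.age.secrets.kanidm-oauth2-gitea.path})"
+if [[ -z "$provider_id" ]]; then
+${exe} admin auth add-oauth ${args} --secret "$SECRET"
+else
+${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
+fi
+'';
+};
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ 3000 22 ];
+};
+system.stateVersion = "25.05";
+};
+};
+networking.firewall.allowedTCPPorts = [ 9922 ];
+services.caddy.virtualHosts = {
+"tea.nothing.run".extraConfig = ''
+reverse_proxy http://192.168.102.11:3000
+'';
+};
+}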
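Review bot: The admin mapping is inconsistent: Kanidm's `claimMaps.groups.valuesByGroup."gitea.admins" = [ "admins" ]` emits the claim value `admins`, but the preStart registers the provider with `"--admin-group" "admin"`, so members of `gitea.admins` would not be granted Gitea admin; one of the two strings should change, e.g. `"admin"` → `"admins"`. `"/run/agenix"` is bind-mounted with `isReadOnly = false` although the container only reads the secret file, so `isReadOnly = true;` would suffice. The host opens `networking.firewall.allowedTCPPorts = [ 9922 ]` while the `forwardPorts` block mapping 9922 to the container's port 22 is commented out, so `SSH_PORT = 9922` advertises a port that, unless NAT is configured elsewhere, nothing listens on. Passing the client secret as `--secret "$SECRET"` also exposes it in the process argument list for the duration of the `add-oauth`/`update-oauth` call.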

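--- a/hosts/cepheus/hedgedoc.nix
+++ b/hosts/cepheus/hedgedoc.nix
@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+inherit (config.networking) domain;
+service_port = 8259;
+db = "hedgedoc";
+in {
+services.hedgedoc = {
+# enable = true; # TODO
+enable = false;
+settings = {
+# TODO: kanidm auth
+port = service_port;
+protocolUseSSL = true;
+domain = "pad.${domain}";
+host = "127.0.0.1";
+allowGravatar = false;
+allowPDFExport = true;
+dbURL = "postgres://${db}:${db}@localhost:${toString config.services.postgresql.settings.port}/${db}";
+allowEmailRegister = false;
+allowAnonymous = false;
+loglevel = "none";
+};
+};
+imp.dirs = [
+{ directory = "/var/lib/hedgedoc"; user = "hedgedoc"; group = "hedgedoc"; mode = "u=rwx,g=rx,o="; }
+];
+services.caddy.virtualHosts = {
+"pad.${domain}".extraConfig = ''
+reverse_proxy http://127.0.0.1:${toString service_port}
+'';
+};
+}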
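Review bot: With `enable = false`, the `imp.dirs` entry and the `"pad.${domain}"` Caddy virtual host stay active, so a public host is published that proxies to `127.0.0.1:8259` with nothing listening; if the service is meant to stay off until the Kanidm TODO is done, gating both behind the same flag (or commenting them out alongside `enable`) avoids the dangling host. When it is turned on, `dbURL` embeds the database password — `hedgedoc`, identical to the user name — in a settings string that presumably ends up in the Nix store; if the module version in use offers `environmentFile`, that is the usual place for the credential.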

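--- a/hosts/cepheus/kanidm.nix
+++ b/hosts/cepheus/kanidm.nix
@@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+let
+kanidmPort = 1888;
+in {
+age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";
+age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";
+users.groups.kanidm = {};
+users.users.kanidm.group = "kanidm";
+users.users.kanidm.isSystemUser = true;
+containers.kanidm = {
+autoStart = true;
+bindMounts = {
+"/certs" = { hostPath = "/nix/persist/services/kanidm/certs"; isReadOnly = false; };
+"/var/lib/kanidm" = { hostPath = "/nix/persist/services/kanidm/db"; isReadOnly = false; };
+# "${config.age.secretsDir}" = { hostPath = config.age.secretsDir; isReadOnly = true; };
+"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
+};
+# tmpfs = [ "/" ];
+hostAddress = "192.168.101.10";
+localAddress = "192.168.101.11";
+privateNetwork = true;
+# privateNetwork = false;
+config = { lib, ... }: {
+imports = [
+# ../../modules/global/nix.nix
+../../modules/global/dnscrypt-proxy.nix
+];
+services.kanidm = {
+enableServer = true;
+package = pkgs.kanidmWithSecretProvisioning;
+enableClient = true;
+serverSettings = {
+domain = "idm.nothing.run";
+origin = "https://idm.nothing.run";
+# bindaddress = "127.0.0.1:${toString kanidmPort}";
+bindaddress = "0.0.0.0:${toString kanidmPort}";
+log_level = "trace";
+trust_x_forward_for = true;
+tls_chain = "/certs/chain.pem";
+tls_key = "/certs/key.pem";
+};
+clientSettings = {
+uri = "https://127.0.0.1:${toString kanidmPort}";
+verify_ca = false;
+verify_hostnames = false;
+};
+provision = lib.mkMerge [
+{ enable = lib.mkForce true; }
+config.services.kanidm.provision
+];
+};
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ kanidmPort ];
+};
+system.stateVersion = "25.05";
+};
+};
+services.kanidm.provision = {
+acceptInvalidCerts = true;
+instanceUrl = "https://127.0.0.1:${toString kanidmPort}";
+adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+groups.admins = {};
+persons = {
+"thary" = {
+"displayName" = "Thary";
+"mailAddresses" = [
+"thary@riseup.net"
+"thary@nothing.run"
+];
+groups = [
+"gitea.access" "gitea.admins"
+"miniflux.access"
+];
+};
+};
+};
+imp.home.dirs = [ ".cache/kanidm_tokens" ];
+services.kanidm.enableClient = true;
+services.kanidm.clientSettings = {
+uri = "https://idm.nothing.run";
+verify_ca = true;
+verify_hostnames = true;
+};
+services.caddy.virtualHosts = {
+"idm.nothing.run".extraConfig = ''
+reverse_proxy https://192.168.101.11:${toString kanidmPort} {
+transport http {
+tls
+tls_insecure_skip_verify
+}
+}
+'';
+};
+}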
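Review bot: `log_level = "trace"` in `serverSettings` is a debugging level and, for an identity provider, risks writing request details into the journal that should not persist there; `log_level = "info";` is the usual production value, with trace enabled only while debugging. `"/run/agenix"` is bind-mounted with `isReadOnly = false` although the container only reads the two password files, so `isReadOnly = true;` would do. `trust_x_forward_for = true` together with `bindaddress = "0.0.0.0:…"` means any peer that can reach the container port can assert the client IP; with `privateNetwork = true` that is presumably only the host running Caddy, which is worth stating in a comment next to the bind address since the `127.0.0.1` variant above it is commented out.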


@@ -0,0 +1,34 @@
{ pkgs, ... }: {
services.caddy = {
enable = true;
virtualHosts."cinny.nothing.run".extraConfig = ''
root * ${pkgs.cinny.override {conf = {
defaultHomeserver = 0;
homeserverList = [ "matrix.nothing.run" "matrix.inex.rocks" ];
allowCustomHomeservers = false;
};}}
file_server
'';
virtualHosts."element.nothing.run".extraConfig = ''
root * ${pkgs.element-web.override {
conf = {
default_server_config = {
"m.homeserver".base_url = "https://nothing.run";
"m.identity_server" = {};
};
disable_custom_urls = true;
brand = "Nothing Chat";
default_theme = "dark";
jitsi.preferred_domain = "https://jitsi.inex.rocks"; # TODO: host jitsi
};}}
file_server
'';
virtualHosts."riot.nothing.run".extraConfig = ''
redir https://element.nothing.run
'';
# TODO: schildichat-web (there is no package in nixpkgs)
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
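Review bot: Element's `default_server_config."m.homeserver".base_url` is `https://nothing.run`, whereas Cinny's `homeserverList` and the `.well-known/matrix/client` response in caddy.nix point at `https://matrix.nothing.run`; unless the apex host also proxies `/_matrix`, which the caddy.nix hunk does not show, Element would send client API calls to a host serving only static files, so `base_url` should probably be `"https://matrix.nothing.run"`. `jitsi.preferred_domain` is consumed by Element as a bare host name, so `"https://jitsi.inex.rocks"` with the scheme is likely to be rejected or mis-joined; `jitsi.preferred_domain = "jitsi.inex.rocks";`.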


@@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }: {
age.secrets.kanidm-oauth2-miniflux = lib.mkSecret "kanidm";
services.kanidm.provision = {
groups."miniflux.access" = {};
systems.oauth2.miniflux = {
displayName = "miniflux";
originUrl = "https://rss.nothing.run/oauth2/oidc/callback";
originLanding = "https://rss.nothing.run/";
basicSecretFile = config.age.secrets.kanidm-oauth2-miniflux.path;
scopeMaps."miniflux.access" = [
"openid"
"email"
"profile"
];
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
};
};
age.secrets.miniflux-admin-credentials = {
generator.script = _: ''
echo "ADMIN_USERNAME = 'admin_fmA4ei32f'"
echo "ADMIN_PASSWORD = '$(head -c 32 /dev/urandom | base64)'"
'';
group = "kanidm";
mode = "444";
};
containers.miniflux = {
autoStart = true;
bindMounts = {
"/run/postgresql" = { hostPath = "/nix/persist/services/miniflux"; isReadOnly = false; };
"/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
};
hostAddress = "192.168.103.10";
localAddress = "192.168.103.11";
privateNetwork = true;
config = { ... }: {
imports = [ ../../modules/global/dnscrypt-proxy.nix ];
users.groups.kanidm = {};
users.users.postgres.extraGroups = [ "kanidm" ];
services.miniflux = {
enable = true;
createDatabaseLocally = true;
adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
config = {
LISTEN_ADDR = "192.168.103.11:8080";
CREATE_ADMIN = 1;
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET = config.age.secrets.kanidm-oauth2-miniflux.path;
OAUTH2_REDIRECT_URL = "https://rss.nothing.run/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.nothing.run/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1;
};
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 8080 ];
};
system.stateVersion = "25.05";
};
};
services.caddy.virtualHosts = {
"rss.nothing.run".extraConfig = ''
reverse_proxy http://192.168.103.11:8080
'';
};
}
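Review bot: `OAUTH2_CLIENT_SECRET = config.age.secrets.kanidm-oauth2-miniflux.path` hands Miniflux the *path* of the secret file as the client secret, so the OIDC exchange with Kanidm cannot succeed; Miniflux reads secrets from files through the `_FILE` variants, i.e. `OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.kanidm-oauth2-miniflux.path;`. `age.secrets.miniflux-admin-credentials` is created with `mode = "444"`, which makes the generated admin password world-readable on the host and inside the container; `mode = "440";` with the `kanidm` group already set keeps it readable by the intended (presumably miniflux/postgres) readers only. The bind mount places the persistence directory at `/run/postgresql`, which is PostgreSQL's socket directory rather than its data directory; with `createDatabaseLocally = true` the database under `/var/lib/postgresql` is presumably not persisted across container rebuilds, so the intended target is worth confirming.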


@@ -0,0 +1,4 @@
{ ... }: {
services.postgresql.enable = true;
imp.dirs = [ "/var/lib/postgresql" ];
}


@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg yX9WPef2jwkv9rsWS1Zz37qNwP/7AXVwwR3y7sy5/0k
d6IIsuuPi+ZZA/HDyDYgbjL7AiFtEEx+Ez3IWeVYo5Y
-> d6L4.Y&D-grease *z=Q"@Cb f{ VN
3IcbB/YPlZaTqaKIYjkvYmxlLVSBkOnLPMm3uPQrzA2i9bTNH6tjGVG0c64jYif4
GXbSIKn1wkTmkYBX3FQAPsPwBQ
--- u4kYHCN4Flk12expFXLzogEmv0LleaTExylppjkLdJg
<EFBFBD>k6<>\<5C>Z,<2C><>o<EFBFBD>V<>OOh<4F><68><15>+<2B><14>"<22><1F><><EFBFBD><EFBFBD> \<5C><>N)&M8<><38>&x1g&Zxn<78><6E><EFBFBD>!<21><02><>Aȅ,\<5C><>飩-<2D>o<EFBFBD><6F><EFBFBD>m<EFBFBD>r<EFBFBD>iD1<>D<EFBFBD>e<EFBFBD>_4


@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 8IT6eg OGouWD06nC1BworHWu+bhrnwb5Q4skSrOKU703Rqr2E
/T0+bnhxRzgry7nVdlHFoYGEXc/6Q3dIxtvlATMl/3s
-> `-grease
+LfEGtXt+5BOYK5njRUFRhQix/yPMIs
--- Hxczp2zWnEqT0MQYjPc3O7Dva8r9pUOXkXHuv2DuIP4
<EFBFBD>`<60>FF<46><46>#<67>t<EFBFBD> <0B>Ŗ<EFBFBD><C596><EFBFBD>K:)<29>g\<5C>gC<67>R3*0 <0B><>V<EFBFBD>vt<76><74>:t70w<19>ND<01><><EFBFBD>)x<><78><><D79E>IP<49><50><EFBFBD>u<1F><>6<><36><EFBFBD>@<40>hf<68>ag[<5B> <0C>ܺ<EFBFBD><DCBA><EFBFBD><EFBFBD>


@@ -0,0 +1,9 @@
{ pkgs, config, ... }: {
services.caddy = {
virtualHosts."synapse-admin.${config.networking.domain}".extraConfig = ''
encode zstd gzip
root * ${pkgs.synapse-admin-etkecc}
file_server
'';
};
}


@@ -0,0 +1,37 @@
{ pkgs, config, ... }: {
age.secrets.matrix_admin_api_token = {
rekeyFile = ./secrets/matrix_admin_api_token.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
systemd.services."synapse-revitalization" =
let pkg = "${pkgs.synapse-revitalization}/bin/synapse-revitalization";
script = pkgs.writeShellScript "synapse-revitalization-script" ''
journalctl -f -u matrix-synapse -o cat |
while read -r line; do
echo "$line" | grep "as we're not in the room" && ${pkg} "$line" &
echo "$line" | grep "Ignoring PDU for unknown room_id" && ${pkg} "$line" &
done
'';
in {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
# User = "matrix-synapse";
# Group = "matrix-synapse";
User = "root";
Group = "root";
ExecStart = script;
Restart = "always";
};
environment = {
"SYNAPSE_REVITALIZATION_ADMIN_AUTH_TOKEN_FILE" = config.age.secrets.matrix_admin_api_token.path;
"SYNAPSE_REVITALIZATION_SERVER_KEY_FILE" = "/var/lib/matrix-synapse/homeserver.signing.key";
"SYNAPSE_REVITALIZATION_SERVER_NAME" = "nothing.run";
"SYNAPSE_REVITALIZATION_SERVER_ADDRESS" = "matrix.nothing.run";
};
};
}
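Review bot: The unit runs as `User = "root"` although everything it reads — the `matrix_admin_api_token` secret (owner `matrix-synapse`, mode `0400`) and `/var/lib/matrix-synapse/homeserver.signing.key` — is owned by `matrix-synapse`; the commented `User`/`Group` lines are the least-privilege choice, combined with `SupplementaryGroups = [ "systemd-journal" ];` so that `journalctl -f -u matrix-synapse` can still read the log. The `while read` loop also backgrounds one `${pkg}` invocation per matching line with no bound, so a burst of "unknown room_id" lines fans out an unbounded number of processes; a comment stating that this is accepted, or a simple cap, would help the next reader.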

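--- a/hosts/cepheus/synapse.nix
+++ b/hosts/cepheus/synapse.nix
@@ -0,0 +1,216 @@
+{ lib, config, pkgs, ... }:
+let
+domain = "nothing.run";
+ulid = "01K2FWKJXXG713J0PERVHJ54S3";
+in {
+environment.systemPackages = with pkgs; [ synapse synadm ];
+age.secrets.kanidm-oauth2-mas = lib.mkSecret "kanidm";
+services.kanidm.provision = {
+groups."matrix.access" = {};
+# groups."matrix.admins" = {};
+systems.oauth2.matrix = {
+displayName = "matrix";
+originUrl = "https://mas.nothing.run/upstream/callback/${ulid}";
+originLanding = "https://mas.nothing.run/";
+basicSecretFile = config.age.secrets.kanidm-oauth2-mas.path;
+scopeMaps."matrix.access" = [
+"openid"
+"email"
+"profile"
+];
+allowInsecureClientDisablePkce = false;
+# enableLegacyCrypto = true;
+preferShortUsername = true;
+# claimMaps.groups = {
+# joinType = "array";
+# valuesByGroup."matrix.admins" = [ "admins" ];
+# };
+};
+};
+# containers.matrix-synapse = {
+# autoStart = true;
+# bindMounts = {
+# "/var/lib/matrix-synapse" = { hostPath = "/nix/persist/services/synapse/data"; isReadOnly = false; };
+# "/var/lib/postgresql" = { hostPath = "/nix/persist/services/synapse/db"; isReadOnly = false; };
+# "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
+# };
+# hostAddress = "192.168.107.10";
+# localAddress = "192.168.107.11";
+#
+# privateNetwork = true;
+#
+# config = { ... }: {
+systemd.services.matrix-authentication-service =
+let config = pkgs.writeText "mas-configuration.json" (builtins.toJSON {
+upstream_oauth2.providers = [
+{
+id = ulid;
+issuer = "https://idm.nothing.run/oauth2/openid/matrix";
+token_endpoint_auth_method = "client_secret_basic";
+human_name = "matrix";
+client_id = "matrix";
+scope = "openid email profile";
+pkce_method = "always";
+claims_imports.localpart.action = "require";
+claims_imports.displayname.action = "ignore";
+claims_imports.email.action = "require";
+}
+];
+http = {
+public_base = "https://mas.nothing.run";
+listeners = [{
+name = "web";
+resources = [
+{ name = "discovery"; }
+{ name = "human"; }
+{ name = "oauth"; }
+{ name = "compat"; }
+{ name = "graphql"; }
+{
+name = "assets";
+path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets";
+} # What is it?
+];
+binds = [{
+host = "127.0.0.1";
+port = 8086;
+}];
+proxy_protocol = false;
+}];
+};
+# database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql";
+database.uri = "postgresql://matrix-authentication-service@127.0.0.1:5432/matrix-authentication-service";
+matrix = {
+kind = "synapse";
+homeserver = "nothing.run";
+endpoint = "https://matrix.nothing.run:443";
+};
+passwords = {
+enabled = true;
+schemes = [
+{
+version = 2;
+algorithm = "argon2id";
+}
+{
+version = 1;
+algorithm = "bcrypt";
+unicode_normalization = true;
+}
+];
+minimum_complexity = 8;
+};
+});
+in {
+enable = true;
+description = "Matrix Authentication Service";
+# wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${lib.getExe pkgs.matrix-authentication-service} --config ${config}";
+Restart = "on-failure";
+RestartSec = "10s";
+};
+};
+services.postgresql = {
+ensureDatabases = [ "matrix-authentication-service" ];
+ensureUsers = [
+{
+name = "matrix-authentication-service";
+ensureDBOwnership = true;
+}
+];
+};
+services.matrix-synapse = {
+enable = true;
+settings = {
+server_name = domain;
+enable_metrics = true;
+listeners = [
+{ port = 8008;
+bind_addresses = [ "0.0.0.0" ];
+type = "http";
+tls = false;
+x_forwarded = true;
+resources = [ {
+names = [ "client" "federation" ];
+compress = true;
+} ];
+}
+# { port = 3002; # Metrics
+# bind_addresses = [ "0.0.0.0" ];
+# # type = "metrics";
+# type = "http";
+# tls = false;
+# x_forwarded = true;
+# resources = [ {
+# names = [ "metrics" ];
+# compress = true;
+# } ];
+# }
+];
+database = {
+name = "psycopg2";
+args = let db = "matrix-synapse"; in {
+user = db;
+database = db;
+};
+};
+# registration_shared_secret = secrets.matrix.shared_secret;
+registration_shared_secret = pkgs.lib.readFile "${pkgs.runCommand "timestamp" {} "echo `cat /dev/random | head -c 50 | base64` > $out"}";
+max_upload_size = "20M";
+enable_authenticated_media = true;
+require_auth_for_profile_requests = true;
+enable_registration_captcha = false;
+enable_registration = false;
+};
+# log.root.level = "ERROR";
+log.root.level = "INFO";
+};
+# networking.firewall.allowedTCPPorts = [ 8008 8080 ];
+# };
+# };
+# services.caddy = {
+# virtualHosts = {
+# "matrix.${domain}".extraConfig = ''
+# reverse_proxy /_matrix/* http://192.168.107.11:8008
+# reverse_proxy /_synapse/client/* http://192.168.107.11:8008
+# reverse_proxy /client/* http://192.168.107.11:8008
+# reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://192.168.107.11:8008
+# reverse_proxy /_synapse/admin/* http://192.168.107.11:8008
+# '';
+# # Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
+#
+# "mas.${domain}".extraConfig = ''
+# reverse_proxy http://192.168.107.11:8080
+# '';
+# };
+# };
+services.caddy = {
+virtualHosts = {
+"matrix.${domain}".extraConfig = ''
+reverse_proxy /_matrix/* http://127.0.0.1:8008
+reverse_proxy /_synapse/client/* http://127.0.0.1:8008
+reverse_proxy /client/* http://127.0.0.1:8008
+reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://127.0.0.1:8008
+reverse_proxy /_synapse/admin/* http://127.0.0.1:8008
+'';
+# Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
+"mas.${domain}".extraConfig = ''
+reverse_proxy http://127.0.0.1:8086
+'';
+};
+};
+}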
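Review bot: `registration_shared_secret` is produced by `pkgs.runCommand` and pulled in with `readFile`, so the secret ends up in the world-readable Nix store (and in the rendered homeserver config), and because the `echo` newline is never stripped the configured value ends in `\n`; the module's `extraConfigFiles` option pointing at an agenix-managed file is the usual way to keep it out of the store, mirroring how this commit handles `kanidm-oauth2-mas`. The Synapse listener binds `bind_addresses = [ "0.0.0.0" ]` with `x_forwarded = true` while Caddy proxies to `127.0.0.1:8008`, so `bind_addresses = [ "127.0.0.1" ];` would stop any other host on the network from reaching Synapse directly with a forged `X-Forwarded-For`; the host firewall may block 8008 today, but the commented `allowedTCPPorts` line suggests that is not a deliberate boundary. For `matrix-authentication-service`, `wantedBy` is commented out so the unit is not started at boot, and the `client_secret_basic` provider entry carries no `client_secret` even though `kanidm-oauth2-mas` is provisioned — unless a second config file supplies it, MAS presumably cannot authenticate to Kanidm. The `database.uri` over `127.0.0.1:5432` also carries no password, which works only if the PostgreSQL `authentication` rules (not in this hunk) permit it; the commented socket URI would use peer auth instead.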