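{ lib, config, pkgs, ... }:
# Matrix stack for one host: Synapse as the homeserver, matrix-authentication-service
# (MAS) as the OIDC login front-end, Kanidm as MAS's upstream identity provider and
# Caddy as the TLS-terminating reverse proxy in front of Synapse and MAS.
let
  domain = "nothing.run";
  # Shared identifier: it is both the last path segment of the Kanidm redirect URI and
  # the `id` of the MAS upstream provider. The two must agree or the callback is rejected.
  ulid = "01K2FWKJXXG713J0PERVHJ54S3";
in
{
  environment.systemPackages = with pkgs; [ synapse synadm ];

  # OAuth2 client secret Kanidm issues to MAS; decrypted by agenix at activation time.
  age.secrets.kanidm-oauth2-mas = lib.mkSecret "kanidm";
  # Synapse registration shared secret, supplied as a file so that it never lands in the
  # world-readable Nix store (see registration_shared_secret_path below).
  # NOTE(review): the lib.mkSecret argument mirrors the kanidm entry above; confirm what
  # that argument selects (owner, file name, ...) and that the decrypted file is readable
  # by the matrix-synapse service user.
  age.secrets.synapse-registration-shared-secret = lib.mkSecret "matrix-synapse";

  services.kanidm.provision = {
    groups."matrix.access" = {};
    # groups."matrix.admins" = {};
    systems.oauth2.matrix = {
      displayName = "matrix";
      originUrl = "https://mas.nothing.run/upstream/callback/${ulid}";
      originLanding = "https://mas.nothing.run/";
      basicSecretFile = config.age.secrets.kanidm-oauth2-mas.path;
      scopeMaps."matrix.access" = [ "openid" "email" "profile" ];
      # PKCE stays mandatory on the Kanidm side; MAS below is configured with
      # pkce_method = "always" to match.
      allowInsecureClientDisablePkce = false;
      # enableLegacyCrypto = true;
      preferShortUsername = true;
      # claimMaps.groups = {
      #   joinType = "array";
      #   valuesByGroup."matrix.admins" = [ "admins" ];
      # };
    };
  };

  # Earlier containerised deployment, kept for reference.
  # containers.matrix-synapse = {
  #   autoStart = true;
  #   bindMounts = {
  #     "/var/lib/matrix-synapse" = { hostPath = "/nix/persist/services/synapse/data"; isReadOnly = false; };
  #     "/var/lib/postgresql" = { hostPath = "/nix/persist/services/synapse/db"; isReadOnly = false; };
  #     "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
  #   };
  #   hostAddress = "192.168.107.10";
  #   localAddress = "192.168.107.11";
  #   # privateNetwork = true;
  #
  #   config = { ... }: {

  systemd.services.matrix-authentication-service = let
    # Rendered MAS configuration. Named masConfig rather than config so the module
    # argument `config` is not shadowed inside this service definition.
    masConfig = pkgs.writeText "mas-configuration.json" (builtins.toJSON {
      upstream_oauth2.providers = [
        {
          id = ulid;
          issuer = "https://idm.nothing.run/oauth2/openid/matrix";
          token_endpoint_auth_method = "client_secret_basic";
          human_name = "matrix";
          client_id = "matrix";
          scope = "openid email profile";
          pkce_method = "always";
          claims_imports.localpart.action = "require";
          claims_imports.displayname.action = "ignore";
          claims_imports.email.action = "require";
          # NOTE(review): no client_secret is set here although the auth method is
          # client_secret_basic, and no top-level `secrets` section (encryption key,
          # signing keys) appears in this file; confirm both are supplied from another
          # configuration source before relying on this service.
        }
      ];
      http = {
        public_base = "https://mas.nothing.run";
        listeners = [{
          name = "web";
          resources = [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            # Static files (CSS/JS/images) for MAS's web pages, served straight from
            # the package's share directory.
            { name = "assets"; path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets"; }
          ];
          # Loopback only: Caddy (below) is the only intended client.
          binds = [{ host = "127.0.0.1"; port = 8086; }];
          proxy_protocol = false;
        }];
      };
      # database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql";
      # NOTE(review): TCP to localhost without a password in the URI relies on the
      # server's pg_hba rules for that user; the Unix-socket form above would use peer
      # authentication instead. Confirm which one the PostgreSQL module is set up for.
      database.uri = "postgresql://matrix-authentication-service@127.0.0.1:5432/matrix-authentication-service";
      matrix = {
        kind = "synapse";
        homeserver = "nothing.run";
        # Reaches Synapse via the public Caddy vhost rather than the local listener.
        endpoint = "https://matrix.nothing.run:443";
      };
      passwords = {
        enabled = true;
        # Highest version is used for new hashes; older schemes remain verifiable.
        schemes = [
          { version = 2; algorithm = "argon2id"; }
          { version = 1; algorithm = "bcrypt"; unicode_normalization = true; }
        ];
        minimum_complexity = 8;
      };
    });
  in {
    enable = true;
    description = "Matrix Authentication Service";
    # wantedBy = [ "multi-user.target" ];
    # NOTE(review): with wantedBy commented out the unit is never started at boot;
    # presumably intentional while the deployment is being brought up - confirm.
    # The database is local, so start after PostgreSQL is up.
    after = [ "postgresql.service" ];
    wants = [ "postgresql.service" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${lib.getExe pkgs.matrix-authentication-service} --config ${masConfig}";
      Restart = "on-failure";
      RestartSec = "10s";
    };
  };

  services.postgresql = {
    ensureDatabases = [ "matrix-authentication-service" ];
    ensureUsers = [ { name = "matrix-authentication-service"; ensureDBOwnership = true; } ];
    # NOTE(review): the matrix-synapse database referenced below is not created here;
    # confirm it is provisioned elsewhere (Synapse needs a C-collated database).
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      enable_metrics = true;
      listeners = [
        {
          port = 8008;
          # Loopback only: Caddy proxies from 127.0.0.1 and the firewall line below is
          # commented out. Because x_forwarded = true, a listener reachable from off-host
          # would let any direct client forge X-Forwarded-For and so its logged/rate-limited
          # address; binding to loopback closes that path.
          bind_addresses = [ "127.0.0.1" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [ { names = [ "client" "federation" ]; compress = true; } ];
        }
        # { port = 3002; # Metrics
        #   bind_addresses = [ "0.0.0.0" ];
        #   # type = "metrics";
        #   type = "http";
        #   tls = false;
        #   x_forwarded = true;
        #   resources = [ {
        #     names = [ "metrics" ];
        #     compress = true;
        #   } ];
        # }
      ];
      database = {
        name = "psycopg2";
        args = let db = "matrix-synapse"; in { user = db; database = db; };
      };
      # registration_shared_secret = secrets.matrix.shared_secret;
      # The previous approach generated the secret with runCommand and read it back with
      # readFile, which stored the secret in /nix/store (readable by every local user) and
      # copied it into the rendered homeserver config. Reading it from the agenix-managed
      # file at runtime keeps it out of the store; the value is still needed by
      # register_new_matrix_user / synadm even though open registration is disabled.
      registration_shared_secret_path = config.age.secrets.synapse-registration-shared-secret.path;
      max_upload_size = "20M";
      enable_authenticated_media = true;
      require_auth_for_profile_requests = true;
      enable_registration_captcha = false;
      enable_registration = false;
      # NOTE(review): nothing here delegates authentication to MAS (MSC3861 settings);
      # confirm that is configured in another module or logins will still go to Synapse.
    };
    # log.root.level = "ERROR";
    log.root.level = "INFO";
  };

  # networking.firewall.allowedTCPPorts = [ 8008 8080 ];
  # };
  # };

  # services.caddy = {
  #   virtualHosts = {
  #     "matrix.${domain}".extraConfig = ''
  #       reverse_proxy /_matrix/* http://192.168.107.11:8008
  #       reverse_proxy /_synapse/client/* http://192.168.107.11:8008
  #       reverse_proxy /client/* http://192.168.107.11:8008
  #       reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://192.168.107.11:8008
  #       reverse_proxy /_synapse/admin/* http://192.168.107.11:8008
  #     '';
  #     # Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
  #
  #     "mas.${domain}".extraConfig = ''
  #       reverse_proxy http://192.168.107.11:8080
  #     '';
  #   };
  # };

  services.caddy = {
    virtualHosts = {
      "matrix.${domain}".extraConfig = ''
        reverse_proxy /_matrix/* http://127.0.0.1:8008
        reverse_proxy /_synapse/client/* http://127.0.0.1:8008
        reverse_proxy /client/* http://127.0.0.1:8008
        reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync/* http://127.0.0.1:8008
        reverse_proxy /_synapse/admin/* http://127.0.0.1:8008
      '';
      # Add `reverse_proxy /_synapse/admin/* http://127.0.0.1:8008` to allow access to the admin API
      # The admin API route above is reachable from the internet; it is protected only by
      # the admin access token, so consider restricting it to trusted source addresses.

      "mas.${domain}".extraConfig = ''
        reverse_proxy http://127.0.0.1:8086
      '';
    };
  };
}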