sprechtl/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: matrix works now trust me bro

Browse source
This commit is contained in:
s-prechtl 2025-07-14 17:11:11 +02:00
parent 24cc3b5329
commit 44fc904ae6
1 changed files with 80 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

151
hosts/hitsugibune/matrix.nix
View file

@ -1,78 +1,85 @@
{ { pkgs, lib, config, ... }:
config, let
pkgs, fqdn = "matrix.sprechtl.me";
lib, baseUrl = "https://${fqdn}";
... clientConfig."m.homeserver".base_url = baseUrl;
}: { serverConfig."m.server" = "${fqdn}:443";
# enable coturn mkWellKnown = data: ''
services.coturn = rec { default_type application/json;
enable = true; add_header Access-Control-Allow-Origin *;
no-cli = true; return 200 '${builtins.toJSON data}';
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret = "samc";
realm = "sprechtl.ddns.net";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
''; '';
in {
config.networking.domain = "sprechtl.me";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.postgresql.enable = true;
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# If the A and AAAA DNS records on example.org do not point on the same host as the
# records for myhostname.example.org, you can easily move the /.well-known
# virtualHost section of the code to the host that is serving example.org, while
# the rest stays on myhostname.example.org with no other changes required.
# This pattern also allows to seamlessly move the homeserver from
# myhostname.example.org to myotherhost.example.org by only changing the
# /.well-known redirection target.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}; };
# open the firewall "${fqdn}" = {
networking.firewall = { enableACME = true;
interfaces.enp2s0 = let forceSSL = true;
range = with config.services.coturn; [ # It's also possible to do a redirect here or something else, this vhost is not
{ # needed for Matrix. It's recommended though to *not put* element
from = min-port; # here, see also the section about Element.
to = max-port; locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://[::1]:8008";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
};
};
services.matrix-synapse = {
enable = true;
settings.server_name = config.networking.domain;
# The public base URL value must match the `base_url` value set in `clientConfig` above.
# The default value here is based on `server_name`, so if your `server_name` is different
# from the value of `fqdn` above, you will likely run into some mismatched domain names
# in client applications.
settings.public_baseurl = baseUrl;
settings.listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = true;
} ];
} }
]; ];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [3478 5349];
allowedTCPPortRanges = [];
allowedTCPPorts = [80 3478 5349];
};
};
# get a certificate
security.acme.defaults.email = "stefan@tague.at";
security.acme.acceptTerms = true;
security.acme.certs.${config.services.coturn.realm} = {
listenHTTP = "0.0.0.0:80";
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
# configure synapse to point users to coturn
services.matrix-synapse.settings = with config.services.coturn; {
turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
turn_shared_secret = static-auth-secret;
turn_user_lifetime = "1h";
}; };
} }