feat: samc

hosts/hitsugibune/immich.nix

@@ -36,7 +36,23 @@ in
     locations."/" = {
       proxyPass = "http://localhost:2283";
       proxyWebsockets = true;
-      extraConfig = "client_max_body_size 50000M;";  # for large video uploads
+      # https://docs.immich.app/administration/reverse-proxy/
+      extraConfig = ''
+          # allow large file uploads
+          client_max_body_size 50000M;
+
+          # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
+          proxy_request_buffering off;
+
+          # increase body buffer to avoid limiting upload speed
+          client_body_buffer_size 1024k;
+
+          # Set headers
+          proxy_set_header Host              $host;
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+    '';
     };
   };
 }

hosts/hitsugibune/matrix.nix

@@ -22,13 +22,19 @@ in {
     group = "matrix-synapse";
   };
 
+  age.secrets.matrix-oidc = {
+    file = ../../secrets/matrix-oidc.age;
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
   age.secrets.mautrix-signal = {
     file = ../../secrets/mautrix-signal.age;
     owner = "mautrix-signal";
     group = "mautrix-signal";
   };
   age.secrets.mautrix-signal-puppeting = {
-    file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML
+    file = ../../secrets/mautrix-signal-puppeting.yaml.age;
     owner = "mautrix-signal";
     group = "mautrix-signal";
     mode = "0640";
@@ -176,34 +182,41 @@ in {
 
   services.matrix-synapse = {
     enable = true;
-    settings.server_name = config.networking.domain;
+    extras = [ "oidc" ];
     # The public base URL value must match the `base_url` value set in `clientConfig` above.
     # The default value here is based on `server_name`, so if your `server_name` is different
     # from the value of `fqdn` above, you will likely run into some mismatched domain names
     # in client applications.
-    settings.public_baseurl = baseUrl;
+    settings = {
-    settings.enable_registration = false;
+      server_name = config.networking.domain;
-    enableRegistrationScript = true;
+      public_baseurl = baseUrl;
-    settings.listeners = [
+      enable_registration = false;
-      {
+      enableRegistrationScript = true;
-        port = 8008;
+      listeners = [
-        bind_addresses = ["::1"];
+        {
-        type = "http";
+          port = 8008;
-        tls = false;
+          bind_addresses = ["::1"];
-        x_forwarded = true;
+          type = "http";
-        resources = [
+          tls = false;
-          {
+          x_forwarded = true;
-            names = ["client" "federation"];
+          resources = [
-            compress = true;
+            {
-          }
+              names = ["client" "federation"];
-        ];
+              compress = true;
-      }
+            }
-    ];
+          ];
+        }
+      ];
+      log_level = "DEBUG";
+    };
     settings.app_service_config_files = [
       "/var/lib/mautrix-signal/double-puppeting.yaml"
     ];
 
-    extraConfigFiles = [config.age.secrets.matrix.path];
+    extraConfigFiles = [
+      config.age.secrets.matrix.path
+      config.age.secrets.matrix-oidc.path
+    ];
     settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
     settings.turn_user_lifetime = "1h";
   };

secrets/matrix-oidc.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 7PLkJg XYa7BZNJcLeaFg9P0jVzv/OsvPw5WZhAnIJYdqwGNG0
+HQfQNXNFK1Q9nHBQddY+kOu91gn+1my2jsSO2iEWpAA
+-> ssh-rsa LgF3EQ
+ph+gT+EolN+nBl989531YlE+toiafZ9CUuJgjjBimMh9d3WXe4ZAYLwG8xMnziPZ
+wATCLDU1RnC1twwDLOj5O17DdvofDJgf1b5FO5oxOvMyqdebGsxDiJQSnslbF7lK
+rAIaUqbW/T/RfpMSZM39UrW/K3JeATaOh2dynKZZWEQLdnXt3UU/LJ/YZCQAwtLk
+/EvBQvgmke7dW2yYX0Sc9QZveTJWtTRNtYjE2vgC53ytl+JIpKdIPW/rj+vdj5Ed
+IWUax99IpMdHAlHB5AKwZKmLeOpbFMhJKC0q+O3MFlUdmFKIYnwtVu2m5ZW+pZb+
+IXp9SdjQ4Dt89cT686tHgE+gHyvhwZiHmNDbJKL/35yCXwJIdKEWjcO3j1KvRi/H
+O0msPNnpYycqlg4C1H0psiuZ3g7U/PYhkAPTKBajafPOcddKbOJeLZo9u07gQZEb
+xeNxPivEH7R54+eQQAX/dOHqjgelBB1fBNNWZ0Pu/gQT1nYxRRWoqjdTdgGNuucQ
+
+--- GjXC5GUW8+bfp5Jb2+hzi2AZNuffI0TwUeyLaUQAUww
+ÚŮt±#ĄËaĘŇ40­çCë<14>¶™cA0÷aü0ĆĹü<C4B9>„<EFBFBD>»ž.ó5ś¦€łYňČž«•đlyň<79>u˘
ľkŞFśŐ­Ĺ§y!g¸¸?˙ŮŤWk‘$¬Ln
Ś€ŚĐf‡tłŁ…;+˛çиT	/śŘ‚îUUC
§$'—I»&ęÄ&ˇäjě(ëŚg(W–× 6ż`ŽZ¦ Îq<C38E>bŹĎ’mJĆ}ĹĚľěč¦ěKŰ÷Ă0AS®PˇuŐęL÷<4C>đżi^:Ű<>Ő=ŚÓ&ü-@oB(wX¬ţS®ĚhRł1äňöÔ'´¨í$ťXÎ$i«–®tÔG˛_2ď’‘"Ľ5[‰O€‚‹VeŢ:łyÍqťŘ‹<Xc•ŕ«‡ËjN†„ÓË/ľěI<>¬ÖŢŮ5®
+‰6„“ÝěÂYzXŞÜFz(6ÖÖ
[Ďbs°. .gb¸SĽGš]Ź<>|b§O‡ęčBˇˇ@Ć÷´k·3Ć^<5E>Ö˛€M%#D;ŽA<˙s8äOŘď+eL‚¶ýĂęc|d-%V'C"a}»¶?Í{ęęáĽřkTŔńÇiĎŠöô`Îe.z°?ÖçE
Ů+˙Ěů=fZ<66>f(óŐďĎqČ<71>×L-‚/I3¤>•ý űéÜŤ˝|Ű>gźÇ·`ü˘”D°ÖµY><3E>Édă«í–$‹Ń¦žKkBŐSú ÝmĎׄ?a„ZŇ%Śj0w‰›«Éľ˝Qź$Ü‹pűÓČfľth
ć-	‰«3[A2ěś…”ű:Ls( áUÓ‡é
ű+
:÷YęÓ

secrets/secrets.nix

@@ -12,6 +12,7 @@ in {
   "speedtest-tracker.age".publicKeys = [saberofxebec key];
   "homarr.age".publicKeys = [saberofxebec key];
   "matrix.age".publicKeys = [hitsugibune key];
+  "matrix-oidc.age".publicKeys = [hitsugibune key];
   "mautrix-signal.age".publicKeys = [hitsugibune key];
   "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key];
   "mautrix-whatsapp.age".publicKeys = [hitsugibune key];