NixOS-Config/nixos/server/package-configs/conduit/default.nix

154 lines
4 KiB
Nix
Raw Normal View History

2024-01-21 22:58:18 +01:00
{
config,
pkgs,
inputs,
2024-03-14 15:41:41 +01:00
lib,
2024-01-21 22:58:18 +01:00
...
}: let
# You'll need to edit these values
# The hostname that will appear in your user and room IDs
server_name = "matrix.gladtherescake.eu";
# An admin email for TLS certificate notifications
admin_email = "letsencrypt@gladtherescake.eu";
# These ones you can leave alone
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
2024-03-14 13:57:06 +01:00
"m.server": "${server_name}"
}
'';
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
2024-03-14 13:57:06 +01:00
"base_url": "https://${server_name}"
}
}
'';
in {
# Configure Conduit itself
2024-01-21 22:58:18 +01:00
services.matrix-conduit = {
enable = true;
# This causes NixOS to use the flake defined in this repository instead of
# the build of Conduit built into nixpkgs.
package = inputs.conduwuit.packages.${pkgs.system}.default;
2024-01-21 22:58:18 +01:00
settings.global = {
inherit server_name;
2024-03-24 22:02:19 +01:00
database_backend = "rocksdb";
2024-03-24 22:22:00 +01:00
allow_registration = false;
2024-03-24 22:53:32 +01:00
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
2024-01-21 22:58:18 +01:00
};
};
# Configure automated TLS acquisition/renewal
security.acme = {
acceptTerms = true;
defaults = {
email = admin_email;
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
2024-01-21 22:58:18 +01:00
services.nginx = {
enable = true;
2024-01-21 22:58:18 +01:00
virtualHosts = {
2024-03-14 13:57:06 +01:00
"${server_name}" = {
2024-01-21 22:58:18 +01:00
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_conduit";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
locations."=/.well-known/matrix/server" = {
# Use the contents of the derivation built previously
alias = "${well_known_server}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
'';
};
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
# https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
add_header Access-Control-Allow-Origin "*";
'';
};
2024-05-10 00:25:11 +02:00
locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
proxyPass = "http://backend_conduit/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true;
2024-05-10 00:27:22 +02:00
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
};
upstreams = {
"backend_conduit" = {
servers = {
"[::1]:${toString config.services.matrix-conduit.settings.global.port}" = {};
};
2024-01-21 22:58:18 +01:00
};
};
};
# Open firewall ports for HTTP, HTTPS, and Matrix federation
networking.firewall.allowedTCPPorts = [80 443 8448];
networking.firewall.allowedUDPPorts = [80 443 8448];
}