Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

start refactoring shared code into modules, update the lock, do some other minor fixes

Browse source
This commit is contained in:
Lillian Violet 2026-03-12 14:26:14 +01:00
parent c2780184c2
commit 5527f50a3b
43 changed files with 2348 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

153
modules/nixos/shared-packages/server-settings/conduit/default.nix Normal file
View file

@ -0,0 +1,153 @@
{
config,
pkgs,
...
}: let
# You'll need to edit these values
# The hostname that will appear in your user and room IDs
server_name = "matrix.gladtherescake.eu";
# An admin email for TLS certificate notifications
admin_email = "letsencrypt@gladtherescake.eu";
# These ones you can leave alone
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
"m.server": "${server_name}"
}
'';
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
"base_url": "https://${server_name}"
}
}
'';
in {
# Configure continuwuity itself
services.matrix-continuwuity = {
enable = true;
settings.global = {
inherit server_name;
allow_registration = false;
# emergency_password = "testpassword";
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
well_known = {
server = "matrix.gladtherescake.eu:443";
client = "https://matrix.gladtherescake.eu";
};
};
};
# Configure automated TLS acquisition/renewal
security.acme = {
acceptTerms = true;
defaults = {
email = admin_email;
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
services.nginx = {
enable = true;
virtualHosts = {
"${server_name}" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_continuwuity";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
locations."=/.well-known/matrix/server" = {
# Use the contents of the derivation built previously
alias = "${well_known_server}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
'';
};
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
# https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
add_header Access-Control-Allow-Origin "*";
'';
};
locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true;
recommendedProxySettings = false;
return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
};
upstreams = {
"backend_continuwuity" = {
servers = {
"[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {};
};
};
};
};
# Open firewall ports for HTTP, HTTPS, and Matrix federation
networking.firewall.allowedTCPPorts = [80 443 8448];
networking.firewall.allowedUDPPorts = [80 443 8448];
}