public
/
matrix-module
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
matrix-module/matrix-module.nix

141 lines
3.8 KiB
Nix
Raw Normal View History

initial checkin
2023-09-12 11:49:23 -07:00
{ config, lib, pkgs, ... }@toplevel:
with lib;
let
cfg = config.fudo.services.matrix;
hostname = config.instance.hostname;
Define hostSecrets
2023-09-12 15:43:24 -07:00
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
toJSON gives a string, not a file
2023-09-12 15:58:57 -07:00
openIdConfig = pkgs.writeText "matrix-openid.yaml" (builtins.toJSON {
initial checkin
2023-09-12 11:49:23 -07:00
oidc_providers = [{
idp_id = cfg.openid.provider;
idp_name = cfg.openid.provider;
discover = true;
issuer = "https://authentik.fudo.org/application/o/matrix/";
client_id = cfg.openid.client-id;
client_secret = cfg.openid.client-secret;
scopes = [ "openid" "profile" "email" ];
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name | capitalize }}";
};
}];
toJSON gives a string, not a file
2023-09-12 15:58:57 -07:00
});
initial checkin
2023-09-12 11:49:23 -07:00
in {
options.fudo.services.matrix = with types; {
enable = mkEnableOption "Enable Matrix server.";
state-directory = mkOption {
type = str;
description = "Directory at which to store server state data.";
};
server-name = mkOption {
type = str;
description = ''
Hostname at which the server can be reached.
Also the tag at the end of the username: @user@my-server.com.
Can be redirected to the actual server. See:
https://nixos.org/manual/nixos/stable/#module-services-matrix-synapse
'';
};
hostname = mkOption {
type = str;
description = "Hostname at which the server can be reached.";
default = toplevel.config.services.matrixContainer.server-name;
};
Define port option
2023-09-12 15:53:00 -07:00
port = mkOption {
type = port;
description = "Local port to use for Matrix.";
default = 7520;
};
initial checkin
2023-09-12 11:49:23 -07:00
openid = {
provider = mkOption {
type = str;
description = "Name of the authentication provider.";
};
client-id = mkOption {
type = str;
description = "OpenID Client ID.";
};
client-secret = mkOption {
type = str;
description = "OpenID Client Secret.";
};
};
};
config = {
fudo.secrets.host-secrets."${hostname}".matrixOpenIdConfig = {
source-file = openIdConfig;
target-file = "/run/matrix/openid.cfg";
user = config.systemd.services.matrix-synapse.serviceConfig.User;
};
Make state-directory a read/write path
2023-09-12 20:06:53 -07:00
systemd = {
tmpfiles.rules =
let user = config.systemd.services.matrix-synapse.serviceConfig.User;
in [ "d ${cfg.state-directory} 0700 ${user} root - -" ];
services.matrix-synapse.serviceConfig.ReadWritePaths =
[ cfg.state-directory ];
};
Ensure directory exists
2023-09-12 16:23:05 -07:00
initial checkin
2023-09-12 11:49:23 -07:00
services = {
matrix-synapse = {
enable = true;
withJemalloc = true;
settings = {
server_name = cfg.server-name;
public_baseurl = "https://${cfg.hostname}";
dynamic_thumbnails = true;
max_upload_size = "100M";
media_store_path = "${cfg.state-directory}/media";
signing_key_path = "${cfg.state-directory}/signing.key";
listeners = [{
port = cfg.port;
bind_addresses = [ "127.0.0.1" "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}];
database = {
name = "sqlite3";
args.database = "${cfg.state-directory}/database/data.db";
};
};
extraConfigFile -> extraConfigFiles
2023-09-12 15:48:24 -07:00
extraConfigFiles = [ hostSecrets.matrixOpenIdConfig.target-file ];
initial checkin
2023-09-12 11:49:23 -07:00
};
nginx = {
enable = true;
virtualHosts = {
"${cfg.hostname}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
};
};
};
}