2023-09-12 11:49:23 -07:00
|
|
|
{ config, lib, pkgs, ... }@toplevel:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.fudo.services.matrix;
|
|
|
|
|
|
|
|
hostname = config.instance.hostname;
|
|
|
|
|
2023-09-12 15:43:24 -07:00
|
|
|
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
|
|
|
|
|
2023-09-12 15:58:57 -07:00
|
|
|
openIdConfig = pkgs.writeText "matrix-openid.yaml" (builtins.toJSON {
|
2023-09-12 11:49:23 -07:00
|
|
|
oidc_providers = [{
|
|
|
|
idp_id = cfg.openid.provider;
|
2023-09-13 11:04:47 -07:00
|
|
|
idp_name = cfg.openid.provider-name;
|
2023-09-12 11:49:23 -07:00
|
|
|
discover = true;
|
2023-09-13 10:54:24 -07:00
|
|
|
issuer = cfg.openid.issuer;
|
2023-09-12 11:49:23 -07:00
|
|
|
client_id = cfg.openid.client-id;
|
|
|
|
client_secret = cfg.openid.client-secret;
|
|
|
|
scopes = [ "openid" "profile" "email" ];
|
|
|
|
user_mapping_provider.config = {
|
|
|
|
localpart_template = "{{ user.preferred_username }}";
|
2023-09-13 10:54:24 -07:00
|
|
|
display_name_template = "{{ user.name|capitalize }}";
|
2023-09-12 11:49:23 -07:00
|
|
|
};
|
|
|
|
}];
|
2023-09-12 15:58:57 -07:00
|
|
|
});
|
2023-09-12 11:49:23 -07:00
|
|
|
|
|
|
|
in {
|
|
|
|
options.fudo.services.matrix = with types; {
|
|
|
|
enable = mkEnableOption "Enable Matrix server.";
|
|
|
|
|
|
|
|
state-directory = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = "Directory at which to store server state data.";
|
|
|
|
};
|
|
|
|
|
|
|
|
server-name = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = ''
|
|
|
|
Hostname at which the server can be reached.
|
|
|
|
|
|
|
|
Also the tag at the end of the username: @user@my-server.com.
|
|
|
|
|
|
|
|
Can be redirected to the actual server. See:
|
|
|
|
|
|
|
|
https://nixos.org/manual/nixos/stable/#module-services-matrix-synapse
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
hostname = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = "Hostname at which the server can be reached.";
|
2023-09-17 23:44:42 -07:00
|
|
|
default = toplevel.config.fudo.services.matrix.server-name;
|
2023-09-12 11:49:23 -07:00
|
|
|
};
|
|
|
|
|
2023-09-12 15:53:00 -07:00
|
|
|
port = mkOption {
|
|
|
|
type = port;
|
|
|
|
description = "Local port to use for Matrix.";
|
|
|
|
default = 7520;
|
|
|
|
};
|
|
|
|
|
2023-09-12 11:49:23 -07:00
|
|
|
openid = {
|
|
|
|
provider = mkOption {
|
2023-09-13 11:04:47 -07:00
|
|
|
type = str;
|
|
|
|
description = "Name/ID of the authentication provider.";
|
|
|
|
};
|
|
|
|
|
|
|
|
provider-name = mkOption {
|
2023-09-12 11:49:23 -07:00
|
|
|
type = str;
|
|
|
|
description = "Name of the authentication provider.";
|
|
|
|
};
|
|
|
|
|
|
|
|
client-id = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = "OpenID Client ID.";
|
|
|
|
};
|
|
|
|
|
|
|
|
client-secret = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = "OpenID Client Secret.";
|
|
|
|
};
|
2023-09-13 10:54:24 -07:00
|
|
|
|
|
|
|
issuer = mkOption {
|
|
|
|
type = str;
|
|
|
|
description = "OpenID issuer URL.";
|
|
|
|
};
|
2024-02-13 15:01:27 -08:00
|
|
|
|
|
|
|
jwt-secret = mkOption {
|
|
|
|
type = nullOr str;
|
|
|
|
description = "JWT secret, for decoding requests";
|
|
|
|
default = null;
|
|
|
|
};
|
2023-09-12 11:49:23 -07:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-09-17 23:46:00 -07:00
|
|
|
config = mkIf cfg.enable {
|
2023-09-12 11:49:23 -07:00
|
|
|
fudo.secrets.host-secrets."${hostname}".matrixOpenIdConfig = {
|
|
|
|
source-file = openIdConfig;
|
|
|
|
target-file = "/run/matrix/openid.cfg";
|
|
|
|
user = config.systemd.services.matrix-synapse.serviceConfig.User;
|
|
|
|
};
|
|
|
|
|
2023-09-12 20:06:53 -07:00
|
|
|
systemd = {
|
|
|
|
tmpfiles.rules =
|
|
|
|
let user = config.systemd.services.matrix-synapse.serviceConfig.User;
|
2023-09-12 20:57:31 -07:00
|
|
|
in [
|
|
|
|
"d ${cfg.state-directory}/secrets 0700 ${user} root - -"
|
|
|
|
"d ${cfg.state-directory}/database 0700 ${user} root - -"
|
|
|
|
"d ${cfg.state-directory}/media 0700 ${user} root - -"
|
|
|
|
];
|
2023-09-12 20:06:53 -07:00
|
|
|
services.matrix-synapse.serviceConfig.ReadWritePaths =
|
|
|
|
[ cfg.state-directory ];
|
|
|
|
};
|
2023-09-12 16:23:05 -07:00
|
|
|
|
2023-09-13 15:16:33 -07:00
|
|
|
networking.firewall.allowedTCPPorts = [ 8008 8448 ];
|
|
|
|
|
2023-09-12 11:49:23 -07:00
|
|
|
services = {
|
|
|
|
matrix-synapse = {
|
|
|
|
enable = true;
|
|
|
|
withJemalloc = true;
|
|
|
|
settings = {
|
|
|
|
server_name = cfg.server-name;
|
|
|
|
public_baseurl = "https://${cfg.hostname}";
|
|
|
|
dynamic_thumbnails = true;
|
|
|
|
max_upload_size = "100M";
|
|
|
|
media_store_path = "${cfg.state-directory}/media";
|
2023-09-12 20:57:31 -07:00
|
|
|
signing_key_path = "${cfg.state-directory}/secrets/signing.key";
|
2024-01-16 10:42:31 -08:00
|
|
|
# Only to trigger the inclusion of oidc deps, actual config is elsewhere
|
|
|
|
oidc_providers = [ ];
|
2024-02-13 15:01:27 -08:00
|
|
|
jwt_config = mkIf (cfg.openid.jwt-secret != null) {
|
2024-02-13 10:13:30 -08:00
|
|
|
enabled = true;
|
2024-02-13 16:18:02 -08:00
|
|
|
algorithm = "RS256";
|
2024-02-13 15:01:27 -08:00
|
|
|
secret = cfg.openid.jwt-secret;
|
2024-02-14 23:02:25 -08:00
|
|
|
audiences = [ cfg.openid.client-id ];
|
2024-02-13 10:13:30 -08:00
|
|
|
};
|
2023-09-12 11:49:23 -07:00
|
|
|
listeners = [{
|
|
|
|
port = cfg.port;
|
2024-01-16 12:19:07 -08:00
|
|
|
bind_addresses = [ "127.0.0.1" ];
|
2023-09-12 11:49:23 -07:00
|
|
|
type = "http";
|
|
|
|
tls = false;
|
|
|
|
x_forwarded = true;
|
|
|
|
resources = [{
|
|
|
|
names = [ "client" "federation" ];
|
|
|
|
compress = true;
|
|
|
|
}];
|
|
|
|
}];
|
|
|
|
database = {
|
|
|
|
name = "sqlite3";
|
|
|
|
args.database = "${cfg.state-directory}/database/data.db";
|
|
|
|
};
|
|
|
|
};
|
2024-02-13 15:01:27 -08:00
|
|
|
extras = [ "url-preview" ]
|
|
|
|
++ (optional (cfg.openid.jwt-secret != null) "jwt");
|
2023-09-12 15:48:24 -07:00
|
|
|
extraConfigFiles = [ hostSecrets.matrixOpenIdConfig.target-file ];
|
2024-02-13 09:30:58 -08:00
|
|
|
configureRedisLocally = true;
|
2023-09-12 11:49:23 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
nginx = {
|
|
|
|
enable = true;
|
|
|
|
virtualHosts = {
|
|
|
|
"${cfg.hostname}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
2023-09-13 15:00:47 -07:00
|
|
|
listen = [
|
|
|
|
{
|
|
|
|
addr = "0.0.0.0";
|
|
|
|
port = 80;
|
|
|
|
ssl = false;
|
|
|
|
}
|
|
|
|
{
|
|
|
|
addr = "0.0.0.0";
|
|
|
|
port = 443;
|
|
|
|
ssl = true;
|
|
|
|
}
|
|
|
|
{
|
|
|
|
addr = "0.0.0.0";
|
|
|
|
port = 8008;
|
|
|
|
ssl = false;
|
|
|
|
}
|
|
|
|
{
|
|
|
|
addr = "0.0.0.0";
|
|
|
|
port = 8448;
|
|
|
|
ssl = true;
|
|
|
|
}
|
|
|
|
];
|
2023-09-13 15:48:38 -07:00
|
|
|
locations."/".extraConfig = "return 404;";
|
|
|
|
locations."/_matrix" = {
|
2023-09-17 23:41:39 -07:00
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
2023-09-13 15:48:38 -07:00
|
|
|
recommendedProxySettings = true;
|
2023-09-12 11:49:23 -07:00
|
|
|
proxyWebsockets = true;
|
2023-09-13 15:48:38 -07:00
|
|
|
};
|
|
|
|
locations."/_synapse/client" = {
|
2023-09-17 23:41:39 -07:00
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
2023-09-12 11:49:23 -07:00
|
|
|
recommendedProxySettings = true;
|
2023-09-13 15:48:38 -07:00
|
|
|
proxyWebsockets = true;
|
2023-09-12 11:49:23 -07:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|