public
/
matrix-module
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial checkin

This commit is contained in:
niten 2023-09-12 11:49:23 -07:00
commit 8288d3cc88
2 changed files with 151 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
flake.nix Normal file
View File

@ -0,0 +1,12 @@
{
description = "Matrix configuration module.";
inputs = { nixpkgs.url = "nixpkgs/nixos-23.05"; };
outputs = { self, nixpkgs, ... }: {
nixosModules = rec {
default = matrix;
matrix = { ... }: { imports = [ ./matrix-module.nix ]; };
};
};
}

139
matrix-module.nix Normal file
View File

@ -0,0 +1,139 @@
{ config, lib, pkgs, ... }@toplevel:
with lib;
let
cfg = config.fudo.services.matrix;
hostname = config.instance.hostname;
openIdConfig = pkgs.toJSON "matrix-openid.yaml" {
oidc_providers = [{
idp_id = cfg.openid.provider;
idp_name = cfg.openid.provider;
discover = true;
issuer = "https://authentik.fudo.org/application/o/matrix/";
client_id = cfg.openid.client-id;
client_secret = cfg.openid.client-secret;
scopes = [ "openid" "profile" "email" ];
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name | capitalize }}";
};
}];
};
in {
options.fudo.services.matrix = with types; {
enable = mkEnableOption "Enable Matrix server.";
state-directory = mkOption {
type = str;
description = "Directory at which to store server state data.";
};
server-name = mkOption {
type = str;
description = ''
Hostname at which the server can be reached.
Also the tag at the end of the username: @user@my-server.com.
Can be redirected to the actual server. See:
https://nixos.org/manual/nixos/stable/#module-services-matrix-synapse
'';
};
hostname = mkOption {
type = str;
description = "Hostname at which the server can be reached.";
default = toplevel.config.services.matrixContainer.server-name;
};
openid = {
provider = mkOption {
type = str;
description = "Name of the authentication provider.";
};
client-id = mkOption {
type = str;
description = "OpenID Client ID.";
};
client-secret = mkOption {
type = str;
description = "OpenID Client Secret.";
};
};
};
config = {
fudo.secrets.host-secrets."${hostname}".matrixOpenIdConfig = {
source-file = openIdConfig;
target-file = "/run/matrix/openid.cfg";
user = config.systemd.services.matrix-synapse.serviceConfig.User;
};
services = {
matrix-synapse = {
enable = true;
withJemalloc = true;
settings = {
server_name = cfg.server-name;
public_baseurl = "https://${cfg.hostname}";
dynamic_thumbnails = true;
max_upload_size = "100M";
media_store_path = "${cfg.state-directory}/media";
signing_key_path = "${cfg.state-directory}/signing.key";
listeners = [{
port = cfg.port;
bind_addresses = [ "127.0.0.1" "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}];
database = {
name = "sqlite3";
args.database = "${cfg.state-directory}/database/data.db";
};
};
extraConfigFile = [ hostSecrets.matrixOpenIdConfig.target-file ];
};
nginx = {
enable = true;
virtualHosts = {
"${cfg.server-name}" = let
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
enableACME = true;
forceSSL = true;
locations."/.well-known/matrix/server".extraConfig =
mkWellKnown { "m.server" = "https://${cfg.hostname}:443"; };
locations."/.well-known/matrix/client".extraConfig = mkWellKnown {
"m.homeserver".base_url = "https://${cfg.hostname}";
};
};
"${cfg.hostname}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
};
};
};
};
}