Diffstat (limited to '')
-rw-r--r--system/services/matrix/conduit/default.nix125
-rw-r--r--system/services/matrix/default.nix5
2 files changed, 130 insertions, 0 deletions
diff --git a/system/services/matrix/conduit/default.nix b/system/services/matrix/conduit/default.nix
new file mode 100644
index 0000000..e583ca4
--- /dev/null
+++ b/system/services/matrix/conduit/default.nix
@@ -0,0 +1,125 @@
+# vim: ts=2
+{
+  config,
+  pkgs,
+  flake-inputs,
+  ...
+}: let
+  server_name = "vhack.eu";
+
+  matrix_hostname = "matrix.${server_name}";
+
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "${matrix_hostname}"
+    }
+  '';
+
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://${matrix_hostname}"
+      }
+    }
+  '';
+in {
+  services.matrix-conduit = {
+    enable = true;
+
+    settings.global = {
+      inherit server_name;
+      database_backend = "rocksdb";
+      trusted_servers = ["matrix.org" "sils.li" "asra.gr"];
+      allow_registration = false;
+    };
+  };
+
+  # Configure NGINX as a reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "${matrix_hostname}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "::0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "::0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+
+      "${server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations."=/.well-known/matrix/server" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_server}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+          '';
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_client}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+
+            # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+      };
+    };
+
+    upstreams = {
+      "backend_conduit" = {
+        servers = {
+          "localhost:${toString config.services.matrix-conduit.settings.global.port}" = {};
+        };
+      };
+    };
+  };
+
+  # Open firewall ports for HTTP, HTTPS, and Matrix federation
+  networking.firewall.allowedTCPPorts = [80 443 8448];
+  networking.firewall.allowedUDPPorts = [80 443 8448];
+}
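Review bot: The firewall opens UDP 80, 443 and 8448 on the last line of the hunk, but nothing in this module listens on UDP — every `listen` entry is a plain TLS TCP socket and no `http3`/`quic` directive is set — so that line widens the exposed surface for no reason and should be dropped: delete `networking.firewall.allowedUDPPorts = [80 443 8448];` and keep only the TCP list (80 is still needed there for the ACME HTTP-01 challenge). The `proxy_set_header Host $host;` inside the `/_matrix/` location appears to duplicate what `recommendedProxySettings = true` already emits, so it can likely be removed as well; worth confirming against the generated nginx.conf. The upstream is addressed as `localhost:…`, which nginx may resolve to `::1` while conduit binds whatever `settings.global.address` defaults to; pinning it to `127.0.0.1:…` avoids depending on resolver order.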
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
new file mode 100644
index 0000000..7f2a357
--- /dev/null
+++ b/system/services/matrix/default.nix
@@ -0,0 +1,5 @@
+{config, ...}: {
+  imports = [
+    ./conduit
+  ];
+}
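Review bot: The module binds `config` in its argument set but never uses it; since this file only declares `imports`, the header can be reduced to `{...}: {` to avoid an unused binding that readers will look for a use of.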