-rw-r--r--sys/conduit/default.nix39
-rw-r--r--sys/default.nix1
-rw-r--r--sys/nspawn/dmz.nix24
-rw-r--r--sys/web/sites/default.nix1
-rw-r--r--sys/web/sites/matrix.nix66
-rw-r--r--sys/web/sites/portal.nix18
6 files changed, 139 insertions, 10 deletions
diff --git a/sys/conduit/default.nix b/sys/conduit/default.nix
new file mode 100644
index 0000000..b3a03c4
--- /dev/null
+++ b/sys/conduit/default.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.conduit;
+
+ inherit (config.local.domains.matrix.passthru) serverName;
+in
+{
+ options.local.conduit = {
+ enable = mkEnableOption "conduit Matrix homeserver";
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ };
+
+ listenPort = mkOption {
+ type = types.port;
+ default = 6167;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.matrix-conduit = {
+ enable = true;
+
+ settings.global = {
+ port = cfg.listenPort;
+ address = cfg.listenAddress;
+ server_name = serverName;
+
+ database_backend = "sqlite";
+
+ allow_encryption = true;
+ allow_federation = true;
+ allow_registration = false;
+ };
+ };
+ };
+}
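Review bot: `listenAddress` and `listenPort` are declared without a `description`, and nothing in this module says that the conduit listener is plain HTTP meant to be reached only by the nginx site in sys/web/sites/matrix.nix; sys/nspawn/dmz.nix in this same commit points `listenAddress` at a container-facing address, so that expectation belongs where the option is defined. Suggest `description = "Address conduit's plain-HTTP listener binds to; expected to be reachable only by the reverse proxy.";` on `listenAddress` and matching wording on `listenPort`. `allow_registration = false` next to `allow_federation = true` is the sensible combination here and is worth a one-line comment saying it is deliberate, so a later maintainer does not flip it for a quick test and leave it open.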
diff --git a/sys/default.nix b/sys/default.nix
index e3d1b11..800b6be 100644
--- a/sys/default.nix
+++ b/sys/default.nix
@@ -11,6 +11,7 @@ with lib; {
./baseline
./boot
./btrfs
+ ./conduit
./env
./gitea
./hardware
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index 0192333..73302d4 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -5,6 +5,9 @@ with lib; let
hassPort = config.services.home-assistant.config.http.server_port;
hassEnable = config.local.home-assistant.enable;
+
+ conduitPort = config.local.conduit.listenPort;
+ conduitEnable = config.local.conduit.enable;
in
{
options.local.nspawn.dmz = {
@@ -54,6 +57,7 @@ in
config = mkIf cfg.enable {
local = {
mailHost.mdaListen = cfg.hostAddr;
+ conduit.listenAddress = mkIf conduitEnable cfg.hostAddr;
nspawn.dmz =
let
@@ -93,9 +97,16 @@ in
inherit (mailHost) saslPort lmtpPort;
};
- web.sites.home = {
- enable = hassEnable;
- proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
+ web.sites = {
+ home = {
+ enable = hassEnable;
+ proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
+ };
+
+ matrix = {
+ enable = conduitEnable;
+ proxyUrl = "http://${cfg.hostAddr}:${toString conduitPort}";
+ };
};
};
@@ -120,7 +131,7 @@ in
};
services = {
- home-assistant.config.http = {
+ home-assistant.config.http = mkIf hassEnable {
server_host = [ cfg.hostAddr ];
trusted_proxies = [ cfg.dmzAddr ];
use_x_forwarded_for = true;
@@ -187,7 +198,10 @@ in
allowedTCPPorts = [ 25 80 443 ];
interfaces.ve-dmz = {
- allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ] ++ optional hassEnable hassPort;
+ allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ]
+ ++ optional hassEnable hassPort
+ ++ optional conduitEnable conduitPort;
+
allowedUDPPorts = [ 67 ]; # DHCP
};
};
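Review bot: The `allowedTCPPorts` list on `interfaces.ve-dmz` gains `conduitPort` with no comment, while the UDP line just below carries `# DHCP`; this list is what limits the plain-HTTP backends (`hassPort`, `conduitPort`, the mail ports) to the DMZ container's interface, and that intent deserves the same treatment, e.g. `# Plain-HTTP backends, reachable only from the DMZ reverse proxy`. The earlier hunk in this file scopes home-assistant's `trusted_proxies` to `cfg.dmzAddr`, but sys/conduit/default.nix sets no comparable proxy-trust option, so conduit will presumably see `cfg.dmzAddr` as every client's peer address; worth confirming whether that matters for anything conduit does with client addresses before the setup is relied on. The enclosing `config = mkIf cfg.enable { … }` block starts outside this hunk.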
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
index a131aaf..15957c0 100644
--- a/sys/web/sites/default.nix
+++ b/sys/web/sites/default.nix
@@ -1,6 +1,7 @@
{
imports = [
./home.nix
+ ./matrix.nix
./portal.nix
];
}
diff --git a/sys/web/sites/matrix.nix b/sys/web/sites/matrix.nix
new file mode 100644
index 0000000..d27c00c
--- /dev/null
+++ b/sys/web/sites/matrix.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.matrix;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.matrix = {
+ enable = mkEnableOption "matrix proxy site";
+
+ proxyUrl = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "matrix" ];
+
+ sites.portal.enable = true;
+ };
+
+ services.nginx.virtualHosts = {
+ ${domains.exdev.www}.locations =
+ let
+ serverConfig."m.server" = "${domains.matrix.main}:443";
+ clientConfig."m.homeserver".base_url = "https://${domains.matrix.main}";
+
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+
+ ${domains.matrix.main} = {
+ forceSSL = true;
+ useACMEHost = domains.matrix.main;
+
+ locations =
+ let
+ proxyLocation =
+ throwIf (hasSuffix "/" cfg.proxyUrl)
+ "matrix site: a trailing slash *must not* be used here"
+ cfg.proxyUrl;
+ in
+ {
+ "/".extraConfig = ''
+ return 403;
+ '';
+
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ "/_matrix".proxyPass = proxyLocation;
+
+ # Forward requests for e.g. SSO and password-resets.
+ "/_synapse/client".proxyPass = proxyLocation;
+ };
+ };
+ };
+ };
+}
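Review bot: The comment above `"/_matrix".proxyPass` says the calls go to "the synapse Matrix homeserver", but the backend this commit wires up in sys/conduit/default.nix is conduit, and the `/_synapse/client` location below it is a Synapse-specific prefix (its comment cites SSO and password resets) that conduit presumably does not serve, so that location either proxies to a 404 or should be dropped — confirm against what conduit actually exposes. At minimum change the comment to `# Forward all Matrix API calls to the conduit homeserver. A trailing slash *must not* be used here.` and reconsider keeping `"/_synapse/client"`. The `return 403` on `/` and the well-known endpoints with `Access-Control-Allow-Origin *` look right as written.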
diff --git a/sys/web/sites/portal.nix b/sys/web/sites/portal.nix
index c95e2ea..679a1da 100644
--- a/sys/web/sites/portal.nix
+++ b/sys/web/sites/portal.nix
@@ -11,14 +11,22 @@ in
config = mkIf cfg.enable {
local.web = {
enable = mkDefault true;
- ownedCerts = [ "host" ];
+ ownedCerts = [ "host" "exdev" ];
defaultACMEHost = domains.host.main;
};
- services.nginx.virtualHosts.${domains.host.www} = {
- forceSSL = true;
- useACMEHost = domains.host.main;
- serverAliases = [ domains.host.main ];
+ services.nginx.virtualHosts = {
+ ${domains.host.www} = {
+ forceSSL = true;
+ useACMEHost = domains.host.main;
+ serverAliases = [ domains.host.main ];
+ };
+
+ ${domains.exdev.www} = {
+ forceSSL = true;
+ useACMEHost = domains.exdev.main;
+ serverAliases = [ domains.exdev.main ];
+ };
};
};
}
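Review bot: The two vhost bodies under `services.nginx.virtualHosts` are identical apart from the domain set (`forceSSL`, `useACMEHost`, `serverAliases`), so a third site will be copy-pasted the same way and the bodies will drift; a small helper keeps them aligned, e.g. `mkSite = d: { forceSSL = true; useACMEHost = d.main; serverAliases = [ d.main ]; };` in the module's `let`, then `${domains.host.www} = mkSite domains.host;` and `${domains.exdev.www} = mkSite domains.exdev;`. The `let` block that would hold the helper is above this hunk, as is the start of the enclosing `config` attribute set.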