2019-03-02 15:03:38 +00:00
|
|
|
{ config, ... }:
|
|
|
|
let
|
|
|
|
hostName = "matrix.maralorn.de";
|
|
|
|
inherit (config.m-0) hosts;
|
2019-08-02 03:17:00 +00:00
|
|
|
inherit (../../lib) unstable;
|
2019-07-31 21:56:52 +00:00
|
|
|
in {
|
|
|
|
networking.firewall.allowedTCPPorts = [ 3478 8448 ];
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
m-0.monitoring = [
|
|
|
|
{
|
|
|
|
name = "matrix";
|
|
|
|
host = "matrix:9100";
|
|
|
|
}
|
|
|
|
{
|
|
|
|
name = "matrix-nginx";
|
|
|
|
host = "matrix:9113";
|
|
|
|
}
|
|
|
|
];
|
2019-03-07 23:37:39 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
services.coturn = {
|
|
|
|
enable = true;
|
|
|
|
pkey = "/var/lib/acme/hera.m-0.eu/key.pem";
|
|
|
|
cert = "/var/lib/acme/hera.m-0.eu/fullchain.pem";
|
|
|
|
no-tcp = true;
|
|
|
|
static-auth-secret = config.m-0.private.turn_secret;
|
|
|
|
realm = "maralorn.de";
|
|
|
|
use-auth-secret = true;
|
|
|
|
};
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
containers.matrix = {
|
|
|
|
autoStart = true;
|
|
|
|
privateNetwork = true;
|
|
|
|
hostBridge = "bridge";
|
|
|
|
config = { pkgs, lib, ... }: {
|
|
|
|
imports = [ ../../system ];
|
|
|
|
networking = {
|
|
|
|
interfaces.eth0 = {
|
|
|
|
ipv6.addresses = [{
|
|
|
|
address = hosts.matrix;
|
|
|
|
prefixLength = 112;
|
|
|
|
}];
|
|
|
|
ipv4.addresses = [{
|
|
|
|
address = hosts.matrix-intern-v4;
|
|
|
|
prefixLength = 24;
|
|
|
|
}];
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
inherit (config.networking) nameservers;
|
|
|
|
defaultGateway6 = {
|
|
|
|
address = hosts.hera-intern;
|
|
|
|
interface = "eth0";
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
defaultGateway = {
|
|
|
|
address = hosts.hera-intern-v4;
|
|
|
|
interface = "eth0";
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
firewall.allowedTCPPorts = [ 80 443 8448 ];
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
m-0.riot = {
|
2019-03-02 15:03:38 +00:00
|
|
|
enable = true;
|
2019-07-31 21:56:52 +00:00
|
|
|
hostname = "riot.maralorn.de";
|
|
|
|
config = {
|
|
|
|
default_hs_url = "https://matrix.maralorn.de";
|
|
|
|
default_is_url = "https://vector.im";
|
|
|
|
integrations_ui_url = "";
|
|
|
|
integrations_rest_url = "";
|
|
|
|
integrations_widgets_urls = [ ];
|
|
|
|
bug_report_endpoint_url = "https://riot.im/bugreports/submit";
|
|
|
|
welcomeUserId = "@riot-bot:matrix.org";
|
|
|
|
piwik = false;
|
|
|
|
features = {
|
|
|
|
feature_lazyloading = "enable";
|
|
|
|
feature_room_breadcrumbs = "enable";
|
|
|
|
};
|
|
|
|
roomDirectory = { servers = [ "matrix.org" "maralorn.de" ]; };
|
|
|
|
branding = {
|
|
|
|
welcomeBackgroundUrl =
|
|
|
|
"https://cloud.maralorn.de/apps/theming/image/background";
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
services = {
|
|
|
|
nginx = {
|
|
|
|
enable = true;
|
|
|
|
virtualHosts."${hostName}" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations = {
|
|
|
|
"/" = {
|
|
|
|
proxyPass = "http://[::1]:8008";
|
|
|
|
extraConfig = ''
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
# Postgres
|
|
|
|
postgresql = { enable = true; };
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
# Synapse
|
|
|
|
matrix-synapse = {
|
|
|
|
enable = true;
|
|
|
|
enable_metrics = true;
|
|
|
|
server_name = "maralorn.de";
|
|
|
|
public_baseurl = "https://${hostName}";
|
|
|
|
url_preview_enabled = true;
|
|
|
|
database_type = "psycopg2";
|
|
|
|
max_upload_size = "30M";
|
|
|
|
create_local_database = false;
|
|
|
|
dynamic_thumbnails = true;
|
|
|
|
macaroon_secret_key = config.m-0.private.macaroon_secret;
|
|
|
|
turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
|
|
|
|
turn_shared_secret = config.m-0.private.turn_secret;
|
|
|
|
turn_user_lifetime = "5h";
|
|
|
|
allow_guest_access = true;
|
|
|
|
logConfig = ''
|
|
|
|
version: 1
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
formatters:
|
|
|
|
journal_fmt:
|
|
|
|
format: '%(name)s: [%(request)s] %(message)s'
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
filters:
|
|
|
|
context:
|
|
|
|
(): synapse.util.logcontext.LoggingContextFilter
|
|
|
|
request: ""
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
handlers:
|
|
|
|
journal:
|
|
|
|
class: systemd.journal.JournalHandler
|
|
|
|
formatter: journal_fmt
|
|
|
|
filters: [context]
|
|
|
|
SYSLOG_IDENTIFIER: synapse
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
disable_existing_loggers: True
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
loggers:
|
|
|
|
synapse:
|
|
|
|
level: WARN
|
|
|
|
synapse.storage.SQL:
|
|
|
|
level: WARN
|
2019-03-02 15:03:38 +00:00
|
|
|
|
2019-07-31 21:56:52 +00:00
|
|
|
root:
|
|
|
|
level: WARN
|
|
|
|
handlers: [journal]
|
|
|
|
'';
|
|
|
|
database_args = {
|
|
|
|
user = "matrix-synapse";
|
|
|
|
database = "matrix-synapse";
|
|
|
|
cp_min = 5;
|
|
|
|
cp_max = 10;
|
|
|
|
};
|
|
|
|
report_stats = true;
|
|
|
|
tls_certificate_path = "/var/lib/acme/${hostName}/fullchain.pem";
|
|
|
|
tls_private_key_path = "/var/lib/acme/${hostName}/key.pem";
|
|
|
|
listeners = [
|
|
|
|
{
|
|
|
|
port = 8448;
|
|
|
|
bind_address = "::";
|
|
|
|
resources = [
|
|
|
|
{
|
|
|
|
compress = true;
|
|
|
|
names = [ "client" ];
|
|
|
|
}
|
|
|
|
{
|
|
|
|
compress = false;
|
|
|
|
names = [ "federation" ];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
x_forwarded = false;
|
|
|
|
}
|
|
|
|
{
|
|
|
|
port = 8008;
|
|
|
|
bind_address = "::1";
|
|
|
|
resources = [
|
|
|
|
{
|
|
|
|
compress = false;
|
|
|
|
names = [ "client" ];
|
|
|
|
}
|
|
|
|
{
|
|
|
|
compress = false;
|
|
|
|
names = [ "federation" ];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
x_forwarded = true;
|
|
|
|
tls = false;
|
|
|
|
}
|
|
|
|
];
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
|
|
|
};
|
2019-07-31 21:56:52 +00:00
|
|
|
security.acme.certs = {
|
|
|
|
"${hostName}" = {
|
|
|
|
group = "matrix-synapse";
|
|
|
|
allowKeysForGroup = true;
|
|
|
|
postRun =
|
|
|
|
"systemctl reload nginx.service; systemctl restart matrix-synapse.service";
|
|
|
|
};
|
2019-03-02 15:03:38 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
}
|