dotfiles/system/hosts/server/matrix.nix

{ config
, lib
, pkgs
, ... }:

let
  cfg = config.server;
  matrixServerJson = {
    "m.server" = "matrix.${cfg.domainName}:443";
  };
  matrixClientJson = {
    "m.homeserver".base_url = "https://matrix.${cfg.domainName}";
    "m.identity_server".base_url = "https://vector.im";
  };
  matrixServerConfigResponse = ''
    add_header Content-Type application/json;
    return 200 ${builtins.toJSON (builtins.toJSON matrixServerJson)};
  '';
  matrixClientConfigResponse = ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 ${builtins.toJSON (builtins.toJSON matrixClientJson)};
  '';
  matrixAddr = "::1";
  matrixPort = 8008;
in {
  imports = [ ./maubot.nix ];

  networking.firewall.allowedTCPPorts = [ 8008 8448 ];
  systemd.services.matrix-synapse.serviceConfig.TimeoutStartSec = 900;

  services.nginx.virtualHosts."${cfg.domainName}" = {
    locations."= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
    locations."= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
  };

  services.nginx.virtualHosts."matrix.${cfg.domainName}" = {
    quic = true;
    enableACME = true;
    forceSSL = true;
    locations = {
      "= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;
      "= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;
      "/".proxyPass = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}";
    };
  };

  # systemd.services.heisenbridge.wants = [ "matrix-synapse.service" ];
  # systemd.services.heisenbridge.after = [ "matrix-synapse.service" ];
  services.heisenbridge = {
    enable = true;
    homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/";
  };

  services.matrix-appservice-discord = {
    enable = true;
    environmentFile = "/secrets/discord-bridge-token";
    settings = {
      auth.usePrivilegedIntents = true;
      database.filename = "";
      bridge = {
        domain = "matrix.${cfg.domainName}";
        homeserverUrl = "https://matrix.${cfg.domainName}";
        enableSelfServiceBridging = true;
        disablePresence = true;
        disablePortalBridging = true;
        disableInviteNotifications = true;
        disableJoinLeaveNotifications = true;
        disableRoomTopicNotifications = true;
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];
    settings = {
      app_service_config_files = [
        "/var/lib/heisenbridge/registration.yml"
        "/var/lib/matrix-synapse/discord-registration.yaml"
      ];
      allow_guest_access = true;
      url_preview_enabled = true;
      # tls_certificate_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/fullchain.pem";
      # tls_private_key_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/key.pem";
      public_baseurl = "https://matrix.${cfg.domainName}/";
      server_name = "matrix.${cfg.domainName}";
      max_upload_size = "100M";
      email = {
        smtp_host = "mail.${cfg.domainName}";
        smtp_port = 587;
        smtp_user = "noreply";
        smtp_password = cfg.unhashedNoreplyPassword;
        notif_from = "${cfg.domainName} matrix homeserver <noreply@${cfg.domainName}>";
        app_name = cfg.domainName;
        notif_for_new_users = false;
        enable_notifs = true;
      };
      listeners = [{
        port = matrixPort;
        bind_addresses = [ matrixAddr ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [{
          names = [ "client" "federation" ];
          compress = false;
        }];
      }];
    };
  };
}
add server config 2023-05-11 05:33:08 +07:00			`{ config`
			`, lib`
server: add discord<->matrix bridge 2024-06-06 23:20:08 +07:00			`, pkgs`
add server config 2023-05-11 05:33:08 +07:00			`, ... }:`

			`let`
			`cfg = config.server;`
			`matrixServerJson = {`
			`"m.server" = "matrix.${cfg.domainName}:443";`
			`};`
			`matrixClientJson = {`
home/hosts/phone: init (wip) 2023-12-24 14:27:43 +07:00			`"m.homeserver".base_url = "https://matrix.${cfg.domainName}";`
			`"m.identity_server".base_url = "https://vector.im";`
add server config 2023-05-11 05:33:08 +07:00			`};`
			`matrixServerConfigResponse = ''`
			`add_header Content-Type application/json;`
home/hosts/phone: init (wip) 2023-12-24 14:27:43 +07:00			`return 200 ${builtins.toJSON (builtins.toJSON matrixServerJson)};`
add server config 2023-05-11 05:33:08 +07:00			`'';`
			`matrixClientConfigResponse = ''`
			`add_header Content-Type application/json;`
			`add_header Access-Control-Allow-Origin *;`
home/hosts/phone: init (wip) 2023-12-24 14:27:43 +07:00			`return 200 ${builtins.toJSON (builtins.toJSON matrixClientJson)};`
add server config 2023-05-11 05:33:08 +07:00			`'';`
			`matrixAddr = "::1";`
			`matrixPort = 8008;`
			`in {`
			`imports = [ ./maubot.nix ];`

			`networking.firewall.allowedTCPPorts = [ 8008 8448 ];`
nix: 2.16->2.15; home/fish/atuin: remove up key binding nix-plugins built for a newer nix versions than pkgs.nix makes using pkgs.nix impossible, and overriding pkgs.nix globally breaks some derivations, so I have to do per-app overrides (couldn't find a way to revert it for a single app for some reason). This reverts a nix-plugins update to 2.16 so I can build it for 2.15 and escape the "symbol not found" hell. also override nixVersions.unstable to be 2.15 as well finally, use custom code for atuin integration because I hate the way it normally hijacks my up key 2023-08-04 08:30:16 +07:00			`systemd.services.matrix-synapse.serviceConfig.TimeoutStartSec = 900;`
add server config 2023-05-11 05:33:08 +07:00
			`services.nginx.virtualHosts."${cfg.domainName}" = {`
			`locations."= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;`
			`locations."= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;`
			`};`

			`services.nginx.virtualHosts."matrix.${cfg.domainName}" = {`
server/home: init; router/unbound: fix avahi resolver this has binary cache, hydra, metrics, etc 2023-07-28 09:59:47 +07:00			`quic = true;`
add server config 2023-05-11 05:33:08 +07:00			`enableACME = true;`
			`forceSSL = true;`
			`locations = {`
			`"= /.well-known/matrix/server".extraConfig = matrixServerConfigResponse;`
			`"= /.well-known/matrix/client".extraConfig = matrixClientConfigResponse;`
bikeshedding 2023-05-17 06:29:03 +07:00			`"/".proxyPass = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}";`
add server config 2023-05-11 05:33:08 +07:00			`};`
			`};`

update inputs; bpi-r3: build kernel from source 2023-06-11 21:48:35 +07:00			`# systemd.services.heisenbridge.wants = [ "matrix-synapse.service" ];`
			`# systemd.services.heisenbridge.after = [ "matrix-synapse.service" ];`
add server config 2023-05-11 05:33:08 +07:00			`services.heisenbridge = {`
			`enable = true;`
bikeshedding 2023-05-17 06:29:03 +07:00			`homeserver = "http://${lib.quoteListenAddr matrixAddr}:${toString matrixPort}/";`
add server config 2023-05-11 05:33:08 +07:00			`};`

server: add discord<->matrix bridge 2024-06-06 23:20:08 +07:00			`services.matrix-appservice-discord = {`
			`enable = true;`
			`environmentFile = "/secrets/discord-bridge-token";`
			`settings = {`
			`auth.usePrivilegedIntents = true;`
			`database.filename = "";`
			`bridge = {`
			`domain = "matrix.${cfg.domainName}";`
			`homeserverUrl = "https://matrix.${cfg.domainName}";`
			`enableSelfServiceBridging = true;`
			`disablePresence = true;`
			`disablePortalBridging = true;`
			`disableInviteNotifications = true;`
			`disableJoinLeaveNotifications = true;`
			`disableRoomTopicNotifications = true;`
			`};`
			`};`
			`};`

add server config 2023-05-11 05:33:08 +07:00			`services.matrix-synapse = {`
			`enable = true;`
			`extraConfigFiles = [ "/var/lib/matrix-synapse/config.yaml" ];`
			`settings = {`
			`app_service_config_files = [`
			`"/var/lib/heisenbridge/registration.yml"`
server: add discord<->matrix bridge 2024-06-06 23:20:08 +07:00			`"/var/lib/matrix-synapse/discord-registration.yaml"`
add server config 2023-05-11 05:33:08 +07:00			`];`
			`allow_guest_access = true;`
			`url_preview_enabled = true;`
server/home: init; router/unbound: fix avahi resolver this has binary cache, hydra, metrics, etc 2023-07-28 09:59:47 +07:00			`# tls_certificate_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/fullchain.pem";`
			`# tls_private_key_path = config.security.acme.certs."matrix.${cfg.domainName}".directory + "/key.pem";`
add server config 2023-05-11 05:33:08 +07:00			`public_baseurl = "https://matrix.${cfg.domainName}/";`
			`server_name = "matrix.${cfg.domainName}";`
			`max_upload_size = "100M";`
			`email = {`
server: add keycloak 2023-08-28 00:46:51 +07:00			`smtp_host = "mail.${cfg.domainName}";`
add server config 2023-05-11 05:33:08 +07:00			`smtp_port = 587;`
			`smtp_user = "noreply";`
			`smtp_password = cfg.unhashedNoreplyPassword;`
			`notif_from = "${cfg.domainName} matrix homeserver <noreply@${cfg.domainName}>";`
			`app_name = cfg.domainName;`
			`notif_for_new_users = false;`
			`enable_notifs = true;`
			`};`
			`listeners = [{`
			`port = matrixPort;`
			`bind_addresses = [ matrixAddr ];`
			`type = "http";`
			`tls = false;`
			`x_forwarded = true;`
			`resources = [{`
			`names = [ "client" "federation" ];`
			`compress = false;`
			`}];`
			`}];`
			`};`
			`};`
			`}`