diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix index 7af77976..fdda475d 100644 --- a/machines/lasting-integrity/default.nix +++ b/machines/lasting-integrity/default.nix @@ -31,6 +31,7 @@ }; games.tetris.server = true; services = { + matrix.enable = true; nextcloud.enable = true; syncthing.enable = true; }; diff --git a/machines/lasting-integrity/secret.nix b/machines/lasting-integrity/secret.nix index d488b5e1..f82c9782 100644 Binary files a/machines/lasting-integrity/secret.nix and b/machines/lasting-integrity/secret.nix differ diff --git a/modules/services/default.nix b/modules/services/default.nix index 5e67c97e..3c333283 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -6,6 +6,7 @@ ./containers ./data-access ./deluge + ./matrix ./nextcloud ./nginx ./syncthing diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix new file mode 100644 index 00000000..a1679d57 --- /dev/null +++ b/modules/services/matrix/default.nix 
@@ -0,0 +1,168 @@ +{ config, lib, pkgs, ... }: + +{ + options.chvp.services.matrix.enable = lib.mkOption { + default = false; + example = true; + }; + + config = lib.mkIf config.chvp.services.matrix.enable { + chvp.services.nginx.hosts = [{ + fqdn = "matrix.vanpetegem.me"; + options.locations = { + "/" = { + proxyPass = "http://127.0.0.1:8448"; + extraConfig = '' + proxy_set_header X-Forwarded-Ssl on; + proxy_read_timeout 600; + client_max_body_size 10M; + ''; + }; + "/_slack" = { + proxyPass = "http://127.0.0.1:9898"; + extraConfig = '' + proxy_set_header X-Forwarded-Ssl on; + ''; + }; + }; + }]; + + services = { + matrix-synapse = { + enable = true; + server_name = "vanpetegem.me"; + public_baseurl = "https://vanpetegem.me"; + listeners = [{ + port = 8448; + bind_address = "localhost"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { names = ["client" "webclient"]; compress = true; } + { names = ["federation"]; compress = false; } + ]; + }]; + url_preview_enabled = true; + enable_metrics = false; + enable_registration = false; + report_stats = false; + allow_guest_access = false; + app_service_config_files = [ + config.age.secrets."files/services/matrix-synapse/whatsapp-registration.yml".path + config.age.secrets."files/services/matrix-synapse/slack-registration.yml".path + ]; + extraConfigFiles = [ + config.age.secrets."files/services/matrix-synapse/config.yml".path + ]; + dataDir = "${config.chvp.dataPrefix}/var/lib/matrix-synapse"; + }; + postgresql = { + enable = true; + dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; + ensureDatabases = [ + "matrix-synapse" + "matrix_appservice_slack" + "mautrix_whatsapp" + ]; + ensureUsers = [ + { + name = "matrix_appservice_slack"; + ensurePermissions = { + "DATABASE matrix_appservice_slack" = "ALL PRIVILEGES"; + }; + } + { + name = "mautrix_whatsapp"; + ensurePermissions = { + "DATABASE mautrix_whatsapp" = "ALL PRIVILEGES"; + }; + } + { + 
name = "matrix-synapse"; + ensurePermissions = { + "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES"; + }; + } + ]; + }; + }; + + systemd.services = { + matrix-appservice-slack = { + description = "Matrix <-> Slack bridge"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + requires = [ "postgresql.service" "matrix-synapse.service" ]; + script = "${pkgs.matrix-appservice-slack}/bin/matrix-appservice-slack --config ${config.age.secrets."files/services/matrix-appservice-slack/config.yml".path} --file ${config.age.secrets."files/services/matrix-appservice-slack/registration.yml".path}"; + serviceConfig = { + User = "matrix_appservice_slack"; + Group = "matrix_appservice_slack"; + }; + }; + matrix-synapse = { + requires = [ "postgresql.service" ]; + }; + mautrix-whatsapp = { + description = "Matrix <-> WhatsApp bridge"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + requires = [ "postgresql.service" "matrix-synapse.service" ]; + script = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp --config ${config.age.secrets."files/services/mautrix-whatsapp/config.yml".path}"; + serviceConfig = { + User = "mautrix_whatsapp"; + Group = "mautrix_whatsapp"; + }; + }; + }; + systemd.tmpfiles.rules = [ + "d /var/log/mautrix-whatsapp - mautrix_whatsapp mautrix_whatsapp" + ]; + + users = { + users = { + matrix_appservice_slack = { + group = "matrix_appservice_slack"; + isSystemUser = true; + }; + mautrix_whatsapp = { + group = "mautrix_whatsapp"; + isSystemUser = true; + }; + }; + groups = { + matrix_appservice_slack = {}; + mautrix_whatsapp = {}; + }; + }; + + age.secrets."files/services/matrix-appservice-slack/config.yml" = { + file = ../../../secrets/files/services/matrix-appservice-slack/config.yml.age; + owner = "matrix_appservice_slack"; + }; + age.secrets."files/services/matrix-appservice-slack/registration.yml" = { + file = ../../../secrets/files/services/matrix-appservice-slack/registration.yml.age; + owner = 
"matrix_appservice_slack"; + }; + age.secrets."files/services/mautrix-whatsapp/config.yml" = { + file = ../../../secrets/files/services/mautrix-whatsapp/config.yml.age; + owner = "mautrix_whatsapp"; + }; + age.secrets."files/services/mautrix-whatsapp/registration.yml" = { + file = ../../../secrets/files/services/mautrix-whatsapp/registration.yml.age; + owner = "mautrix_whatsapp"; + }; + age.secrets."files/services/matrix-synapse/config.yml" = { + file = ../../../secrets/files/services/matrix-synapse/config.yml.age; + owner = "matrix-synapse"; + }; + age.secrets."files/services/matrix-synapse/slack-registration.yml" = { + file = ../../../secrets/files/services/matrix-appservice-slack/registration.yml.age; + owner = "matrix-synapse"; + }; + age.secrets."files/services/matrix-synapse/whatsapp-registration.yml" = { + file = ../../../secrets/files/services/mautrix-whatsapp/registration.yml.age; + owner = "matrix-synapse"; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index fc17e8b0..4a3b2330 100644 --- a/secrets.nix +++ b/secrets.nix @@ -46,6 +46,12 @@ in "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; + "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/mautrix-whatsapp/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/services/mautrix-whatsapp/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users; 
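Review bot: The two bridge units under `systemd.services` put `postgresql.service` and `matrix-synapse.service` only in `requires` while `after` stays `[ "network.target" ]`; systemd's `Requires=` pulls the units in but does not order behind them, so on boot a bridge can start before Postgres accepts connections or before Synapse listens on 8448 and fail its first attempt (the same gap exists for the `matrix-synapse` override, which adds `requires = [ "postgresql.service" ]` with no matching `after`). Both bridges also accept traffic from outside the host — `/_slack` is proxied from the public vhost to port 9898 — yet their `serviceConfig` carries only `User`/`Group`, so the usual systemd sandboxing (`NoNewPrivileges`, `ProtectSystem = "strict"`, `ProtectHome`, `PrivateTmp`, `PrivateDevices`) is worth adding, which is cheap here since they read an agenix path and talk to localhost. Separately, `url_preview_enabled = true` makes Synapse fetch arbitrary URLs on users' behalf and the hunk sets no `url_preview_ip_range_blacklist`, so it relies on the NixOS module default; confirm that default blocks loopback (Synapse, the bridges and Postgres all live there) and `169.254.0.0/16` before this goes live. The `tmpfiles` rule for `/var/log/mautrix-whatsapp` uses the default mode (`-`, i.e. 0755), so `"d /var/log/mautrix-whatsapp 0750 mautrix_whatsapp mautrix_whatsapp"` would keep the bridge's logs readable only by its own user.
```nix
      matrix-appservice-slack = {
        description = "Matrix <-> Slack bridge";
        wantedBy = [ "multi-user.target" ];
        # Requires= does not imply After=; order the bridge behind its dependencies.
        after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
        requires = [ "postgresql.service" "matrix-synapse.service" ];
        # … unchanged: script = "${pkgs.matrix-appservice-slack}/bin/… --config … --file …" …
        serviceConfig = {
          User = "matrix_appservice_slack";
          Group = "matrix_appservice_slack";
          NoNewPrivileges = true;
          ProtectSystem = "strict";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
        };
      };
      # … unchanged: matrix-synapse override (add the same after = [ "postgresql.service" ]) …
      # … mautrix-whatsapp: same after/hardening; it writes /var/log/mautrix-whatsapp,
      #     so that unit additionally needs ReadWritePaths = [ "/var/log/mautrix-whatsapp" ] …
```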
diff --git a/secrets/files/services/matrix-appservice-slack/config.yml.age b/secrets/files/services/matrix-appservice-slack/config.yml.age new file mode 100644 index 00000000..9ac40acd Binary files /dev/null and b/secrets/files/services/matrix-appservice-slack/config.yml.age differ diff --git a/secrets/files/services/matrix-appservice-slack/registration.yml.age b/secrets/files/services/matrix-appservice-slack/registration.yml.age new file mode 100644 index 00000000..4741f630 Binary files /dev/null and b/secrets/files/services/matrix-appservice-slack/registration.yml.age differ diff --git a/secrets/files/services/matrix-synapse/config.yml.age b/secrets/files/services/matrix-synapse/config.yml.age new file mode 100644 index 00000000..c66ee06c --- /dev/null +++ b/secrets/files/services/matrix-synapse/config.yml.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ 8smxRyefvJCc5vKEGHaepQMT8bow/DNCoM+JLnCCtDc +Hf32K1yhV4oVnW/oCmAVeIM5cuGWE+Yn7gYI8EmVV/E +-> ssh-ed25519 s9rb8g rUwHvPZ6imYJGruQEp3CJqVt7QG/9je39cOyGAK6Kgc +asUG1z+XJgbK5WLFUo1RyUhjbBpfN+4bklzIgnjRCOY +-> ssh-ed25519 yad4VQ MY6hLbI5APbve6XZQmCSdYiKp2XeqQmE8IkIjq+I3DI +1ts+jW41Hi+OzMJZka8BhvfpcL3F1fMDoUtqAIEEHU8 +-> M[#DV(x>-grease k!'J+ 8b48w@ IyA8fZS Mm!wBM +efJSJLAjOg +--- qH7jsRJxviBS797tKOHqZ+8Dw9TUW77Kxh+FzXe2wrU +ʘiz`/lK̓X +Bu$T5*!!pp<[94C' 2Jڨ kdsGB&L5*oY"_%Tf QL^@A˷[2 )4l^r&?d.:ϊ!r(lN`5s A0 j1jM6Ax+ kb4!n<|pӪ::9RVt%Oh3 m僙P8 8jt%Z-PMA,@z'h䲚` +j MyX{" y'ՖY5dۣ,JStmSR{<[ʓo diff --git a/secrets/files/services/mautrix-whatsapp/config.yml.age b/secrets/files/services/mautrix-whatsapp/config.yml.age new file mode 100644 index 00000000..736af720 Binary files /dev/null and b/secrets/files/services/mautrix-whatsapp/config.yml.age differ diff --git a/secrets/files/services/mautrix-whatsapp/registration.yml.age b/secrets/files/services/mautrix-whatsapp/registration.yml.age new file mode 100644 index 00000000..8366cf4c --- /dev/null +++ b/secrets/files/services/mautrix-whatsapp/registration.yml.age 
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ 86VloTluhamQNdKHRUAxq/vIOIofC3bZ9hWebD7k00A +2NwKLN+uxE7uk/C9qbP18wnnhxxgaZgO3lEBTyI4hRU +-> ssh-ed25519 s9rb8g iTwdPsRGqXYX8v7rE1AhYQ3WertuPXeMkIUZyWCYdyQ +nFtFK8dCYHEOvbGOxOoDFQihPgUJcHs7GEdcKDFdQuA +-> ssh-ed25519 yad4VQ 40+mwVfKKnI/7Hn6kUZ6b4FzUSsc94muTCsmnbwy6R8 +bN5uXoRq6W69YEqYeHYOOOvhk8YOBeWG/mPC3LTTpOg +-> "~~w-grease \.L) j)?:q_F ]J_GYI`w +fmjAIxkdBwk+aehXvYQ3qORkUU835c89sGnKHhJlr0Fh+g962TjT8t6iJUDaG52m +BTfwzyNDyXlMoeyOcscjVrbSzHTBJ7OakmP4bAfhHAR4zimyfLOhhMl+ +--- DroKHvz6niysIke4xiNwhuiP7OmU3GNd5acA9kcqkik +?qAՌ(JЙQ<';Q6Ku€,$i߫H(ڪ8&-7-/,@F pWJPN =N^kEtҥ"G zXD*8^y>{N|c%'{h'@آq'uH pA>4ֽg"΋ud"@5t,MHS<:ck>>ݨNPsشkF +tC3|8=Q vBh;}`;~WHob*NKa)d#iTKK$^W~bqG~ʄ)>-h&wH$*&cT^GTkz 1sX-$̝Bx?sYnL\d-nyw+HF9ݍpN_wٻ \ No newline at end of file