From c7430890c4d937372791b3bd6f5ec985596a83dd Mon Sep 17 00:00:00 2001
From: Jade <jade@schrottkatze.de>
Date: Sun, 19 Feb 2023 01:26:06 +0100
Subject: [PATCH] conduit added

---
 flake.nix                       |  10 ++-
 schrottserver/conduit.nix       | 149 ++++++++++++++++++++++++++++++++
 schrottserver/configuration.nix |   1 +
 3 files changed, 159 insertions(+), 1 deletion(-)
 create mode 100644 schrottserver/conduit.nix

diff --git a/flake.nix b/flake.nix
index ea8fdde..afff189 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,9 +18,17 @@
     meowsite.url = "git+https://gitlab.com/obsidianical/meowsite.git";
     wordsofgod.url = "git+https://gitlab.com/obsidianical/wordsofgod.git";
     microbin-fork.url = "git+https://gitlab.com/obsidianical/microbin.git";
+    conduit = {
+      url = "gitlab:famedly/conduit";
+
+      # Assuming you have an input for nixpkgs called `nixpkgs`. If you experience
+      # build failures while using this, try commenting/deleting this line. This
+      # will probably also require you to always build from source.
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-stable, home-manager, nixos-hardware, mac-brcm-fw, ... }@inputs: {
+  outputs = { self, nixpkgs, nixpkgs-stable, home-manager, nixos-hardware, mac-brcm-fw, conduit, ... }@inputs: {
     nixosConfigurations = {
       monosodium-glutamate-g = nixpkgs.lib.nixosSystem {
         specialArgs = {
diff --git a/schrottserver/conduit.nix b/schrottserver/conduit.nix
new file mode 100644
index 0000000..cc8d1c6
--- /dev/null
+++ b/schrottserver/conduit.nix
@@ -0,0 +1,149 @@
+{ config
+, pkgs
+, flake-inputs
+, ...
+}:
+
+let
+  # You'll need to edit these values
+
+  # The hostname that will appear in your user and room IDs
+  server_name = "conduit.schrottkatze.de";
+
+  # The hostname that Conduit actually runs on
+  #
+  # This can be the same as `server_name` if you want. This is only necessary
+  # when Conduit is running on a different machine than the one hosting your
+  # root domain. This configuration also assumes this is all running on a single
+  # machine, some tweaks will need to be made if this is not the case.
+  matrix_hostname = "matrix.${server_name}";
+
+  # An admin email for TLS certificate notifications
+  admin_email = "jade@schrottkatze.de";
+
+  # These ones you can leave alone
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "${matrix_hostname}"
+    }
+  '';
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://${matrix_hostname}"
+      }
+    }
+  '';
+in
+
+{
+  # Configure Conduit itself
+  services.matrix-conduit = {
+    enable = true;
+
+    # This causes NixOS to use the flake defined in this repository instead of
+    # the build of Conduit built into nixpkgs.
+    package = flake-inputs.conduit.packages.${pkgs.system}.default;
+
+    settings.global = {
+      inherit server_name;
+    };
+  };
+
+  # Configure automated TLS acquisition/renewal
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = admin_email;
+    };
+  };
+
+  # ACME data must be readable by the NGINX user
+  users.users.nginx.extraGroups = [
+    "acme"
+  ];
+
+  # Configure NGINX as a reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "${matrix_hostname}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+
+      "${server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations."=/.well-known/matrix/server" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_server}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+          '';
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_client}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+
+            # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+      };
+    };
+
+    upstreams = {
+      "backend_conduit" = {
+        servers = {
+          "localhost:${toString config.services.matrix-conduit.settings.global.port}" = { };
+        };
+      };
+    };
+  };
+
+  # Open firewall ports for HTTP, HTTPS, and Matrix federation
+  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
+
diff --git a/schrottserver/configuration.nix b/schrottserver/configuration.nix
index 3dc949e..c8b3de5 100644
--- a/schrottserver/configuration.nix
+++ b/schrottserver/configuration.nix
@@ -16,6 +16,7 @@
       ./microbin.nix
       ../modules/neovim.nix
       ../modules/zsh.nix
+      ./conduit.nix
     ];
 
   #systemd.services.wordsofgod-bot.enable = true;