diff --git a/flake.lock b/flake.lock index 2b125ff..6572b2d 100644 --- a/flake.lock +++ b/flake.lock @@ -44,9 +44,7 @@ "conduit": { "inputs": { "d2n": "d2n", - "nixpkgs": [ - "nixpkgs-stable" - ], + "nixpkgs": "nixpkgs", "parts": "parts", "rust-overlay": "rust-overlay" }, @@ -133,7 +131,7 @@ "inputs": { "flake-utils": "flake-utils_2", "naersk": "naersk", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1662552013, @@ -350,7 +348,7 @@ "meowsite": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1676235149, @@ -369,7 +367,7 @@ "microbin-fork": { "inputs": { "naersk": "naersk_2", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "utils": "utils_2" }, "locked": { @@ -388,7 +386,7 @@ }, "naersk": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1655042882, @@ -406,7 +404,7 @@ }, "naersk_2": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1671096816, @@ -425,7 +423,7 @@ }, "naersk_3": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1671096816, @@ -475,16 +473,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 1656755932, - "narHash": "sha256-TGThfOxr+HjFK464+UoUE6rClp2cwxjiKvHcBVdIGSQ=", - "owner": "NixOS", + "lastModified": 1676659111, + "narHash": "sha256-nj3GONWv33Zr/ahm6ATep2qhtuu1mH5e4I4fuKdSVzU=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "660ac43ff9ab1f12e28bfb31d4719795777fe152", + "rev": "958dbd6c08c7e276451704409ebc7cb0d8bc94c7", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-lib": { 
@@ -553,6 +553,20 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1656755932, + "narHash": "sha256-TGThfOxr+HjFK464+UoUE6rClp2cwxjiKvHcBVdIGSQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "660ac43ff9ab1f12e28bfb31d4719795777fe152", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1674407282, "narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=", @@ -568,7 +582,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1676549890, "narHash": "sha256-sq/WcOEAl7gWrrfGkWdnyYazRyTf+enEim/o6LOQzI8=", @@ -582,7 +596,7 @@ "type": "indirect" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1676549890, "narHash": "sha256-sq/WcOEAl7gWrrfGkWdnyYazRyTf+enEim/o6LOQzI8=", @@ -598,7 +612,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1676659111, "narHash": "sha256-nj3GONWv33Zr/ahm6ATep2qhtuu1mH5e4I4fuKdSVzU=", @@ -614,7 +628,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1675614288, "narHash": "sha256-i3Rc/ENnz62BcrSloeVmAyPicEh4WsrEEYR+INs9TYw=", @@ -628,7 +642,7 @@ "type": "indirect" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1675614288, "narHash": "sha256-i3Rc/ENnz62BcrSloeVmAyPicEh4WsrEEYR+INs9TYw=", @@ -715,7 +729,7 @@ "meowsite": "meowsite", "microbin-fork": "microbin-fork", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nixpkgs-stable": "nixpkgs-stable", "wordsofgod": "wordsofgod" } @@ -807,7 +821,7 @@ "wordsofgod": { "inputs": { "naersk": "naersk_3", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "utils": "utils_3" }, "locked": { diff --git a/flake.nix b/flake.nix index afff189..ea8fdde 100644 --- a/flake.nix +++ b/flake.nix 
@@ -18,17 +18,9 @@ meowsite.url = "git+https://gitlab.com/obsidianical/meowsite.git"; wordsofgod.url = "git+https://gitlab.com/obsidianical/wordsofgod.git"; microbin-fork.url = "git+https://gitlab.com/obsidianical/microbin.git"; - conduit = { - url = "gitlab:famedly/conduit"; - - # Assuming you have an input for nixpkgs called `nixpkgs`. If you experience - # build failures while using this, try commenting/deleting this line. This - # will probably also require you to always build from source. - inputs.nixpkgs.follows = "nixpkgs-stable"; - }; }; - outputs = { self, nixpkgs, nixpkgs-stable, home-manager, nixos-hardware, mac-brcm-fw, conduit, ... }@inputs: { + outputs = { self, nixpkgs, nixpkgs-stable, home-manager, nixos-hardware, mac-brcm-fw, ... }@inputs: { nixosConfigurations = { monosodium-glutamate-g = nixpkgs.lib.nixosSystem { specialArgs = { diff --git a/schrottserver/conduit.nix b/schrottserver/conduit.nix deleted file mode 100644 index cc8d1c6..0000000 --- a/schrottserver/conduit.nix +++ /dev/null 
@@ -1,149 +0,0 @@ -{ config -, pkgs -, flake-inputs -, ... -}: - -let - # You'll need to edit these values - - # The hostname that will appear in your user and room IDs - server_name = "conduit.schrottkatze.de"; - - # The hostname that Conduit actually runs on - # - # This can be the same as `server_name` if you want. This is only necessary - # when Conduit is running on a different machine than the one hosting your - # root domain. This configuration also assumes this is all running on a single - # machine, some tweaks will need to be made if this is not the case. - matrix_hostname = "matrix.${server_name}"; - - # An admin email for TLS certificate notifications - admin_email = "jade@schrottkatze.de"; - - # These ones you can leave alone - - # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server` - well_known_server = pkgs.writeText "well-known-matrix-server" '' - { - "m.server": "${matrix_hostname}" - } - ''; - - # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client` - well_known_client = pkgs.writeText "well-known-matrix-client" '' - { - "m.homeserver": { - "base_url": "https://${matrix_hostname}" - } - } - ''; -in - -{ - # Configure Conduit itself - services.matrix-conduit = { - enable = true; - - # This causes NixOS to use the flake defined in this repository instead of - # the build of Conduit built into nixpkgs. 
- package = flake-inputs.conduit.packages.${pkgs.system}.default; - - settings.global = { - inherit server_name; - }; - }; - - # Configure automated TLS acquisition/renewal - security.acme = { - acceptTerms = true; - defaults = { - email = admin_email; - }; - }; - - # ACME data must be readable by the NGINX user - users.users.nginx.extraGroups = [ - "acme" - ]; - - # Configure NGINX as a reverse proxy - services.nginx = { - enable = true; - recommendedProxySettings = true; - - virtualHosts = { - "${matrix_hostname}" = { - forceSSL = true; - enableACME = true; - - listen = [ - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - ]; - - locations."/_matrix/" = { - proxyPass = "http://backend_conduit$request_uri"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_buffering off; - ''; - }; - - extraConfig = '' - merge_slashes off; - ''; - }; - - "${server_name}" = { - forceSSL = true; - enableACME = true; - - locations."=/.well-known/matrix/server" = { - # Use the contents of the derivation built previously - alias = "${well_known_server}"; - - extraConfig = '' - # Set the header since by default NGINX thinks it's just bytes - default_type application/json; - ''; - }; - - locations."=/.well-known/matrix/client" = { - # Use the contents of the derivation built previously - alias = "${well_known_client}"; - - extraConfig = '' - # Set the header since by default NGINX thinks it's just bytes - default_type application/json; - - # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients - add_header Access-Control-Allow-Origin "*"; - ''; - }; - }; - }; - - upstreams = { - "backend_conduit" = { - servers = { - "localhost:${toString config.services.matrix-conduit.settings.global.port}" = { }; - }; - }; - }; - }; - - # Open firewall ports for HTTP, HTTPS, and Matrix federation - networking.firewall.allowedTCPPorts = [ 80 443 8448 ]; - networking.firewall.allowedUDPPorts = 
[ 80 443 8448 ]; -} - diff --git a/schrottserver/configuration.nix b/schrottserver/configuration.nix index c8b3de5..4839d87 100644 --- a/schrottserver/configuration.nix +++ b/schrottserver/configuration.nix @@ -16,7 +16,7 @@ ./microbin.nix ../modules/neovim.nix ../modules/zsh.nix - ./conduit.nix + ./synapse.nix ]; #systemd.services.wordsofgod-bot.enable = true; diff --git a/schrottserver/proxy.nix b/schrottserver/proxy.nix index 7043031..da1458c 100644 --- a/schrottserver/proxy.nix +++ b/schrottserver/proxy.nix @@ -20,6 +20,10 @@ group = "nginx"; keyType = "rsa2048"; }; + "synapse.schrottkatze.de" = { + group = "nginx"; + keyType = "rsa2048"; + } }; }; @@ -66,6 +70,34 @@ proxyPass = "http://127.0.0.1:8080$request_uri"; }; }; + "synapse.schrottkatze.de" = { + forceSSL = true; + enableACME = true; + http2 = true; + listen = [ + { + port = 443; + ssl = true; + } + { + port = 8448; + ssl = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" { + proxyPass = "http://localhost:8008"; + extraConfig = [ + "proxy_pass http://localhost:8008;" + "proxy_set_header X-Forwarded-For $remote_addr;" + "proxy_set_header X-Forwarded-Proto $scheme;" + "proxy_set_header Host $host;" + "client_max_body_size 2G;" + ]; + }; + extraConfig = [ + "proxy_http_version 1.1;" + ]; + }; }; }; } diff --git a/schrottserver/synapse.nix b/schrottserver/synapse.nix new file mode 100644 index 0000000..9d96080 --- /dev/null +++ b/schrottserver/synapse.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: +{ + services.matrix-synapse = { + enable = true; + settings = { + server_name = "synapse.schrottkatze.de"; + max_upload_size = "2G"; + }; + }; +}
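Review bot: The added certificate entry in the first proxy.nix hunk closes with `}` and no semicolon, so `"synapse.schrottkatze.de" = { … }` is immediately followed by the enclosing `};` and the file will not parse; the added closing line should read `};`. The `group = "nginx"; keyType = "rsa2048";` values copy the neighbouring entries, which is consistent with the vhost in the next hunk that sets `enableACME = true` for the same name. The enclosing `security.acme.certs` attribute set starts before the hunk.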
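Review bot: The new vhost in the second proxy.nix hunk has three problems that stop it from evaluating: `locations."~ ^(/_matrix|/_synapse/client)" {` is missing the `=` of an attribute binding, and both `extraConfig` values are Nix lists although the nginx module declares that option as a multi-line string (`lines`). Even once it evaluates, `proxyPass = "http://localhost:8008"` together with the literal `proxy_pass http://localhost:8008;` in `extraConfig` emits the directive twice in one location, which nginx rejects as a duplicate. The `listen` entries give only `port` and `ssl`; as far as I recall the module's listen submodule has no default for `addr` (the deleted conduit.nix set `addr = "0.0.0.0"`), so confirm that evaluates or add it. The enclosing `services.nginx.virtualHosts` set starts before the hunk.
```nix
"synapse.schrottkatze.de" = {
  forceSSL = true;
  enableACME = true;
  http2 = true;
  # … unchanged: listen = [ … ] …
  locations."~ ^(/_matrix|/_synapse/client)" = {
    proxyPass = "http://localhost:8008";
    extraConfig = ''
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $host;
      client_max_body_size 2G;
    '';
  };
  extraConfig = ''
    proxy_http_version 1.1;
  '';
};
```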
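Review bot: `max_upload_size = "2G"` in synapse.nix may be rejected at startup: Synapse's size parser has historically accepted only `K` and `M` suffixes, so confirm the deployed version understands `G` or write it as `max_upload_size = "2048M";`, which still matches the `client_max_body_size 2G` in proxy.nix. No `listeners` are configured, so the module's default listener is what the proxy's `http://localhost:8008` upstream relies on; I would record that dependency with a comment such as `# proxied by proxy.nix; relies on the module's default 127.0.0.1:8008 listener` inside the `settings` block. The `pkgs` argument in `{ pkgs, ... }:` is unused and could be dropped to `{ ... }:`.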