From f72f22b250ecf22657ffc9e6082086377031ea8a Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sun, 30 Jul 2023 13:19:39 +0300
Subject: clean up a bit
---
 hosts/vps/services/matrix.nix | 159 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 hosts/vps/services/matrix.nix
(limited to 'hosts/vps/services/matrix.nix')
diff --git a/hosts/vps/services/matrix.nix b/hosts/vps/services/matrix.nix
new file mode 100644
index 0000000..e2aa1a5
--- /dev/null
+++ b/hosts/vps/services/matrix.nix
@@ -0,0 +1,159 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ config = {
+ # services.matrix-synapse = {
+ # enable = true;
+ # settings.server_name = config.networking.domain;
+ # settings.listeners = [
+ # {
+ # port = 8008;
+ # bind_addresses = ["::1"];
+ # type = "http";
+ # tls = false;
+ # x_forwarded = true;
+ # resources = [
+ # {
+ # names = ["client" "federation"];
+ # compress = true;
+ # }
+ # ];
+ # }
+ # ];
+ # };
+ # networking.firewall.allowedTCPPorts = [80 443];
+
+ age.secrets.matrix = {
+ file = ../../secrets/matrix.age;
+ mode = "600";
+ owner = "root";
+ group = "root";
+ };
+
+ services.dendrite = let
+ database_config = {
+ connection_string = "postgresql:///dendrite?host=/run/postgresql";
+ max_open_conns = 10;
+ max_idle_conns = 5;
+ };
+ in {
+ enable = true;
+
+ loadCredential = ["private_key:${config.age.secrets.matrix.path}" "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt" "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"];
+
+ # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert";
+ # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey";
+
+ # httpPort = null;
+ # httpsPort = 8448;
+
+ settings = {
+ global = {
+ server_name = "tzlil.net";
+ private_key = "$CREDENTIALS_DIRECTORY/private_key";
+
+ # preserve across restarts
+ jetstream.storage_path = "/var/lib/dendrite/";
+
+ dns_cache = {
+ enabled = true;
+ cache_size = 4096;
+ cache_lifetime = "600s";
+ };
+
+ presence = {
+ enable_inbound = true;
+ enable_outbound = true;
+ };
+
+ cache.max_size_estimated = "16gb";
+ };
+ federation_api.key_perspectives = [
+ {
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }
+ ];
+
+ app_service_api.database = database_config;
+ federation_api.database = database_config;
+ key_server.database = database_config;
+ media_api.database = database_config;
+ mscs.database = database_config;
+ room_server.database = database_config;
+ sync_api.database = database_config;
+ user_api.account_database = database_config;
+ user_api.device_database = database_config;
+ };
+ };
+
+ systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [
+ "${pkgs.dendrite}/bin/dendrite"
+ "--config /run/dendrite/dendrite.yaml"
+ "--http-bind-address :8008"
+ "--https-bind-address :8448"
+ "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert"
+ "--tls-key $CREDENTIALS_DIRECTORY/tlsKey"
+ ]);
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "dendrite";
+ ensurePermissions = {
+ "DATABASE dendrite" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+
+ ensureDatabases = ["dendrite"];
+ };
+
+ # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service
+ # systemd.services.dendrite.serviceConfig.User = "dendrite";
+ # systemd.services.dendrite.serviceConfig.Group = "dendrite";
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+ user = "postgres";
+ group = "postgres";
+ }
+
+ {
+ directory = "/var/lib/private/dendrite";
+ user = "root";
+ group = "root";
+ }
+ ];
+
+ systemd.services.dendrite.after = ["postgresql.service"];
+
+ services.caddy = {
+ # for federation
+ virtualHosts."tzlil.net:8448".extraConfig = ''
+ reverse_proxy /_matrix/* localhost:8008
+ '';
+ # for clients
+ virtualHosts."tzlil.net".extraConfig = ''
+ reverse_proxy /_matrix/* localhost:8008
+ header /.well-known/matrix/* Content-Type application/json
+ header /.well-known/matrix/* Access-Control-Allow-Origin *
+ respond /.well-known/matrix/server `{"m.server": "tzlil.net"}`
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [8448];
+ };
+}
-- cgit 1.4.1
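Review bot: The `"--https-bind-address :8448"` flag in the ExecStart override and the Caddy `virtualHosts."tzlil.net:8448"` site appear to both listen on TCP 8448 on the same host, so whichever service starts second should fail to bind; the hunk needs to settle on one federation TLS terminator. Since Caddy already proxies `/_matrix/*` to `localhost:8008` and is the one holding the ACME certificate, the simpler fix is to drop the `--https-bind-address`, `--tls-cert` and `--tls-key` flags together with the `tlsCert`/`tlsKey` entries of `loadCredential`; that also removes the problem that LoadCredential copies Caddy's certificate files at service start, so a renewed certificate would not reach dendrite until it is restarted. If the direct TLS listener is kept instead, the Caddy 8448 vhost should go and a restart trigger tied to certificate renewal is needed. In either case `"--http-bind-address :8008"` binds the plaintext listener on every interface although only the local Caddy needs it; `"--http-bind-address localhost:8008"` keeps it off the network independent of firewall state, matching the commented-out synapse config above which bound to `::1`.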