maxwell/matrix.nix

{ config, lib, pkgs, ... }:

let
  domain = "eurofusion.eu";
in

{
  ### Reverse proxy locations

  # Setup for well-known on the bare domain
  services.nginx.virtualHosts.${domain} =
    let
      client =
        { "m.homeserver"      =  { "base_url" = "https://${config.var.hostname}"; };
          "m.identity_server" =  { "base_url" = "https://matrix.org";  };
        };
      server = { "m.server" = "${config.var.hostname}:443"; };
    in
  {
    enableACME = true;
    forceSSL = true;

    # Needed for matrix federation
    locations."/.well-known/matrix/server".extraConfig = ''
      add_header Content-Type application/json;
      return 200 '${builtins.toJSON server}';
    '';

    # Needed for automatic homeserver
    # setup of matrix clients
    locations."/.well-known/matrix/client".extraConfig = ''
      add_header Content-Type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '${builtins.toJSON client}';
    '';
  };

  # Forward matrix/admin API calls to synapse
  services.nginx.virtualHosts.${config.var.hostname} =
    { locations."/_matrix".proxyPass = "http://localhost:8448";
      locations."/_synapse".proxyPass = "http://localhost:8448";
    };


  ### Homeserver
  services.matrix-synapse.enable = true;
  services.matrix-synapse.settings = {
    server_name = domain;
    public_baseurl = "https://${config.var.hostname}/";

    # Bind on localhost and used a reverse proxy
    listeners = [
      { bind_addresses = [ "localhost" ];
        port = 8448;
        type = "http";
        tls  = false;
        resources = [
          { compress = true;  names = [ "client" ] ; }
          { compress = false; names = [ "federation" ]; }
        ];
        x_forwarded = true;
      }
    ];

    # Connect to Postrges
    database_type = "psycopg2";
    database_args =
      { user     = "matrix-synapse";
        database = "matrix-synapse";
      };

    # Make logging less verbose
    log_config = pkgs.writeText "synapse-log.yml" ''
       version: 1
       formatters:
         journal_fmt:
           format: '%(name)s: [%(request)s] %(message)s'
       filters:
         context:
           (): synapse.util.logcontext.LoggingContextFilter
           request: ""
       handlers:
         journal:
           class: systemd.journal.JournalHandler
           formatter: journal_fmt
           filters: [context]
           SYSLOG_IDENTIFIER: synapse
       root:
         level: WARN
         handlers: [journal]
       disable_existing_loggers: False
    '';

    allow_guest_access  = true;
    expire_access_token = true;
    event_cache_size    = "2K";
    max_upload_size     = "1000M";
    dynamic_thumbnails  = true;
  };

  # Secrets
  services.matrix-synapse.extraConfigFiles =
    [
      # Password reset via email
      # Note: can't be put here, see NixOS/nixpkgs#158605
      config.secrets.matrix.email.conf

      # Needed by the register_new_matrix_user script
      config.secrets.matrix.registration
    ];


  ### Database
  services.postgresql.enable = true;

  # Create databases on the first run
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";

    CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
    CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  ### Whatsapp bridge

  # allow synapse to read the shared secrets
  users.users.matrix-synapse.extraGroups = [ "mautrix-whatsapp" ];

  # Allow olm for mautrix-whatsapp
  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];

  services.mautrix-whatsapp =
    {
      enable = true;
      serviceDependencies = [ "postgresql.service" ];
      settings.appservice =
        { database.type = "postgres";
          database.uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
        };
      settings.bridge =
        { encryption =
            { allow = true;
              default = true;
              require = true;
            };
          permissions =
            { "eurofusion.eu" = "user";
              "@rnhmjoj:eurofusion.eu" = "admin";
            };
          relay.enabled = false;
          mute_bridging = true;
        };
    };

}
initial commit 2020-10-20 01:11:28 +02:00			`{ config, lib, pkgs, ... }:`

			`let`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`domain = "eurofusion.eu";`
initial commit 2020-10-20 01:11:28 +02:00			`in`

			`{`
			`### Reverse proxy locations`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00
			`# Setup for well-known on the bare domain`
			`services.nginx.virtualHosts.${domain} =`
initial commit 2020-10-20 01:11:28 +02:00			`let`
			`client =`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`{ "m.homeserver" = { "base_url" = "https://${config.var.hostname}"; };`
initial commit 2020-10-20 01:11:28 +02:00			`"m.identity_server" = { "base_url" = "https://matrix.org"; };`
			`};`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`server = { "m.server" = "${config.var.hostname}:443"; };`
initial commit 2020-10-20 01:11:28 +02:00			`in`
			`{`
migrate everyhing possible to eurofusion.eu 2024-10-12 20:08:33 +02:00			`enableACME = true;`
			`forceSSL = true;`

initial commit 2020-10-20 01:11:28 +02:00			`# Needed for matrix federation`
			`locations."/.well-known/matrix/server".extraConfig = ''`
			`add_header Content-Type application/json;`
			`return 200 '${builtins.toJSON server}';`
			`'';`

			`# Needed for automatic homeserver`
			`# setup of matrix clients`
			`locations."/.well-known/matrix/client".extraConfig = ''`
			`add_header Content-Type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`return 200 '${builtins.toJSON client}';`
			`'';`
			`};`

migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`# Forward matrix/admin API calls to synapse`
			`services.nginx.virtualHosts.${config.var.hostname} =`
			`{ locations."/_matrix".proxyPass = "http://localhost:8448";`
			`locations."/_synapse".proxyPass = "http://localhost:8448";`
			`};`
initial commit 2020-10-20 01:11:28 +02:00

			`### Homeserver`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`services.matrix-synapse.enable = true;`
			`services.matrix-synapse.settings = {`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`server_name = domain;`
			`public_baseurl = "https://${config.var.hostname}/";`
initial commit 2020-10-20 01:11:28 +02:00
			`# Bind on localhost and used a reverse proxy`
			`listeners = [`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`{ bind_addresses = [ "localhost" ];`
initial commit 2020-10-20 01:11:28 +02:00			`port = 8448;`
			`type = "http";`
			`tls = false;`
			`resources = [`
			`{ compress = true; names = [ "client" ] ; }`
			`{ compress = false; names = [ "federation" ]; }`
			`];`
			`x_forwarded = true;`
			`}`
			`];`

			`# Connect to Postrges`
			`database_type = "psycopg2";`
matrix: add email support 2022-08-11 00:02:33 +02:00			`database_args =`
			`{ user = "matrix-synapse";`
			`database = "matrix-synapse";`
			`};`
initial commit 2020-10-20 01:11:28 +02:00
			`# Make logging less verbose`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`log_config = pkgs.writeText "synapse-log.yml" ''`
initial commit 2020-10-20 01:11:28 +02:00			`version: 1`
			`formatters:`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`journal_fmt:`
			`format: '%(name)s: [%(request)s] %(message)s'`
initial commit 2020-10-20 01:11:28 +02:00			`filters:`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`context:`
			`(): synapse.util.logcontext.LoggingContextFilter`
			`request: ""`
initial commit 2020-10-20 01:11:28 +02:00			`handlers:`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`journal:`
			`class: systemd.journal.JournalHandler`
			`formatter: journal_fmt`
			`filters: [context]`
			`SYSLOG_IDENTIFIER: synapse`
initial commit 2020-10-20 01:11:28 +02:00			`root:`
update to NixOS 22.05 2022-08-10 05:04:54 +02:00			`level: WARN`
			`handlers: [journal]`
initial commit 2020-10-20 01:11:28 +02:00			`disable_existing_loggers: False`
			`'';`

			`allow_guest_access = true;`
			`expire_access_token = true;`
			`event_cache_size = "2K";`
			`max_upload_size = "1000M";`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`dynamic_thumbnails = true;`
initial commit 2020-10-20 01:11:28 +02:00			`};`
matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00
matrix: add email support 2022-08-11 00:02:33 +02:00			`# Secrets`
matrix: move secrets to extra YAML files 2022-08-10 11:42:58 +02:00			`services.matrix-synapse.extraConfigFiles =`
			`[`
matrix: add email support 2022-08-11 00:02:33 +02:00			`# Password reset via email`
			`# Note: can't be put here, see NixOS/nixpkgs#158605`
			`config.secrets.matrix.email.conf`

matrix: move secrets to extra YAML files 2022-08-10 11:42:58 +02:00			`# Needed by the register_new_matrix_user script`
			`config.secrets.matrix.registration`
			`];`
initial commit 2020-10-20 01:11:28 +02:00

matrix: initialise DB if missing 2020-10-26 00:48:10 +01:00			`### Database`
initial commit 2020-10-20 01:11:28 +02:00			`services.postgresql.enable = true;`

matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00			`# Create databases on the first run`
matrix: initialise DB if missing 2020-10-26 00:48:10 +01:00			`services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''`
			`CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';`
			`CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`
			`TEMPLATE template0`
			`LC_COLLATE = "C"`
			`LC_CTYPE = "C";`
matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00
			`CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';`
			`CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"`
			`TEMPLATE template0`
			`LC_COLLATE = "C"`
			`LC_CTYPE = "C";`
matrix: initialise DB if missing 2020-10-26 00:48:10 +01:00			`'';`

matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00			`### Whatsapp bridge`

			`# allow synapse to read the shared secrets`
			`users.users.matrix-synapse.extraGroups = [ "mautrix-whatsapp" ];`

update nixpkgs 2024-10-12 22:43:18 +02:00			`# Allow olm for mautrix-whatsapp`
			`nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];`

matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00			`services.mautrix-whatsapp =`
			`{`
			`enable = true;`
			`serviceDependencies = [ "postgresql.service" ];`
			`settings.appservice =`
			`{ database.type = "postgres";`
			`database.uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";`
			`};`
			`settings.bridge =`
			`{ encryption =`
			`{ allow = true;`
			`default = true;`
			`require = true;`
			`};`
			`permissions =`
migrate matrix to new domain 2024-10-22 23:54:45 +02:00			`{ "eurofusion.eu" = "user";`
			`"@rnhmjoj:eurofusion.eu" = "admin";`
matrix: add whatsapp bridge 2023-09-03 02:13:13 +02:00			`};`
			`relay.enabled = false;`
			`mute_bridging = true;`
			`};`
			`};`

initial commit 2020-10-20 01:11:28 +02:00			`}`