-rwxr-xr-x | host/Rory-discordbots/configuration.nix | 3 | ||||
-rwxr-xr-x | host/Rory-nginx/hosts/rory.gay/matrix.nix | 6 | ||||
-rwxr-xr-x | host/Rory-nginx/hosts/rory.gay/root.nix | 17 | ||||
-rwxr-xr-x | host/Rory-synapse/configuration.nix | 100 |
4 files changed, 124 insertions, 2 deletions
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix index 36e7a1f..958ae5c 100755 --- a/host/Rory-discordbots/configuration.nix +++ b/host/Rory-discordbots/configuration.nix @@ -24,5 +24,4 @@ }; system.stateVersion = "22.11"; # DO NOT EDIT! -} - +} \ No newline at end of file diff --git a/host/Rory-nginx/hosts/rory.gay/matrix.nix b/host/Rory-nginx/hosts/rory.gay/matrix.nix new file mode 100755 index 0000000..6a638c3 --- /dev/null +++ b/host/Rory-nginx/hosts/rory.gay/matrix.nix @@ -0,0 +1,6 @@ +{ + enableACME = true; + addSSL = true; + locations."/_matrix".proxyPass = "http://192.168.1.5:8008"; + locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008"; +} diff --git a/host/Rory-nginx/hosts/rory.gay/root.nix b/host/Rory-nginx/hosts/rory.gay/root.nix index 4307cf4..c3dfb2f 100755 --- a/host/Rory-nginx/hosts/rory.gay/root.nix +++ b/host/Rory-nginx/hosts/rory.gay/root.nix @@ -4,4 +4,21 @@ addSSL = true; extraConfig = '' autoindex on;''; + + locations."= /.well-known/matrix/server".extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON { + "m.server" = "matrix.rory.gay:443"; + }}}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON { + "m.homeserver".base_url = "https://matrix.rory.gay"; + "m.identity_server" = {}; + } + }'; + ''; } diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix new file mode 100755 index 0000000..24a0692 --- /dev/null +++ b/host/Rory-synapse/configuration.nix 
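Review bot: The two `proxyPass` locations in matrix.nix hand requests to Synapse with no `proxy_set_header` directives, so Synapse will see nginx's own address as the client, which skews its request logging and per-IP rate limiting; Synapse's reverse-proxy guidance expects `proxy_set_header X-Forwarded-For $remote_addr;`, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header Host $host;` on each location, together with `x_forwarded: true` on the Synapse listener (not visible in this commit). Since both locations need identical settings, binding them once in a `let` and reusing the attrset for `/_matrix` and `/_synapse/client` would keep them from drifting. The upstream is plain HTTP on 192.168.1.5:8008 across an internal network; that is presumably intentional, but worth a one-line comment saying so.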
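Review bot: The `/.well-known/matrix/server` body in root.nix is not valid JSON: in `+ }}}';` the first `}` closes the attribute set passed to `builtins.toJSON` and the second closes the `${` interpolation, so the third is emitted literally and the response becomes `{"m.server":"matrix.rory.gay:443"}}`, which federation delegation lookups will reject. Change that line to `}}';`, matching the client block just below it, which correctly uses `} }';`. The enclosing attribute set starts outside the hunk (only `addSSL`, `extraConfig` and the closing brace are shown as context).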
@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ networking = {
+ hostName = "Rory-synapse";
+ interfaces.ens18.ipv4.addresses = [ {
+ address = "192.168.1.5";
+ prefixLength = 24;
+ } ];
+ interfaces.ens19.ipv4.addresses = [ {
+ address = "10.10.10.5";
+ prefixLength = 16;
+ } ];
+ };
+
+ # coturn (WebRTC)
+ services.coturn = rec {
+ enable = false; # Alicia - figure out secret first...
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret = "will be world readable for local users :(";
+ realm = "turn.example.com";
+ # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+ #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+ #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+ extraConfig = ''
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ #services.matrix-synapse = with config.services.coturn; {
+ # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+ # turn_shared_secret = static-auth-secret;
+ # turn_user_lifetime = "1h";
+ #};
+
+ # Discord bridge
+ services.matrix-appservice-discord = {
+ enable = false; # Alicia - figure out secret first...
+ environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+ # The appservice is pre-configured to use SQLite by default.
+ # It's also possible to use PostgreSQL.
+ settings = {
+ bridge = {
+ domain = "rory.gay";
+ homeserverUrl = "https://matrix.rory.gay";
+ };
+
+ # The service uses SQLite by default, but it's also possible to use
+ # PostgreSQL instead:
+ database = {
+ # filename = ""; # empty value to disable sqlite
+ connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ ];
+
+ }
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+ |
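Review bot: The new `services.matrix-appservice-discord = {` block is never closed: the `};` after `database` closes `settings`, the next non-blank line opens `services.matrix-synapse = {`, and that block's closing `}` also lacks the `;` required before `system.stateVersion`, so the file will not evaluate. Insert `};` before `services.matrix-synapse = {` and change its closing `}` to `};`. Separately, `static-auth-secret = "will be world readable for local users :("` does what its own comment says — any Nix string ends up in the world-readable store and this literal is now also committed to the repository — so even while `enable = false` prefer pointing the module at a root-only file (recent NixOS releases expose `static-auth-secret-file` on the coturn module) and replace the placeholder `realm = "turn.example.com"` before enabling. `services.matrix-synapse` is enabled with no listener or `x_forwarded` setting visible in this hunk, so confirm the module defaults match the nginx proxy added in matrix.nix.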