summary refs log tree commit diff
diff options
context:
space:
mode:
-rwxr-xr-xhost/Rory-discordbots/configuration.nix3
-rwxr-xr-xhost/Rory-nginx/hosts/rory.gay/matrix.nix6
-rwxr-xr-xhost/Rory-nginx/hosts/rory.gay/root.nix17
-rwxr-xr-xhost/Rory-synapse/configuration.nix100
4 files changed, 124 insertions, 2 deletions
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix
index 36e7a1f..958ae5c 100755
--- a/host/Rory-discordbots/configuration.nix
+++ b/host/Rory-discordbots/configuration.nix
@@ -24,5 +24,4 @@
   };
 
   system.stateVersion = "22.11"; # DO NOT EDIT!
-}
-
+}
\ No newline at end of file
diff --git a/host/Rory-nginx/hosts/rory.gay/matrix.nix b/host/Rory-nginx/hosts/rory.gay/matrix.nix
new file mode 100755
index 0000000..6a638c3
--- /dev/null
+++ b/host/Rory-nginx/hosts/rory.gay/matrix.nix
@@ -0,0 +1,6 @@
+{
+  enableACME = true;
+  addSSL = true;
+  locations."/_matrix".proxyPass = "http://192.168.1.5:8008"; 
+  locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";   
+}
diff --git a/host/Rory-nginx/hosts/rory.gay/root.nix b/host/Rory-nginx/hosts/rory.gay/root.nix
index 4307cf4..c3dfb2f 100755
--- a/host/Rory-nginx/hosts/rory.gay/root.nix
+++ b/host/Rory-nginx/hosts/rory.gay/root.nix
@@ -4,4 +4,21 @@
   addSSL = true;
   extraConfig = ''
     autoindex on;'';
+
+  locations."= /.well-known/matrix/server".extraConfig = ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON {
+      "m.server" = "matrix.rory.gay:443";
+    }}}';
+  ''; 
+  locations."= /.well-known/matrix/client".extraConfig = ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON {
+      "m.homeserver".base_url = "https://matrix.rory.gay";
+      "m.identity_server" = {};
+    }
+    }';
+  ''; 
 }
diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix
new file mode 100755
index 0000000..24a0692
--- /dev/null
+++ b/host/Rory-synapse/configuration.nix
@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  networking = {
+    hostName = "Rory-synapse";
+    interfaces.ens18.ipv4.addresses = [ { 
+      address = "192.168.1.5";
+      prefixLength = 24;
+    } ];
+    interfaces.ens19.ipv4.addresses = [ {
+      address = "10.10.10.5";
+      prefixLength = 16;
+    } ];
+  };
+
+  # coturn (WebRTC)
+  services.coturn = rec {
+    enable = false; # Alicia - figure out secret first...
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = "will be world readable for local users :(";
+    realm = "turn.example.com";
+    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  #services.matrix-synapse = with config.services.coturn; {
+  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+  #  turn_shared_secret = static-auth-secret;
+  #  turn_user_lifetime = "1h";
+  #};
+
+  # Discord bridge
+   services.matrix-appservice-discord = {
+    enable = false; # Alicia - figure out secret first...
+    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+    # The appservice is pre-configured to use SQLite by default.
+    # It's also possible to use PostgreSQL.
+    settings = {
+      bridge = {
+        domain = "rory.gay";
+        homeserverUrl = "https://matrix.rory.gay";
+      };
+
+      # The service uses SQLite by default, but it's also possible to use
+      # PostgreSQL instead:
+      database = {
+        #  filename = ""; # empty value to disable sqlite
+        connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+      };
+    };
+
+  services.matrix-synapse = {
+    enable = true;
+    app_service_config_files = [
+      #"/etc/matrix-synapse/appservice-registration.yaml"
+    ];
+    
+  }
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+