about summary refs log tree commit diff
path: root/modules/nixos/matrix
diff options
context:
space:
mode:
Diffstat (limited to 'modules/nixos/matrix')
-rw-r--r--modules/nixos/matrix/default.nix6
-rw-r--r--modules/nixos/matrix/dendrite.nix238
-rw-r--r--modules/nixos/matrix/element.nix62
3 files changed, 0 insertions, 306 deletions
diff --git a/modules/nixos/matrix/default.nix b/modules/nixos/matrix/default.nix
deleted file mode 100644
index e7d5a02..0000000
--- a/modules/nixos/matrix/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-_: {
-  imports = [
-    ./dendrite.nix
-    ./element.nix
-  ];
-}
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
deleted file mode 100644
index 5e8a7e4..0000000
--- a/modules/nixos/matrix/dendrite.nix
+++ /dev/null
@@ -1,238 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  pkgs,
-  ...
-}:
-with lib;
-let
-  cfg = config.nixfiles.modules.matrix.dendrite;
-in
-{
-  options.nixfiles.modules.matrix.dendrite = {
-    enable = mkEnableOption "Dendrite Matrix server";
-
-    port = mkOption {
-      description = "Port.";
-      type = with types; port;
-      default = 8008;
-    };
-
-    domain = mkOption {
-      type = types.str;
-      default = config.networking.domain;
-      description = "Domain name sans protocol scheme.";
-    };
-  };
-
-  config =
-    let
-      db = "dendrite";
-    in
-    mkIf cfg.enable {
-      ark.directories = [
-        "/var/lib/dendrite"
-        "/var/lib/private/dendrite"
-      ];
-
-      # FIXME Use systemd secrets/environment for this.
-      secrets.dendrite-private-key = {
-        file = "${inputs.self}/secrets/dendrite-private-key";
-        mode = "0444";
-      };
-      secrets.dendrite-environment-file = {
-        file = "${inputs.self}/secrets/dendrite-environment-file";
-        mode = "0444";
-      };
-
-      nixfiles.modules = {
-        nginx = {
-          enable = true;
-          upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = { };
-          virtualHosts.${cfg.domain}.locations = {
-            "/_matrix".proxyPass = "http://dendrite";
-            "= /.well-known/matrix/server" = {
-              extraConfig = ''
-                add_header Content-Type application/json;
-              '';
-              return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'";
-            };
-            "= /.well-known/matrix/client" = {
-              extraConfig = ''
-                add_header Content-Type application/json;
-                add_header Access-Control-Allow-Origin *;
-              '';
-              return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'";
-            };
-          };
-        };
-
-        postgresql = {
-          enable = true;
-          extraPostStart = [
-            ''
-              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
-            ''
-          ];
-        };
-
-        promtail.filters = [
-          {
-            match = {
-              selector = ''{syslog_identifier="dendrite"} |~ ".*Failed to fetch key for server.*"'';
-              action = "drop";
-            };
-          }
-          {
-            match = {
-              selector = ''{syslog_identifier="dendrite"} |~ ".*could not download key for.*"'';
-              action = "drop";
-            };
-          }
-        ];
-      };
-
-      services.postgresql = {
-        ensureDatabases = [ db ];
-        ensureUsers = [
-          {
-            name = db;
-            ensureDBOwnership = true;
-          }
-        ];
-      };
-
-      systemd.services.dendrite = {
-        description = "Dendrite Matrix homeserver";
-        wantedBy = [ "multi-user.target" ];
-        requires = [
-          "network.target"
-          "postgresql.service"
-        ];
-        after = [
-          "network.target"
-          "postgresql.service"
-        ];
-        serviceConfig =
-          let
-            needsPrivileges = cfg.port < 1024;
-            capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
-          in
-          {
-            Restart = "on-failure";
-            ExecStartPre =
-              let
-                settings = {
-                  version = 2;
-                  global = {
-                    server_name = cfg.domain;
-                    private_key = config.secrets.dendrite-private-key.path;
-                    database = {
-                      connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
-                      max_open_conns = 64;
-                      max_idle_connections = 8;
-                    };
-                    cache = {
-                      max_size_estimated = "1gb";
-                      max_age = "1h";
-                    };
-                    trusted_third_party_id_servers = [
-                      "matrix.org"
-                      "nixos.org"
-                      "vector.im"
-                    ];
-                    presence = {
-                      enable_inbound = false;
-                      enable_outbound = false;
-                    };
-                  };
-                  client_api = {
-                    registration_disabled = true;
-                    guests_disabled = true;
-                    registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
-                  };
-                  media_api = {
-                    base_path = "/var/lib/dendrite/media_store";
-                    max_file_size_bytes = 0;
-                    dynamic_thumbnails = true;
-                    max_thumbnail_generators = 8;
-                    thumbnail_sizes = [
-                      {
-                        width = 32;
-                        height = 32;
-                        method = "crop";
-                      }
-                      {
-                        width = 96;
-                        height = 96;
-                        method = "crop";
-                      }
-                      {
-                        width = 640;
-                        height = 480;
-                        method = "scale";
-                      }
-                    ];
-                  };
-                  logging = [
-                    {
-                      type = "std";
-                      level = "warn";
-                    }
-                  ];
-                };
-              in
-              concatStringsSep " " [
-                (getExe pkgs.envsubst)
-                "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}"
-                "-o /run/dendrite/dendrite.yaml"
-              ];
-            ExecStart = concatStringsSep " " [
-              (getExe' pkgs.dendrite "dendrite")
-              "--config /run/dendrite/dendrite.yaml"
-              "--http-bind-address 127.0.0.1:${toString cfg.port}"
-            ];
-            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-            EnvironmentFile = config.secrets.dendrite-environment-file.path;
-            DynamicUser = true;
-            StateDirectory = "dendrite";
-            RuntimeDirectory = "dendrite";
-            RuntimeDirectoryMode = "0700";
-            AmbientCapabilities = capabilities;
-            CapabilityBoundingSet = capabilities;
-            UMask = "0077";
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
-            NoNewPrivileges = true;
-            PrivateDevices = true;
-            PrivateTmp = true;
-            PrivateUsers = !needsPrivileges;
-            ProtectClock = true;
-            ProtectControlGroups = true;
-            ProtectHome = true;
-            ProtectHostname = true;
-            ProtectKernelLogs = true;
-            ProtectKernelModules = true;
-            ProtectKernelTunables = true;
-            ProtectSystem = "strict";
-            ProtectProc = "noaccess";
-            ProcSubset = "pid";
-            RemoveIPC = true;
-            RestrictAddressFamilies = [
-              "AF_UNIX"
-              "AF_INET"
-              "AF_INET6"
-            ];
-            RestrictNamespaces = true;
-            RestrictRealtime = true;
-            RestrictSUIDSGID = true;
-            SystemCallArchitectures = "native";
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged"
-            ];
-          };
-      };
-    };
-}
diff --git a/modules/nixos/matrix/element.nix b/modules/nixos/matrix/element.nix
deleted file mode 100644
index 92a2927..0000000
--- a/modules/nixos/matrix/element.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib;
-let
-  cfg = config.nixfiles.modules.matrix.element;
-in
-{
-  options.nixfiles.modules.matrix.element = {
-    enable = mkEnableOption "Element, a Matrix web interface";
-
-    domain = mkOption {
-      description = "Domain name sans protocol scheme.";
-      type = with types; nullOr str;
-      default = "element.${config.networking.domain}";
-    };
-
-    homeserver = mkOption {
-      description = "Default Matrix homeserver.";
-      type = with types; str;
-      default = my.domain.azahi;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion =
-          with config.nixfiles.modules.matrix;
-          (synapse.enable || dendrite.enable) && !(!synapse.enable && !dendrite.enable);
-        message = "Synapse or Dendrite must be enabled";
-      }
-    ];
-
-    nixfiles.modules.nginx = with cfg; {
-      enable = true;
-      virtualHosts.${domain}.locations."/".root = pkgs.element-web.override {
-        conf = {
-          default_server_config."m.homeserver" = {
-            base_url = "https://${homeserver}";
-            server_name = homeserver;
-          };
-          disable_custom_urls = true;
-          disable_guests = true;
-          disable_login_language_selector = true;
-          disable_3pid_login = true;
-          brand = homeserver;
-          branding.authFooterLinks = [
-            {
-              text = "Hosted on NixOS";
-              url = "https://nixos.org";
-            }
-          ];
-          default_theme = "dark";
-        };
-      };
-    };
-  };
-}

Consider giving Nix/NixOS a try! <3