Cloonar/nixos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixos/hosts/fw/modules/web/matrix.nix

619 lines
20 KiB
Nix
Raw Blame History

{ pkgs, lib, config, ... }:
let
hostname = "matrix";
fqdn = "${hostname}.cloonar.com";
baseUrl = "https://${fqdn}";
clientConfig = {
"m.homeserver".base_url = baseUrl;
# MAS auth issuer discovery (MSC2965)
"org.matrix.msc2965.authentication" = {
issuer = baseUrl + "/";
account = baseUrl + "/account";
};
# MatrixRTC LiveKit focus for Element Call
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "${baseUrl}/livekit/jwt";
}
];
};
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
masUpstreamId = "01KJPRKN397E5N8D0CA2Z3TJ7Y";
elementWebClientId = "01KJPVT5D54NRAY7AJY6PZEN0D";
masPackage = pkgs.matrix-authentication-service;
synapseMasConfig = pkgs.writeText "synapse-mas-config.yaml" ''
matrix_authentication_service:
enabled: true
endpoint: "http://127.0.0.1:8081"
secret_path: ${config.sops.secrets.mas-matrix-secret-synapse.path}
'';
synapseVoipConfig = "/run/matrix-synapse/voip-config.yaml";
doublePuppetRegistration = "/run/matrix-synapse/double-puppet-registration.yaml";
in {
# Secrets for MAS
sops.secrets.mas-encryption-key = { owner = "mas"; };
sops.secrets.mas-matrix-secret = { owner = "mas"; };
sops.secrets.mas-authelia-client-secret = { owner = "mas"; };
sops.secrets.mas-rsa-key = { owner = "mas"; };
# Synapse also needs the shared secret
sops.secrets.mas-matrix-secret-synapse = {
owner = "matrix-synapse";
key = "mas-matrix-secret";
};
# Double puppet appservice tokens (for bridge double puppeting via MAS)
sops.secrets.double-puppet-as-token = { owner = "matrix-synapse"; };
sops.secrets.double-puppet-hs-token = { owner = "matrix-synapse"; };
# TURN shared secret (for Synapse VoIP config)
sops.secrets.coturn-static-secret = {
sopsFile = ./secrets.yaml;
owner = "matrix-synapse";
};
sops.secrets.mautrix-whatsapp-env = { };
sops.secrets.mautrix-signal-env = { };
sops.secrets.mautrix-discord-env = { };
sops.secrets.mautrix-mattermost-env = { };
# MAS system user
users.users.mas = {
isSystemUser = true;
group = "mas";
home = "/var/lib/mas";
};
users.groups.mas = { };
# PostgreSQL databases for Synapse and MAS
services.postgresql = {
enable = true;
# Synapse requires C locale for correct collation behavior
initdbArgs = [ "--lc-collate=C" "--lc-ctype=C" ];
ensureDatabases = [ "matrix-synapse" "mas" ];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
{
name = "mas";
ensureDBOwnership = true;
}
];
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" "mas" ];
# Matrix Authentication Service (MAS)
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "postgresql.service" "network.target" ];
before = [ "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
User = "mas";
Group = "mas";
RuntimeDirectory = "mas";
RuntimeDirectoryMode = "0755";
StateDirectory = "mas";
StateDirectoryMode = "0750";
ExecStart = "${masPackage}/bin/mas-cli server --config /run/mas/config.yaml";
Restart = "on-failure";
RestartSec = "5s";
};
preStart = ''
# Read secrets from SOPS-managed files
ENCRYPTION_KEY=$(cat ${config.sops.secrets.mas-encryption-key.path})
MATRIX_SECRET=$(cat ${config.sops.secrets.mas-matrix-secret.path})
CLIENT_SECRET=$(cat ${config.sops.secrets.mas-authelia-client-secret.path})
# Write MAS config with secrets interpolated
cat > /run/mas/config.yaml <<MASEOF
http:
public_base: ${baseUrl}/
listeners:
- name: web
resources:
- name: discovery
- name: human
- name: oauth
- name: compat
- name: graphql
- name: assets
binds:
- address: "127.0.0.1:8081"
database:
uri: postgresql:///mas?host=/run/postgresql
matrix:
homeserver: cloonar.com
endpoint: "http://[::1]:8008"
secret: "$MATRIX_SECRET"
upstream_oauth2:
providers:
- id: ${masUpstreamId}
synapse_idp_id: oidc-authelia
human_name: Authelia
issuer: https://auth.cloonar.com
client_id: synapse
client_secret: "$CLIENT_SECRET"
token_endpoint_auth_method: client_secret_post
scope: "openid email profile"
fetch_userinfo: true
claims_imports:
skip_confirmation: true
localpart:
action: require
template: "{{ user.email | replace('@cloonar.com', ''') | replace('@', '_') }}"
displayname:
action: force
template: "{{ user.name }}"
email:
action: require
template: "{{ user.email }}"
set_email_verification: always
clients:
- client_id: ${elementWebClientId}
client_auth_method: none
redirect_uris:
- https://element.cloonar.com/
- https://element.cloonar.com/?no_universal_links=true
passwords:
enabled: true
schemes:
- version: 1
algorithm: bcrypt
secrets:
encryption: "$ENCRYPTION_KEY"
keys:
- kid: mas-rsa-key
key_file: ${config.sops.secrets.mas-rsa-key.path}
telemetry:
tracing:
exporter: none
metrics:
exporter: none
MASEOF
'';
};
# Synapse homeserver
services.matrix-synapse = {
enable = true;
extraConfigFiles = [ "${synapseMasConfig}" synapseVoipConfig ];
settings = {
server_name = "cloonar.com";
public_baseurl = baseUrl;
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
compress = true;
names = [ "client" "federation" ];
}
];
}
];
database = {
name = "psycopg2";
args = {
host = "/run/postgresql";
database = "matrix-synapse";
user = "matrix-synapse";
};
};
allow_guest_access = false;
# Double puppet appservice registration (bridges use this for m.login.application_service)
app_service_config_files = [ doublePuppetRegistration ];
# MSC4190: device management for appservices (required for encrypted bridges with MAS)
experimental_features = {
msc4190_enabled = true;
msc3202_device_masquerading = true;
# MatrixRTC support
msc3266_enabled = true;
msc4222_enabled = true;
# QR code login (MSC4108) — enables the built-in rendezvous server
msc4108_enabled = true;
};
# MatrixRTC delayed events (MSC4140) — prevents stuck calls
max_event_delay_duration = "24h";
};
};
# Synapse runs inside an isolated microVM, so PrivateUsers provides minimal
# additional security. Disabling it allows Synapse to read bridge registration
# files via SupplementaryGroups (user namespace blocks mapped GIDs otherwise).
# Synapse depends on MAS for auth delegation
systemd.services.matrix-synapse.after = [ "matrix-authentication-service.service" ];
systemd.services.matrix-synapse.wants = [ "matrix-authentication-service.service" ];
systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
systemd.services.matrix-synapse.preStart = lib.mkAfter ''
install -m 0600 /dev/null ${synapseVoipConfig}
TURN_SECRET=$(cat ${config.sops.secrets.coturn-static-secret.path})
cat > ${synapseVoipConfig} <<EOF
turn_uris:
- "turns:turn.cloonar.com?transport=udp"
- "turns:turn.cloonar.com?transport=tcp"
- "turn:turn.cloonar.com?transport=udp"
- "turn:turn.cloonar.com?transport=tcp"
turn_shared_secret: "$TURN_SECRET"
turn_user_lifetime: 86400000
EOF
install -m 0640 /dev/null ${doublePuppetRegistration}
DP_AS=$(cat ${config.sops.secrets.double-puppet-as-token.path})
DP_HS=$(cat ${config.sops.secrets.double-puppet-hs-token.path})
cat > ${doublePuppetRegistration} <<DPEOF
id: double-puppet
as_token: "$DP_AS"
hs_token: "$DP_HS"
url:
sender_localpart: _double-puppet
rate_limited: false
namespaces:
users:
- regex: '@.*:cloonar\.com'
exclusive: false
DPEOF
'';
# Generate env file with double puppet token for bridges
systemd.services.generate-double-puppet-env = {
description = "Generate double puppet environment file";
wantedBy = [ "multi-user.target" ];
before = [
"mautrix-whatsapp.service"
"mautrix-signal.service"
"mautrix-discord-registration.service"
"mautrix-mattermost-registration.service"
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
echo "DOUBLE_PUPPET_AS_TOKEN=$(cat ${config.sops.secrets.double-puppet-as-token.path})" > /run/double-puppet-env
chmod 0444 /run/double-puppet-env
'';
};
# Append double puppet env file to each bridge's EnvironmentFile
# WhatsApp & Signal: envsubst runs in main service preStart
systemd.services.mautrix-whatsapp.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
systemd.services.mautrix-signal.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
# Discord & Mattermost: envsubst runs in registration service script
systemd.services.mautrix-discord-registration.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
systemd.services.mautrix-mattermost-registration.serviceConfig.EnvironmentFile = [ "/run/double-puppet-env" ];
# Element Web client
services.nginx.virtualHosts."element.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = pkgs.element-web.override {
conf = {
default_theme = "dark";
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.cloonar.com";
server_name = "cloonar.com";
};
"org.matrix.msc2965.authentication" = {
issuer = "https://matrix.cloonar.com/";
account = "https://matrix.cloonar.com/account";
};
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://matrix.cloonar.com/livekit/jwt";
}
];
};
oidc_static_clients = {
"https://matrix.cloonar.com/" = {
client_id = elementWebClientId;
};
};
disable_custom_urls = true;
disable_3pid_login = true;
default_country_code = "AT";
};
};
};
# Synapse + MAS nginx reverse proxy
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = ''
return 404;
'';
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
# MAS compatibility endpoints (must be before /_matrix catch-all)
locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
# MAS own endpoints
locations."/authorize".proxyPass = "http://127.0.0.1:8081";
locations."/oauth2".proxyPass = "http://127.0.0.1:8081";
locations."/.well-known/openid-configuration".proxyPass = "http://127.0.0.1:8081";
locations."/.well-known/webfinger".proxyPass = "http://127.0.0.1:8081";
locations."/assets".proxyPass = "http://127.0.0.1:8081";
locations."/graphql".proxyPass = "http://127.0.0.1:8081";
locations."/account".proxyPass = "http://127.0.0.1:8081";
locations."/upstream".proxyPass = "http://127.0.0.1:8081";
locations."/register".proxyPass = "http://127.0.0.1:8081";
locations."/consent".proxyPass = "http://127.0.0.1:8081";
locations."/recovery".proxyPass = "http://127.0.0.1:8081";
locations."/login".proxyPass = "http://127.0.0.1:8081";
locations."/change-password".proxyPass = "http://127.0.0.1:8081";
# LiveKit JWT service for MatrixRTC
locations."^~ /livekit/jwt/" = {
proxyPass = "http://127.0.0.1:8082/";
};
# LiveKit SFU WebSocket
locations."^~ /livekit/sfu/" = {
proxyPass = "http://127.0.0.1:7880/";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
'';
};
# Synapse endpoints
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
# Internal proxy for bridges: routes login/auth to MAS, everything else to Synapse.
# Bridges connect here instead of directly to Synapse, which no longer serves
# /_matrix/client/v3/login when MAS is enabled.
services.nginx.virtualHosts."matrix-internal" = {
listen = [{ addr = "127.0.0.1"; port = 8009; }];
locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
#
# Mautrix bridges (using NixOS modules)
# Modules handle users, groups, registration files, Synapse integration,
# and service ordering automatically via registerToSynapse.
#
# WhatsApp bridge
services.mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
environmentFile = config.sops.secrets.mautrix-whatsapp-env.path;
settings = {
homeserver = {
address = "http://127.0.0.1:8009";
domain = "cloonar.com";
};
bridge = {
command_prefix = "!wa";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
};
double_puppet = {
servers."cloonar.com" = "http://127.0.0.1:8009";
secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
msc4190 = true;
};
};
};
# Signal bridge
services.mautrix-signal = {
enable = true;
registerToSynapse = true;
environmentFile = config.sops.secrets.mautrix-signal-env.path;
settings = {
homeserver = {
address = "http://127.0.0.1:8009";
domain = "cloonar.com";
};
bridge = {
command_prefix = "!signal";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
};
double_puppet = {
servers."cloonar.com" = "http://127.0.0.1:8009";
secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
msc4190 = true;
};
matrix.sync_direct_chat_list = true;
};
};
# Discord bridge
services.mautrix-discord = {
enable = true;
registerToSynapse = true;
environmentFile = config.sops.secrets.mautrix-discord-env.path;
settings = {
homeserver = {
address = "http://127.0.0.1:8009";
domain = "cloonar.com";
};
bridge = {
command_prefix = "!discord";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
};
double_puppet = {
servers."cloonar.com" = "http://127.0.0.1:8009";
secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
};
# Override token defaults so env var substitution writes real tokens.
# Must include database/address/port since setting appservice replaces the whole default.
appservice = {
address = "http://localhost:29334";
hostname = "0.0.0.0";
port = 29334;
database = {
type = "sqlite3";
uri = "file:/var/lib/mautrix-discord/mautrix-discord.db?_txlock=immediate";
};
id = "discord";
bot.username = "discordbot";
as_token = "$MAUTRIX_DISCORD_AS_TOKEN";
hs_token = "$MAUTRIX_DISCORD_HS_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
msc4190 = true;
};
};
};
#
# LiveKit SFU + JWT service for MatrixRTC video/voice calls
#
# LiveKit SFU — handles WebRTC media relay
services.livekit = {
enable = true;
openFirewall = true;
keyFile = "/run/livekit/key";
settings = {
rtc = {
port_range_start = 50000;
port_range_end = 50200;
use_external_ip = true;
};
room.auto_create = false;
};
};
# JWT service — validates Matrix OpenID tokens and issues LiveKit JWTs
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://${fqdn}/livekit/sfu";
port = 8082;
keyFile = "/run/livekit/key";
};
# Only allow cloonar.com users to create LiveKit rooms
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cloonar.com";
# Generate LiveKit API key on boot
systemd.services.livekit-key-generate = {
description = "Generate LiveKit API key";
before = [ "livekit.service" "lk-jwt-service.service" ];
requiredBy = [ "livekit.service" "lk-jwt-service.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
if [ ! -f /run/livekit/key ]; then
mkdir -p /run/livekit
SECRET=$(${pkgs.openssl}/bin/openssl rand -hex 32)
echo "lk-jwt-service: $SECRET" > /run/livekit/key
chmod 0644 /run/livekit/key
fi
'';
};
# Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
services.mautrix-mattermost = {
enable = true;
registerToSynapse = true;
environmentFile = config.sops.secrets.mautrix-mattermost-env.path;
settings = {
homeserver = {
address = "http://127.0.0.1:8009";
domain = "cloonar.com";
};
bridge = {
command_prefix = "!mm";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
};
double_puppet = {
servers."cloonar.com" = "http://127.0.0.1:8009";
secrets."cloonar.com" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
};
appservice = {
address = "http://localhost:29335";
hostname = "0.0.0.0";
port = 29335;
id = "mattermost";
bot.username = "mattermostbot";
ephemeral_events = true;
username_template = "mattermost_{{.}}";
as_token = "$MAUTRIX_MATTERMOST_AS_TOKEN";
hs_token = "$MAUTRIX_MATTERMOST_HS_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
pickle_key = "$MAUTRIX_MATTERMOST_PICKLE_KEY";
msc4190 = true;
};
};
};
}
Reference in a new issue View git blame Copy permalink