From 0b041cc94976fdacad7e22afa08d51b6f6927426 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Sun, 8 Feb 2026 12:37:17 +0100
Subject: [PATCH] improve synapse
---
 hosts/matrix/default.nix | 5 ++-
 {services => hosts/matrix}/draupnir.nix | 0
 hosts/matrix/nginx.nix | 24 +++++++++++
 {services => hosts/matrix}/synapse.nix | 7 +++-
 services/nginx.nix | 56 +++++++++----------------
 5 files changed, 53 insertions(+), 39 deletions(-)
 rename {services => hosts/matrix}/draupnir.nix (100%)
 create mode 100644 hosts/matrix/nginx.nix
 rename {services => hosts/matrix}/synapse.nix (91%)
diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 9d30fb4..9362d37 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -5,9 +5,10 @@
 ../common.nix
 ../../services/openssh.nix
 ../../services/nginx.nix
+ ./nginx.nix
+ ./synapse.nix
+ ./draupnir.nix
 ../../services/postgres.nix
- ../../services/synapse.nix
- ../../services/draupnir.nix
 ../../services/prometheus.nix
 ../../services/grafana.nix
 ];
diff --git a/services/draupnir.nix b/hosts/matrix/draupnir.nix
similarity index 100%
rename from services/draupnir.nix
rename to hosts/matrix/draupnir.nix
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
new file mode 100644
index 0000000..7fd4abc
--- /dev/null
+++ b/hosts/matrix/nginx.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."matrix.berlin.ccc.de" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+ "/".return = "418 \"🫖\"";
+ "~ ^(/_matrix|/_synapse/client)" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://[::1]:8008";
+ extraConfig = ''
+ client_max_body_size 64M;
+ proxy_set_header X-Request-ID $request_id;
+ proxy_http_version 1.1;
+ '';
+ };
+ };
+ };
+}
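Review bot: In the new hosts/matrix/nginx.nix the vhost name `"matrix.berlin.ccc.de"` is a bare string literal, whereas the removed services/nginx.nix kept it in a `fqdn` let-binding and hosts/matrix/synapse.nix derives its names from `domain = "berlin.ccc.de"`; keeping `let fqdn = "matrix.berlin.ccc.de"; in` (or deriving it from the same `domain`) avoids the two files drifting apart. The `~ ^(/_matrix|/_synapse/client)` location is the only path that reaches Synapse, so everything else, including `/_synapse/admin`, falls through to the `"/"` 418 catch-all; that is a deliberate-looking property worth stating in a comment above the location, e.g. `# only client-facing Synapse paths are proxied; /_synapse/admin and everything else hit the 418 catch-all`. The commented-out `/.well-known/acme-challenge` line was carried over from the old file and should either be dropped or get a one-line reason for keeping it.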
diff --git a/services/synapse.nix b/hosts/matrix/synapse.nix
similarity index 91%
rename from services/synapse.nix
rename to hosts/matrix/synapse.nix
index e0fa15e..97242b0 100644
--- a/services/synapse.nix
+++ b/hosts/matrix/synapse.nix
@@ -4,6 +4,11 @@ let
 domain = "berlin.ccc.de";
 in
 {
+ networking.firewall.extraInputRules = ''
+ ip saddr 195.160.173.14 tcp dport 9009 accept
+ ip6 saddr 2001:678:760:cccb::14 tcp dport 9009 accept
+ '';
+
 services = {
 matrix-synapse = {
 enable = true;
@@ -42,7 +47,7 @@ in
 type = "metrics";
 tls = false;
 port = 9009;
- bind_addresses = [ "::1" ];
+ bind_addresses = ["::" "0.0.0.0"];
 resources = [
 {
 compress = false;
diff --git a/services/nginx.nix b/services/nginx.nix
index eff02e6..b7a4bd4 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
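Review bot: The metrics listener changed in the second hunk now binds `["::" "0.0.0.0"]` with `tls = false`, so the only thing keeping port 9009 away from anyone other than the two Prometheus hosts is the pair of nftables rules added in the first hunk, whereas the previous `[ "::1" ]` binding did not depend on the firewall at all. `networking.firewall.extraInputRules` is only honoured by the nftables firewall backend, so it is worth confirming that `networking.nftables.enable` is set on this host before relying on these rules. A narrower option is to bind the listener to the host's own routable address(es) instead of the wildcards, and either way a comment above `extraInputRules` such as `# Synapse metrics listener (port 9009, plaintext) is bound on all interfaces; only these two Prometheus hosts may reach it` would record why the port is exposed. Both the `services` block opened in the first hunk and the listener definition touched in the second continue outside the hunks.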
@@ -1,44 +1,28 @@ { config, pkgs, ... }: -let - fqdn = "matrix.berlin.ccc.de"; -in { users.users.nginx.extraGroups = [ "acme" ]; - services.nginx = { - enable = true; - resolver.addresses = [ - "[2606:4700:4700::1111]" - "[2620:fe::fe]" - "1.1.1.1" - "9.9.9.9" - ]; - statusPage = true; # http://127.0.0.1/nginx_status - sslProtocols = "TLSv1.3"; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedBrotliSettings = true; - virtualHosts."${fqdn}" = { - default = true; - quic = true; - kTLS = true; - forceSSL = true; - enableACME = true; - locations = { - #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/".return = "418 \"🫖\""; - "~ ^(/_matrix|/_synapse/client)" = { - recommendedProxySettings = true; - proxyPass = "http://[::1]:8008"; - extraConfig = '' - client_max_body_size 64M; - proxy_set_header X-Request-ID $request_id; - proxy_http_version 1.1; - ''; - }; - }; + services = { + nginx = { + enable = true; + resolver.addresses = [ + "[2606:4700:4700::1111]" + "[2620:fe::fe]" + "1.1.1.1" + "9.9.9.9" + ]; + statusPage = true; # http://127.0.0.1/nginx_status + sslProtocols = "TLSv1.3"; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + }; + prometheus.exporters.nginx = { + enable = true; + firewallRules = config.services.prometheus.exporters.node.firewallRules; + openFirewall = true; }; }; }
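Review bot: `firewallRules = config.services.prometheus.exporters.node.firewallRules;` copies the node exporter's nftables rules verbatim onto the nginx exporter, and as I read the exporters module those rules stand in for the default per-port accept rule when `openFirewall = true`; if the node exporter's rules name its own port (they are not visible in this diff), the nginx exporter's port would never be opened, and if they only restrict the source address that works but is undocumented. Writing the rule for this exporter explicitly, e.g. `firewallRules = "ip saddr <prometheus-host placeholder> tcp dport ${toString config.services.prometheus.exporters.nginx.port} accept";` with the same source restriction the node exporter uses, removes that coupling. A comment on `prometheus.exporters.nginx` such as `# scrapes http://127.0.0.1/nginx_status, served by statusPage above` would also make the dependency on `statusPage = true` explicit. The hunk spans the whole module, so nothing is cut off at its edges.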