dump

2025-11-24 19:37:52 +01:00 · 2025-11-24 19:37:52 +01:00 · 9dd5d2ef2e
commit 9dd5d2ef2e
parent 7597938a1e
11 changed files with 503 additions and 38 deletions
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+
+let
+  fqdn = "matrix.berlin.ccc.de";
+in
+{
+  services.nginx = {
+    enable = true;
+    package = pkgs.nginxQuic;
+    resolver.addresses = ["[2606:4700:4700::1111]" "[2620:fe::fe]" "1.1.1.1" "9.9.9.9"];
+    statusPage = true; # http://127.0.0.1/nginx_status
+    sslProtocols = "TLSv1.3";
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedZstdSettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    virtualHosts."${fqdn}" = {
+      quic = true;
+      kTLS = true;
+      forceSSL = true;
+      useACMEHost = fqdn;
+      locations = {
+        "/.well-known/matrix/client" = {
+          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+        "/" = {
+          recommendedProxySettings = true;
+          proxyPass = "unix:/run/matrix-synapse.sock";
+        };
+      };
+      extraConfig = ''
+      '';      
+    };
+  };
+
+  security.acme.certs."${fqdn}" = {
+    reloadServices = ["nginx"];
+  };
+}
--- a/services/postgres.nix
+++ b/services/postgres.nix
@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    enableJIT = true;
+    ensureUsers = [
+      {
+        name = config.services.matrix-synapse.settings.database.args.user;
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = [ config.services.matrix-synapse.settings.database.args.database ];
+  };
+}
--- a/services/synapse.nix
+++ b/services/synapse.nix
@ -0,0 +1,48 @@
+{ config, ... }:
+
+let
+  domain = "berlin.ccc.de";
+in
+{
+  services.matrix-synapse = {
+    enable = false;
+    settings = {
+      server_name = domain;
+      public_baseurl = "https://matrix.${domain}:443/";
+      #signing_key_path = config.age.secrets.signing_key.path; # "/var/lib/matrix-synapse/homeserver.signing.key"
+      database.name = "psycopg2";
+      listeners = [
+        {
+          path = "/run/matrix-synapse.sock";
+          x_forwarded = true;
+          resources = [
+            {
+              compress = false;
+              names = [
+                "client"
+                "federation"
+              ];
+            }
+          ];
+        }
+      ];
+      dynamic_thumbnails = true;
+      max_upload_size = "128M";
+      max_image_pixels = "64M";
+
+      retention = {
+        enabled = true;
+        default_policy = {
+          min_lifetime = "1d";
+          max_lifetime = "1y";
+        };
+        allowed_lifetime_min = "1d";
+        allowed_lifetime_max = "1y";
+      };
+    };
+    extraConfigFiles = [
+      config.age.secrets.matrix-registration-shared-secret.path
+    ];
+    enableRegistrationScript = true;
+  };
+}