add matrix server vm in hypervisor

2024-12-28 11:49:23 +03:00 · 2024-12-28 11:49:23 +03:00 · 3e26629de7
commit 3e26629de7
parent f228ba0d89
4 changed files with 160 additions and 150 deletions
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -23,7 +23,7 @@
    # customProfiles.atticd
    # customProfiles.authentik
    # customProfiles.battery-historian
-    # customProfiles.coturn
+    customProfiles.coturn
    # customProfiles.fail2ban
    customProfiles.gitea
    # customProfiles.homepage
@ -41,7 +41,7 @@
    # customProfiles.outline
    customProfiles.radicale
    # customProfiles.spdf
-    # customProfiles.synapse
+    customProfiles.synapse
    customProfiles.tinyproxy
    # customProfiles.vault
    customProfiles.vaultwarden
--- a/profiles/servers/coturn.nix
+++ b/profiles/servers/coturn.nix
@ -1,6 +1,6 @@
 { config, lib, inputs, ... }:
 let
-  external-ip = "91.202.204.123";
+  external-ip = "89.23.180.18";
  coturn-denied-ips = [
    "0.0.0.0-0.255.255.255"
    "10.0.0.0-10.255.255.255"
--- a/profiles/servers/synapse/default.nix
+++ b/profiles/servers/synapse/default.nix
@ -1,6 +1,7 @@
 { config, ... }:
 let
  cert-fqdn = "ataraxiadev.com";
+  guest-ip = "10.10.10.20";
 in {
  virtualisation.libvirt.guests.debian-matrix = {
    autoStart = true;
@ -9,30 +10,9 @@ in {
    xmlFile = ./vm.xml;
  };

-  networking = let
-    libvirt-ifname = "virbr0";
-    guest-ip = "192.168.122.11";
-    synapse-ports = [ 8081 8448 8766 ];
-  in {
-    firewall.allowedTCPPorts = synapse-ports;
-    nat = {
-      enable = true;
-      internalInterfaces = [ "br0" ];
-      externalInterface = libvirt-ifname;
-      forwardPorts = [{
-        sourcePort = 8081;
-        proto = "tcp";
-        destination = "${guest-ip}:8081";
-      } {
-        sourcePort = 8448;
-        proto = "tcp";
-        destination = "${guest-ip}:8448";
-      } {
-        sourcePort = 8766;
-        proto = "tcp";
-        destination = "${guest-ip}:8766";
-      }];
-    };
+  networking.firewall = {
+    allowedTCPPorts = [ 443 8448 ];
+    allowedUDPPorts = [ 443 8448 ];
  };

  services.nginx.virtualHosts = let
@ -48,6 +28,16 @@ in {
      forceSSL = true;
    };
  in {
+    "ataraxiadev.com" = {
+      locations."/.well-known/matrix" = {
+        proxyPass = "http://${guest-ip}:8080";
+        extraConfig = ''
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host matrix.$host;
+        '';
+      };
+    };
    "matrix:443" = {
      serverAliases = [
        "matrix.ataraxiadev.com"
@ -63,11 +53,25 @@ in {
        ssl = true;
      }];
      locations."/" = {
-        proxyPass = "http://192.168.122.11:8081";
-        extraConfig = ''
+        proxyPass = "http://${guest-ip}:8080";
+        extraConfig = proxySettings + ''
          proxy_set_header X-Real-IP $remote_addr;
-        '' + proxySettings;
+
+          # required for browsers to direct them to quic port
+          add_header Alt-Svc 'h3=":443"; ma=86400';
+        '';
      };
+      locations."/synapse-admin" = {
+        proxyPass = "http://${guest-ip}:8080";
+        extraConfig = proxySettings + ''
+          proxy_set_header X-Real-IP $remote_addr;
+          allow 10.10.10.1/24;
+          allow 100.64.0.1/24;
+          deny all;
+        '';
+      };
+      reuseport = true;
+      quic = true;
    } // default;
    "matrix:8448" = {
      serverAliases = [ "matrix.ataraxiadev.com" ];
@ -81,9 +85,14 @@ in {
        ssl = true;
      }];
      locations."/" = {
-        proxyPass = "http://192.168.122.11:8448";
-        extraConfig = proxySettings;
+        proxyPass = "http://${guest-ip}:8448";
+        extraConfig = proxySettings + ''
+          # required for browsers to direct them to quic port
+          add_header Alt-Svc 'h3=":8448"; ma=86400';
+        '';
      };
+      reuseport = true;
+      quic = true;
    } // default;
  };
 }
--- a/profiles/servers/synapse/vm.xml
+++ b/profiles/servers/synapse/vm.xml
@ -1,169 +1,170 @@
-<domain type="kvm">
+<domain type='kvm'>
  <name>debian-matrix</name>
-  <uuid>897c4bde-c3e2-476f-8ed3-acc491e40f66</uuid>
+  <uuid>76f37579-43b0-49b5-9145-d0c18b791b7c</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://debian.org/debian/12"/>
    </libosinfo:libosinfo>
  </metadata>
-  <memory unit="KiB">1048576</memory>
-  <currentMemory unit="KiB">1048576</currentMemory>
-  <vcpu placement="static">1</vcpu>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>2097152</currentMemory>
+  <vcpu placement='static'>2</vcpu>
  <os>
-    <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
-    <boot dev="hd"/>
+    <type arch='x86_64' machine='pc-q35-9.1'>hvm</type>
+    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
-  <cpu mode="host-passthrough" check="none" migratable="on"/>
-  <clock offset="utc">
-    <timer name="rtc" tickpolicy="catchup"/>
-    <timer name="pit" tickpolicy="delay"/>
-    <timer name="hpet" present="no"/>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
-    <suspend-to-mem enabled="no"/>
-    <suspend-to-disk enabled="no"/>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
-    <disk type="file" device="disk">
-      <driver name="qemu" type="qcow2" discard="unmap"/>
-      <source file="/media/libvirt/images/debian-12-root.qcow2"/>
-      <target dev="vda" bus="virtio"/>
-      <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/media/libvirt/images/debian-12-root.qcow2'/>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </disk>
-    <disk type="file" device="disk">
-      <driver name="qemu" type="qcow2" discard="unmap"/>
-      <source file="/media/libvirt/images/debian-12-synapse.qcow2"/>
-      <target dev="vdb" bus="virtio"/>
-      <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/media/libvirt/images/debian-12-synapse.qcow2'/>
+      <target dev='vdb' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </disk>
-    <disk type="file" device="disk">
-      <driver name="qemu" type="qcow2" discard="unmap"/>
-      <source file="/media/libvirt/images/debian-12-swap.qcow2"/>
-      <target dev="vdc" bus="virtio"/>
-      <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/media/libvirt/images/debian-12-swap.qcow2'/>
+      <target dev='vdc' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </disk>
-    <disk type="file" device="cdrom">
-      <driver name="qemu" type="raw"/>
-      <target dev="sda" bus="sata"/>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu' type='raw'/>
+      <target dev='sda' bus='sata'/>
      <readonly/>
-      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
-    <controller type="usb" index="0" model="qemu-xhci" ports="15">
-      <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
-    <controller type="pci" index="0" model="pcie-root"/>
-    <controller type="pci" index="1" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="1" port="0x8"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0" multifunction="on"/>
+    <controller type='pci' index='0' model='pcie-root'/>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
    </controller>
-    <controller type="pci" index="2" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="2" port="0x9"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1"/>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
-    <controller type="pci" index="3" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="3" port="0xa"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2"/>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
-    <controller type="pci" index="4" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="4" port="0xb"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x3"/>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
    </controller>
-    <controller type="pci" index="5" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="5" port="0xc"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x4"/>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
    </controller>
-    <controller type="pci" index="6" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="6" port="0xd"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x5"/>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
    </controller>
-    <controller type="pci" index="7" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="7" port="0xe"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x6"/>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0xe'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x6'/>
    </controller>
-    <controller type="pci" index="8" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="8" port="0xf"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x7"/>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0xf'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x7'/>
    </controller>
-    <controller type="pci" index="9" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="9" port="0x10"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
-    <controller type="pci" index="10" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="10" port="0x11"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
-    <controller type="pci" index="11" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="11" port="0x12"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
-    <controller type="pci" index="12" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="12" port="0x13"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
-    <controller type="pci" index="13" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="13" port="0x14"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
-    <controller type="pci" index="14" model="pcie-root-port">
-      <model name="pcie-root-port"/>
-      <target chassis="14" port="0x15"/>
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x15'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
    </controller>
-    <controller type="sata" index="0">
-      <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
+    <controller type='sata' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
-    <controller type="virtio-serial" index="0">
-      <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
+    <controller type='virtio-serial' index='0'>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </controller>
-    <interface type="network">
-      <mac address="52:54:00:5b:49:bf"/>
-      <source network="default"/>
-      <model type="virtio"/>
-      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
+    <interface type='bridge'>
+      <mac address='52:54:00:5b:49:bf'/>
+      <source bridge='br0'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
-    <serial type="pty">
-      <target type="isa-serial" port="0">
-        <model name="isa-serial"/>
+    <serial type='pty'>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
      </target>
    </serial>
-    <console type="pty">
-      <target type="serial" port="0"/>
+    <console type='pty'>
+      <target type='serial' port='0'/>
    </console>
-    <channel type="unix">
-      <target type="virtio" name="org.qemu.guest_agent.0"/>
-      <address type="virtio-serial" controller="0" bus="0" port="1"/>
+    <channel type='unix'>
+      <target type='virtio' name='org.qemu.guest_agent.0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
-    <input type="mouse" bus="ps2"/>
-    <input type="keyboard" bus="ps2"/>
-    <audio id="1" type="none"/>
-    <watchdog model="itco" action="reset"/>
-    <memballoon model="virtio">
-      <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <audio id='1' type='none'/>
+    <watchdog model='itco' action='reset'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
    </memballoon>
-    <rng model="virtio">
-      <backend model="random">/dev/urandom</backend>
-      <address type="pci" domain="0x0000" bus="0x08" slot="0x00" function="0x0"/>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
    </rng>
  </devices>
 </domain>
+