From e69958f4c3664c7478de648c275799f1b85624f4 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Wed, 27 Oct 2021 14:25:26 +0300
Subject: [PATCH] setup matrix-synapse with telegram bridge

---
 profiles/servers/coturn.nix | 66 ++++++++++++
 profiles/servers/matrix-synapse.nix | 157 +++++++++++++++++++++++++++-
 profiles/servers/nginx.nix | 12 ++-
 roles/server.nix | 1 +
 4 files changed, 230 insertions(+), 6 deletions(-)
 create mode 100644 profiles/servers/coturn.nix

diff --git a/profiles/servers/coturn.nix b/profiles/servers/coturn.nix
new file mode 100644
index 0000000..6ee0d96
--- /dev/null
+++ b/profiles/servers/coturn.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: {
+ secrets-envsubst.turn-shared-secret = {
+ directory = "mautrix-telegram";
+ owner = "turnserver";
+ secrets = [ "turn_shared_secret" ];
+ template = "$turn_shared_secret";
+ };
+ # enable coturn
+ services.coturn = rec {
+ enable = true;
+ no-cli = true;
+ no-tcp-relay = true;
+ min-port = 49000;
+ max-port = 50000;
+ use-auth-secret = true;
+ static-auth-secret-file = config.secrets-envsubst.turn-shared-secret.substituted;
+ realm = "turn.ataraxiadev.com";
+ cert = config.secrets."ataraxiadev.com.pem".decrypted;
+ pkey = config.secrets."ataraxiadev.com.key".decrypted;
+ extraConfig = ''
+ user-quota=20
+ total-quota=600
+ # for debugging
+ verbose
+ # ban private IP ranges
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ networking.firewall = {
+ interfaces.enp0s3 = let
+ range = with config.services.coturn; [ {
+ from = min-port;
+ to = max-port;
+ } ];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [ 3478 ];
+ allowedTCPPortRanges = range;
+ allowedTCPPorts = [ 3478 ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/matrix-synapse.nix b/profiles/servers/matrix-synapse.nix
index fdfe912..08d6c2d 100644
--- a/profiles/servers/matrix-synapse.nix
+++ b/profiles/servers/matrix-synapse.nix
@@ -1,7 +1,21 @@
-{ pkgs, config, lib, ... }: {
- services.matrix-synapse = {
+{ pkgs, config, lib, options, ... }: {
+ services.postgresql.enable = true;
+ services.postgresqlBackup = {
+ enable = true;
+ location = config.users.users.alukard.home + "/matrix-backup";
+ startAt = "*-*-* 07:00:00";
+ };
+
+ services.matrix-synapse = with config.services.coturn; {
 enable = true;
 allow_guest_access = true;
+ app_service_config_files = [ config.secrets-envsubst.mautrix-telegram-registration.substituted ];
+ extraConfigFiles = [ config.secrets-envsubst.matrix-shared-secret.substituted ];
+ logConfig = options.services.matrix-synapse.logConfig.default + ''
+ loggers:
+ shared_secret_authenticator:
+ level: INFO
+ '';
 listeners = [{
 bind_address = "0.0.0.0";
 port = 13748;
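Review bot: `allowedTCPPortRanges = range;` opens TCP 49000-50000 on enp0s3 even though the same file sets `no-tcp-relay = true`, which should stop coturn from allocating TCP relay endpoints at all; the relay range is only needed for UDP and TCP clients only need the listening port, so dropping that line keeps the exposed surface to what the service actually uses. The `verbose` line under `# for debugging` in extraConfig emits per-session detail to the journal and is worth removing before this reaches production, or keeping with a comment that says it is intentional. `cert`/`pkey` are configured, but the firewall block opens no TLS listening port and the matrix-synapse profile in this patch advertises only `turn:` URIs, so TURN-over-TLS looks unreachable as written — either open 5349 and add `turns:` URIs, or leave the key out of coturn.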
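Review bot: `services.postgresqlBackup.location` points into a regular user's home directory (`config.users.users.alukard.home + "/matrix-backup"`), and nothing in the hunk narrows the `databases` list, so the 07:00 dump presumably covers every database on the host — synapse's (message content, password hashes, access tokens) and, after this patch, the bridge's. Confirm the directory ends up owned by the backup service's user with a 0700 mode and that old dumps are rotated or encrypted; a comment such as `# dumps every database incl. synapse; keep unreadable to other users` would make that sensitivity visible to the next reader. The `services.matrix-synapse` attribute set opened here continues past the end of the hunk.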
@@ -19,11 +33,148 @@
 tls = false;
 x_forwarded = true;
 }];
+ plugins = with pkgs.matrix-synapse-plugins; [ matrix-synapse-shared-secret-auth ];
 public_baseurl = "https://ataraxiadev.com";
 server_name = "ataraxiadev.com";
+ turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
+ turn_user_lifetime = "12h";
 };
- services.postgresql.enable = true;
+ secrets-envsubst.matrix-shared-secret = {
+ directory = "mautrix-telegram";
+ owner = "matrix-synapse";
+ secrets = [ "shared_secret" "reg_shared_secret" "turn_shared_secret" ];
+ template = ''
+ registration_shared_secret: $reg_shared_secret
+ turn_allow_guests: False
+ turn_shared_secret: $turn_shared_secret
+ password_providers:
+ - module: "shared_secret_authenticator.SharedSecretAuthenticator"
+ config:
+ sharedSecret: "$shared_secret"
+ '';
+ };
+
+ services.mautrix-telegram = {
+ enable = true;
+ environmentFile = toString config.secrets-envsubst.mautrix-telegram;
+ settings = {
+ appservice = {
+ address = "http://localhost:29317";
+ bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
+ database = "postgresql://mautrix-telegram:$MATRIX_PASS@localhost/mautrix-telegram";
+ id = "telegram";
+ max_body_size = 1;
+ port = 29317;
+ public = {
+ enabled = true;
+ prefix = "/mautrix-telegram";
+ external = "https://matrix.ataraxiadev.com/mautrix-telegram";
+ };
+ provisioning.enabled = false;
+ };
+ bridge = {
+ alias_template = "tg_{groupname}";
+ allow_matrix_login = false;
+ animated_sticker = {
+ target = "gif";
+ args = {
+ width = 128;
+ height = 128;
+ fps = 30;
+ background = "15191E";
+ };
+ };
+ bot_messages_as_notices = true;
+ catch_up = true;
+ command_prefix = "!tg";
+ encryption = {
+ allow = true;
+ default = true;
+ };
+ filter = {
+ mode = "whitelist";
+ list = [ ];
+ };
+ image_as_file_size = 10;
+ login_shared_secret_map."ataraxiadev.com" = "$SHARED_SECRET_AUTH";
+ max_document_size = 100;
+ max_initial_member_sync = -1;
+ max_telegram_delete = 10;
+ permissions = {
+ "*" = "relaybot";
+ "@ataraxiadev:ataraxiadev.com" = "admin";
+ "@kpoxa:ataraxiadev.com" = "full";
+ };
+ plaintext_highlights = true;
+ startup_sync = false;
+ sync_direct_chat_list = true;
+ sync_direct_chats = false;
+ username_template = "tg_{userid}";
+ };
+ homeserver = {
+ address = "https://matrix.ataraxiadev.com";
+ asmux = true;
+ domain = "ataraxiadev.com";
+ verify_ssl = true;
+ };
+ telegram = { bot_token = "disabled"; };
+ };
+ };
+
+ secrets-envsubst.mautrix-telegram = {
+ secrets = [ "as_token" "hs_token" "api_id" "api_hash" "matrix_pass" "shared_secret" ];
+ template = ''
+ MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$as_token
+ MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$hs_token
+ MAUTRIX_TELEGRAM_TELEGRAM_API_ID=$api_id
+ MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=$api_hash
+ MATRIX_PASS=$matrix_pass
+ SHARED_SECRET_AUTH=$shared_secret
+ '';
+ };
+
+ secrets-envsubst.mautrix-telegram-registration = {
+ directory = "mautrix-telegram";
+ secrets = [ "as_token" "hs_token" "sender_localpart" ];
+ owner = "matrix-synapse";
+ template = builtins.toJSON {
+ as_token = "$as_token";
+ hs_token = "$hs_token";
+ id = "telegram";
+ namespaces = {
+ aliases = [{
+ exclusive = true;
+ regex = "#tg_.+:ataraxiadev.com";
+ }];
+ users = [{
+ exclusive = true;
+ regex = "@tg_.+:ataraxiadev.com";
+ } {
+ exclusive = true;
+ regex = "@telegrambot:ataraxiadev.com";
+ }];
+ };
+ rate_limited = false;
+ sender_localpart = "$sender_localpart";
+ url = "http://localhost:29317";
+ };
+ };
+
+ systemd.services.mautrix-telegram = {
+ path = with pkgs; [ lottieconverter ];
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "mautrix-telegram";
+ };
+ };
+
+ users.users.mautrix-telegram = {
+ group = "mautrix-telegram";
+ isSystemUser = true;
+ };
+
+ users.groups.mautrix-telegram = {};
 users.users.matrix-synapse.name = lib.mkForce "matrix-synapse";
 }
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index dded3a4..5d72c8b 100644
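Review bot: `DynamicUser = lib.mkForce false;` in `systemd.services.mautrix-telegram.serviceConfig` also discards the sandboxing systemd implies for DynamicUser units (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID) unless the upstream module sets those explicitly — check the module, and if it does not, restore them next to `User` as below (assuming the bridge's state lives in a StateDirectory, which strict ProtectSystem still allows writing to). Separately, `permissions."*" = "relaybot"` applies to users from every federated homeserver; with `telegram.bot_token = "disabled"` it grants nothing usable yet, so scoping it to `"ataraxiadev.com" = "relaybot"` or removing it until a bot token exists keeps the default at least privilege.
```nix
    serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = "mautrix-telegram";
      # DynamicUser=false drops the protections systemd implies for dynamic users; restate them
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
    };
```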
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -1,12 +1,15 @@
 { pkgs, config, lib, ... }: {
 secrets."ataraxiadev.com.pem" = {
- owner = "nginx:nginx";
+ owner = "nginx:turnserver";
+ permissions = "440";
 };
 secrets."ataraxiadev.com.key" = {
- owner = "nginx:nginx";
+ owner = "nginx:turnserver";
+ permissions = "440";
 };
 secrets."origin-pull-ca.pem" = {
- owner = "nginx:nginx";
+ owner = "nginx:turnserver";
+ permissions = "440";
 };
 ## DNS-over-TLS
 services.stubby = {
@@ -79,6 +82,9 @@
 locations."/" = {
 proxyPass = "http://localhost:13748";
 };
+ locations."/mautrix-telegram/" = {
+ proxyPass = "http://localhost:29317";
+ };
 } // default;
 };
 };
diff --git a/roles/server.nix b/roles/server.nix
index 5596527..3490994 100644
--- a/roles/server.nix
+++ b/roles/server.nix
@@ -24,6 +24,7 @@
 direnv
 kitty
+ coturn
 matrix-synapse
 nginx
 ];
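Review bot: Changing `ataraxiadev.com.key` to `owner = "nginx:turnserver"` with `permissions = "440"` makes the web server's TLS private key readable by every member of the `turnserver` group, which is justified only if coturn actually serves TLS; the coturn profile in this patch opens only port 3478 and synapse's `turn_uris` use plain `turn:`, so confirm TURN-over-TLS is intended before widening access to the key, and otherwise keep `owner = "nginx:nginx";`. `origin-pull-ca.pem` is a CA certificate that coturn.nix never references, so its owner change appears unnecessary, though harmless. The attribute set these `secrets.*` entries belong to continues outside the hunk.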