add matrix server

2023-04-25 17:24:01 +03:00 · 2023-04-25 17:24:01 +03:00 · 92abf4d0df
commit 92abf4d0df
parent 26219a7381
6 changed files with 86 additions and 59 deletions
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@ -74,6 +74,7 @@ in {
      "pti=off"
      "spectre_v2=off"
      "kvm.ignore_msrs=1"
+      "kvm.report_ignored_msrs=0"
      "rd.systemd.show_status=auto"
      "rd.udev.log_priority=3"
    ];
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@ -35,6 +35,7 @@ in {
    nixosProfiles.yandex-db
    nixosProfiles.it-tools
    nixosProfiles.homepage
+    nixosProfiles.matrix
  ];

  deviceSpecific.devInfo = {
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
@ -42,6 +42,7 @@ with config.deviceSpecific; {
        "pti=off"
        "spectre_v2=off"
        "kvm.ignore_msrs=1"
+        "kvm.report_ignored_msrs=0"
      ];

    kernelPackages = lib.mkDefault pkgs.linuxPackages_lqx;
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
@ -15,6 +15,7 @@ in {
  secrets.mailserver-gitea = secrets-default;
  secrets.mailserver-authentik = secrets-default;
  secrets.mailserver-kavita = secrets-default;
+  secrets.mailserver-synapse = secrets-default;

  security.acme.certs."mail.ataraxiadev.com" = {
    webroot = "/var/lib/acme/acme-challenge";
@ -94,6 +95,10 @@ in {
        aliases = [ "seafile" ];
        hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
      };
+      "matrix@ataraxiadev.com" = {
+        aliases = [ "matrix" ];
+        hashedPasswordFile = config.secrets.mailserver-synapse.decrypted;
+      };
    };
    hierarchySeparator = "/";
    localDnsResolver = false;
--- a/profiles/servers/matrix.nix
+++ b/profiles/servers/matrix.nix
@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }: {
+  virtualisation.libvirt.guests.arch-matrix = {
+    user = config.mainuser;
+    group = "libvirtd";
+    autoStart = true;
+    memory = 2 * 1024;
+    cpu = {
+      sockets = 1; cores = 1; threads = 1;
+    };
+    devices = {
+      disks = [ { diskFile = "/media/nas/libvirt/images/matrix-server.qcow2"; } ];
+      network = {
+        macAddress = "00:16:3e:5b:49:bf";
+        interfaceType = "bridge";
+        sourceDev = "br0";
+      };
+    };
+  };
+}
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -75,6 +75,13 @@ in {
        "cocalc.ataraxiadev.com"
        "kavita.ataraxiadev.com"
        "tools.ataraxiadev.com"
+        "home.ataraxiadev.com"
+
+        "matrix.ataraxiadev.com"
+        "cinny.ataraxiadev.com"
+        "dimension.ataraxiadev.com"
+        "stats.ataraxiadev.com"
+        "element.ataraxiadev.com"
      ];
    };
  };
@ -130,70 +137,63 @@ in {
      # };
      "ataraxiadev.com" = {
        locations."/" = {
-          proxyPass = "http://127.0.0.1:3000";
-          extraConfig = proxySettings;
+          root = "/srv/http/ataraxiadev.com/docroot";
+          extraConfig = ''
+            try_files $uri $uri/ =404;
+          '';
+        };
+        locations."/.well-known/matrix" = {
+          proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+          '';
        };
      } // default;
-      # "ataraxiadev.com" = {
-      #   locations."/" = {
-      #     root = "/srv/http/ataraxiadev.com/";
-      #     extraConfig = ''
-      #       try_files $uri $uri/ =404;
-      #     '';
-      #   };
-      #   # locations."/.well-known/matrix" = {
-      #   #   proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
-      #   #   extraConfig = ''
-      #   #     proxy_set_header X-Forwarded-For $remote_addr;
-      #   #   '';
-      #   # };
-      # } // default;
-      # "matrix:443" = {
-      #   serverAliases = [
-      #     "matrix.ataraxiadev.com"
-      #     "cinny.ataraxiadev.com"
-      #     "dimension.ataraxiadev.com"
-      #     "element.ataraxiadev.com"
-      #     "goneb.ataraxiadev.com"
-      #     "jitsi.ataraxiadev.com"
-      #     "stats.ataraxiadev.com"
-      #   ];
-      #   listen = [{
-      #     addr = "0.0.0.0";
-      #     port = 443;
-      #     ssl = true;
-      #   }];
-      #   locations."/" = {
-      #     proxyPass = "http://matrix.pve:81";
-      #     extraConfig = ''
-      #       proxy_hide_header Content-Security-Policy;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
-      # "matrix:8448" = let
-      #   certName = default.useACMEHost;
-      # in with config.security.acme; {
-      #   onlySSL = true;
-      #   sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
-      #   sslCertificateKey = "${certs.${certName}.directory}/key.pem";
-      #   sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
-      #   serverAliases = [ "matrix.ataraxiadev.com" ];
-      #   listen = [{
-      #     addr = "0.0.0.0";
-      #     port = 8448;
-      #     ssl = true;
-      #   }];
-      #   locations."/" = {
-      #     proxyPass = "http://matrix.pve:8449";
-      #     extraConfig = proxySettings;
-      #   };
-      # };
-      "startpage.ataraxiadev.com" = {
+      "matrix:443" = {
+        serverAliases = [
+          "matrix.ataraxiadev.com"
+          "cinny.ataraxiadev.com"
+          "dimension.ataraxiadev.com"
+          "element.ataraxiadev.com"
+          "stats.ataraxiadev.com"
+        ];
+        listen = [{
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }];
        locations."/" = {
-          root = "/srv/http/startpage.ataraxiadev.com/";
-          # extraConfig = hardened;
+          proxyPass = "http://matrix.pve:81";
+          extraConfig = ''
+            # proxy_hide_header Content-Security-Policy;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            client_max_body_size 50M;
+          '';
        };
      } // default;
+      "matrix:8448" = with config.security.acme; {
+        serverAliases = [ "matrix.ataraxiadev.com" ];
+        listen = [{
+          addr = "0.0.0.0";
+          port = 8448;
+          ssl = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://matrix.pve:8449";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $host;
+            client_max_body_size 50M;
+          '';
+        };
+      } // default;
+      "home.ataraxiadev.com" = default // authentik {
+        root = { proxyPass = "http://127.0.0.1:3000"; };
+      };
      "vw.ataraxiadev.com" = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:8812";