From 92abf4d0df687792559032e741164bcc2dc47211 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Tue, 25 Apr 2023 17:24:01 +0300
Subject: [PATCH] add matrix server

---
 machines/Home-Hypervisor/boot.nix | 1 +
 machines/Home-Hypervisor/default.nix | 1 +
 profiles/boot.nix | 1 +
 profiles/servers/mailserver.nix | 5 ++
 profiles/servers/matrix.nix | 19 +++++
 profiles/servers/nginx.nix | 118 +++++++++++++--------
 6 files changed, 86 insertions(+), 59 deletions(-)
 create mode 100644 profiles/servers/matrix.nix

diff --git a/machines/Home-Hypervisor/boot.nix b/machines/Home-Hypervisor/boot.nix
index e76bd80..863ad4d 100644
--- a/machines/Home-Hypervisor/boot.nix
+++ b/machines/Home-Hypervisor/boot.nix
@@ -74,6 +74,7 @@ in {
 "pti=off"
 "spectre_v2=off"
 "kvm.ignore_msrs=1"
+ "kvm.report_ignored_msrs=0"
 "rd.systemd.show_status=auto"
 "rd.udev.log_priority=3"
 ];
diff --git a/machines/Home-Hypervisor/default.nix b/machines/Home-Hypervisor/default.nix
index b9fe035..451c0bd 100644
--- a/machines/Home-Hypervisor/default.nix
+++ b/machines/Home-Hypervisor/default.nix
@@ -35,6 +35,7 @@ in {
 nixosProfiles.yandex-db
 nixosProfiles.it-tools
 nixosProfiles.homepage
+ nixosProfiles.matrix
 ];
 deviceSpecific.devInfo = {
diff --git a/profiles/boot.nix b/profiles/boot.nix
index fa16939..f03cfca 100644
--- a/profiles/boot.nix
+++ b/profiles/boot.nix
@@ -42,6 +42,7 @@ with config.deviceSpecific; {
 "pti=off"
 "spectre_v2=off"
 "kvm.ignore_msrs=1"
+ "kvm.report_ignored_msrs=0"
 ];
 kernelPackages = lib.mkDefault pkgs.linuxPackages_lqx;
diff --git a/profiles/servers/mailserver.nix b/profiles/servers/mailserver.nix
index c8d8ae0..564d456 100644
--- a/profiles/servers/mailserver.nix
+++ b/profiles/servers/mailserver.nix
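Review bot: The added `kvm.report_ignored_msrs=0` removes the only log trace of a guest touching MSRs that KVM does not emulate, because `kvm.ignore_msrs=1` two lines above already makes those reads return 0 and those writes succeed silently; the line should say that this loss of signal is accepted, e.g. `# quiet "ignored rdmsr/wrmsr" log spam; ignore_msrs=1 above already swallows these accesses`. The same list keeps `pti=off` and `spectre_v2=off` while this patch adds a bridged guest that the nginx hunk exposes on 443 and 8448, so the comment is also the place to state that guest-to-host side-channel mitigations are intentionally disabled on this hypervisor. The identical parameter is added to profiles/boot.nix in the third hunk and should carry the same comment. The enclosing `kernelParams` list starts before the hunk.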
@@ -15,6 +15,7 @@ in {
 secrets.mailserver-gitea = secrets-default;
 secrets.mailserver-authentik = secrets-default;
 secrets.mailserver-kavita = secrets-default;
+ secrets.mailserver-synapse = secrets-default;
 security.acme.certs."mail.ataraxiadev.com" = {
 webroot = "/var/lib/acme/acme-challenge";
@@ -94,6 +95,10 @@ in {
 aliases = [ "seafile" ];
 hashedPasswordFile = config.secrets.mailserver-seafile.decrypted;
 };
+ "matrix@ataraxiadev.com" = {
+ aliases = [ "matrix" ];
+ hashedPasswordFile = config.secrets.mailserver-synapse.decrypted;
+ };
 };
 hierarchySeparator = "/";
 localDnsResolver = false;
diff --git a/profiles/servers/matrix.nix b/profiles/servers/matrix.nix
new file mode 100644
index 0000000..07b91ee
--- /dev/null
+++ b/profiles/servers/matrix.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }: {
+ virtualisation.libvirt.guests.arch-matrix = {
+ user = config.mainuser;
+ group = "libvirtd";
+ autoStart = true;
+ memory = 2 * 1024;
+ cpu = {
+ sockets = 1; cores = 1; threads = 1;
+ };
+ devices = {
+ disks = [ { diskFile = "/media/nas/libvirt/images/matrix-server.qcow2"; } ];
+ network = {
+ macAddress = "00:16:3e:5b:49:bf";
+ interfaceType = "bridge";
+ sourceDev = "br0";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index b4bd78b..a8f9012 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -75,6 +75,13 @@ in {
 "cocalc.ataraxiadev.com"
 "kavita.ataraxiadev.com"
 "tools.ataraxiadev.com"
+ "home.ataraxiadev.com"
+
+ "matrix.ataraxiadev.com"
+ "cinny.ataraxiadev.com"
+ "dimension.ataraxiadev.com"
+ "stats.ataraxiadev.com"
+ "element.ataraxiadev.com"
 ];
 };
 };
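Review bot: The new `matrix@ataraxiadev.com` account says nothing about who uses it, and the secret it reads is named `mailserver-synapse` while the mailbox and alias are `matrix`, which a later reader has to reconcile by guesswork; a comment on the mailbox such as `# SMTP credentials handed to the Matrix (Synapse) VM for notification mail — presumably the only consumer` would tie the two names together and record that the password only needs to be known inside that guest. The enclosing account set starts before the hunk.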
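Review bot: The guest is attached straight to the host's `br0` bridge with a pinned MAC, and nothing in the file records whether that segment is the same LAN as the hypervisor and the other services; the same VM is published on 443 and 8448 by the nginx hunk, so a compromise of Synapse would put the attacker on that L2 with no filtering visible here, and the intended isolation (separate bridge or VLAN, or host-side nftables rules) should be stated in a comment such as `# bridged onto br0; MAC pinned for a DHCP reservation — TODO confirm br0 is a segregated segment or add host firewall rules`. The `lib` and `pkgs` arguments are unused, and the file has no trailing newline. The disk image sits on a NAS mount, so with `autoStart = true` it is worth noting what is expected to happen when `/media/nas` is not mounted at boot.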
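Review bot: The stray blank line between `"home.ataraxiadev.com"` and `"matrix.ataraxiadev.com"` breaks the one-name-per-line layout of the rest of the list and should be dropped. The enclosing attribute starts before the hunk, so what this list feeds is inferred; if it is an ACME certificate's SAN set, every name here is published to Certificate Transparency logs, and only hostnames that are actually served belong in it — the five matrix names do appear as `serverAliases` in the later hunk, which is fine.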
@@ -130,70 +137,63 @@ in {
 # };
 "ataraxiadev.com" = {
 locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = proxySettings;
+ root = "/srv/http/ataraxiadev.com/docroot";
+ extraConfig = ''
+ try_files $uri $uri/ =404;
+ '';
+ };
+ locations."/.well-known/matrix" = {
+ proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ '';
 };
 } // default;
- # "ataraxiadev.com" = {
- # locations."/" = {
- # root = "/srv/http/ataraxiadev.com/";
- # extraConfig = ''
- # try_files $uri $uri/ =404;
- # '';
- # };
- # # locations."/.well-known/matrix" = {
- # # proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
- # # extraConfig = ''
- # # proxy_set_header X-Forwarded-For $remote_addr;
- # # '';
- # # };
- # } // default;
- # "matrix:443" = {
- # serverAliases = [
- # "matrix.ataraxiadev.com"
- # "cinny.ataraxiadev.com"
- # "dimension.ataraxiadev.com"
- # "element.ataraxiadev.com"
- # "goneb.ataraxiadev.com"
- # "jitsi.ataraxiadev.com"
- # "stats.ataraxiadev.com"
- # ];
- # listen = [{
- # addr = "0.0.0.0";
- # port = 443;
- # ssl = true;
- # }];
- # locations."/" = {
- # proxyPass = "http://matrix.pve:81";
- # extraConfig = ''
- # proxy_hide_header Content-Security-Policy;
- # '' + proxySettings;
- # };
- # } // default;
- # "matrix:8448" = let
- # certName = default.useACMEHost;
- # in with config.security.acme; {
- # onlySSL = true;
- # sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
- # sslCertificateKey = "${certs.${certName}.directory}/key.pem";
- # sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
- # serverAliases = [ "matrix.ataraxiadev.com" ];
- # listen = [{
- # addr = "0.0.0.0";
- # port = 8448;
- # ssl = true;
- # }];
- # locations."/" = {
- # proxyPass = "http://matrix.pve:8449";
- # extraConfig = proxySettings;
- # };
- # };
- "startpage.ataraxiadev.com" = {
+ "matrix:443" = {
+ serverAliases = [
+ "matrix.ataraxiadev.com"
+ "cinny.ataraxiadev.com"
+ "dimension.ataraxiadev.com"
+ "element.ataraxiadev.com"
+ "stats.ataraxiadev.com"
+ ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }];
 locations."/" = {
- root = "/srv/http/startpage.ataraxiadev.com/";
- # extraConfig = hardened;
+ proxyPass = "http://matrix.pve:81";
+ extraConfig = ''
+ # proxy_hide_header Content-Security-Policy;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ client_max_body_size 50M;
+ '';
 };
 } // default;
+ "matrix:8448" = with config.security.acme; {
+ serverAliases = [ "matrix.ataraxiadev.com" ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }];
+ locations."/" = {
+ proxyPass = "http://matrix.pve:8449";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ client_max_body_size 50M;
+ '';
+ };
+ } // default;
+ "home.ataraxiadev.com" = default // authentik {
+ root = { proxyPass = "http://127.0.0.1:3000"; };
+ };
 "vw.ataraxiadev.com" = {
 locations."/" = {
 proxyPass = "http://127.0.0.1:8812";
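Review bot: The new `locations."/.well-known/matrix"` on `ataraxiadev.com` proxies to `https://matrix.ataraxiadev.com/...`, which is this same nginx's own public name, so every delegation lookup goes out through the host's public address and a second TLS handshake before landing on `matrix.pve:81`, and it breaks outright if the host cannot hairpin to itself; proxying to the upstream directly, `proxyPass = "http://matrix.pve:81/.well-known/matrix";` with `proxy_set_header Host matrix.ataraxiadev.com;`, removes the loop. The `matrix:443` and `matrix:8448` vhosts hand-roll their `proxy_set_header` lines instead of reusing the `proxySettings` string that the removed code and the old `ataraxiadev.com` entry used (`extraConfig = proxySettings;`), so any header, timeout or `proxy_http_version` setting kept there no longer applies to Matrix traffic — if that divergence is intended it deserves a comment. `with config.security.acme;` on `matrix:8448` is left over from the commented-out version that read `certs.${certName}` and is now unused; `"matrix:8448" = {` is enough. Both the 443 client hop and the 8448 federation hop reach the VM over plain HTTP across the bridge, which is acceptable only if that segment is trusted, and that assumption is worth stating next to the `proxyPass` lines. The enclosing `virtualHosts` set starts before and ends after the hunk.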