commit ff623a5f0b2c154dfda86d877ead4a81f5935a65
parent 102da60e7ddfb136a46dc63015c2b63b3eaf4403
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 21 Mar 2025 16:03:01 +0100
parent 102da60e7ddfb136a46dc63015c2b63b3eaf4403
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 21 Mar 2025 16:03:01 +0100
configurations/nixos/websites: add `matrix.ctu.cx` (conduwuit matrix-server), also enable on node `hector`
3 files changed, 91 insertions(+), 0 deletions(-)
A
|
78
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/configurations/nixos/websites/matrix.ctu.cx.nix b/configurations/nixos/websites/matrix.ctu.cx.nix 
@@ -0,0 +1,78 @@
+{ inputs, secrets, pkgs, lib, config, ... }:
+
+{
+
+ dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets.resticConduwuit.file = secrets."${config.networking.hostName}".restic.conduwuit;
+
+ restic-backups.conduwuit = {
+ passwordFile = config.age.secrets.resticConduwuit.path;
+ paths = [
+ "/var/lib/conduwuit/databaseBackup"
+ "/var/lib/conduwuit/media"
+ ];
+ };
+
+ systemd.services.conduwuit.onFailure = [ "email-notify@%i.service" ];
+ systemd.services.conduwuit.serviceConfig.ExecStart = lib.mkForce "${config.services.conduwuit.package}/bin/conduwuit";
+
+ services.conduwuit = {
+ enable = true;
+ package = inputs.conduwuit.packages."${config.nixpkgs.system}".default;
+ settings.global = {
+ server_name = "ctu.cx";
+ address = [ "::1" ];
+ port = [ 6167 ];
+ allow_registration = false;
+ registration_token = "foobar123";
+ database_backup_path = "/var/lib/conduwuit/databaseBackup";
+ database_backups_to_keep = 1;
+ query_trusted_key_servers_first = false;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = let
+ matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; };
+ matrixClientConfig = { "m.homeserver".base_url = "https://matrix.ctu.cx/"; };
+ in {
+ "${config.services.conduwuit.settings.global.server_name}" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
+ "/.well-known/matrix/server".extraConfig = ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON matrixServerConfig}';
+ '';
+ "/.well-known/matrix/client".extraConfig = ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON matrixClientConfig}';
+ '';
+ };
+ };
+ "matrix.ctu.cx" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
+ "/_matrix" = {
+ proxyPass = "http://[${lib.last config.services.conduwuit.settings.global.address}]:${toString (lib.last config.services.conduwuit.settings.global.port)}";
+ proxyWebsockets = true;
+ };
+ "/".root = pkgs.cinny.override {
+ conf = {
+ defaultHomeserver = 0;
+ homeserverList = [ config.services.conduwuit.settings.global.server_name ];
+ hashRouter.enabled = true;
+ allowCustomHomesevrers = false;
+ };
+ };
+ };
+ };
+ };
+ };
+
+}
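Review bot: `registration_token = "foobar123";` commits a fixed shared secret to the repository and bakes it into the generated conduwuit config in the world-readable Nix store; with `allow_registration = false` it is inert today, but the moment registration is switched on the token is already public, and it sits right next to a restic password that this same commit correctly routes through agenix. Move it to a secret the same way, e.g. `age.secrets.conduwuitRegistrationToken.file = secrets."${config.networking.hostName}".conduwuit.registrationToken;` and, if the pinned conduwuit supports it, `settings.global.registration_token_file = config.age.secrets.conduwuitRegistrationToken.path;` — otherwise drop the placeholder until registration is actually needed. Separately, `allowCustomHomesevrers = false;` in the cinny `conf` looks like a typo of `allowCustomHomeservers`; as written the key is most likely ignored by the client and it keeps its default, so the intended lock to `ctu.cx` is not enforced. The `/.well-known/matrix/client` location sets only `Content-Type`; web clients on other origins need `add_header Access-Control-Allow-Origin *;` there for server discovery, and uploads through `/_matrix` will be capped at nginx's default `client_max_body_size` unless that is raised elsewhere in the nginx configuration.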
diff --git a/nodes/hector/default.nix b/nodes/hector/default.nix @@ -52,6 +52,8 @@ # mailserver ctucxConfig.services.mailserver + # matrix server + ctucxConfig.websites."matrix.ctu.cx" ]; dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = dnsNix.combinators.host node.ip4Address node.ip6Address;
diff --git a/secrets/hector/restic/conduwuit.age b/secrets/hector/restic/conduwuit.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqK0JhWkRUZkd0M25yN1RI +NGIvOW1Odk94N1Z6WEZZUVc2UkRPZDVXdzAwCk5rbEFIR2lNUWtScmRFMU42aUxj +bVh6KzRGMU5NQ0c1aTVUdTM2TGVDMzAKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIFBv +S1pIdlZkUXFTQW9FVnhaaUFiLzlEdytoU2RKOGFtc2gwWVkyQW9SazgKR1VadW1K +OTB2U2lLSFQ4MlFrbTAyM2hISDYyVjlOa0ZHV3NFVUpKaXYyMAotPiBzSC1ncmVh +c2UKcXhON3ZKVWV1VWJXQXJPaW5PNmpMVVFBazdUTllYUisvZlhtZGxqOThiWVpO +L0hFODA3UHkzK3AKLS0tIHprMjQvaVVHeTJjZlRGZkw1bmEveVZSaU1tQlptRk93 +a2hWZ3hEUVF5Y2cKp9Gx/P9QqSxRiCRot7//uuRpEvKZkDZPADr3mmdy+vpvLopH +N3r6GzzYGOKbWN8ilz/eJpC0I031NywV +-----END AGE ENCRYPTED FILE-----