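{ config, pkgs, my, secrets, ... }:

# Matrix homeserver (Conduit) behind nginx: client and federation traffic are
# terminated by nginx and proxied to Conduit on loopback, the bare domain
# serves the .well-known delegation files, and a nightly sqlite snapshot is
# compressed and pushed to restic.
let
  conduitSettings = config.services.matrix-conduit.settings;
  serverName = "c8h4.io";
  matrixHost = "matrix.${serverName}";

  # One ssl listener per address family for the given port.
  mkListen = port:
    map (addr: { inherit addr port; ssl = true; }) [ "0.0.0.0" "[::0]" ];
in {
  services.matrix-conduit = {
    enable = true;
    settings.global = {
      server_name = serverName;
      # Loopback only: nginx owns the public ports and proxies to this address.
      address = "::1";
      port = 6167;
      allow_encryption = true;
      allow_federation = true;
      # Registration stays closed on this homeserver.
      allow_registration = false;
      database_backend = "sqlite";
      trusted_servers = [ "matrix.org" ];
      # Reused below for nginx's client_max_body_size so the two limits cannot drift.
      max_request_size = 32 * 1024 * 1024; # 32 MiB
    };
  };

  services.nginx.virtualHosts = {
    ${matrixHost} = {
      forceSSL = true;
      useACMEHost = serverName;
      kTLS = true;
      # 443 for clients, 8448 for federation, both on IPv4 and IPv6.
      listen = mkListen 443 ++ mkListen 8448;

      locations."/_matrix/" = {
        # The brackets assume `address` is an IPv6 literal (it is "::1" above).
        proxyPass = "http://[${conduitSettings.global.address}]:${
          toString conduitSettings.global.port
        }";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_set_header Host $host;
          client_max_body_size ${toString conduitSettings.global.max_request_size};
        '';
      };

      # Anything outside the Matrix API is sent to the main site.
      locations."/".return = "301 https://${serverName}";
      extraConfig = ''
        merge_slashes off;
      '';
    };

    ${serverName} = {
      # Server delegation: peers federating with ${serverName} are pointed at
      # ${matrixHost}. No port is given, so peers fall back to 8448 (after the
      # SRV lookup), which nginx serves above.
      locations."= /.well-known/matrix/server" = let
        contents = pkgs.writeText "well-known-matrix-server" ''
          {
            "m.server": "${matrixHost}"
          }
        '';
      in {
        alias = "${contents}";
        extraConfig = ''
          default_type application/json;
        '';
      };

      # Client discovery: clients log in to ${serverName} and are sent to the
      # real homeserver URL. Distinct store name from the server file above.
      locations."= /.well-known/matrix/client" = let
        contents = pkgs.writeText "well-known-matrix-client" ''
          {
            "m.homeserver": {
              "base_url": "https://${matrixHost}"
            }
          }
        '';
      in {
        alias = "${contents}";
        extraConfig = ''
          default_type application/json;

          # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
          add_header Access-Control-Allow-Origin "*";
        '';
      };
    };
  };

  # Federation is HTTPS over TCP; nothing here listens on UDP, so only the TCP
  # rule is needed. 443 is not opened by this module.
  networking.firewall.allowedTCPPorts = [ 8448 ];

  # Destination for the compressed database snapshot; root-only.
  systemd.tmpfiles.settings."50-var-backup-matrix-conduit" = {
    "/var/backup/matrix-conduit".d = {
      user = "root";
      group = "root";
      mode = "0700";
    };
  };

  services.restic.backups.matrix-conduit = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository =
      "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    paths = [
      "/var/backup/matrix-conduit/conduit.db.zst"
      "/var/lib/matrix-conduit/media"
    ];
    timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05

    # Snapshot the live sqlite database into a private temp file, then compress
    # it into the backup directory that restic picks up from `paths`.
    backupPrepareCommand = ''
      set -euo pipefail
      umask 0077
      f=$(mktemp)
      # zstd --rm deletes the snapshot on success; the trap covers failures.
      trap 'rm -f "$f"' EXIT

      # consistency is provided by the internal locking of sqlite
      ${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
      ${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
        -o /var/backup/matrix-conduit/conduit.db.zst "$f"
    '';

    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "matrix-conduit";
      inherit pkgs secrets;
    };
  };
}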