WIP: Add conduit

configuration/default.nix

@@ -8,6 +8,7 @@
     "${modulesPath}/profiles/headless.nix"
     (import ../modules)
 
+    ./services/conduit.nix
     ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
@@ -49,7 +50,17 @@
     useDHCP = false;
     interfaces.eth0.useDHCP = true;
 
-    firewall.allowedTCPPorts = [80 443 2222 21025];
+    firewall.allowedTCPPorts = [
+      # http
+      80
+      443
+      # ssh
+      2222
+      # matrix
+      8448
+      # starbound
+      21025
+    ];
   };
 
   time.timeZone = "Europe/London";

configuration/services/conduit.nix

@@ -0,0 +1,53 @@
+{config, ...}: let
+  cfg = config.services.matrix-conduit;
+  domain = "matrix.${config.services.nginx.domain}";
+in {
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      address = "127.0.0.1";
+      server_name = domain;
+      database_backend = "rocksdb";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "[::0]";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "0.0.0.0";
+        port = 8448;
+        ssl = true;
+      }
+      {
+        addr = "[::0]";
+        port = 8488;
+        ssl = true;
+      }
+    ];
+
+    addSSL = true;
+    extraConfig = ''
+      merge_slashes off;
+    '';
+
+    locations."/_matrix" = {
+      proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
+      # Recommended by conduit
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+    };
+  };
+}

flake.nix

@@ -86,6 +86,7 @@
           "2222" = "2222";
           "3080" = "80";
           "3443" = "443";
+          "8448" = "8448"; # Matrix
           "21025" = "21025"; # Starbound
         };
       in {