diff --git a/configuration/default.nix b/configuration/default.nix
index f81357b..eb9d05e 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -8,6 +8,7 @@
     "${modulesPath}/profiles/headless.nix"
     (import ../modules)
+    ./services/conduit.nix
     ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
@@ -49,7 +50,17 @@
     useDHCP = false;
     interfaces.eth0.useDHCP = true;
-    firewall.allowedTCPPorts = [80 443 2222 21025];
+    firewall.allowedTCPPorts = [
+      # http
+      80
+      443
+      # ssh
+      2222
+      # matrix
+      8448
+      # starbound
+      21025
+    ];
   };
   time.timeZone = "Europe/London";
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
new file mode 100644
index 0000000..e8bbb6e
--- /dev/null
+++ b/configuration/services/conduit.nix
@@ -0,0 +1,53 @@
+{config, ...}: let
+  cfg = config.services.matrix-conduit;
+  domain = "matrix.${config.services.nginx.domain}";
+in {
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      address = "127.0.0.1";
+      server_name = domain;
+      database_backend = "rocksdb";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+
+    listen = [
+      {
+        addr = "0.0.0.0";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "[::0]";
+        port = 443;
+        ssl = true;
+      }
+      {
+        addr = "0.0.0.0";
+        port = 8448;
+        ssl = true;
+      }
+      {
+        addr = "[::0]";
+        port = 8488;
+        ssl = true;
+      }
+    ];
+
+    addSSL = true;
+    extraConfig = ''
+      merge_slashes off;
+    '';
+
+    locations."/_matrix" = {
+      proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}";
+      # Recommended by conduit
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+    };
+  };
+}
diff --git a/flake.lock b/flake.lock
index a5fc6e4..126fb51 100644
--- a/flake.lock
+++ b/flake.lock
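Review bot: The fourth `listen` entry in configuration/services/conduit.nix binds `[::0]` on port `8488`, while the IPv4 entry beside it, the firewall change in configuration/default.nix and the Matrix federation convention all use `8448`, so IPv6-only federation peers are refused and nginx binds a port the firewall never opens; it should read `port = 8448;`. The `proxyPass` string reads `cfg.settings.global.port`, but `settings.global` in this file never sets `port`, so the upstream port silently comes from the module default — either set it explicitly or add `# port is the matrix-conduit module default` above `proxyPass` so the dependency is visible. `server_name = domain` makes the `matrix.` subdomain the user-ID domain; if IDs on the bare domain were intended, a `/.well-known/matrix/server` delegation on the apex vhost would be needed instead, which this diff does not show, so confirm which is meant.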
@@ -289,6 +289,22 @@
       "type": "github"
     }
   },
+  "nixpkgs-unstable": {
+    "locked": {
+      "lastModified": 1666424192,
+      "narHash": "sha256-rb/a7Kg9s31jqkvdOQHFrUc5ig5kB+O2ZKB8mjU2kW8=",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "rev": "4f8287f3d597c73b0d706cfad028c2d51821f64d",
+      "type": "github"
+    },
+    "original": {
+      "owner": "NixOS",
+      "ref": "nixpkgs-unstable",
+      "repo": "nixpkgs",
+      "type": "github"
+    }
+  },
   "nixpkgs_2": {
     "locked": {
       "lastModified": 1665466769,
@@ -390,6 +406,7 @@
       "inputs": {
         "deploy-rs": "deploy-rs",
         "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
         "nvfetcher": "nvfetcher",
         "sops-nix": "sops-nix",
         "tlaternet-webserver": "tlaternet-webserver"
diff --git a/flake.nix b/flake.nix
index 1d6828b..f190d89 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,7 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     deploy-rs.url = "github:serokell/deploy-rs";
     sops-nix = {
       url = "github:Mic92/sops-nix";
@@ -21,6 +22,7 @@
   outputs = {
     self,
     nixpkgs,
+    nixpkgs-unstable,
     sops-nix,
     nvfetcher,
     deploy-rs,
@@ -66,7 +68,7 @@
     # Helper functions #
     ####################
     lib = import ./lib {
-      inherit nixpkgs sops-nix tlaternet-webserver;
+      inherit nixpkgs nixpkgs-unstable sops-nix tlaternet-webserver;
       lib = nixpkgs.lib;
     };
@@ -86,6 +88,7 @@
       "2222" = "2222";
       "3080" = "80";
       "3443" = "443";
+      "8448" = "8448"; # Matrix
       "21025" = "21025"; # Starbound
     };
   in {
diff --git a/lib/default.nix b/lib/default.nix
index 5f6b68f..da4031f 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,6 +1,7 @@
 {
   lib,
   nixpkgs,
+  nixpkgs-unstable,
   sops-nix,
   tlaternet-webserver,
 }: let
@@ -24,6 +25,13 @@ in {
       sops-nix.nixosModules.sops
       tlaternet-webserver.nixosModules.default
       (import ../configuration)
+      {
+        nixpkgs.overlays = [
+          (self: super: {
+            matrix-conduit = nixpkgs-unstable.legacyPackages.${system}.matrix-conduit;
+          })
+        ];
+      }
     ]
     ++ extraModules;
   };
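Review bot: The new input line in flake.nix writes the owner as `github:NixOS/nixpkgs/nixpkgs-unstable` while the existing line directly above uses `github:nixos/nixpkgs/nixos-22.05`; both resolve, but the mismatched casing reads as two different sources, so `nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";` keeps the inputs block uniform. The added `"8448" = "8448"; # Matrix` entry in the port map follows the existing `# Starbound` comment style, which is fine.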
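Review bot: The overlay added in lib/default.nix swaps in the `matrix-conduit` package from nixpkgs-unstable while the `services.matrix-conduit` module evaluating its `settings` still comes from the pinned nixpkgs (nixos-22.05), so the module's option schema and the package's accepted configuration can drift apart on every lock update of either input without anything in this file flagging it. A comment above `nixpkgs.overlays` giving the reason for the mix, e.g. `# matrix-conduit is taken from unstable; the services.matrix-conduit module still comes from the pinned nixpkgs, so re-check settings when bumping either input`, would make that coupling visible (the reason itself is not stated in the diff, so fill it in from the actual motivation). `system` inside the overlay is bound outside this hunk by the enclosing function, which starts before the hunk. The `self: super:` arguments are both unused; `_: _:` or the conventional `final: prev:` would make that explicit.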