From 06517138e1544992dcd5dc1f5c3084f782e74f7d Mon Sep 17 00:00:00 2001
From: Atridad Lahiji
Date: Tue, 10 Feb 2026 23:16:32 -0700
Subject: [PATCH] Try this now
---
 configuration.nix | 1 +
 modules/matrix.nix | 114 +++++++++++++++++++++++++++++++++++++++++++++
 modules/nginx.nix | 101 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 215 insertions(+), 1 deletion(-)
 create mode 100644 modules/matrix.nix
diff --git a/configuration.nix b/configuration.nix
index 04265ae..5d4036d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -10,6 +10,7 @@
 ./modules/hardware.nix ./modules/services.nix ./modules/nginx.nix
+ ./modules/matrix.nix
 ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/modules/matrix.nix b/modules/matrix.nix
new file mode 100644
index 0000000..83ef471
--- /dev/null
+++ b/modules/matrix.nix
@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:
+
+let
+ livekitKeyFile = "/run/livekit.key";
+ serverName = "atri.dad";
+ matrixDomain = "chat.atri.dad";
+ matrixRtcDomain = "matrixrtc.atri.dad";
+in
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = serverName;
+ public_baseurl = "https://${matrixDomain}";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "::1" "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = true;
+ }
+ ];
+ }
+ ];
+
+ database = {
+ name = "psycopg2";
+ args = {
+ database = "matrix-synapse";
+ user = "matrix-synapse";
+ host = "/run/postgresql";
+ };
+ };
+
+ max_upload_size = "100M";
+
+ url_preview_enabled = true;
+ url_preview_ip_range_blacklist = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "100.64.0.0/10"
+ "192.0.0.0/24"
+ "169.254.0.0/16"
+ "198.18.0.0/15"
+ "::1/128"
+ "fe80::/10"
+ "fc00::/7"
+ ];
+
+ enable_registration = false;
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "matrix-synapse" ];
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.livekit = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ port = 7880;
+ rtc = {
+ port_range_start = 50000;
+ port_range_end = 60000;
+ use_external_ip = true;
+ };
+ room.auto_create = false;
+ };
+ keyFile = livekitKeyFile;
+ };
+
+ services.lk-jwt-service = {
+ enable = true;
+ livekitUrl = "wss://${matrixDomain}/livekit/sfu";
+ keyFile = livekitKeyFile;
+ };
+
+ systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = serverName;
+
+ systemd.services.livekit-key = {
+ before = [ "lk-jwt-service.service" "livekit.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [ livekit coreutils gawk ];
+ script = ''
+ echo "Key missing, generating key"
+ echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | 
awk '{print $3}')" > "${livekitKeyFile}"
+ '';
+ serviceConfig.Type = "oneshot";
+ unitConfig.ConditionPathExists = "!${livekitKeyFile}";
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 7880 7881 ];
+ allowedUDPPortRanges = [
+ { from = 50000; to = 60000; }
+ ];
+ };
+}
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 8a6e4d4..f109564 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,5 +1,30 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
+let
+ serverName = "atri.dad";
+ matrixDomain = "chat.atri.dad";
+
+ # .well-known/matrix/client JSON
+ wellKnownClient = builtins.toJSON {
+ "m.homeserver" = {
+ base_url = "https://${matrixDomain}";
+ };
+ "org.matrix.msc3575.proxy" = {
+ url = "https://${matrixDomain}";
+ };
+ "org.matrix.msc4143.rtc_foci" = [
+ {
+ type = "livekit";
+ livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+ }
+ ];
+ };
+
+ # .well-known/matrix/server JSON
+ wellKnownServer = builtins.toJSON {
+ "m.server" = "${matrixDomain}:443";
+ };
+in
 { services.nginx = { enable = true;
@@ -119,6 +144,19 @@
 proxyPass = "http://lloyd.tadpole-pain.ts.net:3000"; extraConfig = "if ($fuckai) { return 444; }"; };
+ locations."= /.well-known/matrix/server" = {
+ extraConfig = ''
+ default_type application/json;
+ return 200 '${wellKnownServer}';
+ '';
+ };
+ locations."= /.well-known/matrix/client" = {
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ return 200 '${wellKnownClient}';
+ '';
+ };
 }; "analytics.atri.dad" = { enableACME = true;
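Review bot: The `livekit-key` script writes the LiveKit API secret with `echo ... > "${livekitKeyFile}"` under the unit's default umask, so the file in /run is created world-readable by any local account; start the script with `umask 077` and `set -o pipefail`, the latter so that a failing `livekit-server generate-keys` cannot leave an empty or truncated key that the `ConditionPathExists = "!${livekitKeyFile}"` guard will then treat as present on later boots. If the livekit and lk-jwt-service modules hand `keyFile` to the services through systemd credentials a root-only file is sufficient; if they open the path themselves the file additionally needs to be readable by their service user, which is worth confirming. Separately, `allowedTCPPorts = [ 7880 7881 ]` opens LiveKit's plaintext signaling port 7880 to the network even though nginx already terminates TLS and proxies to `[::1]:7880`; only the media ports (7881/tcp and 50000-60000/udp) need to be reachable, and since `openFirewall = true` is also set the explicit firewall block may be redundant with what the module opens. `matrixRtcDomain` and `lib` are bound but never used in this file.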
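Review bot: `serverName` and `matrixDomain` in the new `let` re-declare values that modules/matrix.nix also hard-codes, and `serverName` is never referenced in this hunk, so the two files can drift without any evaluation error (a mismatched `m.server` or `base_url` silently breaks federation and client discovery). Derive them from the homeserver options instead, e.g. `serverName = config.services.matrix-synapse.settings.server_name;` and `base_url = config.services.matrix-synapse.settings.public_baseurl;`, and drop `lib` from the argument list unless the rest of the file uses it. The `"org.matrix.msc3575.proxy"` entry points at the homeserver itself; if that is meant for Synapse's native sliding sync rather than a separate proxy, a one-line comment saying so would save the next reader a lookup.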
@@ -337,6 +375,67 @@
 }; };
+ # Matrix
+ "chat.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://[::1]:8008";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 100M;
+ '';
+ };
+
+ locations."^~ /livekit/jwt/" = {
+ priority = 400;
+ proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
+ };
+
+ locations."^~ /livekit/sfu/" = {
+ priority = 400;
+ proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_send_timeout 120;
+ proxy_read_timeout 120;
+ proxy_buffering off;
+ proxy_set_header Accept-Encoding gzip;
+ '';
+ };
+
+ locations."= /.well-known/matrix/server" = {
+ extraConfig = ''
+ default_type application/json;
+ return 200 '${wellKnownServer}';
+ '';
+ };
+ locations."= /.well-known/matrix/client" = {
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ return 200 '${wellKnownClient}';
+ '';
+ };
+ };
+
+ # LiveKit WebRTC signaling domain
+ "matrixrtc.atri.dad" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_send_timeout 120;
+ proxy_read_timeout 120;
+ proxy_buffering off;
+ proxy_set_header Accept-Encoding gzip;
+ '';
+ };
+ };
+
 # atash.dev hosts "atash.dev" = { enableACME = true;
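Review bot: `locations."/"` on `chat.atri.dad` forwards every path to Synapse, which also publishes the admin API under `/_synapse/admin/` through the public vhost; Synapse's reverse-proxy documentation recommends keeping that prefix off the internet and using the loopback listener (`[::1]:8008`) for administration. A regex location, which nginx evaluates ahead of the `/` prefix, closes it: `locations."~ ^/_synapse/admin" = { return = "403"; };`. The two `.well-known/matrix/*` blocks here duplicate the ones added to the other vhost in this commit, and `m.server` delegation only has meaning on the server_name host, so either drop them from this vhost or factor both into one attrset merged with `//`. The `matrixrtc.atri.dad` vhost is not referenced by `livekitUrl` or by `rtc_foci` (both point at `chat.atri.dad/livekit/...`), so as written it is an unused second public entry point to LiveKit; point the configuration at it or remove it, and `client_max_body_size 100M` would be safer derived from `max_upload_size` than repeated by hand.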