diff --git a/Makefile b/Makefile
index bafc2dd..82bfe1d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: help certs matrix-user switch
+.PHONY: help certs switch
 help:
 @grep -E '^[a-zA-Z_-]+:.*##' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*## "}; {printf " \033[36m%-20s\033[0m %s\n", $$1, $$2}'
@@ -16,8 +16,3 @@ certs:
 done; \
 wait; \
 echo "Done. Check status with: systemctl list-units 'acme-order-renew-*' --all --state=failed"
-
-matrix-user:
- @nix shell nixpkgs#matrix-synapse -c register_new_matrix_user \
- -k "$$(sudo cat /var/lib/matrix-synapse/registration_shared_secret)" \
- http://localhost:8008
diff --git a/modules/matrix.nix b/modules/matrix.nix
index ac9772f..c5bf985 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -3,76 +3,50 @@ let
 livekitKeyFile = "/run/livekit.key";
 serverName = "atri.dad";
- matrixDomain = "chat.atri.dad";
+ matrixDomain = "matrix.atri.dad";
 matrixRtcDomain = "matrixrtc.atri.dad";
 in
 {
- services.matrix-synapse = {
+ services.matrix-tuwunel = {
 enable = true;
 settings = {
- server_name = serverName;
- public_baseurl = "https://${matrixDomain}";
+ global = {
+ server_name = serverName;
+ address = [ "127.0.0.1" "::1" ];
+ port = [ 6167 ];
+ max_request_size = 104857600; # 100MB in bytes
+ allow_registration = false;
+ allow_encryption = true;
+ allow_federation = true;
+ trusted_servers = [ "matrix.org" ];
+ ip_range_denylist = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "100.64.0.0/10"
+ "192.0.0.0/24"
+ "169.254.0.0/16"
+ "198.18.0.0/15"
+ "::1/128"
+ "fe80::/10"
+ "fc00::/7"
+ ];
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "::1" "127.0.0.1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
+ well_known = {
+ server = "${matrixDomain}:443";
+ client = "https://${matrixDomain}";
+ rtc_transports = [
 {
- names = [ "client" "federation" ];
- compress = true;
+ type = "livekit";
+ livekit_service_url = "https://${matrixRtcDomain}";
 }
 ];
- }
- ];
-
- database = {
- name = "psycopg2";
- args = {
- database = "matrix-synapse";
- user = "matrix-synapse";
- host = "/run/postgresql";
 };
 };
-
- max_upload_size = "100M";
-
- url_preview_enabled = true;
- url_preview_ip_range_blacklist = [
- "127.0.0.0/8"
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
- "100.64.0.0/10"
- "192.0.0.0/24"
- "169.254.0.0/16"
- "198.18.0.0/15"
- "::1/128"
- "fe80::/10"
- "fc00::/7"
- ];
-
- enable_registration = false;
- registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret";
 };
 };
- services.postgresql = {
- enable = true;
- initialScript = pkgs.writeText "synapse-init.sql" ''
- CREATE ROLE "matrix-synapse" WITH LOGIN;
- CREATE DATABASE "matrix-synapse"
- OWNER "matrix-synapse"
- TEMPLATE template0
- LC_COLLATE = 'C'
- LC_CTYPE = 'C'
- ENCODING = 'UTF8';
- '';
- };
-
 services.livekit = {
 enable = true;
 openFirewall = true;
@@ -90,7 +64,7 @@ in
 services.lk-jwt-service = {
 enable = true;
- livekitUrl = "wss://${matrixDomain}/livekit/sfu";
+ livekitUrl = "wss://${matrixRtcDomain}";
 keyFile = livekitKeyFile;
 };
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 696d48b..0b3b390 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -2,27 +2,18 @@ let
 serverName = "atri.dad";
- matrixDomain = "chat.atri.dad";
+ matrixDomain = "matrix.atri.dad";
- # .well-known/matrix/client JSON
+ # .well-known/matrix/server JSON (served from atri.dad for delegation)
+ wellKnownServer = builtins.toJSON {
+ "m.server" = "${matrixDomain}:443";
+ };
+
+ # .well-known/matrix/client JSON (served from atri.dad for delegation)
 wellKnownClient = builtins.toJSON {
 "m.homeserver" = {
 base_url = "https://${matrixDomain}";
 };
- "org.matrix.msc3575.proxy" = {
- url = "https://${matrixDomain}";
- };
- "org.matrix.msc4143.rtc_foci" = [
- {
- type = "livekit";
- livekit_service_url = "https://${matrixDomain}/livekit/jwt";
- }
- ];
- };
-
- # .well-known/matrix/server JSON
- wellKnownServer = builtins.toJSON {
- "m.server" = "${matrixDomain}:443";
 };
 in
 {
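Review bot: Removing the whole `services.postgresql` block disables PostgreSQL for the host, not only the matrix-synapse database, so any other module on this machine that relies on it breaks with this hunk (confirm nothing else uses it), and the old cluster data and `/var/lib/matrix-synapse` — including `registration_shared_secret`, which this commit stops reading — remain on disk until cleaned up. With `allow_registration = false` and the Makefile's `matrix-user` target deleted, the repo no longer shows how accounts are created on the new server; a comment above `allow_registration` naming the intended procedure would save the next admin a search. `trusted_servers = [ "matrix.org" ]` and `ip_range_denylist` also merit why-comments, e.g. `# notary used to fetch other servers' signing keys — keep to servers you trust` and `# private/link-local ranges the server must never connect to (URL previews, federation lookups)`; both readings follow the conduwuit-family option docs, so confirm them against tuwunel's. The `104857600` limit equals nginx's `client_max_body_size 100M` exactly, which is worth stating in its comment so the two stay in step.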
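Review bot: `wellKnownClient` now advertises only `m.homeserver`; the `org.matrix.msc4143.rtc_foci` entry that told clients where the LiveKit focus lives is gone from the nginx-served JSON, and although `well_known.rtc_transports` is set in modules/matrix.nix, clients fetch `/.well-known/matrix/client` from the server name `atri.dad`, so unless that vhost (outside this diff) proxies the path to tuwunel instead of returning `wellKnownClient`, Element Call will not find the focus — confirm. The two new comments say both documents are served from atri.dad for delegation, but no hunk in this commit adds those locations, and the later hunk removes the copies from the old `chat.atri.dad` vhost together with their `add_header Access-Control-Allow-Origin "*"`; if the atri.dad vhost does not already return both files with that CORS header, federation delegation and web-client discovery break. Pointing each comment at the location that serves it, e.g. `# returned by the atri.dad vhost's "= /.well-known/matrix/server" location`, makes that dependency visible.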
@@ -383,54 +374,36 @@ in
 };
 # Matrix
- "chat.atri.dad" = {
+ "matrix.atri.dad" = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://[::1]:8008";
+ proxyPass = "http://[::1]:6167";
 proxyWebsockets = true;
 extraConfig = ''
 client_max_body_size 100M;
 '';
 };
-
- locations."^~ /livekit/jwt/" = {
- priority = 400;
- proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
- };
-
- locations."^~ /livekit/sfu/" = {
- priority = 400;
- proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}/";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_send_timeout 120;
- proxy_read_timeout 120;
- proxy_buffering off;
- proxy_set_header Accept-Encoding gzip;
- '';
- };
-
- locations."= /.well-known/matrix/server" = {
- extraConfig = ''
- default_type application/json;
- return 200 '${wellKnownServer}';
- '';
- };
- locations."= /.well-known/matrix/client" = {
- extraConfig = ''
- default_type application/json;
- add_header Access-Control-Allow-Origin "*";
- return 200 '${wellKnownClient}';
- '';
- };
 };
- # LiveKit WebRTC signaling domain
+ # LiveKit WebRTC signaling domain (MatrixRTC)
 "matrixrtc.atri.dad" = {
 enableACME = true;
 forceSSL = true;
+
+ # lk-jwt-service
+ locations."~ ^(/sfu/get|/healthz)" = {
+ priority = 400;
+ proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+
+ # livekit
 locations."/" = {
 proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
 proxyWebsockets = true;
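Review bot: The `matrix.atri.dad` location proxies to `[::1]:6167` without the `Host`/`X-Forwarded-For`/`X-Forwarded-Proto` headers that the new lk-jwt-service location sets explicitly, so tuwunel will see every client as `::1` in its logs and in any per-IP limiting unless `services.nginx.recommendedProxySettings` is enabled elsewhere in this file (Synapse previously declared `x_forwarded = true` for the same reason). Adding the same three `proxy_set_header` lines to that location's `extraConfig`, or enabling the recommended proxy settings once for the whole server, keeps the two vhosts consistent. The hard-coded `6167` also duplicates the port declared in modules/matrix.nix while the neighbouring locations read `config.services.*.port`; `proxyPass = "http://[::1]:${toString (builtins.head config.services.matrix-tuwunel.settings.global.port)}";` would keep the value in one place, assuming the module exposes `settings` as a readable attrset. Finally the regex `~ ^(/sfu/get|/healthz)` has no end anchor, so `/healthz` and every `/sfu/get…` prefix are publicly routed to lk-jwt-service; `~ ^(/sfu/get|/healthz)$` is probably the intent if the service has no sub-paths — confirm.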