path: root/modules/matrix/conduit.nix
authorMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
committerMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
commit5828af9fc19e18dc85e49fcc1a251a7eb25d909c (patch)
treec70c3e52237c08d3fdcb2f1269c524c25e3feeb8 /modules/matrix/conduit.nix
init
Diffstat (limited to 'modules/matrix/conduit.nix')
-rw-r--r--modules/matrix/conduit.nix142
1 files changed, 142 insertions, 0 deletions
diff --git a/modules/matrix/conduit.nix b/modules/matrix/conduit.nix
new file mode 100644
index 0000000..10612b9
--- /dev/null
+++ b/modules/matrix/conduit.nix
@@ -0,0 +1,142 @@
+{ config, lib, pkgs, ... }:
+
+
+let
+ cfg = config.services.matrix;
+
+ # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
+ well_known_server = pkgs.writeText "well-known-matrix-server" ''
+ {
+ "m.server": "${cfg.matrix_hostname}"
+ }
+ '';
+
+ # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
+ well_known_client = pkgs.writeText "well-known-matrix-client" ''
+ {
+ "m.homeserver": {
+ "base_url": "https://${cfg.matrix_hostname}"
+ }
+ }
+ '';
+in
+{
+ # Configure Conduit itself
+ services.matrix-conduit = {
+ enable = true;
+
+ # This causes NixOS to use the flake defined in this repository instead of
+ # the build of Conduit built into nixpkgs.
+ package = pkgs.unstable.matrix-conduit;
+
+ settings.global = {
+ inherit (cfg) server_name;
+
+ allow_registration = true;
+ allow_federation = true;
+ trusted_servers = [ "matrix.org" ];
+ enable_lightning_bolt = false;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = cfg.admin_email;
+ };
+ };
+
+ # ACME data must be readable by the NGINX user
+ users.users.nginx.extraGroups = [
+ "acme"
+ ];
+
+ # Configure NGINX as a reverse proxy
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "${cfg.matrix_hostname}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ {
+ addr = "[::0]";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::0]";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+
+ locations."/_matrix/" = {
+ proxyPass = "http://backend_conduit$request_uri";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ '';
+ };
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+
+ "${cfg.server_name}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."=/.well-known/matrix/server" = {
+ # Use the contents of the derivation built previously
+ alias = "${well_known_server}";
+
+ extraConfig = ''
+ # Set the header since by default NGINX thinks it's just bytes
+ default_type application/json;
+ '';
+ };
+
+ locations."=/.well-known/matrix/client" = {
+ # Use the contents of the derivation built previously
+ alias = "${well_known_client}";
+
+ extraConfig = ''
+ # Set the header since by default NGINX thinks it's just bytes
+ default_type application/json;
+
+ # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+ };
+ };
+
+ upstreams = {
+ "backend_conduit" = {
+ servers = {
+ "localhost:${toString config.services.matrix-conduit.settings.global.port}" = { };
+ };
+ };
+ };
+ };
+
+ # Open firewall ports for HTTP, HTTPS, and Matrix federation
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
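Review bot: `allow_registration = true;` in `settings.global` enables unauthenticated account creation on a homeserver that this same module exposes publicly on 443/8448 and federates with `allow_federation = true;`, with nothing visible here (no registration token, no rate limiting at the nginx layer) to gate it, so the deployment is open to spam-account abuse that also tends to get a server blocked by federation peers; either set `allow_registration = false;` or, if the `pkgs.unstable.matrix-conduit` build in use supports it, pair it with `registration_token = "…";` sourced from a secret rather than committed in the module. Separately, `networking.firewall.allowedUDPPorts = [ 80 443 8448 ];` opens UDP ports that nothing in this module listens on — the nginx `listen` entries and the Conduit upstream are TCP only — so that line should be dropped to keep the exposed surface to what is actually served. A smaller point of style: `recommendedProxySettings = true;` already sets `proxy_set_header Host $host;` in NixOS, so the duplicate in the `/_matrix/` location is redundant and can be removed to avoid two places disagreeing later.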