move matrix to bicep

2025-12-09 20:17:14 +01:00 · 2023-05-07 10:14:09 +02:00
parent dcbe6871da
commit ee73a964be
11 changed files with 98 additions and 4 deletions
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -4,9 +4,11 @@
    ./hardware-configuration.nix

    ../../base.nix
+    ./services/nginx

    ./services/postgres.nix
-    ./services/jokum.nix
+
+    ./services/matrix
  ];

  sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
@@ -22,10 +24,10 @@

  systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp6s0f0";
-    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
+      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
  };
  systemd.network.wait-online = {
-    ignoredInterfaces = [ "enp6s0f1" ];
    anyInterface = true;
  };

--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -0,0 +1,135 @@
+{ config, lib, pkgs, secrets, ... }:
+
+{
+  sops.secrets."matrix/synapse/turnconfig" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "synapse/turnconfig";
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+  sops.secrets."matrix/coturn/static-auth-secret" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "coturn/static-auth-secret";
+    owner = config.users.users.turnserver.name;
+    group = config.users.users.turnserver.group;
+  };
+
+  services.matrix-synapse-next = {
+    extraConfigFiles = [
+      config.sops.secrets."matrix/synapse/turnconfig".path
+    ];
+
+    settings = {
+      turn_uris = [
+        "turns:turn.pvv.ntnu.no:443?transport=tcp"
+        "turns:turn.pvv.ntnu.no:443?transport=udp"
+
+        "turns:turn.pvv.ntnu.no:5349?transport=tcp"
+        "turns:turn.pvv.ntnu.no:5349?transport=udp"
+        
+        "turns:turn.pvv.ntnu.no:3478?transport=udp"
+        "turns:turn.pvv.ntnu.no:3478?transport=tcp"
+        "turn:turn.pvv.ntnu.no:3478?transport=udp"
+        "turn:turn.pvv.ntnu.no:3478?transport=tcp"
+
+        "turns:turn.pvv.ntnu.no:3479?transport=tcp"
+        "turns:turn.pvv.ntnu.no:3479?transport=udp"
+        "turn:turn.pvv.ntnu.no:3479?transport=tcp"
+        "turn:turn.pvv.ntnu.no:3479?transport=udp"
+      ];
+    };
+  };
+
+  security.acme.certs.${config.services.coturn.realm} = {
+    email = "drift@pvv.ntnu.no";
+    listenHTTP = "129.241.210.213:80";
+    reloadServices = [ "coturn.service" ];
+  };
+
+  users.users.turnserver.extraGroups = [ "acme" ];
+
+  systemd.services."acme-${config.services.coturn.realm}".serviceConfig = {
+    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+  };
+
+  services.coturn = rec {
+    enable = true;
+    realm = "turn.pvv.ntnu.no";
+
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+
+    use-auth-secret = true;
+    # World readable but I  dont think it's that bad
+    static-auth-secret-file = config.sops.secrets."matrix/coturn/static-auth-secret".path;
+
+    secure-stun = true;
+
+    listening-ips = [ "129.241.210.213" "2001:700:300:1900::213" ];
+
+    tls-listening-port = 443;
+    alt-tls-listening-port = 5349;
+ 
+    listening-port = 3478;
+
+    min-port = 49000;
+    max-port = 50000;
+
+    no-tls = false;
+    no-dtls = false;
+
+    no-tcp-relay = false;
+
+    extraConfig = ''
+      verbose
+
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+
+      #user-quota=120
+      #total-quota=1200
+    '';
+  };
+  
+  networking.firewall = {
+    interfaces.enp6s0f0 = let
+      range = with config.services.coturn; [ {
+      from = min-port;
+      to = max-port;
+    } ];
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [ 443 3478 3479 5349 ];
+      allowedTCPPortRanges = range;
+      allowedTCPPorts = [ 443 3478 3479 5349 ];
+    };
+  };
+
+}
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+
+{
+
+  imports = [
+    ./synapse.nix
+    ./synapse-admin.nix
+    ./element.nix
+    ./coturn.nix
+    ./mjolnir.nix
+
+    ./discord.nix
+  ];
+
+  
+
+}
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.services.mx-puppet-discord;
+in
+{
+  users.groups.keys-matrix-registrations = { };
+
+  sops.secrets."matrix/registrations/mx-puppet-discord" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "registrations/mx-puppet-discord";
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.groups.keys-matrix-registrations.name;
+  };
+
+  systemd.services.mx-puppet-discord = {
+    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+  };
+
+
+  services.mx-puppet-discord.enable = true;
+  services.mx-puppet-discord.settings = {
+    bridge = {
+      bindAddress = "localhost";
+      domain = "pvv.ntnu.no";
+      homeserverUrl = "https://matrix.pvv.ntnu.no";
+    };
+    provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
+    relay.whitelist = [ ".*" ];
+    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
+  };
+  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+
+
+  services.matrix-synapse-next.settings.app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+
+}
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+let
+  synapse-cfg = config.services.matrix-synapse-next;
+in {
+  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+
+    root = pkgs.element-web.override {
+      conf = {
+        default_server_config."m.homeserver" = {
+          base_url = "https://matrix.pvv.ntnu.no";
+          server_name = "pvv.ntnu.no";
+        };
+        disable_3pid_login = true;
+#        integrations_ui_url = "https://dimension.dodsorf.as/riot";
+#        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
+#        integrations_widgets_urls = [
+#          "https://dimension.dodsorf.as/widgets"
+#        ];
+#        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
+        defaultCountryCode = "NO";
+        showLabsSettings = true;
+        features = {
+          feature_latex_maths = true;
+          feature_pinning = true;
+          feature_state_counters = true;
+          feature_custom_status = false;
+        };
+        default_theme = "dark";
+        room_directory.servers = [
+          "pvv.ntnu.no"
+          "matrix.omegav.no"
+          "matrix.org"
+          "libera.chat"
+          "gitter.im"
+          "mozilla.org"
+          "kde.org"
+          "t2bot.io"
+          "fosdem.org"
+          "dodsorf.as"
+        ];
+        enable_presence_by_hs_url = {
+          "https://matrix.org" = false;
+          # "https://matrix.dodsorf.as" = false;
+          "${synapse-cfg.settings.public_baseurl}" = synapse-cfg.settings.presence.enabled;
+        };
+      };
+    };
+  };
+}
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -0,0 +1,56 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets."matrix/mjolnir/access_token" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "mjolnir/access_token";
+    owner = config.users.users.mjolnir.name;
+    group = config.users.users.mjolnir.group;
+  };
+
+  services.mjolnir = {
+    enable = true;
+    pantalaimon.enable = false;
+    homeserverUrl = http://127.0.0.1:8008;
+    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
+    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
+    protectedRooms = map (a: "https://matrix.to/#/${a}") [
+      "#pvv:pvv.ntnu.no"
+      "#stand:pvv.ntnu.no"
+      "#music:pvv.ntnu.no"
+      "#arts-and-crafts:pvv.ntnu.no"
+      "#programming:pvv.ntnu.no"
+      "#talks-and-texts:pvv.ntnu.no"
+      "#job-offers:pvv.ntnu.no"
+      "#vaffling:pvv.ntnu.no"
+      "#pvv-fadder:pvv.ntnu.no"
+      "#offsite:pvv.ntnu.no"
+      "#help:pvv.ntnu.no"
+      "#garniske-algoritmer:pvv.ntnu.no"
+      "#bouldering:pvv.ntnu.no"
+      "#filmclub:pvv.ntnu.no"
+      "#video-games:pvv.ntnu.no"
+      "#board-games:pvv.ntnu.no"
+      "#tabletop-rpgs:pvv.ntnu.no"
+      "#anime:pvv.ntnu.no"
+      "#general:pvv.ntnu.no"
+      "#announcements:pvv.ntnu.no"
+      "#memes:pvv.ntnu.no"
+
+      "#drift:pvv.ntnu.no"
+      "#notifikasjoner:pvv.ntnu.no"
+      "#forespoersler:pvv.ntnu.no"
+      "#krisekanalen:pvv.ntnu.no"
+
+      "#styret:pvv.ntnu.no"
+    ];
+
+    settings = {
+      admin.enableMakeRoomAdminCommand = true;
+    };
+
+    # Module wants it even when not using pantalaimon
+    # TODO: Fix upstream module in nixpkgs
+    pantalaimon.username = "bot_admin";
+  };
+}
--- a/hosts/bicep/services/matrix/synapse-admin.nix
+++ b/hosts/bicep/services/matrix/synapse-admin.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+
+# This service requires you to have access to endpoints not available over the internet
+# Use an ssh proxy or similar to access this dashboard.
+# Then go into your developer console, storage, and change the baseurl to the local ip for synapse
+
+{
+  services.nginx.virtualHosts."localhost" = {
+    rejectSSL = true;
+    root = pkgs.synapse-admin;
+  };
+}
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -0,0 +1,238 @@
+{ config, lib, pkgs, values, inputs, ... }:
+
+let
+  cfg = config.services.matrix-synapse-next;
+
+  matrix-lib = inputs.matrix-next.lib;
+
+  imap0Attrs = with lib; f: set:
+    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
+in {
+  sops.secrets."matrix/synapse/dbconfig" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "synapse/dbconfig";
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
+  sops.secrets."matrix/synapse/signing_key" = {
+    key = "synapse/signing_key";
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
+  sops.secrets."matrix/synapse/user_registration" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "synapse/signing_key";
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+  };
+
+  services.matrix-synapse-next = {
+    enable = true;
+
+    dataDir = "/data/synapse";
+
+    workers.federationSenders = 2;
+    workers.federationReceivers = 2;
+    workers.initialSyncers = 1;
+    workers.normalSyncers = 1;
+    workers.eventPersisters = 2;
+    workers.useUserDirectoryWorker = true;
+
+    enableNginx = true;
+
+    extraConfigFiles = [
+      config.sops.secrets."matrix/synapse/dbconfig".path
+      config.sops.secrets."matrix/synapse/user_registration".path
+    ];
+
+    settings = {
+      server_name = "pvv.ntnu.no";
+      public_baseurl = "https://matrix.pvv.ntnu.no";
+
+      signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
+
+      media_store_path =  "${cfg.dataDir}/media";
+
+      presence.enabled = false;
+
+      caches = {
+        per_cache_factors = {
+          _event_auth_cache = 2.0;
+        };
+      };
+
+      autocreate_auto_join_rooms = false;
+      auto_join_rooms = [
+        "#pvv:pvv.ntnu.no" # Main space
+        "#announcements:pvv.ntnu.no"
+        "#general:pvv.ntnu.no"
+      ];
+
+      allow_public_rooms_over_federation = true;
+
+      max_upload_size = "150M";
+
+      enable_metrics = true;
+      mau_stats_only = true;
+
+      enable_registration = false;
+
+      password_config.enabled = lib.mkForce false;
+
+      trusted_key_servers = [
+        { server_name = "matrix.org"; }
+        { server_name = "dodsorf.as"; }
+      ];
+
+      url_preview_enabled = true;
+      url_preview_ip_range_blacklist = [
+        # synapse example config
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "100.64.0.0/10"
+        "192.0.0.0/24"
+        "169.254.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "192.0.2.0/24"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fe80::/10"
+        "fc00::/7"
+        "2001:db8::/32"
+        "ff00::/8"
+        "fec0::/10"
+
+        # NTNU
+        "129.241.0.0/16"
+        "2001:700:300::/44"
+      ];
+
+      saml2_config = {
+        sp_config.metadata.remote = [
+          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
+        ];
+
+        description = [ "Matrix Synapse SP" "en" ];
+        name = [ "Matrix Synapse SP" "en" ];
+
+        ui_info = {
+          display_name = [
+            {
+              lang = "en";
+              text = "PVV Matrix login";
+            }
+          ];
+          description = [
+            {
+              lang = "en";
+              text = "Matrix is a modern free and open federated chat protocol";
+            }
+          ];
+          #information_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          #privacy_statement_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          keywords = [
+            {
+              lang = "en";
+              text = [ "Matrix" "Element" ];
+            }
+          ];
+          #logo = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #    width = "";
+          #    height = "";
+          #  }
+          #];
+        };
+
+        organization = {
+          name = "Programvareverkstedet";
+          display_name = [ "Programvareverkstedet" "en" ];
+          url = "https://www.pvv.ntnu.no";
+        };
+        contact_person = [
+          { given_name = "Drift";
+            sur_name = "King";
+            email_adress = [ "drift@pvv.ntnu.no" ];
+            contact_type = "technical";
+          }
+        ];
+
+        user_mapping_provider = {
+          config = {
+            mxid_source_attribute =  "uid"; # What is this supposed to be?
+            mxid_mapping = "hexencode";
+          };
+        };
+
+        #attribute_requirements = [
+        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
+        #];
+      };
+    };
+  };
+
+  services.redis.servers."".enable = true;
+  
+  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [({
+    locations = let
+      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+
+      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
+      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
+    in lib.mapAttrs' (n: v: lib.nameValuePair
+      (metricsPath v) ({
+        proxyPass = proxyPath v;
+        extraConfig = ''
+          allow ${values.hosts.ildkule.ipv4};
+          allow ${values.hosts.ildkule.ipv6};
+          deny all;
+        '';
+      }))
+      cfg.workers.instances;
+  })
+  ({
+    locations."/metrics/master/1" = {
+      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
+      extraConfig = ''
+        allow ${values.hosts.ildkule.ipv4};
+        allow ${values.hosts.ildkule.ipv6};
+        deny all;
+      '';
+    };
+
+    locations."/metrics/" = let
+      endpoints = lib.pipe cfg.workers.instances [
+        (lib.mapAttrsToList (_: v: v))
+        (map (w: "${w.type}/${toString w.index}"))
+        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
+      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
+    in {
+      alias = pkgs.writeTextDir "/config.json"
+        (builtins.toJSON [
+          { targets = endpoints;
+            labels = { };
+          }]) + "/";
+    };
+  })];
+}
--- a/hosts/bicep/services/nginx/default.nix
+++ b/hosts/bicep/services/nginx/default.nix
@@ -0,0 +1,29 @@
+{ config, values, ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.jokum.ipv4
+      "[${values.hosts.jokum.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}