From 08f8ad9816eb309ca5f099c5b0f6f207c707b4a6 Mon Sep 17 00:00:00 2001
From: Craige McWhirter
Date: Mon, 30 Mar 2020 13:37:09 +1000
Subject: [PATCH] Finalised initial server configuration

---
 roles/matrix.nix | 53 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 18 deletions(-)

diff --git a/roles/matrix.nix b/roles/matrix.nix
index d556860..28b3271 100644
--- a/roles/matrix.nix
+++ b/roles/matrix.nix
@@ -7,15 +7,15 @@
   services = {
     matrix-synapse = {
-      enable = true; # Enable the synapse server
-      server_name = "mcwhirter.io"; # Server's public domain name
-      public_baseurl = "https://mcwhirter.io:443/"; # Matrix target URL
-      web_client = true; # Whether to serve a web client
-      create_local_database = true; # Whether to create a local database
-      enable_registration = true; # Toggle user registration
+      enable = true; # Enable the synapse server
+      server_name = "mcwhirter.io"; # Server's public domain name
+      public_baseurl = "https://synapse.mcwhirter.io:443/"; # Matrix target URL
+      web_client = true; # Whether to serve a web client
+      create_local_database = true; # Whether to create a local database
+      enable_registration = true; # Toggle user registration
       listeners = [
         {
-          bind_address = "::1"; # Listen on localhost only
-          port = 8008; # Port to listen on
+          bind_address = "::1"; # Listen on localhost only
+          port = 8008; # Port to listen on
           resources = [
             {
               compress = true;
@@ -28,8 +28,11 @@
           type = "http";
           x_forwarded = true;
         }
       ];
-      tls_certificate_path = "/var/lib/acme/mcwhirter.io/fullchain.pem";
-      tls_private_key_path = "/var/lib/acme/mcwhirter.io/key.pem";
+      tls_certificate_path = "/var/lib/acme/synapse.mcwhirter.io/fullchain.pem";
+      tls_private_key_path = "/var/lib/acme/synapse.mcwhirter.io/key.pem";
+      extraConfig = ''
+        max_upload_size: "100M"
+      '';
     };
     nginx = {
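Review bot: `enable_registration = true;` leaves account creation open to anyone who can reach the homeserver, and the hunk re-emits the line without revisiting it now that the server is being put behind a public nginx vhost. Open registration on a federated homeserver is the usual source of spam and abuse accounts; the defensive default is `enable_registration = false;` with accounts created through the admin tooling, or self-service signup gated by `registration_shared_secret` / `enable_registration_captcha` in `extraConfig` if it is wanted. At minimum the trailing comment should state what the flag permits, e.g. `# Open (unauthenticated) user registration: anyone can create accounts`. The `matrix-synapse` attribute set continues into the next hunk.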
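Review bot: The new `max_upload_size: "100M"` only raises synapse's own limit; `/_matrix` is reached through the nginx proxy, whose `client_max_body_size` (1m by default unless it is set elsewhere in this file) will reject larger bodies with 413 before they reach synapse, so the two limits need to be set together, e.g. `extraConfig = "client_max_body_size 100M;";` on the `/_matrix` location. A 100 MB per-file media limit combined with open registration also makes the media store an easy target for disk exhaustion, so it is worth keeping the default until registration is closed or pairing it with a quota on the media directory. As a point of style, if the NixOS module in use still exposes `services.matrix-synapse.max_upload_size` as a typed option, that avoids free-form YAML in `extraConfig`. The `matrix-synapse` set starts in the previous hunk.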
@@ -39,13 +42,9 @@
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
       virtualHosts = {
-        "mcwhirter.io" = {
+        "synapse.mcwhirter.io" = {
           forceSSL = true;
           enableACME = true;
-          serverAliases = [
-            "chat.mcwhirter.io"
-          ];
-          root = pkgs.riot-web; # Install RIOT web in the nginx root
           locations = {
             "/_matrix" = {
               proxyPass = "https://[::1]:8008";
@@ -54,7 +53,7 @@
               let
                 # use 443 instead of the default 8448 port to unite
                 # the client-server and server-server port for simplicity
-                server = { "m.server" = "mcwhirter.io:443"; };
+                server = { "m.server" = "synapse.mcwhirter.io:443"; };
               in ''
                 add_header Content-Type application/json;
                 return 200 '${builtins.toJSON server}';
@@ -62,7 +61,7 @@
             "= /.well-known/matrix/client".extraConfig =
               let
                 client = {
-                  "m.homeserver" = { "base_url" = "https://mcwhirter.io"; };
+                  "m.homeserver" = { "base_url" = "https://synapse.mcwhirter.io"; };
                   "m.identity_server" = { "base_url" = "https://vector.im"; };
                 };
                 # ACAO required to allow riot-web on any URL to request this json file
@@ -73,12 +72,30 @@
               '';
           };
         };
+        "chat.mcwhirter.io" = {
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [
+            "chat.${config.networking.domain}"
+          ];
+          root = pkgs.riot-web; # Install RIOT web in the nginx root
+        };
       };
     };
+
+    postgresql = {
+      enable = true;
+    };
   };

   security.acme.certs = {
-    "mcwhirter.io" = {
+    "chat.mcwhirter.io" = {
+      group = "matrix-synapse";
+      allowKeysForGroup = true;
+      postRun = "systemctl reload nginx.service";
+      email = "acme@mcwhirter.io";
+    };
+    "synapse.mcwhirter.io" = {
       group = "matrix-synapse";
       allowKeysForGroup = true;
       postRun = "systemctl reload nginx.service; systemctl restart matrix-synapse.service";
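Review bot: Renaming the vhost from `"mcwhirter.io"` to `"synapse.mcwhirter.io"` moves the `/.well-known/matrix/server` and `/.well-known/matrix/client` responses (the next two hunks) onto the new host, but `server_name` is still `mcwhirter.io`, so federating servers and clients look up `https://mcwhirter.io/.well-known/matrix/...`, which this file no longer serves unless a `mcwhirter.io` vhost exists outside the diff. Without that, the delegation to `synapse.mcwhirter.io:443` is never seen, federation falls back to SRV lookup and port 8448 on the bare domain, and since synapse only listens on `[::1]:8008` behind nginx, inbound federation would silently fail. The delegation JSON belongs on a `"mcwhirter.io"` vhost (or `config.networking.domain` for consistency with the alias added later), with the synapse vhost keeping only the `/_matrix` proxy. The vhost definition continues past the end of this hunk.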
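Review bot: The new `"chat.mcwhirter.io"` cert sets `group = "matrix-synapse"` and `allowKeysForGroup = true`, but that certificate is only served by nginx for the riot-web vhost; synapse never reads its private key, so the two attributes should be dropped from this entry and left only on `"synapse.mcwhirter.io"`, whose key synapse does load via `tls_private_key_path`. Separately, the vhost's `serverAliases = [ "chat.${config.networking.domain}" ]` is either identical to the literal vhost name (if `networking.domain` is `mcwhirter.io`) or a second hostname whose certificate coverage is not visible here; picking one form, e.g. `"chat.${config.networking.domain}" = { ... }` without the alias, removes the ambiguity. The `security.acme.certs` set continues past the end of the hunk.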