nix dotfiles

2026-04-10 18:50:25 +03:00 · 2026-04-10 18:50:25 +03:00 · 7b8005c867
commit 7b8005c867
27 changed files with 1728 additions and 0 deletions
--- a/server/matrix.nix
+++ b/server/matrix.nix
@ -0,0 +1,195 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  domain = "itamar.site";
+  matrixDomain = "matrix.${domain}";
+in {
+  networking.firewall = {
+    allowedTCPPorts = [80 443 8448];
+    allowedUDPPorts = [3478 5349];
+    allowedUDPPortRanges = [
+      {
+        from = 49152;
+        to = 65535;
+      }
+    ];
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${domain}";
+    certs = {
+      "${domain}" = {};
+      "${matrixDomain}" = {};
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = ["matrix-synapse" "mautrix-whatsapp"];
+    ensureUsers = [
+      {
+        name = "matrix-synapse";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "mautrix-whatsapp";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = domain;
+      suppress_key_server_warning = true;
+      database = {
+        name = "psycopg2";
+        allow_unsafe_locale = true;
+        args = {
+          database = "matrix-synapse";
+          user = "matrix-synapse";
+          host = "/run/postgresql";
+        };
+      };
+      enable_registration = false;
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
+      turn_uris = [
+        "turns:${domain}:5349?transport=udp"
+        "turns:${domain}:5349?transport=tcp"
+        "turn:${domain}:3478?transport=udp"
+        "turn:${domain}:3478?transport=tcp"
+      ];
+      turn_shared_secret_path = "/var/lib/matrix-synapse/turn_secret";
+      turn_user_lifetime = "1d";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = ["127.0.0.1" "::1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = false;
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  services.mautrix-whatsapp = {
+    enable = true;
+    registerToSynapse = true;
+    settings = {
+      homeserver = {
+        address = "http://localhost:8008";
+        domain = domain;
+      };
+      appservice = {
+        id = "whatsapp";
+        bot = {
+          username = "whatsappbot";
+          displayname = "WhatsApp Bridge Bot";
+        };
+      };
+      database = {
+        type = "postgres";
+        uri = "postgres://mautrix-whatsapp@/mautrix-whatsapp?host=/run/postgresql";
+      };
+      bridge = {
+        permissions = {
+          "*" = "relay";
+          "*@${domain}" = "user";
+          "@itamar:${domain}" = "admin";
+        };
+        encryption.allow = true;
+        private_chat_portal_meta = true;
+      };
+      encryption = {
+        pickle_key = "$ENCRYPTION_PICKLE_KEY";
+      };
+      provisioning.shared_secret = "disable";
+    };
+    environmentFile = "/var/lib/mautrix-whatsapp/secrets.env";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/var/www/${domain}";
+        locations."= /.well-known/matrix/server".extraConfig = ''
+          add_header Content-Type application/json;
+          return 200 '{"m.server": "${matrixDomain}:443"}';
+        '';
+        locations."= /.well-known/matrix/client".extraConfig = ''
+          add_header Content-Type application/json;
+          add_header Access-Control-Allow-Origin *;
+          return 200 '{"m.homeserver":{"base_url":"https://${matrixDomain}"},"m.identity_server":{"base_url":"https://vector.im"}}';
+        '';
+      };
+
+      "${matrixDomain}" = {
+        enableACME = true;
+        forceSSL = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:8008";
+          proxyWebsockets = true;
+        };
+        locations."/_synapse/client" = {
+          proxyPass = "http://[::1]:8008";
+          proxyWebsockets = true;
+        };
+        locations."/".extraConfig = "return 404;";
+      };
+    };
+  };
+
+  services.coturn = {
+    enable = true;
+    realm = domain;
+    listening-ips = ["0.0.0.0"];
+    listening-port = 3478;
+    tls-listening-port = 5349;
+    min-port = 49152;
+    max-port = 65535;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret-file = "/var/lib/coturn/static-auth-secret";
+    cert = "/var/lib/acme/${domain}/fullchain.pem";
+    pkey = "/var/lib/acme/${domain}/key.pem";
+    no-cli = true;
+    no-tcp-relay = true;
+    secure-stun = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/matrix-synapse 0750 matrix-synapse matrix-synapse -"
+    "d /var/lib/coturn 0750 turnserver turnserver -"
+  ];
+}