diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index c9f9033..10577a0 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -154,6 +154,10 @@
 port = "https";
 dst = allAssignments.middleman.internal.ipv4.address + ":https";
 }
+ {
+ port = 8448;
+ dst = allAssignments.middleman.internal.ipv4.address + ":8448";
+ }
 ];
 };
 extraRules =
@@ -170,7 +174,7 @@
 # Safe enough to allow all SSH
 tcp dport ssh accept
- ${matchInet "tcp dport { http, https } accept" "middleman"}
+ ${matchInet "tcp dport { http, https, 8448 } accept" "middleman"}
 return
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
index ecb5d39..2352c9a 100644
--- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
@@ -58,6 +58,8 @@
 listeners = [
 {
+ # Covers both IPv4 and IPv6
+ bind_addresses = [ "::" ];
 port = 8008;
 type = "http";
 tls = false;
@@ -70,8 +72,8 @@
 ];
 }
 {
- port = 9000;
 bind_addresses = [ "127.0.0.1" "::1" ];
+ port = 9000;
 type = "manhole";
 # The NixOS module has defaults for these that we need to override since they don't make sense here
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
index 94111ac..aa27779 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix
@@ -49,7 +49,7 @@
 };
 firewall = {
- tcp.allowed = [ "http" "https" ];
+ tcp.allowed = [ "http" "https" 8448 ];
 };
 };
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index 28ce388..b136644 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
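Review bot: The new forward entry carries no comment saying what 8448 is, while vhosts.nix in this same commit tags the port `# Matrix federation`; a reader of the firewall alone cannot tell why a second raw port is being forwarded to middleman. Suggest `port = 8448; # Matrix federation (Synapse, via middleman)` here, and the same short comment on the accept rule in the next hunk (`tcp dport { http, https, 8448 }`) and on middleman's `tcp.allowed` list, so the three places that must agree on this port are cross-referenced. The forward list and the `extraRules` string both start and end outside these hunks.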
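Review bot: The comment `# Covers both IPv4 and IPv6` on the new `bind_addresses = [ "::" ]` holds only while the kernel's `net.ipv6.bindv6only` sysctl is 0 (the Linux default); if that is ever set to 1 the 8008 listener silently stops answering IPv4. Suggest spelling that out: `# "::" also accepts IPv4 as long as net.ipv6.bindv6only=0 (the default)`. Binding this `tls = false` listener on every address also makes it reachable from any network the container is attached to, not only from middleman; whether the container firewall limits that, and whether the listener's remaining options (which continue past the hunk) set `x_forwarded` so Synapse sees the real client address for its logging and rate limiting, is not visible here and is worth confirming.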
@@ -1,7 +1,37 @@
 { lib, pkgs, config, ... }:
 let
- inherit (builtins) mapAttrs;
- inherit (lib) mkMerge mkDefault genAttrs;
+ inherit (builtins) mapAttrs toJSON;
+ inherit (lib) mkMerge mkDefault genAttrs flatten;
+
+ dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
+ dualStackListen = ll: flatten (map dualStackListen' ll);
+
+ mkWellKnown = type: content: pkgs.writeTextFile {
+ name = "well-known-${type}";
+ destination = "/${type}";
+ text = content;
+ };
+ wellKnownRoot = pkgs.symlinkJoin {
+ name = "http-wellknown";
+ paths = [
+ # For federation
+ (mkWellKnown "matrix/server" (toJSON {
+ "m.server" = "matrix.nul.ie:443";
+ }))
+ # For clients
+ (mkWellKnown "matrix/client" (toJSON {
+ "m.homeserver".base_url = "https://matrix.nul.ie";
+ }))
+ ];
+ };
+ wellKnown = {
+ "/.well-known/" = {
+ alias = "${wellKnownRoot}/";
+ extraConfig = ''
+ autoindex on;
+ '';
+ };
+ };
 in
 {
 services.nginx.virtualHosts =
@@ -11,6 +41,10 @@ in
 default = true;
 forceSSL = true;
 onlySSL = false;
+ locations = mkMerge [
+ { }
+ wellKnown
+ ];
 };
 "pass.nul.ie" =
@@ -30,9 +64,28 @@ in
 };
 "matrix.nul.ie" =
 {
- globalRedirect = "element.nul.ie";
+ listen = dualStackListen [
+ {
+ port = 443;
+ ssl = true;
+ }
+ {
+ # Matrix federation
+ port = 8448;
+ ssl = true;
+ extraParameters = [ "default_server" ];
+ }
+ ];
+ locations = mkMerge [
+ {
+ "/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
+ "= /".return = "301 https://element.nul.ie";
+ }
+ wellKnown
+ ];
 useACMEHost = lib.my.pubDomain;
 };
+
 "element.nul.ie" =
 let
 headers = ''
diff --git a/secrets/synapse.yaml.age b/secrets/synapse.yaml.age
index 401ac7b..30e3317 100644
Binary files a/secrets/synapse.yaml.age and b/secrets/synapse.yaml.age differ
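Review bot: The `/.well-known/` location serves the two JSON documents without the headers Matrix consumers expect: the files have no extension, so nginx will label them with its configured `default_type` (likely `application/octet-stream` or `text/plain`) and send no CORS header, while the spec asks for `Access-Control-Allow-Origin: *` on `/.well-known/matrix/client` so that web clients such as the Element instance on element.nul.ie can read it cross-origin. Suggest replacing `autoindex on;` in `extraConfig` with `default_type application/json;` and `add_header Access-Control-Allow-Origin "*";`, since no Matrix client or server needs a directory listing (they fetch exact paths) and the listing only advertises what sits under the prefix. If any vhost that receives `wellKnown` also answers ACME http-01 challenges under `/.well-known/acme-challenge/`, confirm that location still wins (nginx prefers the longer prefix, so it should).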
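Review bot: `locations = mkMerge [ { } wellKnown ];` merges an empty attrset, which reads like a placeholder that was left in; `locations = wellKnown;` expresses the same thing, or if the empty set marks where this vhost's own locations will go, a short comment inside it (`# vhost-specific locations go here`) would make that intent explicit. The enclosing vhost attrset starts before this hunk.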
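Review bot: `"/".proxyPass` hands the whole URL space of matrix.nul.ie to Synapse, which includes the `/_synapse/admin` endpoints that Synapse's reverse-proxy guidance recommends keeping off the public side, and with the 8448 `default_server` listener that surface is answered for any name reaching the federation port. Suggest proxying only the documented prefixes, `"/_matrix".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";` and `"/_synapse/client".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";`, while keeping `"= /".return = "301 https://element.nul.ie";` so the admin API is not reachable from outside even with a valid token leak. Synapse's media upload limit is well above nginx's default `client_max_body_size`, so those locations probably also need that raised unless middleman's nginx does so globally — not visible here. Since the `"m.server"` delegation in the first hunk already sends federation to :443, the 8448 listener is only a fallback for peers that do not honour `.well-known`, which is worth saying next to `# Matrix federation`.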