From 106698b53ed9464715ffc9969cce05c3cbdbcba9 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Sat, 11 Jun 2022 01:20:32 +0100 Subject: [PATCH] nixos/middleman: Working Matrix --- nixos/boxes/colony/vms/estuary/default.nix | 6 +- .../vms/shill/containers/chatterbox.nix | 4 +- .../shill/containers/middleman/default.nix | 2 +- .../vms/shill/containers/middleman/vhosts.nix | 59 +++++++++++++++++- secrets/synapse.yaml.age | Bin 539 -> 657 bytes 5 files changed, 65 insertions(+), 6 deletions(-) diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index c9f9033..10577a0 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -154,6 +154,10 @@ port = "https"; dst = allAssignments.middleman.internal.ipv4.address + ":https"; } + { + port = 8448; + dst = allAssignments.middleman.internal.ipv4.address + ":8448"; + } ]; }; extraRules = @@ -170,7 +174,7 @@ # Safe enough to allow all SSH tcp dport ssh accept - ${matchInet "tcp dport { http, https } accept" "middleman"} + ${matchInet "tcp dport { http, https, 8448 } accept" "middleman"} return } diff --git a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix index ecb5d39..2352c9a 100644 --- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix +++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix @@ -58,6 +58,8 @@ listeners = [ { + # Covers both IPv4 and IPv6 + bind_addresses = [ "::" ]; port = 8008; type = "http"; tls = false; @@ -70,8 +72,8 @@ ]; } { - port = 9000; bind_addresses = [ "127.0.0.1" "::1" ]; + port = 9000; type = "manhole"; # The NixOS module has defaults for these that we need to override since they don't make sense here diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix index 94111ac..aa27779 100644 
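Review bot: `bind_addresses = [ "::" ]` on the port-8008 listener, combined with its `tls = false`, makes Synapse's plaintext client/federation listener reachable from every address the chatterbox container has, not only from the middleman proxy; whether chatterbox's container firewall limits 8008 to middleman's address is not visible in this hunk and should be confirmed. Because the proxy now sits on another host, the listener should also carry `x_forwarded = true` so Synapse takes client IPs from `X-Forwarded-For` (used for rate limiting and device records) rather than attributing everything to the proxy — the listener's remaining fields are outside the hunk, so confirm it is set. A comment stating the intent would help, e.g. `# Plaintext; must only be reachable from middleman's nginx (enforce in the container firewall)`. The listeners list continues outside the hunk.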
--- a/nixos/boxes/colony/vms/shill/containers/middleman/default.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/default.nix @@ -49,7 +49,7 @@ }; firewall = { - tcp.allowed = [ "http" "https" ]; + tcp.allowed = [ "http" "https" 8448 ]; }; }; diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix index 28ce388..b136644 100644 --- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix +++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix @@ -1,7 +1,37 @@ { lib, pkgs, config, ... }: let - inherit (builtins) mapAttrs; - inherit (lib) mkMerge mkDefault genAttrs; + inherit (builtins) mapAttrs toJSON; + inherit (lib) mkMerge mkDefault genAttrs flatten; + + dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ]; + dualStackListen = ll: flatten (map dualStackListen' ll); + + mkWellKnown = type: content: pkgs.writeTextFile { + name = "well-known-${type}"; + destination = "/${type}"; + text = content; + }; + wellKnownRoot = pkgs.symlinkJoin { + name = "http-wellknown"; + paths = [ + # For federation + (mkWellKnown "matrix/server" (toJSON { + "m.server" = "matrix.nul.ie:443"; + })) + # For clients + (mkWellKnown "matrix/client" (toJSON { + "m.homeserver".base_url = "https://matrix.nul.ie"; + })) + ]; + }; + wellKnown = { + "/.well-known/" = { + alias = "${wellKnownRoot}/"; + extraConfig = '' + autoindex on; + ''; + }; + }; in { services.nginx.virtualHosts = @@ -11,6 +41,10 @@ in default = true; forceSSL = true; onlySSL = false; + locations = mkMerge [ + { } + wellKnown + ]; }; "pass.nul.ie" = 
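Review bot: The `/.well-known/matrix/client` document in `wellKnown` is served without an `Access-Control-Allow-Origin: *` header, which browser-based clients on another origin (element.nul.ie here) need in order to read it; the `extraConfig` of the `"/.well-known/"` location is the place for `add_header Access-Control-Allow-Origin *;`. `autoindex on;` in that same `extraConfig` enables a directory listing of the whole well-known root, which serves no purpose for two fixed files and is best dropped in favour of the header plus `default_type application/json;`, since the extension-less files from `mkWellKnown` would otherwise go out as `application/octet-stream`. The Synapse federation resolver ignores the content type, so the server document works either way, but the client document is the one web clients parse. The `in {` / `services.nginx.virtualHosts =` tail of this hunk opens an attribute set that continues into the next hunk.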
@@ -30,9 +64,28 @@ in }; "matrix.nul.ie" = { - globalRedirect = "element.nul.ie"; + listen = dualStackListen [ + { + port = 443; + ssl = true; + } + { + # Matrix federation + port = 8448; + ssl = true; + extraParameters = [ "default_server" ]; + } + ]; + locations = mkMerge [ + { + "/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008"; + "= /".return = "301 https://element.nul.ie"; + } + wellKnown + ]; useACMEHost = lib.my.pubDomain; }; + "element.nul.ie" = let headers = '' diff --git a/secrets/synapse.yaml.age b/secrets/synapse.yaml.age index 401ac7b261fbbd56077bbd15de112f54297c70e8..30e33178e367b628836fed28f2cfc5b34e6e228e 100644 GIT binary patch delta 624 zcmV-$0+0Qh1d#=hEPpFxVR$)ES~PNMPEmI=LTEEKY<75dLq=IsH(4-dbY(?2Z*Ws= zNl8*fcM4Q=O-*P@QDH$dbuUy)P)BSpOG|PycxhBQa!q(ib4hD$Z)jvRXHisaX9_Jo zAXqXrH8D9LNm6E0NJUakaB(FEoX9NVRL05GB;IRODqaCWkgg(S8O(PMRRO%VP;iPXIVH|b#G&JXl*evMKCx) zR(V=gD@`&{L4Pl3cWh&1GIVA)Y-@NoI8QZfb~JBg3Ts=dh*PJJ|1&lofjeXZ^;ETB zlYiz1y+;s);ouO`P9loB9$5WBOP%QTwVnabkOQ7zm&&;93H)`+2SplR1|FU)g~)sKq;M z4@LUhg`Rezsio@@f=Pj7LRS5&vs^}D=9ib;s0c_VaLPWb#!TGcx7WwMn-5%ZZ<1WPE<%_cWyIQOn+`tH&jVwMMg1FPjFII z3N$lJYiDXhB&+N-uLtGH5w3GC4wabU8v)MRiw3Hcc=$F;_WR zM=NJBLriBuaDPrSWLGqBMr&*eZ&YPrMmcz8O;C0(cVt3WQh8cxVrL31EiE8aLrHQq zc{Ex%byr$tctlV%YGN^OGHWkrHgaSyH%~HENNP}cPGMAPZ7>RW!)B|4z_mGKXU}Nz zmDFHPwmYF_)^cF4`UUFu4u&MG{i4(Rn9-k4p-}CaJ92=4y0#1Eijnyl?GDW1`9axq z>Z!5vX>7Dq9!ujTg`JSuO_lM=4?6jX$d1o1*83;4lr;z~v#WST2Ta=JY
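Review bot: `"/".proxyPass` forwards every path on both the 443 and the 8448 listeners to Synapse, which publicly exposes `/_synapse/admin` (the admin API) on the federation port as well as the client port; Synapse's reverse-proxy guidance proxies only `~ ^(/_matrix|/_synapse/client)` and keeps the admin API for trusted networks, so `"~ ^(/_matrix|/_synapse/client)".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";` is a safer replacement for the `"/"` location (the `"= /"` redirect still takes precedence as an exact match). Media uploads also traverse this proxy, so the vhost should set `client_max_body_size` to match Synapse's `max_upload_size`, otherwise nginx rejects larger uploads with 413 — presumably the NixOS default is smaller than Synapse's, but the Synapse setting lives in chatterbox.nix outside this diff, so confirm. `extraParameters = [ "default_server" ]` on 8448 makes this vhost answer any server name on that port, which is fine only while it stays the sole vhost listening there; a comment such as `# Only vhost on 8448; default_server catches federation requests with any SNI` would record that assumption. The virtualHosts attribute set continues past the end of the hunk.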