From 7b9045586f10429b8cfe5a2829c1b91d2798ec19 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Tue, 7 Nov 2023 19:20:27 +0000
Subject: [PATCH] nixos/chatterbox: Add Matrix sliding sync proxy

Also fix nginx upstream definitions
---
 lib/constants.nix | 9 +++++
 .../vms/shill/containers/chatterbox.nix | 39 ++++++++++++++++++-
 .../vms/shill/containers/middleman/vhosts.nix | 34 +++++++++-------
 secrets/chatterbox/syncv3.env.age | 16 ++++++++
 4 files changed, 82 insertions(+), 16 deletions(-)
 create mode 100644 secrets/chatterbox/syncv3.env.age

diff --git a/lib/constants.nix b/lib/constants.nix
index 31492d5..5d70ae9 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -1,4 +1,13 @@
 { lib }: rec {
+ ids = {
+ uids = {
+ matrix-syncv3 = 400;
+ };
+ gids = {
+ matrix-syncv3 = 400;
+ };
+ };
+
 nginx = {
 proxyHeaders = ''
 # Setting any proxy_header in a child (e.g. location) will nuke the parents...
diff --git a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
index 713b2df..2833419 100644
--- a/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+++ b/nixos/boxes/colony/vms/shill/containers/chatterbox.nix
@@ -22,7 +22,7 @@ in
 configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
 let
- inherit (lib) mkMerge mkIf;
+ inherit (lib) mkMerge mkIf mkForce;
 inherit (lib.my) networkdAssignment;
 in
 {
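Review bot: The static id 400 assigned to matrix-syncv3 in the new ids.uids and ids.gids sets sits at the bottom of the range NixOS uses for dynamically allocated system accounts (400–999, if I recall update-users-groups.pl correctly), so on a host that has already handed 400 to some other system user the two accounts would share an id and therefore each other's files, which is the opposite of what a dedicated secrets owner is for. Worth confirming against the NixOS allocation range before relying on it, and documenting the intent here so the next id added follows the same rule, e.g. `# Static ids for services that must own agenix secrets; keep clear of NixOS's dynamic system-id range`.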
@@ -43,16 +43,41 @@ in
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
+ "chatterbox/syncv3.env" = {
+ owner = "matrix-syncv3";
+ group = "matrix-syncv3";
+ };
 };
 };
 firewall = {
- tcp.allowed = [ 19999 8008 ];
+ tcp.allowed = [ 19999 8008 8009 ];
+ };
+ };
+
+ users = with lib.my.c.ids; {
+ users = {
+ matrix-syncv3 = {
+ isSystemUser = true;
+ uid = uids.matrix-syncv3;
+ group = "matrix-syncv3";
+ };
+ };
+ groups = {
+ matrix-syncv3.gid = gids.matrix-syncv3;
 };
 };
 systemd = {
 network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+ services = {
+ matrix-sliding-sync.serviceConfig = {
+ # Needs to be able to read its secrets
+ DynamicUser = mkForce false;
+ User = "matrix-syncv3";
+ Group = "matrix-syncv3";
+ };
+ };
 };
 services = {
@@ -142,6 +167,16 @@ in
 "/var/lib/heisenbridge/registration.yml"
 ];
 };
+
+ sliding-sync = {
+ enable = true;
+ createDatabase = false;
+ environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
+ settings = {
+ SYNCV3_BINDADDR = "[::]:8009";
+ SYNCV3_SERVER = "http://localhost:8008";
+ };
+ };
 };
 heisenbridge = {
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
index 241ecb5..bc69715 100644
--- a/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+++ b/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
@@ -4,6 +4,7 @@ let
 inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
 inherit (lib.my.c) pubDomain;
 inherit (lib.my.c.nginx) proxyHeaders;
+ inherit (config.networking) domain;
 dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
 dualStackListen = ll: flatten (map dualStackListen' ll);
@@ -34,6 +35,7 @@ let
 # For clients
 (mkWellKnown "matrix/client" (toJSON {
 "m.homeserver".base_url = "https://matrix.nul.ie";
+ "org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
 }))
 ];
 };
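Review bot: `DynamicUser = mkForce false` on matrix-sliding-sync.serviceConfig also discards the hardening that DynamicUser= implies (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID), so unless the upstream module sets those explicitly the unit now runs with less sandboxing than before, not merely under a different uid. If the module passes `environmentFile` to systemd as EnvironmentFile=, the service manager reads that file before privileges are dropped, so the secret may be readable without a static user at all — worth testing before carrying the uid/gid plumbing across lib/constants.nix and this file. Whichever way it goes, the comment should state the actual constraint, e.g. `# agenix secret is owned by matrix-syncv3 and DynamicUser cannot read it, so pin the unit to that account`, and if DynamicUser stays off the dropped ProtectSystem/ProtectHome/PrivateTmp settings should be restated next to User/Group. The enclosing configuration attribute set starts and ends outside the hunk.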
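Review bot: The advertised sliding-sync endpoint on the new `"org.matrix.msc3575.proxy".url` line is a literal `https://matrix-syncv3.nul.ie`, while the vhost that serves it later in this file is named `matrix-syncv3.${pubDomain}`; if pubDomain ever diverges from that literal, clients are pointed at a host that does not exist and sliding sync silently falls back or fails. This follows the literal `m.homeserver` line just above it, so it is pre-existing style rather than a new defect, but `"org.matrix.msc3575.proxy".url = "https://matrix-syncv3.${pubDomain}";` would keep the two in step. The enclosing mkWellKnown list starts above the hunk.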
@@ -121,7 +123,7 @@ in
 "~ /(?${matchHosts})$".return = "301 https://$host/$behost/";
 "~ /(?${matchHosts})/(?.*)" = mkMerge [
 {
- proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
+ proxyPass = "http://$behost.${domain}:19999/$ndpath$is_args$args";
 extraConfig = ''
 proxy_pass_request_headers on;
 ${proxyHeaders}
@@ -143,7 +145,7 @@ in
 "pass.${pubDomain}" =
 let
- upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
+ upstream = "http://vaultwarden-ctr.${domain}";
 in
 {
 locations = {
@@ -173,13 +175,17 @@ in
 ];
 locations = mkMerge [
 {
- "/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
+ "/".proxyPass = "http://chatterbox-ctr.${domain}:8008";
 "= /".return = "301 https://element.${pubDomain}";
 }
 wellKnown
 ];
 useACMEHost = pubDomain;
 };
+ "matrix-syncv3.${pubDomain}" = {
+ locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
+ useACMEHost = pubDomain;
+ };
 "element.${pubDomain}" =
 let
@@ -233,7 +239,7 @@ in
 {
 locations."/" = mkMerge [
 {
- proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
+ proxyPass = "http://jackflix-ctr.${domain}:9091";
 }
 (ssoLoc "generic")
 ];
@@ -246,7 +252,7 @@ in
 {
 locations."/" = mkMerge [
 {
- proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
+ proxyPass = "http://jackflix-ctr.${domain}:9117";
 }
 (ssoLoc "generic")
 ];
@@ -258,7 +264,7 @@ in
 {
 locations."/" = mkMerge [
 {
- proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
+ proxyPass = "http://jackflix-ctr.${domain}:7878";
 proxyWebsockets = true;
 extraConfig = proxyHeaders;
 }
@@ -272,7 +278,7 @@ in
 {
 locations."/" = mkMerge [
 {
- proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
+ proxyPass = "http://jackflix-ctr.${domain}:8989";
 proxyWebsockets = true;
 extraConfig = proxyHeaders;
 }
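Review bot: The new `matrix-syncv3.${pubDomain}` vhost proxies to port 8009 with a bare `locations."/".proxyPass` and, unlike the other reverse-proxy locations in this file (the 7878, 8989 and, further down, 9090 ones), sets no `extraConfig = proxyHeaders;`, so the sliding-sync proxy will see middleman's own address instead of the client's in whatever it logs or rate-limits, unless nginx's recommended proxy settings are enabled somewhere outside this hunk. The matrix.${pubDomain} location just above has the same gap, so if it is deliberate a one-line comment would save the next reader the question; otherwise `locations."/" = { proxyPass = "http://chatterbox-ctr.${domain}:8009"; extraConfig = proxyHeaders; };` brings it in line with its siblings. The enclosing virtualHosts set starts and ends outside the hunk.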
@@ -285,7 +291,7 @@ in
 "jackflix.${pubDomain}" =
 let
- upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
+ upstream = "http://jackflix-ctr.${domain}:8096";
 in
 {
 extraConfig = ''
@@ -335,17 +341,17 @@ in
 "/".tryFiles = "$uri @proxy";
 "^~ /api/v1/streaming" = {
- proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
+ proxyPass = "http://toot-ctr.${domain}:55000";
 proxyWebsockets = true;
 extraConfig = ''
 ${proxyHeaders}
 proxy_set_header Proxy "";
- add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 '';
 };
 "@proxy" = {
- proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
+ proxyPass = "http://toot-ctr.${domain}:55001";
 proxyWebsockets = true;
 extraConfig = ''
 ${proxyHeaders}
@@ -366,7 +372,7 @@ in
 "share.${pubDomain}" = {
 locations."/" = {
- proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
+ proxyPass = "http://object-ctr.${domain}:9090";
 proxyWebsockets = true;
 extraConfig = proxyHeaders;
 };
@@ -388,7 +394,7 @@ in
 minio =
 let
- host = "object-ctr.${config.networking.pubDomain}";
+ host = "object-ctr.${domain}";
 s3Upstream = "http://${host}:9000";
 extraConfig = ''
 chunked_transfer_encoding off;
@@ -443,7 +449,7 @@ in
 defaultsFor = mapAttrs (n: _: {
 onlySSL = mkDefault true;
- useACMEHost = mkDefault "${config.networking.pubDomain}";
+ useACMEHost = mkDefault "${domain}";
 kTLS = mkDefault true;
 http2 = mkDefault true;
 });
diff --git a/secrets/chatterbox/syncv3.env.age b/secrets/chatterbox/syncv3.env.age
new file mode 100644
index 0000000..e450fbf
--- /dev/null
+++ b/secrets/chatterbox/syncv3.env.age
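Review bot: The `includeSubpubDomains` → `includeSubdomains` repair in the toot streaming location shows that an earlier mechanical rename of domain to pubDomain also rewrote the inside of string literals, and this commit fixes only the one occurrence its other edits happen to touch; the rest of this file and any other nix files that went through the same rename are worth grepping for the artifact (`SubpubDomains`, or `pubDomain` inside quoted header values) since a mangled HSTS directive is silently ignored by browsers rather than rejected. While on that line, the directive's canonical spelling is `includeSubDomains` (RFC 6797 matches it case-insensitively, so this is style only): `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`. The enclosing toot vhost definition starts and ends outside the hunk.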
@@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBYUTlr +Mm1ubFFPTHhhb3NERHJPaXoxamt5bUtqQmRkUTFGZCsvaUtyZGdrCmVNUEtrSTVQ +MkdHWnd1OTNSN3lOaFdrdWsxUHM2S0VZVlNRWGt4R0FyZ0UKLT4gWDI1NTE5IFNZ +QUhpVU04WWpEZThEaE82WDJvT3NVVWxNRVFEZjluVW8rbGhOQ0Rua0kKOWlZYlFh +RjduNDAwS0NJa0lPNmx6dmIvdmFtcXJyaG5FQ2hVU01qby9sTQotPiBVJjEhLWdy +ZWFzZSBOYyllZE4KV0lYMmErd3RvUWp1UVRvdlpKTUZWWlJHK1laN2FoZGh2aVlM +dTdLbWZsVkozVTBwb2JyeGpFMy9FcjR0eDhxQQpUL05uT2ZSUytNV01wMjFYRWZL +NTRkSmlkcUl4LzJYTDQwMm43cVJVeTdkY0dxdkI1ZjA3Z2NoU3NBCi0tLSB4Y3lV +UVphTEtIWFhVQ1h4MUZzNDYzSEhDUFpMcE1ZdFNtd1A2Rk5lMUhRCp/F11nGICQA +L5uInKKk8jVGzpG93U4Kz3zut6jGF/is4cVuvkRHZLKiUVC4kILirdinnbxlJY2Y +Gkpef0zthmNhfFhsgjj5Tmxyiu1L+6GkY0z2GlKR8uRUG4bXsDQzDkZQm8Wcmrrt +9lG04SI0Dj7Gc2HJEwjl7ZPBi9qnFU49on+/Y5DIpzTllgE7luduFLjLM2Q+kNGK +cU8cF+gvrpyAFytiUZ3jhATtXsqC0dzsugjj8pmT1WQzZd6iqVJ84G2pMg+boVyn +aVLGrcn3qOnIIJLKrYEjyxSYMGs= +-----END AGE ENCRYPTED FILE-----