nixos: services: matrix: simplify listeners
parent
0792e8c7cb
commit
bd019258cb
1 changed files with 30 additions and 63 deletions
|
|
@ -10,13 +10,11 @@
|
||||||
let
|
let
|
||||||
cfg = config.my.services.matrix;
|
cfg = config.my.services.matrix;
|
||||||
|
|
||||||
federationPort = { public = 8448; private = 11338; };
|
|
||||||
clientPort = { public = 443; private = 11339; };
|
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
matrixDomain = "matrix.${domain}";
|
matrixDomain = "matrix.${domain}";
|
||||||
|
|
||||||
serverConfig = {
|
serverConfig = {
|
||||||
"m.server" = "${matrixDomain}:${toString federationPort.public}";
|
"m.server" = "${matrixDomain}:443";
|
||||||
};
|
};
|
||||||
clientConfig = {
|
clientConfig = {
|
||||||
"m.homeserver" = {
|
"m.homeserver" = {
|
||||||
|
|
@ -39,6 +37,13 @@ in
|
||||||
options.my.services.matrix = with lib; {
|
options.my.services.matrix = with lib; {
|
||||||
enable = mkEnableOption "Matrix Synapse";
|
enable = mkEnableOption "Matrix Synapse";
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
type = types.port;
|
||||||
|
default = 8448;
|
||||||
|
example = 8008;
|
||||||
|
description = "Internal port for listeners";
|
||||||
|
};
|
||||||
|
|
||||||
secretFile = mkOption {
|
secretFile = mkOption {
|
||||||
type = with types; nullOr str;
|
type = with types; nullOr str;
|
||||||
default = null;
|
default = null;
|
||||||
|
|
@ -78,22 +83,22 @@ in
|
||||||
enable_registration = false;
|
enable_registration = false;
|
||||||
|
|
||||||
listeners = [
|
listeners = [
|
||||||
# Federation
|
|
||||||
{
|
{
|
||||||
|
inherit (cfg) port;
|
||||||
bind_addresses = [ "::1" ];
|
bind_addresses = [ "::1" ];
|
||||||
port = federationPort.private;
|
type = "http";
|
||||||
tls = false; # Terminated by nginx.
|
tls = false;
|
||||||
x_forwarded = true;
|
x_forwarded = true;
|
||||||
resources = [{ names = [ "federation" ]; compress = false; }];
|
resources = [
|
||||||
}
|
{
|
||||||
|
names = [ "client" ];
|
||||||
# Client
|
compress = true;
|
||||||
{
|
}
|
||||||
bind_addresses = [ "::1" ];
|
{
|
||||||
port = clientPort.private;
|
names = [ "federation" ];
|
||||||
tls = false; # Terminated by nginx.
|
compress = false;
|
||||||
x_forwarded = true;
|
}
|
||||||
resources = [{ names = [ "client" ]; compress = false; }];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
@ -130,11 +135,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# Dummy VHosts for port collision detection
|
# Dummy VHosts for port collision detection
|
||||||
matrix-federation = {
|
matrix-dummy = {
|
||||||
port = federationPort.private;
|
inherit (cfg) port;
|
||||||
};
|
|
||||||
matrix-client = {
|
|
||||||
port = clientPort.private;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -144,45 +146,15 @@ in
|
||||||
onlySSL = true;
|
onlySSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = domain;
|
||||||
|
|
||||||
locations =
|
locations = {
|
||||||
let
|
# Or do a redirect instead of the 404, or whatever is appropriate
|
||||||
proxyToClientPort = {
|
# for you. But do not put a Matrix Web client here! See the
|
||||||
proxyPass = "http://[::1]:${toString clientPort.private}";
|
# Element web section below.
|
||||||
};
|
"/".return = "404";
|
||||||
in
|
|
||||||
{
|
|
||||||
# Or do a redirect instead of the 404, or whatever is appropriate
|
|
||||||
# for you. But do not put a Matrix Web client here! See the
|
|
||||||
# Element web section below.
|
|
||||||
"/".return = "404";
|
|
||||||
|
|
||||||
"/_matrix" = proxyToClientPort;
|
"/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
|
||||||
"/_synapse/client" = proxyToClientPort;
|
"/_synapse/client".proxyPass = "http://[::1]:${toString cfg.port}";
|
||||||
};
|
|
||||||
|
|
||||||
listen = [
|
|
||||||
{ addr = "0.0.0.0"; port = clientPort.public; ssl = true; }
|
|
||||||
{ addr = "[::]"; port = clientPort.public; ssl = true; }
|
|
||||||
];
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
# same as above, but listening on the federation port
|
|
||||||
"${matrixDomain}_federation" = {
|
|
||||||
onlySSL = true;
|
|
||||||
serverName = matrixDomain;
|
|
||||||
useACMEHost = domain;
|
|
||||||
|
|
||||||
locations."/".return = "404";
|
|
||||||
|
|
||||||
locations."/_matrix" = {
|
|
||||||
proxyPass = "http://[::1]:${toString federationPort.private}";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
listen = [
|
|
||||||
{ addr = "0.0.0.0"; port = federationPort.public; ssl = true; }
|
|
||||||
{ addr = "[::]"; port = federationPort.public; ssl = true; }
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
|
|
@ -197,11 +169,6 @@ in
|
||||||
# For administration tools.
|
# For administration tools.
|
||||||
environment.systemPackages = [ pkgs.matrix-synapse ];
|
environment.systemPackages = [ pkgs.matrix-synapse ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
clientPort.public
|
|
||||||
federationPort.public
|
|
||||||
];
|
|
||||||
|
|
||||||
my.services.backup = {
|
my.services.backup = {
|
||||||
paths = [
|
paths = [
|
||||||
config.services.matrix-synapse.dataDir
|
config.services.matrix-synapse.dataDir
|
||||||
|
|
|
||||||
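Review bot: The merged listener sets `compress = true;` for the `client` resource, where the removed client listener had `compress = false`, so a behaviour change is riding along in a commit described as a simplification. Compressing authenticated responses under TLS is worth deciding deliberately; if it is intended, a short comment beside it would record that, otherwise keep `compress = false;`. Separately, the new `port` option defaults to 8448, the conventional public federation port, although the listener binds only `::1` and nginx no longer listens on 8448. A description such as `description = "Loopback port Synapse listens on; nginx proxies to it";` would make clear that this port is never exposed. Removing `networking.firewall.allowedTCPPorts` also means 443 must be opened elsewhere, presumably by the nginx module, which is not visible on this page.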