diff --git a/nixos/module/hectic/service/element-rtc.nix b/nixos/module/hectic/service/element-rtc.nix
index 2a4f152..867182e 100644
--- a/nixos/module/hectic/service/element-rtc.nix
+++ b/nixos/module/hectic/service/element-rtc.nix
@@ -47,14 +47,13 @@ in {
 virtualHosts.${cfg.matrixDomain} = {
 forceSSL = true;
 enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8008";
- };
 locations."=/.well-known/matrix/client" = {
 extraConfig = ''
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
 '';
 return = ''200 '{
 "m.homeserver": {
diff --git a/nixos/module/hectic/service/matrix.nix b/nixos/module/hectic/service/matrix.nix
index faff1a0..5e1c0fa 100644
--- a/nixos/module/hectic/service/matrix.nix
+++ b/nixos/module/hectic/service/matrix.nix
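Review bot: With `locations."/"` and its `proxyPass = "http://127.0.0.1:8008";` removed, nothing left in this hunk serves the client API on `cfg.matrixDomain`, yet the `.well-known/matrix/client` document still advertises that host as the homeserver; presumably matrix.nix now owns that location, but it is not visible here, so it is worth confirming the two modules do not both define `virtualHosts.${cfg.matrixDomain}` with conflicting settings. The two added `add_header` lines are duplicated byte-for-byte in the matrix.nix hunk at `-153,6 +168,8` (the `.well-known/matrix/server` location); lifting them into one shared snippet such as `corsHeaders = ''…'';` in a common `let` keeps the two endpoints from drifting. Bear in mind that nginx `add_header` inside a `location` replaces rather than extends headers inherited from the server block, so any security headers set at vhost level must be restated in this location. The `virtualHosts` attribute set continues past the hunk.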
@@ -54,26 +54,41 @@ in {
 config = lib.mkIf cfg.enable {
 services.matrix-synapse = {
 enable = true;
- settings = {
- server_name = cfg.matrixDomain;
- public_baseurl = "https://${cfg.matrixDomain}";
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "0.0.0.0" ];
- type = "http";
+ settings = {
+ server_name = cfg.matrixDomain;
+ public_baseurl = "https://${cfg.matrixDomain}";
+ experimental_features = {
+ msc3266_enabled = true;
+ msc4140_enabled = true;
+ msc4143_enabled = true;
+ msc4222_enabled = true;
+ };
+ matrix_rtc = {
+ transports = [
+ {
+ type = "livekit";
+ livekit_service_url = "https://${cfg.matrixDomain}/livekit/jwt";
+ }
+ ];
+ };
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "0.0.0.0" ];
+ type = "http";
 tls = false;
 resources = [
 {
- names = [
- "client"
- # Ability speak between different matrix servers and get
- # global id, requires .well-known
- "federation"
- ];
- compress = false;
- }
- ];
+ names = [
+ "client"
+ # Ability speak between different matrix servers and get
+ # global id, requires .well-known
+ "federation"
+ "openid"
+ ];
+ compress = false;
+ }
+ ];
 }
 ];
@@ -100,7 +115,7 @@ in {
 ];
 enableTCPIP = true;
- port = cfg.postgresql.port;
+ settings.port = cfg.postgresql.port;
 authentication = builtins.concatStringsSep "\n" [
 "local all all trust"
 "host sameuser all 127.0.0.1/32 scram-sha-256"
@@ -153,6 +168,8 @@ in {
 extraConfig = ''
 default_type application/json;
 add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
 '';
 return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'";
 };
diff --git a/nixos/module/hectic/service/voice-tune.nix b/nixos/module/hectic/service/voice-tune.nix
index 671aea5..0d314f4 100644
--- a/nixos/module/hectic/service/voice-tune.nix
+++ b/nixos/module/hectic/service/voice-tune.nix
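Review bot: The re-indented listener on the new side keeps `bind_addresses = [ "0.0.0.0" ];` together with `tls = false;`, so the plaintext client, federation and newly added `openid` resources answer on every interface on port 8008, while nginx is the intended front door (the element-rtc.nix hunk proxies to `http://127.0.0.1:8008`); `bind_addresses = [ "127.0.0.1" ];` restricts the listener to the proxy, and since the firewall hunk in hectic-lab.nix does not list 8008 the current exposure appears to rest on the host firewall alone. Because the listener sits behind a reverse proxy it also lacks `x_forwarded = true;`, without which Synapse rate-limits and logs against the proxy's address rather than the client's. The four `experimental_features` toggles and the `matrix_rtc` block would benefit from a one-line comment naming what they enable (MSC4143-style RTC with a LiveKit transport), since they switch on unstable features on a production homeserver. `config = lib.mkIf cfg.enable {` opens before this hunk and closes after it.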
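Review bot: `settings.port = cfg.postgresql.port;` is the right option path, but the `authentication` block it sits beside still carries `"local all all trust"`, which lets any local OS account connect over the Unix socket as any database role, including the Synapse role, with no password; `"local all all peer"` (the connecting OS user must match the role name) is the usual choice for socket access and is what the Synapse and PostgreSQL services need here. That line predates this commit, so this is an adjacent observation rather than a regression, but the hunk is the natural place to fix it. The `services.postgresql` block continues beyond the hunk on both sides.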
@@ -61,7 +61,11 @@ in {
 turn_uris = [
 "turn:${cfg.matrixDomain}:3478?transport=udp"
 "turn:${cfg.matrixDomain}:3478?transport=tcp"
+ "turns:${cfg.matrixDomain}:5349?transport=udp"
+ "turns:${cfg.matrixDomain}:5349?transport=tcp"
 ];
+ turn_user_lifetime = 86400000;
+ turn_allow_guests = true;
 };
 };
 }
diff --git a/nixos/system/hectic-lab/hectic-lab.nix b/nixos/system/hectic-lab/hectic-lab.nix
index 465a824..e10cec6 100644
--- a/nixos/system/hectic-lab/hectic-lab.nix
+++ b/nixos/system/hectic-lab/hectic-lab.nix
@@ -15,6 +15,7 @@ with builtins;
 with lib;
 let
 domain = "hectic-lab.com";
+ matrixDomain = "accord.tube";
 sslOpts = {
 sslCertificate = config.sops.secrets."ssl/porkbun/${domain}/domain.cert.pem".path;
 sslCertificateKey = config.sops.secrets."ssl/porkbun/${domain}/private.key.pem".path;
@@ -53,6 +54,17 @@ in {
 ipv4 = "128.140.75.58";
 ipv6 = "2a01:4f8:c2c:d54a";
 };
+ services.matrix = {
+ enable = true;
+ secretsFile = config.sops.secrets."matrix/secrets".path;
+ turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
+ publicIp = "128.140.75.58";
+ postgresql = {
+ port = 5432;
+ initialEnvFile = config.sops.secrets."init-postgresql".path;
+ };
+ inherit matrixDomain;
+ };
 };
 # NOTE(yukkop): disk was provisioned by Hetzner rescue image, disko was never
@@ -120,6 +132,18 @@ in {
 sops.secrets."mailserver/snuff/hashedPassword" = {};
 sops.secrets."mailserver/antoshka/hashedPassword" = {};
 sops.secrets."mailserver/founders/hashedPassword" = {};
+ sops.secrets."init-postgresql" = {
+ key = "init-postgresql";
+ };
+ sops.secrets."matrix/secrets" = {
+ key = "matrix/secrets";
+ };
+ sops.secrets."matrix/turn-secret" = {
+ key = "matrix/turn-secret";
+ owner = "turnserver";
+ group = "turnserver";
+ mode = "0400";
+ };
 services.mailserver = {
 enable = true;
@@ -160,6 +184,7 @@ in {
 networking.firewall = {
 allowedTCPPorts = [
+ 80
 443
 3306 # mysql
 25565
diff --git a/sus/hectic-lab.yaml b/sus/hectic-lab.yaml
index 129fa25..3f8a8be 100644
--- a/sus/hectic-lab.yaml
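Review bot: `turn_user_lifetime = 86400000;` issues TURN credentials valid for 24 hours, against Synapse's default of one hour, so a credential that leaks into a client log or a captured request can relay traffic through this server for a full day; unless day-long calls are a real requirement, keep the default or justify the value inline, e.g. `turn_user_lifetime = 86400000; # 24h in ms — TODO justify or shorten`. `turn_allow_guests = true;` matches Synapse's default, but spelling it out raises the question of whether guest access is enabled on this homeserver at all, because guests obtaining relay credentials is the main abuse path of a TURN deployment; if guests are not enabled, dropping the line avoids implying they are. The new `turns:` URIs on 5349 presuppose that coturn listens with TLS on that port with a certificate for `cfg.matrixDomain`, which is not shown in this hunk. The enclosing attribute set begins before the hunk.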
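Review bot: `publicIp = "128.140.75.58";` repeats the literal that `ipv4 = "128.140.75.58";` binds three lines above in the same attribute set; binding it once in the `let` beside the new `matrixDomain` and referencing it in both places keeps the two from silently diverging when the host is re-provisioned. In the sops hunk at `-120,6 +132,18` only `matrix/turn-secret` gets explicit `owner`, `group` and `mode`, while `matrix/secrets` and `init-postgresql` keep sops-nix defaults (root-owned, mode 0400 as far as I know); that is only correct if whatever consumes `secretsFile` and `initialEnvFile` runs as root or receives the file through a systemd credential, and the `services.matrix` module is not visible here to confirm that, so a comment on those two secrets stating who reads them would make the intent checkable. The enclosing attribute set continues past the hunk.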
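Review bot: Port 80 joins `allowedTCPPorts`, which the `enableACME = true` vhosts need for HTTP-01, but nothing in this diff opens 3478 and 5349 (TCP and UDP) or coturn's relay range, and as far as I know `services.coturn` does not open them itself; if voice-tune.nix does not handle that elsewhere, the `turns:` URIs added in this commit will be advertised but unreachable. A trailing comment on the new entry, `80 # ACME HTTP-01 and redirect to 443`, would match the `3306 # mysql` style already used in the list. The `networking.firewall` set continues past the hunk.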
+++ b/sus/hectic-lab.yaml
@@ -11,6 +11,10 @@ mailserver:
 hashedPassword: ENC[AES256_GCM,data:Dv0vhe5LEFbAi/hadztQUTrRbPENSTxxOSTM7iwosH5kO28FCK56ZkKD8p/CLva6v97Cp2sWAXwd0fS6,iv:nUF4deb/8iF1mS5h+Z6oDE16YVQZ6ArfSnXG9DzqzLE=,tag:rKKlkYOl5oABbnzEjTOSVQ==,type:str]
 antoshka:
 hashedPassword: ENC[AES256_GCM,data:6Rgj4JIrEF9ZRRRwGpV4yCdS7cw81xKLfavuii1cHqZK3JDlD2HOAVYgrrl+fWD6rNxUPAXpVuAIgxCu,iv:Y67je0qtEpnbwhiYXL2FJUAedPlKdTTb6wGeSVVEaPQ=,tag:Thvt+gsebEjoIjwOmNgBGQ==,type:str]
+init-postgresql: ENC[AES256_GCM,data:Iw8M2P1QoqPVaEdM8Zo0qlHrYgop0iknDY4NtgDo,iv:RWj9AFnh4/KWCm3UH4RoCdM2lzsXGY7A7qko8xCxjp8=,tag:l8acSq8+NBXB4L1rVzG6kw==,type:str]
+matrix:
+ secrets: ENC[AES256_GCM,data:ivXp2YSiMI4hgL6122Ex+fGW0lsZvGD6XmiRvNgFgvzLH5yDv9uLsYcGCTYfQSL3X5VyIMGvsdRF+4pbIjBZMuQKrjvXv74E7aFBLQ2Qk98N3IIrznUFR3KXbHR6xXy5ILd7Bmw5JI/ZHULbmITahXUBt2kEJvfh4eAtqShNA4vsJrabHX9A8Q+2Ddp16w0cWftV5++WXzlNpvIc2Py6BwvfroNAjpSaO+ILYDOIL7XjPvF83fTt64pxZ9nsi3hCzcDtBgGkqc8=,iv:wvt9V2uYQUwivSwEIYZwcHjXr5WwMw19lgFDIa1CcVw=,tag:/22UZvp7+1hLbt+kV+wokQ==,type:str]
+ turn-secret: ENC[AES256_GCM,data:2RerKgYNFXEVM/YVmXt2l+t3BqduS+FlmjBWTA==,iv:6odb0HB9mntsceNaJtU2kwEVAiF0O88u47eDPLZVJbs=,tag:BJXAvK8abcnCLi96Kra5zA==,type:str]
 wg-bfs:
 private-key: ENC[AES256_GCM,data:/J02asiesrQcsO7Xbq66HQIQeSPmFEMkM2q/z+9Y42K8SYEQP0OYQz+8fXI=,iv:PdGhPWgGxhe0a7C6CaVM/ePKABT+y8HRFOAPzNwQk+c=,tag:9AI30JFh6uyaXXVjMBJ1zg==,type:str]
 ss-bfs:
@@ -72,7 +76,7 @@ sops:
 Yk43ZmlTc09aNFV1VjdjN2RWQlFWTDQKcYSvA2lHP8GS0lkYY19Tm8RXmFHQX5Ck
 qV2Fn22Fic4M5FVKDEMfaO6WmeXgki9a8dGeO9LlC+Phf16SOq7eLw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-26T15:09:14Z"
- mac: ENC[AES256_GCM,data:xDzKY+rn12ORC3HZHmMs3orTcg3kZiLwZYip/0ZZ7UJLJxoO98TIWvB1rxl8aAOjJCJ54LWRYkhMACn+4tdUhiy+RlsqVcL0jG9Vb1jpfVtPKy6tschoyVmWYOrc9dMHrnP3OEyYzqlAOdZ5tY9GubWx5hkdFOp17CtlCJV9faI=,iv:OXMlQ/ssDqiL9Lwv0EQefIIlv/VFBMwTSZ0WE3746k0=,tag:M3Oic7tiR/n71xEZrTa9tw==,type:str]
+ lastmodified: "2026-05-22T20:03:30Z"
+ mac: ENC[AES256_GCM,data:L59emZfOoFtisno0/yYVRtutaJAClIDStt6aWUzCI+WPU2g4XX5/pKGr3Lhd5bhyq7v+GWQJ6D94AfmeyVIIr2aJVQNlPlRKc+1Tn7VKDdqP2Seb4erkMmmxrmG6b7qCTTR7llF6zaqXXsnRav1JrTX1B5GFSgRjmIaVpM2Ik64=,iv:3u+LMlOdTYgXgqnFMamwlAJhqixB+P/cvyYyPlzqjjs=,tag:WyGkpArTk4r/nq+WA2vgPQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2