feat: module: ~matrix

nixos/module/hectic/service/element-rtc.nix

@@ -47,14 +47,13 @@ in {
       virtualHosts.${cfg.matrixDomain} = {
         forceSSL = true;
         enableACME = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8008";
-        };
 
         locations."=/.well-known/matrix/client" = {
           extraConfig = ''
             default_type application/json;
             add_header Access-Control-Allow-Origin *;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+            add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
           '';
           return = ''200 '{
             "m.homeserver": {

nixos/module/hectic/service/matrix.nix

@@ -54,26 +54,41 @@ in {
   config = lib.mkIf cfg.enable {
     services.matrix-synapse = {
       enable = true;
-      settings = {
-        server_name = cfg.matrixDomain;
-        public_baseurl = "https://${cfg.matrixDomain}";
-        listeners = [
-          {
-            port = 8008;
-            bind_addresses = [ "0.0.0.0" ];
-            type = "http";
+       settings = {
+         server_name = cfg.matrixDomain;
+         public_baseurl = "https://${cfg.matrixDomain}";
+         experimental_features = {
+           msc3266_enabled = true;
+           msc4140_enabled = true;
+           msc4143_enabled = true;
+           msc4222_enabled = true;
+         };
+         matrix_rtc = {
+           transports = [
+             {
+               type = "livekit";
+               livekit_service_url = "https://${cfg.matrixDomain}/livekit/jwt";
+             }
+           ];
+         };
+         listeners = [
+           {
+             port = 8008;
+             bind_addresses = [ "0.0.0.0" ];
+             type = "http";
             tls = false;
             resources = [
               {
-                names = [
-                  "client"
-                  # Ability speak between different matrix servers and get
-                  # global id, requires .well-known
-                  "federation"
-                ];
-                compress = false;
-              }
-            ];
+                 names = [
+                   "client"
+                   # Ability speak between different matrix servers and get
+                   # global id, requires .well-known
+                   "federation"
+                   "openid"
+                 ];
+                 compress = false;
+               }
+             ];
           }
         ];
 
@@ -100,7 +115,7 @@ in {
       ];
 
       enableTCPIP = true;
-      port = cfg.postgresql.port;
+      settings.port = cfg.postgresql.port;
       authentication = builtins.concatStringsSep "\n" [
         "local all         all           trust"
         "host  sameuser    all           127.0.0.1/32 scram-sha-256"
@@ -153,6 +168,8 @@ in {
           extraConfig = ''
             default_type application/json;
             add_header Access-Control-Allow-Origin *;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+            add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
           '';
           return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'";
         };

nixos/module/hectic/service/voice-tune.nix

@@ -61,7 +61,11 @@ in {
       turn_uris = [
         "turn:${cfg.matrixDomain}:3478?transport=udp"
         "turn:${cfg.matrixDomain}:3478?transport=tcp"
+        "turns:${cfg.matrixDomain}:5349?transport=udp"
+        "turns:${cfg.matrixDomain}:5349?transport=tcp"
       ];
+      turn_user_lifetime = 86400000;
+      turn_allow_guests = true;
     };
   };
 }

nixos/system/hectic-lab/hectic-lab.nix

@@ -15,6 +15,7 @@ with builtins;
 with lib;
 let
   domain = "hectic-lab.com";
+  matrixDomain = "accord.tube";
   sslOpts = {
     sslCertificate    = config.sops.secrets."ssl/porkbun/${domain}/domain.cert.pem".path;
     sslCertificateKey = config.sops.secrets."ssl/porkbun/${domain}/private.key.pem".path;
@@ -53,6 +54,17 @@ in {
       ipv4                   = "128.140.75.58";
       ipv6                   = "2a01:4f8:c2c:d54a";
     };
+    services.matrix = {
+      enable         = true;
+      secretsFile    = config.sops.secrets."matrix/secrets".path;
+      turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
+      publicIp       = "128.140.75.58";
+      postgresql = {
+        port           = 5432;
+        initialEnvFile = config.sops.secrets."init-postgresql".path;
+      };
+      inherit matrixDomain;
+    };
   };
 
   # NOTE(yukkop): disk was provisioned by Hetzner rescue image, disko was never
@@ -120,6 +132,18 @@ in {
   sops.secrets."mailserver/snuff/hashedPassword"         = {};
   sops.secrets."mailserver/antoshka/hashedPassword"      = {};
   sops.secrets."mailserver/founders/hashedPassword"      = {};
+  sops.secrets."init-postgresql" = {
+    key = "init-postgresql";
+  };
+  sops.secrets."matrix/secrets" = {
+    key = "matrix/secrets";
+  };
+  sops.secrets."matrix/turn-secret" = {
+    key   = "matrix/turn-secret";
+    owner = "turnserver";
+    group = "turnserver";
+    mode  = "0400";
+  };
 
   services.mailserver = {
     enable = true;
@@ -160,6 +184,7 @@ in {
 
   networking.firewall = {
     allowedTCPPorts = [
+      80
       443
       3306  # mysql
       25565