diff --git a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix index b4d7dfc..0a54508 100644 --- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix +++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix @@ -8,7 +8,17 @@ modulesPath, config, ... -}: { +}: let + matrixBackend = "https://128.140.75.58"; + matrixHost = "accord.tube"; + elementEntryDomain = "element.bfs.band"; + polandEntryDomain = "bfs.band"; + backendProxyConfig = '' + proxy_ssl_server_name on; + proxy_ssl_name ${matrixHost}; + proxy_set_header Host ${matrixHost}; + ''; +in { imports = [ self.nixosModules.xray-system self.nixosModules.matrix-cluster @@ -35,12 +45,122 @@ passwordFile = config.sops.secrets."matrix/postgres-replication-password".path; }; acme = { - enable = true; + enable = false; porkbunApiKeyFile = config.sops.secrets."matrix/porkbun-api-key".path; porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path; }; }; + security.acme = { + acceptTerms = true; + defaults.email = "security@bfs.band"; + }; + + services.nginx = { + enable = true; + + virtualHosts.${polandEntryDomain} = { + enableACME = true; + forceSSL = true; + + locations."/".return = "302 https://${elementEntryDomain}"; + + locations."=/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; + add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"; + ''; + return = ''200 '{ + "m.homeserver": { + "base_url": "https://${polandEntryDomain}" + }, + "m.identity_server": { + "base_url": "https://vector.im" + }, + "org.matrix.msc3575.proxy": { + "url": "https://${polandEntryDomain}" + }, + "org.matrix.msc4143.rtc_foci": [ + { + "type": "livekit", + "livekit_service_url": "https://${polandEntryDomain}/livekit/jwt" + } + ] + }' ''; + }; + + locations."= /livekit/jwt" = { + proxyPass = "${matrixBackend}/livekit/jwt"; + extraConfig = backendProxyConfig; + }; + + locations."^~ /livekit/jwt/" = { + proxyPass = "${matrixBackend}/livekit/jwt/"; + extraConfig = backendProxyConfig; + }; + + locations."= /livekit/sfu" = { + proxyPass = "${matrixBackend}/livekit/sfu"; + proxyWebsockets = true; + extraConfig = backendProxyConfig + '' + proxy_send_timeout 120; + proxy_read_timeout 120; + proxy_buffering off; + proxy_set_header Accept-Encoding gzip; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; + + locations."^~ /livekit/sfu/" = { + proxyPass = "${matrixBackend}/livekit/sfu/"; + proxyWebsockets = true; + extraConfig = backendProxyConfig + '' + proxy_send_timeout 120; + proxy_read_timeout 120; + proxy_buffering off; + proxy_set_header Accept-Encoding gzip; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; + + locations."^~ /_matrix/" = { + proxyPass = "${matrixBackend}/_matrix/"; + extraConfig = backendProxyConfig; + }; + + locations."^~ /_synapse/client/" = { + proxyPass = "${matrixBackend}/_synapse/client/"; + extraConfig = backendProxyConfig; + }; + }; + + virtualHosts.${elementEntryDomain} = { + enableACME = true; + forceSSL = true; + + locations."= /config.${elementEntryDomain}.json".return = "302 /config.json"; + + root = pkgs.element-web.override { + conf = { + default_server_config = { + "m.homeserver".base_url = "https://${polandEntryDomain}"; + "m.homeserver".server_name = matrixHost; + "m.identity_server".base_url = "https://vector.im"; + }; + + room_directory.servers = [ matrixHost ]; + + default_theme = "dark"; + show_labs_settings = true; + }; + }; + }; + }; + sops.secrets."matrix/signing-key" = { key = "matrix/signing-key"; owner = "matrix-synapse";