From f3ea5021794455d9aa03a5fea8515081c5c5e92a Mon Sep 17 00:00:00 2001 From: Lu Wang Date: Wed, 18 Dec 2024 16:36:47 +0800 Subject: [PATCH] services/matrix-synapse: init --- nixos/hosts/suwako-vie0/default.nix | 1 + nixos/modules/networking/ports.nix | 1 + .../services/matrix-synapse/default.nix | 110 ++++++++++++++++++ secrets/hosts/suwako-vie0.yaml | 32 +++++ zones/rebmit.moe.nix | 1 + 5 files changed, 145 insertions(+) create mode 100644 nixos/profiles/services/matrix-synapse/default.nix create mode 100644 secrets/hosts/suwako-vie0.yaml diff --git a/nixos/hosts/suwako-vie0/default.nix b/nixos/hosts/suwako-vie0/default.nix index 0f3003b..9351238 100644 --- a/nixos/hosts/suwako-vie0/default.nix +++ b/nixos/hosts/suwako-vie0/default.nix @@ -11,6 +11,7 @@ services.caddy services.keycloak services.knot.secondary + services.matrix-synapse services.miniflux services.ntfy services.postgresql diff --git a/nixos/modules/networking/ports.nix b/nixos/modules/networking/ports.nix index aee5c7b..09e6ac0 100644 --- a/nixos/modules/networking/ports.nix +++ b/nixos/modules/networking/ports.nix @@ -19,6 +19,7 @@ in ntfy = 4000; keycloak = 4010; miniflux = 4020; + matrix-synapse = 4030; # public ports enthalpy-ipsec = 13000; diff --git a/nixos/profiles/services/matrix-synapse/default.nix b/nixos/profiles/services/matrix-synapse/default.nix new file mode 100644 index 0000000..3bab6bf --- /dev/null +++ b/nixos/profiles/services/matrix-synapse/default.nix 
@@ -0,0 +1,110 @@
+# Portions of this file are sourced from
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/nixos/hcloud/hio0/matrix.nix
+# https://github.com/linyinfeng/dotfiles/blob/b618b0fd16fb9c79ab7199ed51c4c0f98a392cea/nixos/profiles/services/matrix/default.nix
+{ config, pkgs, ... }:
+{
+ sops.secrets."synapse/signing-key" = {
+ sopsFile = config.sops.secretFiles.get "hosts/suwako-vie0.yaml";
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
+
+ sops.secrets."synapse/oidc-client-secret" = {
+ sopsFile = config.sops.secretFiles.get "hosts/suwako-vie0.yaml";
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ settings = {
+ server_name = "rebmit.moe";
+ public_baseurl = "https://matrix.rebmit.moe";
+
+ dynamic_thumbnails = true;
+ enable_registration = true;
+ registration_requires_token = true;
+
+ signing_key_path = config.sops.secrets."synapse/signing-key".path;
+
+ listeners = [
+ {
+ bind_addresses = [ "127.0.0.1" ];
+ port = config.networking.ports.matrix-synapse;
+ tls = false;
+ type = "http";
+ x_forwarded = true;
+ resources = [
+ {
+ compress = true;
+ names = [
+ "client"
+ "federation"
+ ];
+ }
+ ];
+ }
+ ];
+
+ oidc_providers = [
+ {
+ idp_id = "keycloak";
+ idp_name = "keycloak.rebmit.moe";
+ issuer = "https://keycloak.rebmit.moe/realms/rebmit";
+ client_id = "synapse";
+ client_secret_path = config.sops.secrets."synapse/oidc-client-secret".path;
+ scopes = [
+ "openid"
+ "profile"
+ ];
+ allow_existing_users = true;
+ backchannel_logout_enabled = true;
+ user_mapping_provider.config = {
+ confirm_localpart = true;
+ localpart_template = "{{ user.preferred_username }}";
+ display_name_template = "{{ user.name }}";
+ };
+ }
+ ];
+
+ media_retention = {
+ remote_media_lifetime = "14d";
+ };
+ };
+ };
+
+ services.caddy.virtualHosts."matrix.rebmit.moe" = {
+ extraConfig = ''
+ reverse_proxy /_matrix/* 127.0.0.1:${toString config.networking.ports.matrix-synapse}
+ reverse_proxy /_synapse/* 127.0.0.1:${toString config.networking.ports.matrix-synapse}
+
+ header {
+ X-Frame-Options SAMEORIGIN
+ X-Content-Type-Options nosniff
+ X-XSS-Protection "1; mode=block"
+ Content-Security-Policy "frame-ancestors 'self'"
+ }
+
+ file_server
+ root * "${
+ pkgs.element-web.override {
+ conf = {
+ default_server_config = {
+ "m.homeserver" = {
+ base_url = config.services.matrix-synapse.settings.public_baseurl;
+ server_name = config.services.matrix-synapse.settings.server_name;
+ };
+ };
+ show_labs_settings = true;
+ };
+ }
+ }"
+ '';
+ };
+
+ services.caddy.virtualHosts."synapse-admin.rebmit.moe" = {
+ extraConfig = ''
+ file_server
+ root * "${pkgs.synapse-admin}"
+ '';
+ };
+}
diff --git a/secrets/hosts/suwako-vie0.yaml b/secrets/hosts/suwako-vie0.yaml
new file mode 100644
index 0000000..fa94de3
--- /dev/null
+++ b/secrets/hosts/suwako-vie0.yaml
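Review bot: Element Web is served from the same origin as the homeserver API in the `matrix.rebmit.moe` vhost — `file_server` with `root * "${ pkgs.element-web.override … }"` sits next to `reverse_proxy /_matrix/*` — and Element's deployment guidance advises against this because the client then shares an origin with user-uploaded media that Synapse serves. Synapse applies its own Content-Disposition and CSP on media responses, which limits the impact, but the documented setup is a separate hostname for the static Element files: keep only the two `reverse_proxy` lines and the `header` block under `matrix.rebmit.moe`, and move `file_server` and the `root` directive into a `services.caddy.virtualHosts."<element-hostname>"` entry. The `/_synapse/*` matcher also forwards `/_synapse/admin`, presumably on purpose for the synapse-admin UI in the second vhost; the Synapse reverse-proxy docs suggest exposing the admin API no more widely than needed, so if admins come from a known network, a dedicated `reverse_proxy /_synapse/admin/*` guarded by a `remote_ip` matcher (leaving `/_synapse/client/*` open for the OIDC callback) would narrow it.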
@@ -0,0 +1,32 @@
+synapse:
+ signing-key: ENC[AES256_GCM,data:yFxwWDpdQvHetThkK02a/GN3lcw4GNb7BItutO5zisKptG6qB+BdWwHB34oK81J5Rbt3MGLwMwVpa0w=,iv:pQMDF4wSyzLvlRj3jMVbjyx16G76gj7e2ZvEHTB2VUU=,tag:dl1Onm5LNzH2aHZNfnRPbg==,type:str]
+ oidc-client-secret: ENC[AES256_GCM,data:1zUxCuFyTWFvcu7W0dJ70RKyPWW0WY9fJwlaQkYRzok=,iv:8+3w1kz81CfTvzYv8thd/EaEUn2A/OdL8Uw4n0o69tE=,tag:qGTZodnQwOsI/cyXK6X09Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1sfnct03u4cvfj98x4yjrcrrnu5gg8qgxrwk4uqq8w4e6wveeaedq97rn44
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOHhiRE9Mc3BEblpUbWtq
+ SDhmbm9OblhhRS84NE9JM3hNOHA3WUVRV2lRClRMUW9kUlB2THc0aHZDb1FDTWtq
+ SkJIT1dLUkpBTkNreGhKMDJBSGQ2WHMKLS0tIEpqQnFZVW9uT3dFczFnVHFpTkpV
+ VTlSdEh3VklQZENHcVIxdEdnNjdYejQK2DbiOlJQLUW4cmtMlZbKObCFafPPv8hn
+ J59qSri05wvns83jXm52gGIRBCOIjZfQUr1kXFKWUotvGlaW9Gb11g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1p9xzkzc3zxasgxtd75html0pvrtd6fzvmhz6n388vtjg36d3zffsvma0j0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RvTEU2Wk0xUVRvWVA3
+ TytqSUJ6aUhEWEE0S3dTV3N4ZFlid3hIRGhBCktpemZIQ2R2ZUN4U1FrVThFZ2ZH
+ YVJla3JzMjV1KzhEQk1kT2Y1am0veGMKLS0tIG1kVVVhYjY0L3FJTk9wRU1lVFE2
+ ZjQyOG1ZVDVnTGxBNWR0RGs3d082aGsKqqIdYDPsnvCa5+YFWCqdwAi5vgWuMazv
+ sZF1K96MHFgxgqgGonu2wZN3uj2mGttDRC8ZZmMPEftY1na6VLl40A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-18T07:21:22Z"
+ mac: ENC[AES256_GCM,data:TTOlCeSubkpp4CEI+sJ9k0yMoozeSSTWdWPMmRiTGpMNPLI4E9cA0jsTqcHZt06AIFNCRLnRVz9Vjq3oSUbImR/DKb/Ox7u0CVguIpMJW40aU9Jw3whSwehY8EageUqBHgPhuB1GTUF8nTx2WBxpkd9A70foPuvVy4UHqtIrH+I=,iv:uwkl3jbk9jSQQdhPV2CS1BkHfyIcR1SKDpoXsp2xLBI=,tag:wpFL4ir9bs2mNe3TFYY9nQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/zones/rebmit.moe.nix b/zones/rebmit.moe.nix
index 54364b1..b64404d 100644
--- a/zones/rebmit.moe.nix
+++ b/zones/rebmit.moe.nix
@@ -25,5 +25,6 @@ dns.lib.toString "rebmit.moe" {
 matrix.CNAME = [ "suwako-vie0.rebmit.link." ];
 miniflux.CNAME = [ "suwako-vie0.rebmit.link." ];
 ntfy.CNAME = [ "suwako-vie0.rebmit.link." ];
+ synapse-admin.CNAME = [ "suwako-vie0.rebmit.link." ];
 };
 }