fix matrix login on grimmauld.de instead of matrix.grimmauld.de (both should work now)

configuration.nix

@@ -11,17 +11,102 @@ let
 
   gitea_host = "git.${root_host}";
   gitea_port = 8081;
+
+  matrix_host = "matrix.${root_host}";
 in {
   imports = [
     ./hardware-configuration.nix    
   ];
 
+  services.postgresql = {
+    enable = true;
+    # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
+    ensureDatabases = [ "synapse" ];
+    package = pkgs.postgresql_15;
+    ensureUsers = [
+      {
+        name = "synapse";
+        ensureDBOwnership = true;
+      }
+    ];
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method
+local   all             postgres                                peer
+local   all             all                                     peer
+host    all             all             127.0.0.1/32            md5
+host    synapse         matrix-synapse         ::1/128                 md5
+host    all             all             ::1/128                 md5
+local   replication     all                                     peer
+host    replication     all             127.0.0.1/32            md5
+host    replication     all             ::1/128                 md5
+    '';
+    identMap = ''
+    # ArbitraryMapName systemUser DBUser
+       superuser_map      root      postgres
+       superuser_map      matrix-synapse synapse
+       superuser_map      postgres  postgres
+       # Let other names login as themselves
+       superuser_map      /^(.*)$   \1
+  '';
+  };
+
+  systemd.services.postgresql.postStart = let
+    password_file_path = config.age.secrets.synapse_db_pass.path;
+  in ''
+    $PSQL -tA <<'EOF'
+      DO $$
+      DECLARE password TEXT;
+      BEGIN
+        password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
+        EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
+      END $$;
+    EOF
+  '';
+
+  services.matrix-synapse-next = {
+    enable = true;
+
+    workers.federationSenders = 1;
+    workers.federationReceivers = 1;
+    workers.initialSyncers = 1;
+    workers.normalSyncers = 1;
+    workers.eventPersisters = 2;
+    workers.useUserDirectoryWorker = true;
+
+    enableNginx = true;
+    enableSlidingSync = false;
+
+    settings = {
+      server_name = root_host;
+      public_baseurl = "https://${root_host}";
+      enable_registration = false;
+      enable_registration_without_verification = true;
+
+#      registrations_require_3pid = [ "email" ];
+      database = {
+        name = "psycopg2";
+        args = {
+          host = "localhost";
+          port = 5432;
+          dbname = "synapse";
+          user = "synapse";
+          cp_min = 5;
+          cp_max = 10;
+          client_encoding = "auto";
+          passfile = config.age.secrets.synapse_db_pass_prepared.path;
+        };
+      };
+    };  
+  };
+  services.redis.servers."".enable = true;
+
   services.gitea = {
     enable = true;
     settings = {
       service.DISABLE_REGISTRATION = true;
       server = {
         HTTP_PORT = gitea_port;
+        ROOT_URL = "https://${gitea_host}/";
         DISABLE_SSH = true;
       };
 #      log.LEVEL = "Debug";
@@ -30,7 +115,17 @@ in {
   };
 
   age.secrets = {
-    duckdns_token.file = ./secrets/duckdns_token.age;
+    synapse_db_pass = {
+      file = ./secrets/synapse_db_pass.age;
+      owner = "postgres";
+      group = "postgres";
+    };
+    synapse_db_pass_prepared = {
+      file = ./secrets/synapse_db_pass_prepared.age;
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0600";
+    };
   };
 
   users.users.grimmauld = {
@@ -69,16 +164,6 @@ in {
     pypy3
   ];
 
-  systemd.services = {
-    dynamic-dns-updater = {
-      path = [
-        pkgs.curl
-      ];
-      script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="'';
-      startAt = "hourly";
-    };
-  };
-
   security.acme = {
     acceptTerms = true;
     defaults.email = root_email;
@@ -97,7 +182,7 @@ in {
 
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ];
+    allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 8008 ];
     allowPing = true;
     allowedUDPPortRanges = [
 #      { from = 4000; to = 4007; }
@@ -130,9 +215,59 @@ in {
 
     virtualHosts."${root_host}" = {
       forceSSL = true;
+      enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
       useACMEHost = root_host;
+      locations."/" = {
           root = "/var/www/grimmauld.duckdns.org"; 
       };
+      locations."/.well-known/matrix/server" = {
+        return = "200 '{\"m.server\":\"${matrix_host}:443\"}'";
+        extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+add_header Accept-Ranges bytes;'';
+      };
+      locations."/.well-known/matrix/client" = {
+        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'";
+        extraConfig = ''
+add_header Access-Control-Allow-Origin *;
+default_type application/json;
+'';
+      };
+      locations."/_matrix" = {
+        proxyPass = "http://$synapse_backend";
+        extraConfig = ''
+          add_header X-debug-backend $synapse_backend;
+          add_header X-debug-group $synapse_uri_group;
+          client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
+          proxy_read_timeout 10m;
+        '';
+      };
+      locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
+        proxyPass = "http://$synapse_backend";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
+        proxyPass = "http://synapse_worker_initial_sync";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
+        proxyPass = "http://synapse_worker_initial_sync";
+        extraConfig = ''
+          proxy_read_timeout 1h;
+        '';
+      };
+      locations."/_synapse/client" = {
+        proxyPass = "http://$synapse_backend";
+      };
+      locations."/.well-known/matrix" = {
+        proxyPass = "http://$synapse_backend";
+      };
+    };
 
     virtualHosts."${puffer_host}" = {
       serverName = puffer_host;

flake.lock

@@ -64,6 +64,26 @@
         "type": "github"
       }
     },
+    "nixos-matrix-modules": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1701507532,
+        "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
+        "ref": "refs/heads/master",
+        "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
+        "revCount": 56,
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/dali99/nixos-matrix-modules"
+      },
+      "original": {
+        "submodules": true,
+        "type": "git",
+        "url": "https://github.com/dali99/nixos-matrix-modules"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1703013332,
@@ -80,6 +100,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1673743903,
+        "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1703255338,
@@ -99,6 +134,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "nixos-matrix-modules": "nixos-matrix-modules",
         "nixpkgs": "nixpkgs_2"
       }
     },

flake.nix

@@ -7,9 +7,13 @@
     nixpkgs = {
       url = "github:NixOS/nixpkgs/nixos-unstable";
     };
+    nixos-matrix-modules = {
+      url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1";
+      flake = true;
+    };
   };
 
-  outputs = { self, nixpkgs, agenix }: let
+  outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let
     system = "x86_64-linux";
   in {
     nixosConfigurations = {
@@ -18,6 +22,7 @@
         modules = [
           ./configuration.nix
           agenix.nixosModules.default
+          nixos-matrix-modules.nixosModules.default
           { environment.systemPackages = [ agenix.packages.${system}.default ]; }
         ];
       };

result

@@ -1 +1 @@
-/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc
+/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc

secrets/duckdns_token.age

@@ -1,16 +0,0 @@
-age-encryption.org/v1
--> ssh-rsa jWbwAg
-qN28qDzdvyx8S8xv1P9nFb1TK14sDnJhF56LVY0G3h6Q8nB02kw3bSJxYBzBs1qO
-US2Ci80+IvxKztMAVsI7Hd5u7nKNahxDRCDUZiszETXNZukCLFFWK9ouy7YBRgaI
-is44FImbdlua7kq1a9Lpuro04DfWhuG7X0/0ZBiPikI5fWRNAMMoP1ZRQqqlBVPj
-fWWSbKa7C0jdBvfzOXSImtU0uuNjCshxsOF4sF7YLY6qlxc8xZdZnyIFRgm6XO7Z
-qyeKNkMe1ufssrmquQI9ZgC1LGc+k9VhRtHoSxq1sFNeBBNF1AL4Lh4CReUr0gC1
-NKSiCMq57hBlhLr8jlEG/p6MQe9vfgyxE9xKvknrdo2ou0N7zPQcWTOuL7EKY8w3
-ZC+1UolK5qzu0MvN77RBTPY72jIG9h6YSLOfDKduOsvWFG9kBJ/QEzuwhdXjd9jy
-nyvGcNKQoWl7ASGB3W0jP3Iv5ED4Qxd2O8F3bgwndhU9tBkej+KL9uK6YEXJcsNz
-5k+J72pdMVtMp4K+XHkdz9fQXedp6M91+gdbEWmvOWUZx67GRq+8aL07nVenJKM6
-ZyOI3F3fjLLC0DmhEyPVD+nq/W6Ljwx/O7fq1uJjQLPRJPNqYcRaokVmpjXiO23w
-qT8yVaQxExD26Rn1CIHQQ4piprHVK25oUaJxkO0NYic
---- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA
-<EFBFBD>Ü•ùa’‡
-Æÿ&Ú‡äÛ¢^vÝAf°V‰
ãÁ;µ ½ìÿÑCαÝêÝ¢D`ÙÛÓ’'‚7ÜîðÖm<C396>Ø泶Á“

secrets/secrets.nix

@@ -3,5 +3,7 @@ let
   contabo_nix_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCCsCsjhJleQCBm0gwnUj5R7zewC0SoRvth1qhXtUCeWM3KHkX+CjiHvVaHs+ftYE9uCe5jwVMB+b4UPkNU8EfQeL99iOYtkcn+fEQqjUJe/x/Pn0NxfS1DCvFpI6s3485ysDmagi640XN9S+eIiiMZIqWTsIlUtkEwGF0wuv+xqzbBOlUtIkL2AMpMeFCFovOcpu2JwEAIpDUiW+FanAFImw6rvNmpAtaaFGheYOGJwnpVfdaIeRPqEN3fqtIRBIQVgxt25BGYX83vaIH3Y/OaEKMGUa/4Fe/PRpGJyhCtdae6kcVfx57hs0e7/HezjgfS90HTu2cy6BrJOvGUspCjCbdElddfboE9wtBeNYsgjUOdU926m2M1tTn7Ex6ZMOQRKRlVFac6Yo+CedRTe4u6lkrWcsDdmnajel7uxoW8VMEre/CBCtK+ZlGaDwJjIVNCn7J3KZBKeaB/t/1iSr7/buaXYh5VV1Q0gv0mtvx+D7YLngaTv3sLFpLV8Wk1mgXt9R2hHxcRBKGJYx5RWa8aMHK62RP1GRc5yCzREj2Mc5qUJyd8oirnQYms/BsaDybUJde9IL4REeMzIBYyi/MG/+OAIUSAtdYygABWco+Swv4jP52UODHikcmyejHdFhRngsb4IYzGZXbS5pobkCyqCMJ20v5BG3WNFmujAlXRw==";
 in
 {
-  "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
+  # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
+  "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
+  "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
 }

secrets/synapse_db_pass.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-rsa jWbwAg
+uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ
+agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf
+rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d
+HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8
+aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi
+4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw
+NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm
+HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ
+hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA
+G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv
+xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc
+--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E
+þå/ɳò¤bæåîŠðm/Õ¨ï(N¸]Mc©Ãð<>$àïžÚ5²ô&†Ú¬xf¿Áp*Ȥq<C2A4>ôælÂåt¿¾‚–æœ<C3A6>1¤64‘ÎË›oƒ„(±¬,*ü