VEGAS: add matrix service

Provides the following:
- Synapse homeserver
- Element web client
- Federation support

hosts/VEGAS/services/matrix/default.nix

@@ -0,0 +1,108 @@
+{ config, lib, pkgs, tools, ... }:
+let
+  inherit (tools.meta) domain;
+  listener = {
+    port = 8008;
+    bind_address = "127.0.0.1";
+    type = "http";
+    tls = false;
+    x_forwarded = true;
+    resources = lib.singleton {
+      names = [ "client" "federation" ];
+      compress = false;
+    };
+  };
+  clientConfig = {
+    "m.homeserver".base_url = "https://matrix.${domain}:443";
+    "m.integrations".managers = [{
+      api_url = "https://dimension.t2bot.io/api/v1/scalar";
+      ui_url = "https://dimension.t2bot.io/riot";
+    }];
+  } // lib.optionalAttrs config.services.jitsi-meet.enable {
+    "im.vector.riot.jitsi".preferredDomain = config.services.jitsi-meet.hostName;
+  };
+  clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
+  extraConfig = {
+    experimental_features.spaces_enabled = true;
+    federation_ip_range_blacklist = cfg.url_preview_ip_range_blacklist;
+    admin_contact = "mailto:admins@${domain}";
+    max_upload_size = "32M";
+    max_spider_size = "10M";
+    emable_registration = true;
+    allow_guest_access = true;
+    push.include_content = true;
+    group_creation_prefix = "unofficial/";
+    app_service_config_files =  [
+      "/etc/synapse/discord-registration.yaml"
+    ];
+    turn_uris = let
+      combinations = lib.cartesianProductOfSets {
+        proto = [ "udp" "tcp" ];
+        scheme = [ "turns" "turn" ];
+      };
+      makeTurnServer = x: "${x.scheme}:turn.${domain}?transport=${x.proto}";
+    in map makeTurnServer combinations;
+  };
+  cfg = config.services.matrix-synapse;
+in {
+  imports = [
+    ./federation.nix
+    ./web-client.nix
+  ];
+
+  age.secrets = {
+    synapse-ldap = {
+      file = ../../../../secrets/synapse-ldap.age;
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0400";
+    };
+    synapse-db = {
+      file = ../../../../secrets/synapse-db.age;
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0400";
+    };
+    synapse-turn = {
+      file = ../../../../secrets/synapse-turn.age;
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0400";
+    };
+    synapse-keys = {
+      file = ../../../../secrets/synapse-keys.age;
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      mode = "0400";
+    };
+  };
+  services.matrix-synapse = {
+    enable = true;
+    plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
+
+    server_name = domain;
+    listeners = lib.singleton listener;
+
+    url_preview_enabled = true;
+
+    extraConfigFiles = [
+      (pkgs.writeText "synapse-extra-config.yaml" (builtins.toJSON extraConfig))
+    ] ++ (map (x: config.age.secrets.${x}.path) [
+      "synapse-ldap"
+      "synapse-db"
+      "synapse-turn"
+      "synapse-keys"
+    ]); 
+  };
+
+  services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains {
+    matrix = tools.nginx.vhosts.basic // {
+      locations."/".return = "204";
+      locations."/_matrix" = {
+        proxyPass = with listener; "${type}://${bind_address}:${builtins.toString port}";
+        extraConfig = "client_max_body_size ${extraConfig.max_upload_size};";
+      };
+      locations."= /.well-known/matrix/client".alias = clientConfigJSON;
+    };
+  };
+}

hosts/VEGAS/services/matrix/federation.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, tools, ... }:
+let
+  inherit (tools.meta) domain;
+  federation = pkgs.writeText "matrix-federation.json" (builtins.toJSON {
+    "m.server" = "matrix.${domain}:443";
+  });
+in
+{
+  services.nginx.virtualHosts."top-level.${domain}".locations = {
+    "= /.well-known/matrix/server".alias = federation;
+    inherit (config.services.nginx.virtualHosts."matrix.${domain}".locations) "= /.well-known/matrix/client";
+  };
+}

hosts/VEGAS/services/matrix/web-client.nix

@@ -0,0 +1,34 @@
+{ lib, pkgs, tools, ... }:
+let
+  inherit (tools.nginx) domain vhosts;
+in
+{
+  services.nginx.virtualHosts."chat.${domain}" = vhosts.static (pkgs.element-web.override {
+    conf = {
+      default_server_config."m.homeserver" = {
+        base_url = "https://matrix.${domain}:443";
+        server_name = tools.meta.domain;
+      };
+      disable_3pid_login = true;
+      disable_custom_urls = true;
+
+      brand = "Private Void Chat";
+      # TODO: integrations
+      enableLabs = true;
+      showLabsSettings = true;
+      features = with lib; flip genAttrs (_: "labs") [
+        "feature_custom_status"
+        "feature_custom_tags"
+        "feature_many_integration_managers"
+        "feature_new_spinner"
+        "feature_pinning"
+        "feature_state_counters"
+      ];
+      default_federate = true;
+      default_theme = "dark";
+      roomDirectory.servers = [ domain "matrix.org" ];
+      piwik = false;
+      jitsi.preferredDomain = "meet.${domain}";
+    };
+  });
+}

hosts/VEGAS/system.nix

@@ -26,6 +26,7 @@
       ./services/jokes
       ./services/nfs
       ./services/mail
+      ./services/matrix
       ./services/warehouse
       ./services/websites
     ]

secrets/secrets.nix

@@ -9,7 +9,12 @@ in with hosts;
   "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
   "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ];
+  "matrix-appservice-discord-token.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "postfix-ldap-mailboxes.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "synapse-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "synapse-turn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }

secrets/synapse-db.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A z3CK5DY5HpHg3ACVxLrz0YF/Yn114CZeaOWbBUiDbXA
+WvWSEpovH2fVJuOCk2OpzgyONyHEaQb+Koafmfz0FRM
+-> ssh-ed25519 5/zT0w /FNqwfZgpihWRHg7tGH42Ak31FAC2sGtyPD20BrFuVI
+GTMAwKTosLe/3xjPIrKhkQT0yKI7YaFNRNMxUOh8Rh4
+-> ssh-ed25519 d3WGuA UA4tVfhoqb0nHOXw2Z94KsnsxXtyHd3Zoowcbh7/pk0
+nIfnGT2AtUxZX/GFptH8RgN8kMoEf5/TYM8TH38CI7Y
+-> ~0K&gN-grease u
+J1bL/6N3ZA
+--- LhSYtzwk6JfYCX5Ae7ldAsCwDg1Bg2W8BMM1oQvl9m8
+Ŕ1›Ą$ě]ĺľΞZPeÇúSśNám
+[çd:ˇý2Y)YŤ^i=Řř<C598>ÎĆă7sĘľ´`°M‘¶]ŚX@®Ű+¦©—Cz˘<0B>•ŽŔS!đNi<>ăwö;s–”ČĆéŰőR9drí
+LĆWśqYűđdéŁ0kxe!c\˸¶ŤĺÉ$o1 kGľáibÜŰ4‚ĺMa××{˝°hOǶŐu»µ:P#Ň–tÜ7
e_3