|
|
|
@ -33,91 +33,91 @@ |
|
|
|
|
<link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> |
|
|
|
|
installation instructions of Synapse </link>. |
|
|
|
|
<programlisting> |
|
|
|
|
let |
|
|
|
|
fqdn = |
|
|
|
|
let |
|
|
|
|
fqdn = |
|
|
|
|
let |
|
|
|
|
join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; |
|
|
|
|
in join config.networking.hostName config.networking.domain; |
|
|
|
|
in { |
|
|
|
|
networking = { |
|
|
|
|
hostName = "myhostname"; |
|
|
|
|
domain = "example.org"; |
|
|
|
|
}; |
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ]; |
|
|
|
|
join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; |
|
|
|
|
in join config.networking.hostName config.networking.domain; |
|
|
|
|
in { |
|
|
|
|
networking = { |
|
|
|
|
hostName = "myhostname"; |
|
|
|
|
domain = "example.org"; |
|
|
|
|
}; |
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ]; |
|
|
|
|
|
|
|
|
|
services.nginx = { |
|
|
|
|
enable = true; |
|
|
|
|
# only recommendedProxySettings and recommendedGzipSettings are strictly required, |
|
|
|
|
# but the rest make sense as well |
|
|
|
|
recommendedTlsSettings = true; |
|
|
|
|
recommendedOptimisation = true; |
|
|
|
|
recommendedGzipSettings = true; |
|
|
|
|
recommendedProxySettings = true; |
|
|
|
|
services.nginx = { |
|
|
|
|
enable = true; |
|
|
|
|
# only recommendedProxySettings and recommendedGzipSettings are strictly required, |
|
|
|
|
# but the rest make sense as well |
|
|
|
|
recommendedTlsSettings = true; |
|
|
|
|
recommendedOptimisation = true; |
|
|
|
|
recommendedGzipSettings = true; |
|
|
|
|
recommendedProxySettings = true; |
|
|
|
|
|
|
|
|
|
virtualHosts = { |
|
|
|
|
# This host section can be placed on a different host than the rest, |
|
|
|
|
# i.e. to delegate from the host being accessible as ${config.networking.domain} |
|
|
|
|
# to another host actually running the Matrix homeserver. |
|
|
|
|
"${config.networking.domain}" = { |
|
|
|
|
locations."= /.well-known/matrix/server".extraConfig = |
|
|
|
|
let |
|
|
|
|
# use 443 instead of the default 8448 port to unite |
|
|
|
|
# the client-server and server-server port for simplicity |
|
|
|
|
server = { "m.server" = "${fqdn}:443"; }; |
|
|
|
|
in '' |
|
|
|
|
add_header Content-Type application/json; |
|
|
|
|
return 200 '${builtins.toJSON server}'; |
|
|
|
|
''; |
|
|
|
|
locations."= /.well-known/matrix/client".extraConfig = |
|
|
|
|
let |
|
|
|
|
client = { |
|
|
|
|
"m.homeserver" = { "base_url" = "https://${fqdn}"; }; |
|
|
|
|
"m.identity_server" = { "base_url" = "https://vector.im"; }; |
|
|
|
|
}; |
|
|
|
|
# ACAO required to allow riot-web on any URL to request this json file |
|
|
|
|
in '' |
|
|
|
|
add_header Content-Type application/json; |
|
|
|
|
add_header Access-Control-Allow-Origin *; |
|
|
|
|
return 200 '${builtins.toJSON client}'; |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
virtualHosts = { |
|
|
|
|
# This host section can be placed on a different host than the rest, |
|
|
|
|
# i.e. to delegate from the host being accessible as ${config.networking.domain} |
|
|
|
|
# to another host actually running the Matrix homeserver. |
|
|
|
|
"${config.networking.domain}" = { |
|
|
|
|
locations."= /.well-known/matrix/server".extraConfig = |
|
|
|
|
let |
|
|
|
|
# use 443 instead of the default 8448 port to unite |
|
|
|
|
# the client-server and server-server port for simplicity |
|
|
|
|
server = { "m.server" = "${fqdn}:443"; }; |
|
|
|
|
in '' |
|
|
|
|
add_header Content-Type application/json; |
|
|
|
|
return 200 '${builtins.toJSON server}'; |
|
|
|
|
''; |
|
|
|
|
locations."= /.well-known/matrix/client".extraConfig = |
|
|
|
|
let |
|
|
|
|
client = { |
|
|
|
|
"m.homeserver" = { "base_url" = "https://${fqdn}"; }; |
|
|
|
|
"m.identity_server" = { "base_url" = "https://vector.im"; }; |
|
|
|
|
}; |
|
|
|
|
# ACAO required to allow riot-web on any URL to request this json file |
|
|
|
|
in '' |
|
|
|
|
add_header Content-Type application/json; |
|
|
|
|
add_header Access-Control-Allow-Origin *; |
|
|
|
|
return 200 '${builtins.toJSON client}'; |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
# Reverse proxy for Matrix client-server and server-server communication |
|
|
|
|
${fqdn} = { |
|
|
|
|
enableACME = true; |
|
|
|
|
forceSSL = true; |
|
|
|
|
# Reverse proxy for Matrix client-server and server-server communication |
|
|
|
|
${fqdn} = { |
|
|
|
|
enableACME = true; |
|
|
|
|
forceSSL = true; |
|
|
|
|
|
|
|
|
|
# Or do a redirect instead of the 404, or whatever is appropriate for you. |
|
|
|
|
# But do not put a Matrix Web client here! See the Riot Web section below. |
|
|
|
|
locations."/".extraConfig = '' |
|
|
|
|
return 404; |
|
|
|
|
''; |
|
|
|
|
# Or do a redirect instead of the 404, or whatever is appropriate for you. |
|
|
|
|
# But do not put a Matrix Web client here! See the Riot Web section below. |
|
|
|
|
locations."/".extraConfig = '' |
|
|
|
|
return 404; |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
# forward all Matrix API calls to the synapse Matrix homeserver |
|
|
|
|
locations."/_matrix" = { |
|
|
|
|
proxyPass = "http://[::1]:8008"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
# forward all Matrix API calls to the synapse Matrix homeserver |
|
|
|
|
locations."/_matrix" = { |
|
|
|
|
proxyPass = "http://[::1]:8008"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
services.matrix-synapse = { |
|
|
|
|
enable = true; |
|
|
|
|
server_name = config.networking.domain; |
|
|
|
|
listeners = [ |
|
|
|
|
{ |
|
|
|
|
port = 8008; |
|
|
|
|
bind_address = "::1"; |
|
|
|
|
type = "http"; |
|
|
|
|
tls = false; |
|
|
|
|
x_forwarded = true; |
|
|
|
|
resources = [ |
|
|
|
|
{ names = [ "client" "federation" ]; compress = false; } |
|
|
|
|
]; |
|
|
|
|
} |
|
|
|
|
]; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
</programlisting> |
|
|
|
|
}; |
|
|
|
|
services.matrix-synapse = { |
|
|
|
|
enable = true; |
|
|
|
|
server_name = config.networking.domain; |
|
|
|
|
listeners = [ |
|
|
|
|
{ |
|
|
|
|
port = 8008; |
|
|
|
|
bind_address = "::1"; |
|
|
|
|
type = "http"; |
|
|
|
|
tls = false; |
|
|
|
|
x_forwarded = true; |
|
|
|
|
resources = [ |
|
|
|
|
{ names = [ "client" "federation" ]; compress = false; } |
|
|
|
|
]; |
|
|
|
|
} |
|
|
|
|
]; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
</programlisting> |
|
|
|
|
</para> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
@ -142,14 +142,14 @@ |
|
|
|
|
create a new user or admin, run the following after you have set the secret |
|
|
|
|
and have rebuilt NixOS: |
|
|
|
|
<programlisting> |
|
|
|
|
$ nix run nixpkgs.matrix-synapse |
|
|
|
|
$ register_new_matrix_user -k <your-registration-shared-secret> http://localhost:8008 |
|
|
|
|
New user localpart: <your-username> |
|
|
|
|
Password: |
|
|
|
|
Confirm password: |
|
|
|
|
Make admin [no]: |
|
|
|
|
Success! |
|
|
|
|
</programlisting> |
|
|
|
|
$ nix run nixpkgs.matrix-synapse |
|
|
|
|
$ register_new_matrix_user -k <your-registration-shared-secret> http://localhost:8008 |
|
|
|
|
New user localpart: <your-username> |
|
|
|
|
Password: |
|
|
|
|
Confirm password: |
|
|
|
|
Make admin [no]: |
|
|
|
|
Success! |
|
|
|
|
</programlisting> |
|
|
|
|
In the example, this would create a user with the Matrix Identifier |
|
|
|
|
<literal>@your-username:example.org</literal>. Note that the registration |
|
|
|
|
secret ends up in the nix store and therefore is world-readable by any user |
|
|
|
@ -177,16 +177,16 @@ |
|
|
|
|
Matrix Now!</link> for a list of existing clients and their supported |
|
|
|
|
featureset. |
|
|
|
|
<programlisting> |
|
|
|
|
services.nginx.virtualHosts."riot.${fqdn}" = { |
|
|
|
|
enableACME = true; |
|
|
|
|
forceSSL = true; |
|
|
|
|
serverAliases = [ |
|
|
|
|
"riot.${config.networking.domain}" |
|
|
|
|
]; |
|
|
|
|
services.nginx.virtualHosts."riot.${fqdn}" = { |
|
|
|
|
enableACME = true; |
|
|
|
|
forceSSL = true; |
|
|
|
|
serverAliases = [ |
|
|
|
|
"riot.${config.networking.domain}" |
|
|
|
|
]; |
|
|
|
|
|
|
|
|
|
root = pkgs.riot-web; |
|
|
|
|
}; |
|
|
|
|
</programlisting> |
|
|
|
|
root = pkgs.riot-web; |
|
|
|
|
}; |
|
|
|
|
</programlisting> |
|
|
|
|
</para> |
|
|
|
|
|
|
|
|
|
<para> |
|
|
|
|