DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Matrix Stack working!

Browse Source
This commit is contained in:
DerGrumpf
2026-05-06 23:45:13 +02:00
parent 870ead1994
commit a32a2800f7
8 changed files with 210 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixos/roles/matrix/coturn.nix
+95
View File
@@ -0,0 +1,95 @@
{ config, lib, ... }:
{
sops.secrets = {
coturn_static_auth_secret = {
owner = "turnserver";
group = "turnserver";
};
coturn_static_auth_secret_synapse = {
owner = "matrix-synapse";
group = "matrix-synapse";
key = "coturn_static_auth_secret";
};
};
services = {
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.coturn_static_auth_secret.path;
realm = "turn.cyperpunk.de";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
relay-ips = [ "178.254.8.35" ];
};
nginx.virtualHosts."turn.cyperpunk.de" = {
forceSSL = true;
enableACME = true;
};
matrix-synapse.settings = with config.services.coturn; {
turn_uris = [
"turn:${realm}:3478?transport=udp"
"turn:${realm}:3478?transport=tcp"
];
turn_shared_secret_path = config.sops.secrets.coturn_static_auth_secret_synapse.path;
turn_user_lifetime = "1h";
};
};
security.acme.certs."turn.cyperpunk.de".group = "nginx";
users.users.turnserver.extraGroups = [ "nginx" ];
networking.firewall.interfaces.ens3 =
let
range =
with config.services.coturn;
lib.singleton {
from = min-port;
to = max-port;
};
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [
3478
5349
];
allowedTCPPorts = [
3478
5349
];
};
}
nixos/roles/matrix/default.nix
+4 -1
View File
@@ -5,7 +5,10 @@
imports = [
./synapse.nix
#./lk-jwt.nix
#./livekit.nix
./livekit.nix
./clients.nix
./mjolnir.nix
./coturn.nix
#./maubot.nix # known security risk
];
}
nixos/roles/matrix/livekit.nix
+9 -54
View File
@@ -1,64 +1,19 @@
{ config, lib, ... }:
{ config, ... }:
{
# Shared key file — same secret used by lk-jwt-service (see lk-jwt.nix)
sops.secrets.livekit_key = { };
sops.secrets.livekit_key_file = { };
services.livekit = {
enable = true;
openFirewall = true;
keyFile = config.sops.secrets.livekit_key.path;
settings = {
rtc = {
tcp_port = 7881;
port_range_start = 50000;
port_range_end = 60000;
use_external_ip = true;
node_ip = "178.254.8.35";
};
room = {
# Must be false — rooms are created by the JWT service on demand
auto_create = false;
enabled_codecs = [
{ mime = "video/VP8"; }
{ mime = "video/VP9"; }
{ mime = "video/H264"; }
{ mime = "audio/opus"; }
];
enable_remote_unmute = true;
};
};
settings.room.auto_create = false;
keyFile = config.sops.secrets.livekit_key_file.path;
};
networking.firewall = {
allowedTCPPorts = [ 7881 ];
# WebRTC media relay — must be open or calls connect then immediately drop
allowedUDPPortRanges = [
{
from = 50000;
to = 60000;
}
];
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
keyFile = config.sops.secrets.livekit_key_file.path;
};
systemd.services.livekit.serviceConfig = {
PrivateUsers = lib.mkForce false;
DynamicUser = lib.mkForce false;
User = "livekit";
Group = "livekit";
RestrictAddressFamilies = lib.mkForce [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
SystemCallFilter = lib.mkForce [ "@system-service" ];
};
users = {
users.livekit = {
isSystemUser = true;
group = "livekit";
};
groups.livekit = { };
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de";
}
nixos/roles/matrix/maubot.nix
+22
View File
@@ -0,0 +1,22 @@
{ config, ... }:
{
services = {
maubot = {
enable = true;
settings = {
database = "postgresql://maubot@localhost/maubot";
server = {
public_url = "matrix.cyperpunk.de";
#ui_base_path = "/another/base/path";
};
};
};
nginx.virtualHosts."matrix.cyperpunk.de".locations = {
"/_matrix/maubot/" = {
proxyPass = "http://127.0.0.1:${toString config.services.maubot.settings.server.port}";
proxyWebsockets = true;
};
};
};
}
nixos/roles/matrix/mjolnir.nix
+17
View File
@@ -0,0 +1,17 @@
{ config, ... }:
{
sops.secrets.mjolnir_access_token = { };
services.draupnir = {
enable = true;
secrets.accessToken = config.sops.secrets.mjolnir_access_token.path;
settings = {
homeserverUrl = "https://matrix.cyperpunk.de";
managementRoom = "!eErCimyDjLSebHjpJA:cyperpunk.de";
};
};
}
#curl -X POST https://matrix.cyperpunk.de/_matrix/client/v3/login \
# -H "Content-Type: application/json" \
# -d '{"type":"m.login.password ","user":"mjolnir","password":"i318HXBRkt)Lh$nOPwq#6n9z&<W[XJ&2c4$Zf>7jV}-uQCE{<plwk;LZ)10*N<~1"}'
nixos/roles/matrix/synapse.nix
+30 -4
View File
@@ -9,7 +9,7 @@ let
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"}}';
return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt/"}]}';
'';
};
"= /.well-known/matrix/server" = {
@@ -46,7 +46,15 @@ in
suppress_key_server_warning = true;
registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
matrix_rtc = {
enabled = true;
transports = [
{
type = "livekit";
livekit_service_url = "https://cyperpunk.de/livekit/jwt/";
}
];
};
#experimental_features = {
# msc3266_enabled = true;
# msc3779_enabled = true;
@@ -99,6 +107,7 @@ in
locations = wellKnownMatrix // {
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
"/_synapse/admin".proxyPass = "http://127.0.0.1:8008";
"/metrics" = {
proxyPass = "http://127.0.0.1:9009";
extraConfig = ''
@@ -107,8 +116,25 @@ in
'';
};
"/admin/" = {
root = "${synapseAdmin}";
#tryFiles = "$uri $uri/ /index.html";
alias = "${synapseAdmin}/";
tryFiles = "$uri $uri/ /admin/index.html";
};
"^~ /livekit/jwt/" = {
priority = 400;
proxyPass = "http://127.0.0.1:${toString config.services.lk-jwt-service.port}/";
};
"^~ /livekit/sfu/" = {
priority = 400;
proxyPass = "http://127.0.0.1:${toString config.services.livekit.settings.port}/";
proxyWebsockets = true;
extraConfig = ''
proxy_send_timeout 120;
proxy_read_timeout 120;
proxy_buffering off;
proxy_set_header Accept-Encoding gzip;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};