Matrix Stack working!

2026-05-06 23:45:13 +02:00
parent 870ead1994
commit a32a2800f7
8 changed files with 210 additions and 62 deletions
@@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  services = {
+    nginx.virtualHosts."www.cyperpunk.de".locations."/cloak" = {
+      proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/cloak/";
+    };
+
+    keycloak = {
+      enable = true;
+
+      database = {
+        type = "postgresql";
+        createLocally = true;
+
+        username = "keycloak";
+        passwordFile = "/etc/nixos/secrets/keycloak_psql_pass";
+      };
+
+      settings = {
+        hostname = "cyperpunk.de";
+        http-relative-path = "/cloak";
+        http-port = 38080;
+        proxy = "passthrough";
+        http-enabled = true;
+      };
+    };
+  };
+}
@@ -0,0 +1,95 @@
+{ config, lib, ... }:
+{
+  sops.secrets = {
+    coturn_static_auth_secret = {
+      owner = "turnserver";
+      group = "turnserver";
+    };
+
+    coturn_static_auth_secret_synapse = {
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+      key = "coturn_static_auth_secret";
+    };
+  };
+
+  services = {
+    coturn = rec {
+      enable = true;
+      no-cli = true;
+      no-tcp-relay = true;
+      min-port = 49000;
+      max-port = 50000;
+      use-auth-secret = true;
+      static-auth-secret-file = config.sops.secrets.coturn_static_auth_secret.path;
+      realm = "turn.cyperpunk.de";
+      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+      extraConfig = ''
+        no-multicast-peers
+        denied-peer-ip=0.0.0.0-0.255.255.255
+        denied-peer-ip=10.0.0.0-10.255.255.255
+        denied-peer-ip=100.64.0.0-100.127.255.255
+        denied-peer-ip=127.0.0.0-127.255.255.255
+        denied-peer-ip=169.254.0.0-169.254.255.255
+        denied-peer-ip=172.16.0.0-172.31.255.255
+        denied-peer-ip=192.0.0.0-192.0.0.255
+        denied-peer-ip=192.0.2.0-192.0.2.255
+        denied-peer-ip=192.88.99.0-192.88.99.255
+        denied-peer-ip=192.168.0.0-192.168.255.255
+        denied-peer-ip=198.18.0.0-198.19.255.255
+        denied-peer-ip=198.51.100.0-198.51.100.255
+        denied-peer-ip=203.0.113.0-203.0.113.255
+        denied-peer-ip=240.0.0.0-255.255.255.255
+        denied-peer-ip=::1
+        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      '';
+      relay-ips = [ "178.254.8.35" ];
+    };
+
+    nginx.virtualHosts."turn.cyperpunk.de" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    matrix-synapse.settings = with config.services.coturn; {
+      turn_uris = [
+        "turn:${realm}:3478?transport=udp"
+        "turn:${realm}:3478?transport=tcp"
+      ];
+      turn_shared_secret_path = config.sops.secrets.coturn_static_auth_secret_synapse.path;
+      turn_user_lifetime = "1h";
+    };
+  };
+
+  security.acme.certs."turn.cyperpunk.de".group = "nginx";
+
+  users.users.turnserver.extraGroups = [ "nginx" ];
+
+  networking.firewall.interfaces.ens3 =
+    let
+      range =
+        with config.services.coturn;
+        lib.singleton {
+          from = min-port;
+          to = max-port;
+        };
+    in
+    {
+      allowedUDPPortRanges = range;
+      allowedUDPPorts = [
+        3478
+        5349
+      ];
+      allowedTCPPorts = [
+        3478
+        5349
+      ];
+    };
+}
@@ -5,7 +5,10 @@
  imports = [
    ./synapse.nix
    #./lk-jwt.nix
-    #./livekit.nix
+    ./livekit.nix
    ./clients.nix
+    ./mjolnir.nix
+    ./coturn.nix
+    #./maubot.nix # known security risk
  ];
 }
@@ -1,64 +1,19 @@
-{ config, lib, ... }:
+{ config, ... }:
 {
-  # Shared key file — same secret used by lk-jwt-service (see lk-jwt.nix)
-  sops.secrets.livekit_key = { };
+  sops.secrets.livekit_key_file = { };

  services.livekit = {
    enable = true;
    openFirewall = true;
-    keyFile = config.sops.secrets.livekit_key.path;
-    settings = {
-      rtc = {
-        tcp_port = 7881;
-        port_range_start = 50000;
-        port_range_end = 60000;
-        use_external_ip = true;
-        node_ip = "178.254.8.35";
-      };
-      room = {
-        # Must be false — rooms are created by the JWT service on demand
-        auto_create = false;
-        enabled_codecs = [
-          { mime = "video/VP8"; }
-          { mime = "video/VP9"; }
-          { mime = "video/H264"; }
-          { mime = "audio/opus"; }
-        ];
-        enable_remote_unmute = true;
-      };
-    };
+    settings.room.auto_create = false;
+    keyFile = config.sops.secrets.livekit_key_file.path;
  };

-  networking.firewall = {
-    allowedTCPPorts = [ 7881 ];
-    # WebRTC media relay — must be open or calls connect then immediately drop
-    allowedUDPPortRanges = [
-      {
-        from = 50000;
-        to = 60000;
-      }
-    ];
-  };
-
-  systemd.services.livekit.serviceConfig = {
-    PrivateUsers = lib.mkForce false;
-    DynamicUser = lib.mkForce false;
-    User = "livekit";
-    Group = "livekit";
-    RestrictAddressFamilies = lib.mkForce [
-      "AF_INET"
-      "AF_INET6"
-      "AF_NETLINK"
-      "AF_UNIX"
-    ];
-    SystemCallFilter = lib.mkForce [ "@system-service" ];
-  };
-
-  users = {
-    users.livekit = {
-      isSystemUser = true;
-      group = "livekit";
-    };
-    groups.livekit = { };
-  };
+  services.lk-jwt-service = {
+    enable = true;
+    livekitUrl = "wss://cyperpunk.de/livekit/sfu";
+    keyFile = config.sops.secrets.livekit_key_file.path;
+  };
+
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de";
 }
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  services = {
+    maubot = {
+      enable = true;
+      settings = {
+        database = "postgresql://maubot@localhost/maubot";
+        server = {
+          public_url = "matrix.cyperpunk.de";
+          #ui_base_path = "/another/base/path";
+        };
+      };
+    };
+
+    nginx.virtualHosts."matrix.cyperpunk.de".locations = {
+      "/_matrix/maubot/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.maubot.settings.server.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  sops.secrets.mjolnir_access_token = { };
+
+  services.draupnir = {
+    enable = true;
+    secrets.accessToken = config.sops.secrets.mjolnir_access_token.path;
+    settings = {
+      homeserverUrl = "https://matrix.cyperpunk.de";
+      managementRoom = "!eErCimyDjLSebHjpJA:cyperpunk.de";
+    };
+  };
+}
+
+#curl -X POST https://matrix.cyperpunk.de/_matrix/client/v3/login \
+#  -H "Content-Type: application/json" \
+#  -d '{"type":"m.login.password ","user":"mjolnir","password":"i318HXBRkt)Lh$nOPwq#6n9z&<W[XJ&2c4$Zf>7jV}-uQCE{<plwk;LZ)10*N<~1"}'
@@ -9,7 +9,7 @@ let
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
-        return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"}}';
+        return 200 '{"m.homeserver":{"base_url":"https://matrix.cyperpunk.de"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt/"}]}';
      '';
    };
    "= /.well-known/matrix/server" = {
@@ -46,7 +46,15 @@ in
        suppress_key_server_warning = true;
        registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
        macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
-
+        matrix_rtc = {
+          enabled = true;
+          transports = [
+            {
+              type = "livekit";
+              livekit_service_url = "https://cyperpunk.de/livekit/jwt/";
+            }
+          ];
+        };
        #experimental_features = {
        #  msc3266_enabled = true;
        #  msc3779_enabled = true;
@@ -99,6 +107,7 @@ in
        locations = wellKnownMatrix // {
          "/_matrix".proxyPass = "http://127.0.0.1:8008";
          "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+          "/_synapse/admin".proxyPass = "http://127.0.0.1:8008";
          "/metrics" = {
            proxyPass = "http://127.0.0.1:9009";
            extraConfig = ''
@@ -107,8 +116,25 @@ in
            '';
          };
          "/admin/" = {
-            root = "${synapseAdmin}";
-            #tryFiles = "$uri $uri/ /index.html";
+            alias = "${synapseAdmin}/";
+            tryFiles = "$uri $uri/ /admin/index.html";
+          };
+          "^~ /livekit/jwt/" = {
+            priority = 400;
+            proxyPass = "http://127.0.0.1:${toString config.services.lk-jwt-service.port}/";
+          };
+          "^~ /livekit/sfu/" = {
+            priority = 400;
+            proxyPass = "http://127.0.0.1:${toString config.services.livekit.settings.port}/";
+            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_send_timeout 120;
+              proxy_read_timeout 120;
+              proxy_buffering off;
+              proxy_set_header Accept-Encoding gzip;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
          };
        };
      };
@@ -8,7 +8,9 @@ vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9
 flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str]
 flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str]
 paperless_admin: ENC[AES256_GCM,data:sVvlMQ3dDE2XsDfpwpCTbzPCEKdUMNTFtRXDIuBbgyf1gd6oiJzE23Ytc57plNUGg5h5aEtgxZ7NXeuK5vrhQw==,iv:x+QNAzY9k9t23UYlM9GcAke0urEA5jlV0VzHaBQkm7M=,tag:D/bMtjuwrX6pquZfJLwdkQ==,type:str]
-livekit_key: ENC[AES256_GCM,data:CXsX4ZePcfIwqjk0EuFQFh6ozS68KOej2csG8pFvZ3K5MMIcm9ezD65+pUJmwvDqRqH0kmFMTE5PCJMN6kPfOGAlJ8d1iiLBJg==,iv:jQkmc8v7bQ2Y+CaBzEKR3HfTbXTsvPGM756xnac5qek=,tag:oKzRniBg55LYz3iebNjoAg==,type:str]
+livekit_key_file: ENC[AES256_GCM,data:wOtJhwDtZNEY+QjHyLL1FTOtkmzkNA5BoTsx0+ZMij9uUaKC28uFIkMAq2ZzIU7Nyvk8+4YjbK/Rrsoy,iv:UTDuItr0XsG+/4HFkEHDpxXy41QiVgPCisHeMMY2dQo=,tag:SkoeLWClO9I/V2sn27Y2uw==,type:str]
+mjolnir_access_token: ENC[AES256_GCM,data:vvrAY9CAkEIGEzah+TQiwa6PahGuXVvU7wzBpTnqeSLqe3mqtw120GRj,iv:J+/VJ40BsImr832eGUHShhDVWYC7KsEwQUH9AE6Rs9c=,tag:n+y0flxfqY47rB4yv9TnBw==,type:str]
+coturn_static_auth_secret: ENC[AES256_GCM,data:7AI0E8Hu4WxI5q4j1GqBMSQ+evE006uPMtwIfGn4eFz+XB2JA6fhhiGMPPxSkqOyK+3eZJ5ahiG05JpmBmmAbw==,iv:hQJQQDVo43U7lvV754PC1THeFCpZZEyag+BslXyoDos=,tag:Vkm+IXr1h8ZNpah6UYaKng==,type:str]
 gitea:
    dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str]
    internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
@@ -27,7 +29,7 @@ sops:
            N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
            6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-05T10:30:02Z"
-    mac: ENC[AES256_GCM,data:4fBPLtCVtGZ02sAkEGNZF9bDSobiMHd2WBVd2dXv47B9qdlMROvaEj00+nm+TrVWnCZqKatwMWLBPwYV9/Ie5juQUCiyvUpIS2iebve01sbSZ0trN4QHXAZ6MAG9paFs8g5W2683msp/VDKFTDeYrZHvKbowY7E+EKceWQx5enA=,iv:v+VvMsZAR746UNRdtFj76GRyZwh4RMpUyNZdXI2WtTE=,tag:ucnXpGEWt6vs7kty4gw3eg==,type:str]
+    lastmodified: "2026-05-06T21:16:11Z"
+    mac: ENC[AES256_GCM,data:Dl9FbobKAg5T6H5nQr7VL7LAyk5DgzJDWzlHa1GqhqqbFV8InJtwVc+H3iqiBbsLNW2D4TowqmKMae2aZQ3CLN1YCtScMci9fO0+V0+dEWDismTk/Gd4jJzKAIei3ewXkqiWpIg9yt9LvQAp0Jbg5/vP/2UsBBqXmFbRxbME0NY=,iv:i13Wya8uUsUVPE7ZBxNDgH2kg0OwGysfC/qHoJEmYhg=,tag:kiosVeWZNhKEwCVrg3t/ow==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2