diff --git a/configuration.nix b/configuration.nix
index 6aa588a..08a8792 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,39 +1,37 @@
+{ config, modulesPath, pkgs, lib, ... }:
 {
- config,
- lib,
- pkgs,
- ...
-}: {
 imports = [
- ./hardware-configuration.nix
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
 ./matrix.nix
 ];
+ nix.settings = { sandbox = false; };
+ proxmoxLXC = {
+ manageNetwork = false;
+ privileged = true;
+ };
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
+ # Disable /sys/kernel/debug mount which fails in LXC
+ systemd.mounts = [{
+ where = "/sys/kernel/debug";
+ enable = false;
+ }];
- networking.hostName = "nixos-matrix";
- networking.networkmanager.enable = true;
+ services.fstrim.enable = false; # Let Proxmox host handle fstrim
+ networking.firewall.enable = false;
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ PermitRootLogin = "yes";
+ PasswordAuthentication = true;
+ PermitEmptyPasswords = "yes";
+ };
+ };
- time.timeZone = "America/Los_Angeles";
-
- users.users.tony = {
+ users.users.w0bm = {
 isNormalUser = true;
 extraGroups = ["wheel"];
 };
- services.openssh.enable = true;
- services.nginx.enable = true;
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "your-email@example.com";
- };
-
- environment.systemPackages = with pkgs; [
- vim
- git
- ];
-
 system.stateVersion = "25.11";
 }
diff --git a/matrix.nix b/matrix.nix
index 6554d2c..3cab74e 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -28,7 +28,7 @@ in {
 listeners = [
 {
 port = 8008;
- bind_addresses = ["127.0.0.1"];
+ bind_addresses = ["::1"];
 type = "http";
 tls = false;
 x_forwarded = true;
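Review bot: `PermitEmptyPasswords = "yes"` together with `PasswordAuthentication = true` and `PermitRootLogin = "yes"` in the new `services.openssh.settings` block lets anyone who can reach port 22 authenticate as any account that ends up with an empty password, root included, and the same hunk sets `networking.firewall.enable = false`, so nothing on this host limits who can reach it (the `openFirewall = true` line has no effect once the firewall is off). Unless the Proxmox host filters SSH in front of this container, this should read `PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; PermitEmptyPasswords = "no";` with a key in `users.users.w0bm.openssh.authorizedKeys.keys`, or at the very least the `PermitEmptyPasswords` line should go (the sshd default is already "no"). `networking.firewall.enable = false` here also turns the `allowedTCPPorts = [443]` change in matrix.nix into a no-op; if filtering is intentionally left to the host, a comment to that effect on this line, e.g. `# Firewall is handled by the Proxmox host; allowedTCPPorts in matrix.nix is informational only`, would save the next reader from hunting for the rule that opens 443.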
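Review bot: Moving the listener to `bind_addresses = ["::1"]` makes Synapse depend on the container having a working IPv6 loopback; with `proxmoxLXC.manageNetwork = false` the network is set up by the Proxmox host, and if IPv6 is disabled there the bind would fail and nginx's `proxyPass = "http://[::1]:8008"` later in this diff would get connection refused. Listing both addresses, `bind_addresses = ["::1" "127.0.0.1"];`, keeps the previous behaviour as a fallback; otherwise a short comment on why IPv6 loopback is preferred would help the next reader. The enclosing `listeners` entry continues outside the hunk.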
@@ -56,6 +56,20 @@ in {
 enable_registration = false;
 enable_metrics = false;
 registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
+
+ # Allow others to view the public room list
+ allow_public_rooms_without_auth = true;
+ allow_public_rooms_over_federation = true;
+
+ room_list_publication_rules = [
+ {
+ action = "allow";
+ user_id = "*";
+ room_id = "*";
+ alias = "*";
+ require_admin = true;
+ }
+ ];
 trusted_key_servers = [
 {
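Review bot: `require_admin = true` is not among the keys Synapse documents for `room_list_publication_rules` (`user_id`, `alias`, `room_id`, `action`), and as far as I can tell unrecognised keys are ignored rather than rejected, so this rule evaluates to `action = "allow"` for every user, room and alias, which is the opposite of what the name suggests it restricts. If the intent is that only admins may publish to the directory, that is not expressible through this option; either switch to `action = "deny"` with explicit allow entries for the intended publishers, or drop the `require_admin` line and adjust the comment so nobody relies on it. Separately, `allow_public_rooms_without_auth = true` and `allow_public_rooms_over_federation = true` make the directory readable by unauthenticated clients and by any federating server, a deliberate exposure worth recording in the comment above them, e.g. `# Public room directory is intentionally readable anonymously and over federation`. Please verify the rule keys against the Synapse config reference for the deployed version before merging.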
@@ -76,18 +90,48 @@ in {
 ];
 };
+ services.nginx.enable = true;
+
+ system.activationScripts.generate-matrix-certs = {
+ text = ''
+ mkdir -p /var/lib/matrix-certs
+ # Ensure permissions on the directory itself
+ chown nginx:nginx /var/lib/matrix-certs
+ chmod 750 /var/lib/matrix-certs
+
+ if [ ! -f /var/lib/matrix-certs/matrix.key ]; then
+ ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout /var/lib/matrix-certs/matrix.key -out /var/lib/matrix-certs/matrix.crt -days 3650 -nodes -subj "/CN=${matrixDomain}"
+ fi
+
+ # Force permissions on files every time
+ chown nginx:nginx /var/lib/matrix-certs/matrix.*
+ chmod 640 /var/lib/matrix-certs/matrix.key
+ chmod 644 /var/lib/matrix-certs/matrix.crt
+
+ # Ensure log directory exists and is writable
+ mkdir -p /var/log/nginx
+ chown -R nginx:nginx /var/log/nginx
+ chmod 750 /var/log/nginx
+ '';
+ deps = ["users"];
+ };
+
+
+ services.nginx.virtualHosts.${domain} = {
- enableACME = true;
+ sslCertificate = "/var/lib/matrix-certs/matrix.crt";
+ sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
 forceSSL = true;
 locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
 locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 };
 services.nginx.virtualHosts.${matrixDomain} = {
- enableACME = true;
+ sslCertificate = "/var/lib/matrix-certs/matrix.crt";
+ sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8008";
+ proxyPass = "http://[::1]:8008";
 extraConfig = ''
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Proto $scheme;
@@ -97,5 +141,5 @@ in {
 };
 };
- networking.firewall.allowedTCPPorts = [8448];
+ networking.firewall.allowedTCPPorts = [443];
 }
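Review bot: The certificate produced in `generate-matrix-certs` carries only `-subj "/CN=${matrixDomain}"` and no subjectAltName, yet the same hunk serves it from both the `${domain}` and `${matrixDomain}` virtual hosts; browsers and Synapse federation peers match hostnames against the SAN rather than the CN, so the certificate will not validate for either name even where the client trusts it, and being self-signed it will not be trusted by other homeservers at all, so federation to `${matrixDomain}` breaks unless something in front of this container terminates TLS with a publicly trusted certificate. The minimal change is to add `-addext "subjectAltName=DNS:${matrixDomain},DNS:${domain}"` to the `openssl req` invocation and to state in the comment above the script that federation relies on the Proxmox host (or another proxy) presenting a trusted certificate, since this commit removes the `enableACME` lines that previously provided one. The `mkdir`/`chown -R`/`chmod` handling of `/var/log/nginx` and `/var/lib/matrix-certs` re-runs on every activation and is what `systemd.tmpfiles.rules` exists for in NixOS; expressing the directories there and leaving only the one-time key generation in the script (or a oneshot unit ordered before nginx) would be the conventional shape. The enclosing module body continues outside the hunk.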
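Review bot: `networking.firewall.allowedTCPPorts = [443]` has no effect while configuration.nix in this same commit sets `networking.firewall.enable = false`, so the switch from 8448 to 443 is currently informational only; either re-enable the firewall so this line and `services.openssh.openFirewall` do what they say, or annotate it, e.g. `# no-op while the firewall is disabled in configuration.nix; filtering is expected on the Proxmox host`. Dropping 8448 is only correct if `serverConfig` (defined outside this hunk) delegates federation to `${matrixDomain}:443` via the `.well-known/matrix/server` response; that definition is not in the diff, so please confirm it before relying on the port change.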