naimi/matrix-btw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updating files for lxc container and ipv6

Browse Source
This commit is contained in:
Kibi Kelburton
2026-02-18 18:43:48 +01:00
parent d82cd7ae26
commit 3120984bbd
2 changed files with 73 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
matrix.nix
View File

@@ -28,7 +28,7 @@ in {
listeners = [
{
port = 8008;
bind_addresses = ["127.0.0.1"];
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
@@ -56,6 +56,20 @@ in {
enable_registration = false;
enable_metrics = false;
registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
# Allow others to view the public room list
allow_public_rooms_without_auth = true;
allow_public_rooms_over_federation = true;
room_list_publication_rules = [
{
action = "allow";
user_id = "*";
room_id = "*";
alias = "*";
require_admin = true;
}
];
trusted_key_servers = [
{
@@ -76,18 +90,48 @@ in {
];
};
services.nginx.enable = true;
system.activationScripts.generate-matrix-certs = {
text = ''
mkdir -p /var/lib/matrix-certs
# Ensure permissions on the directory itself
chown nginx:nginx /var/lib/matrix-certs
chmod 750 /var/lib/matrix-certs
if [ ! -f /var/lib/matrix-certs/matrix.key ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout /var/lib/matrix-certs/matrix.key -out /var/lib/matrix-certs/matrix.crt -days 3650 -nodes -subj "/CN=${matrixDomain}"
fi
# Force permissions on files every time
chown nginx:nginx /var/lib/matrix-certs/matrix.*
chmod 640 /var/lib/matrix-certs/matrix.key
chmod 644 /var/lib/matrix-certs/matrix.crt
# Ensure log directory exists and is writable
mkdir -p /var/log/nginx
chown -R nginx:nginx /var/log/nginx
chmod 750 /var/log/nginx
'';
deps = ["users"];
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
sslCertificate = "/var/lib/matrix-certs/matrix.crt";
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
services.nginx.virtualHosts.${matrixDomain} = {
enableACME = true;
sslCertificate = "/var/lib/matrix-certs/matrix.crt";
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
proxyPass = "http://[::1]:8008";
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
@@ -97,5 +141,5 @@ in {
};
};
networking.firewall.allowedTCPPorts = [8448];
networking.firewall.allowedTCPPorts = [443];
}