fix: use synapse and nfty for matrix and federation

README.md

@@ -17,6 +17,7 @@ This repository uses **untracked secrets**, so you must build the system locally
 ### 1. Setup Secrets
 1.  `cp secrets/secrets.nix.example secrets/secrets.nix`
 2.  Fill in the values (generate random keys, etc).
+    - `openssl rand -base64 32` is a good way to make a new key
     - `tailscaleKey` must be a **Reusable** key from the Tailscale admin console.
 
 ### 2. Verify Configuration Locally

configuration.nix

@@ -9,6 +9,7 @@
     ./modules/searx.nix
     ./modules/matrix.nix
     ./modules/monitoring.nix
+    ./modules/ntfy.nix
     ./secrets/secrets-scheme.nix
     # Impure Secrets
     ./secrets/secrets.nix

modules/caddy.nix

@@ -22,6 +22,11 @@
             header Content-Type "application/json"
             respond `{"m.homeserver": {"base_url": "https://matrix.extremist.software"}}`
           }
+          handle /.well-known/matrix/support {
+            header Access-Control-Allow-Origin "*"
+            header Content-Type "application/json"
+            respond `{"admins": [{"matrix_id": "@jet:extremist.software","role": "admin"}]}`
+          }
           handle {
             redir https://jetpham.com{uri}
           }
@@ -59,6 +64,12 @@
         '';
       };
 
+      "ntfy.extremist.software" = {
+        extraConfig = ''
+          reverse_proxy localhost:2586
+        '';
+      };
+
       "matrix.extremist.software" = {
         extraConfig = ''
           reverse_proxy /_matrix/* 127.0.0.1:8008

modules/matrix.nix

@@ -23,7 +23,30 @@
         }
       ];
       
-      enable_registration = true;
+      enable_registration = false;
+      registration_shared_secret = "extremist_software_admin_creation";
+      macaroon_secret_key = config.mySecrets.matrixMacaroon;
+      database = {
+        name = "psycopg2";
+        allow_unsafe_locale = true;
+        args = {
+          user = "matrix-synapse";
+          database = "matrix-synapse";
+          host = "/run/postgresql";
+          cp_min = 5;
+          cp_max = 10;
         };
       };
+    };
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "matrix-synapse" ];
+    ensureUsers = [{
+      name = "matrix-synapse";
+      ensureDBOwnership = true;
+    }];
+  };
 }
+

modules/ntfy.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://ntfy.extremist.software";
+      listen-http = ":2586";
+      behind-proxy = true;
+      auth-file = "/var/lib/ntfy-sh/user.db";
+      auth-default-access = "deny-all";
+      enable-login = true;
+      auth-users = [
+        "jet:${config.mySecrets.ntfyAdminHash}:admin"
+      ];
+      auth-access = [
+        "*:up*:write-only"
+      ];
+    };
+  };
+}

secrets/secrets-scheme.nix

@@ -29,5 +29,13 @@ with lib;
       type = types.str;
       description = "Grafana Secret Key for security";
     };
+    matrixMacaroon = mkOption {
+      type = types.str;
+      description = "Macaroon Secret Key for Matrix Synapse";
+    };
+    ntfyAdminHash = mkOption {
+      type = types.str;
+      description = "Bcrypt hash for ntfy admin user";
+    };
   };
 }

secrets/secrets.nix.example

@@ -9,5 +9,7 @@
     minecraftRcon = "changeme_rcon";
     tailscaleKey = "tskey-auth-PLACEHOLDER";
     sshPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...";
+    matrixMacaroon = "changeme_matrix_macaroon_secret_key";
+    ntfyAdminHash = "changeme_bcrypt_hash_from_ntfy_user_hash";
   };
 }