@zuigon
Last active May 25, 2020 20:34
# NixOS module: Matrix homeserver (synapse + PostgreSQL) behind nginx, with a
# riot-web client build and a coturn TURN relay for calls.
#
# NOTE(review): every string literal in this module — including the database
# password, turn_shared_secret and static-auth-secret — is written into
# generated config files under /nix/store, which is world-readable on the host.
# The "redacted" placeholders here should be kept out of the module on a real
# deployment (e.g. a root-only file referenced from the service config) rather
# than inlined.
{pkgs, ...}:
{
  nixpkgs.overlays = [
    (self: super: {
      # Bake the homeserver/identity-server defaults and the Jitsi domain into
      # the riot-web build so the served client points at this deployment.
      riot-web = super.riot-web.override {
        conf = {
          default_server_config = {
            "m.homeserver" = {
              "base_url" = "https://matrix.bkr.st";
              "server_name" = "bkr.st";
            };
            "m.identity_server" = {
              "base_url" = "https://vector.im";
            };
          };
          jitsi.preferredDomain = "jitsi.bkr.st";
        };
      };
    })
  ];
  environment.systemPackages = with pkgs; [ vim riot-web ];
  # NOTE(review): the turn_uris below advertise UDP 3478 to clients, but
  # allowedUDPPorts only opens 5349/5350 (the TLS-port pair, which is unused
  # while no-tls/no-dtls are set). Unless the firewall is managed elsewhere,
  # UDP 3478 and coturn's relay port range are not reachable — confirm.
  networking.firewall = {
    allowedUDPPorts = [ 5349 5350 ];
    allowedTCPPorts = [ 22 80 443 3478 3479 ];
  };
  services.nginx = {
    enable = true;
    virtualHosts = {
      # Client/federation API: TLS-terminated here, proxied to synapse's
      # plaintext listener on 8008.
      # NOTE(review): recommendedProxySettings is not enabled and no proxy
      # headers are set here, so synapse will presumably see the proxy address
      # as the client IP (affects rate limiting and audit logs) — verify.
      "matrix.bkr.st" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:8008";
        };
      };
      # Static riot-web client served straight from the store path.
      "riot.bkr.st" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = pkgs.riot-web;
        };
      };
      # "jitsi.bkr.st" = {
      # enableACME = true;
      # forceSSL = true;
      # };
    };
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
  };
  services.matrix-synapse = {
    enable = true;
    # server_name (bkr.st) differs from the host serving the API
    # (matrix.bkr.st) and 8448 is not opened above; presumably federation
    # delegation (.well-known or SRV) is handled outside this module — confirm.
    server_name = "bkr.st";
    enable_metrics = true;
    # Open registration: anyone who can reach the client API can create
    # accounts on this homeserver. Leave enabled only if that is intended.
    enable_registration = true;
    database_type = "psycopg2";
    database_args = {
      # Must match the password in the PostgreSQL initialScript below.
      # NOTE(review): stored in the world-readable generated config; see header.
      password = "synapse";
    };
    listeners = [
      {
        # Plaintext listener; TLS is terminated by nginx. Assumes this binds
        # to loopback only (the module default at the time) — verify, since
        # the firewall does not block 8008 explicitly.
        port = 8008;
        tls = false;
        resources = [
          {
            compress = true;
            names = ["client" "webclient" "federation"];
          }
        ];
      }
    ];
    # Only plain turn: URIs are advertised, consistent with coturn running
    # without TLS/DTLS below.
    turn_uris = [
      "turn:turn.bkr.st:3478?transport=udp"
      "turn:turn.bkr.st:3478?transport=tcp"
    ];
    # Must be the same value as services.coturn.static-auth-secret.
    turn_shared_secret = "redacted";
  };
  services.postgresql = {
    enable = true;
    # Runs once on first database initialisation; the role password here has
    # to agree with services.matrix-synapse.database_args.password.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
    '';
  };
  # services.jitsi-meet = {
  # enable = true;
  # hostName = "jitsi.bkr.st";
  # videobridge.openFirewall = true;
  # };
  services.coturn = {
    enable = true;
    # Time-limited credentials derived from the shared secret (TURN REST auth)
    # instead of static user accounts.
    use-auth-secret = true;
    # XXX: nix-shell -p pwgen --command "pwgen -s 64 1"
    static-auth-secret = "redacted";
    realm = "turn.bkr.st";
    no-tcp-relay = true;
    # TURN traffic is not encrypted on the wire (no turns: listener); the
    # credentials above therefore travel in the clear between client and relay.
    no-tls = true;
    no-dtls = true;
    extraConfig = ''
      user-quota=12
      total-quota=1200
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      # NOTE(review): this single host is carved out of the RFC1918 deny list
      # above and so is reachable through the relay — confirm that is intended.
      allowed-peer-ip=192.168.123.123
    '';
  };
  security.acme.email = "redacted@gmail.com";
  security.acme.acceptTerms = true;
}