From ba741af134ecacfabe5c733ce2b6b4b7e2fe25a7 Mon Sep 17 00:00:00 2001
From: "Jill \"oatmealine\" Monoids"
Date: Sat, 23 Sep 2023 12:02:09 +0200
Subject: [PATCH] dendrite stuff

---
 hosts/lucent-firepit/default.nix | 5 ++
 modules/services/dendrite.nix | 102 +++++++++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 modules/services/dendrite.nix

diff --git a/hosts/lucent-firepit/default.nix b/hosts/lucent-firepit/default.nix
index f2d8a9b..7a86d10 100644
--- a/hosts/lucent-firepit/default.nix
+++ b/hosts/lucent-firepit/default.nix
@@ -158,6 +158,11 @@ in {
 interfaces."wg0" = import ./wireguardInterface.nix;
 };
 
+ dendrite = {
+ enable = true;
+ hostDomain = "dark-firepit.cloud";
+ };
+
 terraria = {
 enable = false;
 port = 7777; # port-forwarded
diff --git a/modules/services/dendrite.nix b/modules/services/dendrite.nix
new file mode 100644
index 0000000..2018bc6
--- /dev/null
+++ b/modules/services/dendrite.nix
@@ -0,0 +1,102 @@
+{ pkgs, config, lib, options, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.dendrite;
+ fullDomain = "matrix." + cfg.hostDomain;
+ maxUploadMegabytes = 600;
+in {
+ options.modules.services.dendrite = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ };
+
+ hostDomain = mkOption {
+ type = types.str;
+ default = null;
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8008;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ { assertion = cfg.hostDomain != null;
+ description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
+ }
+ ];
+
+ services.dendrite = {
+ enable = true;
+ httpPort = cfg.port;
+ # httpsPort = cfg.port;
+ tlsCert = "/var/lib/dendrite_keys/server.cert";
+ tlsKey = "/var/lib/dendrite_keys/server.key";
+ loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
+ environmentFile = "/var/lib/dendrite_keys/registration_secret";
+ settings = {
+ global = {
+ server_name = cfg.hostDomain;
+ private_key = "/var/lib/dendrite_keys/private/private_key.pem";
+ presence = {
+ enable_inbound = true;
+ enable_outbound = true;
+ };
+ };
+ client_api = {
+ registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
+ };
+ media_api = {
+ max_file_size_bytes = maxUploadMegabytes;
+ dynamic_thumbnails = true;
+ };
+ };
+
+ };
+
+ services.nginx.virtualHosts."${fullDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [
+ { addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ { addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-RealIP $remote_addr;
+ proxy_read_timeout 600;
+ client_max_body_size ${toString maxUploadMegabytes}M;
+ '';
+ };
+
+ services.nginx.virtualHosts."${cfg.hostDomain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
+
+ # locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
+ locations."/.well-known/matrix/client".extraConfig = ''
+ add_header Access-Control-Allow-Origin '*';
+ return 200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }';
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 ];
+ };
+}
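Review bot: `max_file_size_bytes = maxUploadMegabytes;` hands Dendrite a limit of 600 bytes while the nginx block in the same hunk allows `client_max_body_size 600M`, so any real media upload is rejected by Dendrite rather than nginx; write `max_file_size_bytes = maxUploadMegabytes * 1024 * 1024;`. The client well-known body returns the key `m.homserver`, but clients look up `m.homeserver`, so discovery fails until the line reads `return 200 '{ \"m.homeserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }';`. The assertion entry uses `description`, whereas NixOS assertions report `message`, and with `type = types.str; default = null;` the option fails type-checking before the assertion is ever evaluated, so use `type = types.nullOr types.str;` together with `message = "...";`. The private key is passed through `loadCredential`, yet `settings.global.private_key` still points at the on-disk path, so the credential is unused; the NixOS module's documented pattern is `private_key = "$CREDENTIALS_DIRECTORY/private_key";`, which presumably also lets the key file stay unreadable to the service account. Nothing in this hunk serves HTTP/3, so `networking.firewall.allowedUDPPorts = [ 80 443 ];` opens ports with no listener and can be dropped, and `X-RealIP` is presumably meant to be the conventional `X-Real-IP` header.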