matrix: screen registrations by redirecting the activation emails

cfg/services/matrix.nix

@@ -29,8 +29,29 @@
     }
   ];
 
+  # services.matrix-synapse.extraConfig = ''
+  #   registration_requires_token: true
+  #   admin_contact: "admin.matrix@uninsane.org"
+  # '';
+
   services.matrix-synapse.extraConfig = ''
-    registration_requires_token: true
+    admin_contact: "admin.matrix@uninsane.org"
+    registrations_require_3pid:
+      - email
+    email:
+      smtp_host: "mx.uninsane.org"
+      smtp_port: 587
+      smtp_user: "matrix-synapse"
+      smtp_pass: "matrix-synapse-super-secret"
+      require_transport_security: true
+      enable_tls: true
+      notif_from: "%(app)s <notify.matrix@uninsane.org>"
+      app_name: "Uninsane Matrix"
+      enable_notifs: true
+      validation_token_lifetime: 96h
+      invite_client_location: "https://web.matrix.uninsane.org"
+      subjects:
+        email_validation: "[%(server_name)s] Validate your email"
   '';
   services.matrix-synapse.app_service_config_files = [
     "/var/lib/matrix-appservice-irc/registration.yml"  # auto-created by irc appservice

cfg/services/nginx.nix

@@ -33,6 +33,15 @@
         return 200 '${builtins.toJSON client}';
       '';
 
+    # static URLs might not be aware of .well-known (e.g. registration confirmation URLs),
+    # so hack around that.
+    locations."/_matrix" = {
+      proxyPass = "http://127.0.0.1:8008";
+    };
+    locations."/_synapse" = {
+      proxyPass = "http://127.0.0.1:8008";
+    };
+
     # allow ActivityPub clients to discover how to reach @user@uninsane.org
     # TODO: waiting on https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
     # locations."/.well-known/nodeinfo" = {

cfg/services/postfix.nix

@@ -2,17 +2,17 @@
 
 let
   submissionOptions = {
-      smtpd_tls_security_level = "encrypt";
-      smtpd_sasl_auth_enable = "yes";
-      smtpd_sasl_type = "dovecot";
-      smtpd_sasl_path = "/run/dovecot2/auth";
-      smtpd_sasl_security_options = "noanonymous";
-      smtpd_sasl_local_domain = "uninsane.org";
-      smtpd_client_restrictions = "permit_sasl_authenticated,reject";
-      # reuse the virtual map so that sender mapping matches recipient mapping
-      smtpd_sender_login_maps = "hash:/var/lib/postfix/conf/virtual";
-      smtpd_sender_restrictions = "reject_sender_login_mismatch";
-      smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+    smtpd_tls_security_level = "encrypt";
+    smtpd_sasl_auth_enable = "yes";
+    smtpd_sasl_type = "dovecot";
+    smtpd_sasl_path = "/run/dovecot2/auth";
+    smtpd_sasl_security_options = "noanonymous";
+    smtpd_sasl_local_domain = "uninsane.org";
+    smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+    # reuse the virtual map so that sender mapping matches recipient mapping
+    smtpd_sender_login_maps = "hash:/var/lib/postfix/conf/virtual";
+    smtpd_sender_restrictions = "reject_sender_login_mismatch";
+    smtpd_recipient_restrictions = "reject_non_fqdn_recipient,permit_sasl_authenticated,reject";
   };
 in
 {
@@ -24,6 +24,7 @@ in
   services.postfix.sslKey = "/var/lib/acme/mx.uninsane.org/key.pem";
 
   services.postfix.virtual = ''
+    notify.matrix@uninsane.org matrix-synapse
     @uninsane.org colin
   '';
 
@@ -116,6 +117,11 @@ in
       action = "REDIRECT colin@uninsane.org";
       pattern = "/^Subject: Please activate your account/";
     }
+    # intercept Matrix registration confirmations
+    {
+      action = "REDIRECT colin@uninsane.org";
+      pattern = "/^Subject:.*Validate your email/";
+    }
     # XXX postfix only supports performing ONE action per header.
     # {
     #   action = "REPLACE Subject: git application: Please activate your account";

cfg/services/postgres.nix

@@ -12,4 +12,11 @@
   #     LC_COLLATE = "C"
   #     LC_CTYPE = "C";
   # '';
+
+
+  # common admin operations:
+  #   sudo -u postgres psql
+  #   > \l   # lists all databases
+  #   > \du  # lists all roles
+  #   > \q   # exits psql
 }