diff --git a/cfg/services/matrix.nix b/cfg/services/matrix.nix
index 1bf9487d..62779409 100644
--- a/cfg/services/matrix.nix
+++ b/cfg/services/matrix.nix
@@ -29,8 +29,29 @@
 }
 ];
+ # services.matrix-synapse.extraConfig = ''
+ # registration_requires_token: true
+ # admin_contact: "admin.matrix@uninsane.org"
+ # '';
+
 services.matrix-synapse.extraConfig = ''
- registration_requires_token: true
+ admin_contact: "admin.matrix@uninsane.org"
+ registrations_require_3pid:
+ - email
+ email:
+ smtp_host: "mx.uninsane.org"
+ smtp_port: 587
+ smtp_user: "matrix-synapse"
+ smtp_pass: "matrix-synapse-super-secret"
+ require_transport_security: true
+ enable_tls: true
+ notif_from: "%(app)s "
+ app_name: "Uninsane Matrix"
+ enable_notifs: true
+ validation_token_lifetime: 96h
+ invite_client_location: "https://web.matrix.uninsane.org"
+ subjects:
+ email_validation: "[%(server_name)s] Validate your email"
 '';
 services.matrix-synapse.app_service_config_files = [
 "/var/lib/matrix-appservice-irc/registration.yml" # auto-created by irc appservice
diff --git a/cfg/services/nginx.nix b/cfg/services/nginx.nix
index d49fd5d9..96f46061 100644
--- a/cfg/services/nginx.nix
+++ b/cfg/services/nginx.nix
@@ -33,6 +33,15 @@
 return 200 '${builtins.toJSON client}';
 '';
+ # static URLs might not be aware of .well-known (e.g. registration confirmation URLs),
+ # so hack around that.
+ locations."/_matrix" = {
+ proxyPass = "http://127.0.0.1:8008";
+ };
+ locations."/_synapse" = {
+ proxyPass = "http://127.0.0.1:8008";
+ };
+
 # allow ActivityPub clients to discover how to reach @user@uninsane.org
 # TODO: waiting on https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3361/
 # locations."/.well-known/nodeinfo" = {
diff --git a/cfg/services/postfix.nix b/cfg/services/postfix.nix
index 352ef998..cd7d095e 100644
--- a/cfg/services/postfix.nix
+++ b/cfg/services/postfix.nix
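Review bot: `smtp_pass: "matrix-synapse-super-secret"` puts the SMTP credential inline in the Nix expression, and an `extraConfig` string like this is normally rendered into a world-readable file under /nix/store, so the secret is exposed to every local user and to anyone who can read the repository. Move the password out of the expression (a root-only file that Synapse reads at start, or whatever secrets mechanism this config uses elsewhere) and rotate the Dovecot password for `matrix-synapse` if this value is real rather than a placeholder. The commented-out copy of the previous `extraConfig` block above it is dead configuration and should be dropped rather than kept. `notif_from: "%(app)s "` as shown has no address after the display name — if an angle-bracketed address was lost in rendering, confirm it is `notify.matrix@uninsane.org`, since that is the only alias the postfix hunk grants the `matrix-synapse` login via `smtpd_sender_login_maps`. Replacing `registration_requires_token` with `registrations_require_3pid` also means anyone who can reach the server can now trigger validation mails, so a comment noting that the postfix REDIRECT rule is what turns this into manual approval would make that cross-file dependency explicit.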
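Review bot: `locations."/_synapse"` forwards the entire `/_synapse` prefix, which includes the Synapse admin API under `/_synapse/admin`, to the backend on the public vhost; Synapse's own guidance is not to expose the admin API beyond localhost. Narrow the location to what clients actually need, e.g. `locations."/_synapse/client" = { proxyPass = "http://127.0.0.1:8008"; };`, or add a `locations."/_synapse/admin"` block that denies. Neither new location sets forwarding headers, so unless `recommendedProxySettings` (or equivalent `proxy_set_header` lines) is enabled elsewhere in this file, Synapse will see 127.0.0.1 as every client's address, which defeats per-IP rate limiting and any `x_forwarded` listener setting. Media uploads through `/_matrix/media` will also be capped by nginx's default `client_max_body_size` (1m) unless it is raised here. The comment `# so hack around that` could say what the hack is, something like `# serve the Matrix API paths on the bare domain too, since links in registration mails target server_name rather than the .well-known-delegated host`.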
@@ -2,17 +2,17 @@ let
 submissionOptions = {
- smtpd_tls_security_level = "encrypt";
- smtpd_sasl_auth_enable = "yes";
- smtpd_sasl_type = "dovecot";
- smtpd_sasl_path = "/run/dovecot2/auth";
- smtpd_sasl_security_options = "noanonymous";
- smtpd_sasl_local_domain = "uninsane.org";
- smtpd_client_restrictions = "permit_sasl_authenticated,reject";
- # reuse the virtual map so that sender mapping matches recipient mapping
- smtpd_sender_login_maps = "hash:/var/lib/postfix/conf/virtual";
- smtpd_sender_restrictions = "reject_sender_login_mismatch";
- smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
+ smtpd_tls_security_level = "encrypt";
+ smtpd_sasl_auth_enable = "yes";
+ smtpd_sasl_type = "dovecot";
+ smtpd_sasl_path = "/run/dovecot2/auth";
+ smtpd_sasl_security_options = "noanonymous";
+ smtpd_sasl_local_domain = "uninsane.org";
+ smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ # reuse the virtual map so that sender mapping matches recipient mapping
+ smtpd_sender_login_maps = "hash:/var/lib/postfix/conf/virtual";
+ smtpd_sender_restrictions = "reject_sender_login_mismatch";
+ smtpd_recipient_restrictions = "reject_non_fqdn_recipient,permit_sasl_authenticated,reject";
 };
 in
 {
@@ -24,6 +24,7 @@ in
 services.postfix.sslKey = "/var/lib/acme/mx.uninsane.org/key.pem";
 services.postfix.virtual = ''
+ notify.matrix@uninsane.org matrix-synapse
 @uninsane.org colin
 '';
@@ -116,6 +117,11 @@ in
 action = "REDIRECT colin@uninsane.org";
 pattern = "/^Subject: Please activate your account/";
 }
+ # intercept Matrix registration confirmations
+ {
+ action = "REDIRECT colin@uninsane.org";
+ pattern = "/^Subject:.*Validate your email/";
+ }
 # XXX postfix only supports performing ONE action per header.
 # {
 # action = "REPLACE Subject: git application: Please activate your account";
diff --git a/cfg/services/postgres.nix b/cfg/services/postgres.nix
index bdfed12a..456f6dcd 100644
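Review bot: The only substantive change in this hunk is dropping `reject_unknown_recipient_domain` from `smtpd_recipient_restrictions` on the submission port, but the diff gives no reason; everything else in the hunk is re-indentation. With that check gone, an authenticated sender (now including the `matrix-synapse` login) can submit mail to domains that do not resolve, and Postfix will queue and later bounce it rather than rejecting at submission time. If this was needed because validation mails to some domain were being refused, record that next to the line, e.g. `# reject_unknown_recipient_domain dropped: <reason>`; otherwise consider restoring it. The restriction list still ends in `reject`, so unauthenticated relay remains blocked.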
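Review bot: The new line `notify.matrix@uninsane.org matrix-synapse` does two things because this same map is reused as `smtpd_sender_login_maps` in the hunk above: it routes mail addressed to notify.matrix@ to the local `matrix-synapse` account, and it authorizes the `matrix-synapse` SASL login to use that address as envelope sender, which is what lets Synapse's `notif_from` pass `reject_sender_login_mismatch`. The second effect is easy to miss when reading the virtual table alone; a comment such as `# also grants SASL user matrix-synapse the right to send as this address (see smtpd_sender_login_maps)` would make it explicit. Confirm the `matrix-synapse` system account actually has a mailbox or alias it onward, otherwise replies and bounces to notify.matrix@ go nowhere useful.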
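Review bot: The REDIRECT rule `pattern = "/^Subject:.*Validate your email/"` is acting as the registration approval gate (it diverts the email-validation link to the admin instead of the registrant), yet it matches on free-text subject content that is defined separately in matrix.nix; if that `email_validation` subject is ever edited, the rule silently stops matching and registrations complete with no admin involvement. Anchor the pattern to the configured subject shape, e.g. `pattern = "/^Subject: \\[.*\\] Validate your email/";`, and add a comment in both files saying the two strings must stay in sync. Note also that header_checks apply to every message passing through cleanup, including inbound mail from third parties, so any message carrying that subject is redirected to colin@ and never reaches its intended recipient. If manual approval is the intended control, the `registration_requires_token` option this commit removed is the mechanism designed for it; this redirect is better kept as defence in depth than as the only gate.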
--- a/cfg/services/postgres.nix
+++ b/cfg/services/postgres.nix
@@ -12,4 +12,11 @@
 # LC_COLLATE = "C"
 # LC_CTYPE = "C";
 # '';
+
+
+ # common admin operations:
+ # sudo -u postgres psql
+ # > \l # lists all databases
+ # > \du # lists all roles
+ # > \q # exits psql
 }