(deployment systems aisaka): implement initial reverse proxy for Matrix

author: Marek Paśnikowski <marek@marekpasnikowski.pl> 2026-03-20 08:39:45 +0100
committer: Marek Paśnikowski <marek@marekpasnikowski.pl> 2026-03-21 09:20:30 +0100
commit: e31455f02e81e11bf7b0385adb6b9b45fa07978c (patch)
tree: 9fee34b43cacd71e192ead4f2ce8692060e08bce /deployment/systems
parent: ca5dee05f66a930a3ba19f3b0a93b034de12a80f (diff)
1 files changed, 29 insertions, 4 deletions
diff --git a/deployment/systems/aisaka.scm b/deployment/systems/aisaka.scm
index 5174e61..6dab453 100644
--- a/deployment/systems/aisaka.scm
+++ b/deployment/systems/aisaka.scm
@@ -51,6 +51,8 @@
                 #:prefix gnu:system:shadow:)
   #:use-module ((nongnu packages linux)
                 #:prefix nongnu:packages:linux:)
+  #:use-module ((gnu packages matrix)
+                #:prefix gnu:packages:matrix:)
   #:use-module ((nongnu system linux-initrd)
                 #:prefix nongnu:system:linux-initrd:)
   #:use-module ((sovereign devices)
@@ -99,6 +101,7 @@
  ("dkim._domainkey" ttl "IN" "TXT"   "\"v=DKIM1; d=marekpasnikowski.pl; t=s; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo/b/WV5EUxqAhBgJ4v5K3sP8QI+IwziRJ/F9SDO3p3QOMjZd9AGVt2/AztZ4EmcOJnTlbQnLE/DKCOq4HAdxSZjIqj5AXyMddvWiO78+ugdame/flV0tjdDGNflx65Twap3qgJ9jzhvJfZ1BDuh2WC06fn2pyFl1TCETEGp6ZDkI41FW5GH8l9Jk7hhCmr+Mau0EpE7V42lBdireItOA1e7jQcub50584QATme4rYxA7WR4AeIsknOkUo4q8vkVrssoP11nSg/sNM9RGn1QDfVMJRX0twtgGnJ8N5QE4Ia9DvXL4Y0PNMC0/frp13pB6m1VQP/Z4jfDy+TQzEdSRaQIDAQAB\"")
  ("git"             ttl "IN" "CNAME" "www")
  ("guix"            ttl "IN" "CNAME" "www")
+ ("matrix"          ttl "IN" "CNAME" "www")
  ("radicale"        ttl "IN" "CNAME" "www")
  ("schron"          ttl "IN" "CNAME" "www")
  ("sejf"            ttl "IN" "CNAME" "www")
@@ -110,7 +113,7 @@
    (origin  "marekpasnikowski.pl")
    (ns      "ns1.marekpasnikowski.pl.")
    (mail    "marek.marekpasnikowski.pl.")
-   (serial  2026031700)))
+   (serial  2026032000)))
 
 (define master-zone
   (gnu:services:dns:knot-zone-configuration
@@ -225,6 +228,14 @@
                "proxy_pass_header Authorization ;"))
    (uri  "/")))
 
+(define nginx-location-proxy-matrix
+  (gnu:services:web:nginx-location-configuration
+   (body (list "proxy_pass http://localhost:8008 ;"
+               "proxy_set_header X-Forwarded-For $remote_addr ;"
+               "proxy_set_header X-Forwarded-Proto $scheme ;"
+               "proxy_set_header Host $host:$server_port ;"))
+   (uri  "~ ^(/_matrix|/_synapse/client)")))
+
 (define nginx-location-proxy-radicale
   (gnu:services:web:nginx-location-configuration
    (body (list "proxy_pass http://localhost:8080/ ;"
@@ -264,9 +275,20 @@
 
 (define nginx-server-guix
   (gnu:services:web:nginx-server-configuration
-   (locations   (list nginx-location-proxy-guix))
-   (listen      (list "192.168.10.2:443 ssl"))
-   (server-name (list "guix.marekpasnikowski.pl"))))
+   (locations           (list nginx-location-proxy-guix))
+   (listen              (list "192.168.10.2:443 ssl"))
+   (server-name         (list "guix.marekpasnikowski.pl"))
+   (ssl-certificate     "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+   (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
+
+(define nginx-server-matrix
+  (gnu:services:web:nginx-server-configuration
+   (locations           (list nginx-location-proxy-matrix))
+   (listen              (list "192.168.10.2:443 ssl"))
+   (root                gnu:packages:matrix:synapse)
+   (server-name         (list "matrix.marekpasnikowski.pl"))
+   (ssl-certificate     "/etc/letsencrypt/live/marekpasnikowski.pl/fullchain.pem")
+   (ssl-certificate-key "/etc/letsencrypt/live/marekpasnikowski.pl/privkey.pem")))
 
 (define nginx-server-portal
   (gnu:services:web:nginx-server-configuration
@@ -338,6 +360,7 @@
    (server-blocks        (list nginx-server-portal
                                nginx-server-www
                                nginx-server-guix
+                               nginx-server-matrix
                                nginx-server-test
                                nginx-server-schron
                                nginx-server-sejf
@@ -378,6 +401,7 @@
    (domains     (list "marekpasnikowski.pl"
                       "git.marekpasnikowski.pl"
                       "guix.marekpasnikowski.pl"
+                      "matrix.marekpasnikowski.pl"
                       "radicale.marekpasnikowski.pl"
                       "schron.marekpasnikowski.pl"
                       "sejf.marekpasnikowski.pl"
@@ -684,6 +708,7 @@
                                 gnu:system:shadow:%base-groups))
      (packages           (cons* sovereign:packages:jekyll:custom-jekyll
                                 gnu:packages:tls:openssl
+                                gnu:packages:matrix:synapse
                                 gnu:system:%base-packages))
      (timezone           "Europe/Warsaw")
      (locale             sovereign:systems:pl-locale)
author	Marek Paśnikowski <marek@marekpasnikowski.pl>	2026-03-20 08:39:45 +0100
committer	Marek Paśnikowski <marek@marekpasnikowski.pl>	2026-03-21 09:20:30 +0100
commit	e31455f02e81e11bf7b0385adb6b9b45fa07978c (patch)
tree	9fee34b43cacd71e192ead4f2ce8692060e08bce /deployment/systems
parent	ca5dee05f66a930a3ba19f3b0a93b034de12a80f (diff)