diff options
author | Wael M. Nasreddine <wael.nasreddine@gmail.com> | 2019-03-21 21:01:25 -0700 |
---|---|---|
committer | Wael M. Nasreddine <wael.nasreddine@gmail.com> | 2019-03-21 21:01:25 -0700 |
commit | 5af0780492827a0c9525e255371f9e7df0f3bb1d (patch) | |
tree | 14bebf201b7402984908f1e5c889d8bedbfc0561 /nixos/doc | |
parent | 7957a93520d458727c19532c607f6d7176f78207 (diff) | |
parent | 52dae14f0c763dd48572058f0f0906166da14c31 (diff) | |
download | nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar.gz nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar.bz2 nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar.lz nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar.xz nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.tar.zst nixlib-5af0780492827a0c9525e255371f9e7df0f3bb1d.zip |
Merge remote-tracking branch 'origin/master' into staging
* origin/master: (693 commits) buildGoModule: use go_1_12 instead of go_1_11 (#58103) gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091) signal-desktop: 1.22.0 -> 1.23.0 added missing semicolon to documentation terminus_font_ttf: 4.46.0 -> 4.47.0 buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071) dav1d: init at 0.2.1 dropbox-cli: 2018.11.28 -> 2019.02.14 atlassian-confluence: 6.14.1 -> 6.14.2 maintainers: update email for dywedir python.pkgs.hglib: use patch to specify hg path (#57926) chkrootkit: 0.52 -> 0.53 radare2-cutter: 1.7.2 -> 1.8.0 autorandr: 1.7 -> 1.8 pythonPackages.pyhepmc: fix build llvm-polly/clang-polly: use latest llvm apulse: 0.1.11.1 -> 0.1.12, cleanup factorio: experimental 0.17.14 → 0.17.16 (#58000) sequeler: 0.6.7 -> 0.6.8 nasc: 0.5.1 -> 0.5.2 ...
Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/configuration/configuration.xml | 1 | ||||
-rw-r--r-- | nixos/doc/manual/configuration/matrix.xml | 197 | ||||
-rw-r--r-- | nixos/doc/manual/configuration/wireless.xml | 2 | ||||
-rw-r--r-- | nixos/doc/manual/development/option-types.xml | 4 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 11 |
5 files changed, 212 insertions, 3 deletions
diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml index 507d28814ead..5961209bc13a 100644 --- a/nixos/doc/manual/configuration/configuration.xml +++ b/nixos/doc/manual/configuration/configuration.xml @@ -21,6 +21,7 @@ <xi:include href="xfce.xml" /> <xi:include href="networking.xml" /> <xi:include href="linux-kernel.xml" /> + <xi:include href="matrix.xml" /> <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" /> <xi:include href="profiles.xml" /> <xi:include href="kubernetes.xml" /> diff --git a/nixos/doc/manual/configuration/matrix.xml b/nixos/doc/manual/configuration/matrix.xml new file mode 100644 index 000000000000..a9a5d6de1f1d --- /dev/null +++ b/nixos/doc/manual/configuration/matrix.xml @@ -0,0 +1,197 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-matrix"> + <title>Matrix</title> + <para> + <link xlink:href="https://matrix.org/">Matrix</link> + is an open standard for interoperable, decentralised, real-time communication over IP. + It can be used to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things communication - + or anywhere you need a standard HTTP API for publishing and subscribing to data whilst tracking the conversation history. + </para> + <para> + This chapter will show you how to set up your own, self-hosted Matrix homeserver using the Synapse reference homeserver, + and how to serve your own copy of the Riot web client. + See the <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try Matrix Now!</link> + overview page for links to Riot Apps for Android and iOS, desktop clients, + as well as bridges to other networks and other projects around Matrix. + </para> + + <section xml:id="module-services-matrix-synapse"> + <title>Synapse Homeserver</title> + <para> + <link xlink:href="https://github.com/matrix-org/synapse">Synapse</link> + is the reference homeserver implementation of Matrix from the core development team at matrix.org. + The following configuration example will set up a synapse server for the <literal>example.org</literal> + domain, served from the host <literal>myhostname.example.org</literal>. + For more information, please refer to the + <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation"> + installation instructions of Synapse + </link>. + <programlisting> + let + fqdn = + let + join = hostName: domain: hostName + optionalString (domain != null) ".${domain}"; + in join config.networking.hostName config.networking.domain; + in { + networking = { + hostName = "myhostname"; + domain = "example.org"; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.nginx = { + enable = true; + # only recommendedProxySettings and recommendedGzipSettings are strictly required, + # but the rest make sense as well + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + # This host section can be placed on a different host than the rest, + # i.e. to delegate from the host being accessible as ${config.networking.domain} + # to another host actually running the Matrix homeserver. + "${config.networking.domain}" = { + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "${fqdn}:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow riot-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + + # Reverse proxy for Matrix client-server and server-server communication + ${fqdn} = { + enableACME = true; + forceSSL = true; + + # Or do a redirect instead of the 404, or whatever is appropriate for you. + # But do not put a Matrix Web client here! See the Riot Web section below. + locations."/".extraConfig = '' + return 404; + ''; + + # forward all Matrix API calls to the synapse Matrix homeserver + locations."/_matrix" = { + proxyPass = "http://[::1]:8008"; + }; + }; + }; + }; + services.matrix-synapse = { + enable = true; + server_name = config.networking.domain; + listeners = [ + { + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { names = [ "client" "federation" ]; compress = false; } + ]; + } + ]; + }; + }; + </programlisting> + </para> + <para> + If the <code>A</code> and <code>AAAA</code> DNS records on <literal>example.org</literal> + do not point on the same host as the records for <code>myhostname.example.org</code>, + you can easily move the <code>/.well-known</code> virtualHost section of the code + to the host that is serving <literal>example.org</literal>, + while the rest stays on <literal>myhostname.example.org</literal> + with no other changes required. + This pattern also allows to seamlessly move the homeserver from <literal>myhostname.example.org</literal> + to <literal>myotherhost.example.org</literal> by only changing the <code>/.well-known</code> redirection target. + </para> + + <para> + If you want to run a server with public registration by anybody, + you can then enable + <option>services.matrix-synapse.enable_registration = true;</option>. + Otherwise, or you can generate a registration secret with <command>pwgen -s 64 1</command> + and set it with + <option>services.matrix-synapse.registration_shared_secret</option>. + To create a new user or admin, + run the following after you have set the secret and have rebuilt NixOS: + + <programlisting> + $ nix run nixpkgs.matrix-synapse + $ register_new_matrix_user -k <your-registration-shared-secret> http://localhost:8008 + New user localpart: <your-username> + Password: + Confirm password: + Make admin [no]: + Success! + </programlisting> + In the example, this would create a user with the Matrix Identifier + <literal>@your-username:example.org</literal>. + Note that the registration secret ends up in the nix store and therefore is world-readable + by any user on your machine, so it makes sense to only temporarily activate the + <option>registration_shared_secret</option> option until a better solution for NixOS is in place. + </para> + </section> + + <section xml:id="module-services-matrix-riot-web"> + <title>Riot Web Client</title> + <para> + <link xlink:href="https://github.com/vector-im/riot-web/">Riot Web</link> + is the reference web client for Matrix and developed by the core team at matrix.org. + The following snippet can be optionally added to the code before to complete the synapse + installation with a web client served at + <code>https://riot.myhostname.example.org</code> and <code>https://riot.example.org</code>. + Alternatively, you can use the hosted copy at + <link xlink:href="https://riot.im/app">https://riot.im/app</link>, + or use other web clients or native client applications. + Due to the <literal>/.well-known</literal> urls set up done above, + many clients should fill in the required connection details automatically + when you enter your Matrix Identifier. + See <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try Matrix Now!</link> + for a list of existing clients and their supported featureset. + + <programlisting> + services.nginx.virtualHosts."riot.${fqdn}" = { + enableACME = true; + forceSSL = true; + serverAliases = [ + "riot.${config.networking.domain}" + ]; + + root = pkgs.riot-web; + }; + </programlisting> + </para> + <para> + Note that the Riot developers do not recommend running Riot and your Matrix homeserver + on the same fully-qualified domain name for security reasons. + In the example, this means that you should not reuse the <literal>myhostname.example.org</literal> + virtualHost to also serve Riot, but instead serve it on a different subdomain, + like <literal>riot.example.org</literal> in the example. + See the + <link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Riot Important Security Notes</link> + for more information on this subject. + </para> + </section> +</chapter> diff --git a/nixos/doc/manual/configuration/wireless.xml b/nixos/doc/manual/configuration/wireless.xml index dda2193dd93a..96b0a44f840a 100644 --- a/nixos/doc/manual/configuration/wireless.xml +++ b/nixos/doc/manual/configuration/wireless.xml @@ -23,7 +23,7 @@ psk = "abcdefgh"; }; "free.wifi" = {}; -} +}; </programlisting> Be aware that keys will be written to the nix store in plaintext! When no networks are set, it will default to using a configuration file at diff --git a/nixos/doc/manual/development/option-types.xml b/nixos/doc/manual/development/option-types.xml index d993e47bc914..069cc36573d8 100644 --- a/nixos/doc/manual/development/option-types.xml +++ b/nixos/doc/manual/development/option-types.xml @@ -512,7 +512,7 @@ config.mod.two = { foo = 2; bar = "two"; };</screen> The function to type check the value. Takes a value as parameter and return a boolean. It is possible to extend a type check with the <literal>addCheck</literal> function - (<xref + (<xref linkend='ex-extending-type-check-1' />), or to fully override the check function (<xref linkend='ex-extending-type-check-2' />). @@ -522,7 +522,7 @@ config.mod.two = { foo = 2; bar = "two"; };</screen> <screen> byte = mkOption { description = "An integer between 0 and 255."; - type = addCheck types.int (x: x >= 0 && x <= 255); + type = types.addCheck types.int (x: x >= 0 && x <= 255); };</screen> </example> <example xml:id='ex-extending-type-check-2'> diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 931c3be5913b..fab5b5aecb94 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -476,6 +476,8 @@ and will be <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>. As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). + The new <link linkend="module-services-matrix">manual chapter on Matrix</link> contains a working example of using nginx as a reverse proxy + in front of <literal>matrix-synapse</literal>, using Let's Encrypt certificates. </para> </listitem> <listitem> @@ -561,6 +563,15 @@ </para> </listitem> <listitem> + <para> + The manual gained a + <link linkend="module-services-matrix"> + new chapter on self-hosting <literal>matrix-synapse</literal> and <literal>riot-web</literal> + </link>, the most prevalent server and client implementations for the + <link xlink:href="https://matrix.org/">Matrix</link> federated communication network. + </para> + </listitem> + <listitem> <para> The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore. </para> |