plumjam/nixos - Change SUJ7TKWXHFZCEEQFGLRT4PZ4TYAXFLNDZVE57SN2AHXTLEPX7WXAC

matrix: switch to element client and harden

Created by James Plummer on September 6, 2025

SUJ7TKWXHFZCEEQFGLRT4PZ4TYAXFLNDZVE57SN2AHXTLEPX7WXAC

Dependencies

In channels

main

Change contents

File deletion: cinny.nix

BF:BFD[3.2] → [2.5192:5225]

BF:BFD[2.5225] → [2.3950:3950]

B:BD[2.3950] → [2.3951:5191]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled;
  fqdn = "chat.${domain}";
in {
  imports = [
    (self + /modules/nginx.nix)
  ];
  # cinny web client configuration
  services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
    root = pkgs.cinny;
    # serve custom config.json
    locations."= /config.json".extraConfig = ''
      default_type application/json;
      return 200 '${builtins.toJSON {
        defaultHomeserver = 0;
        homeserverList = [ "matrix.${domain}" ];
        allowCustomHomeservers = false;
        hashRouter = {
          enabled = false;
        };
      }}';
    '';
    extraConfig = /* nginx */ ''
      rewrite ^/config.json$ /config.json break;
      rewrite ^/manifest.json$ /manifest.json break;
      rewrite ^/sw.js$ /sw.js break;
      rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
      rewrite ^/public/(.*)$ /public/$1 break;
      rewrite ^/assets/(.*)$ /assets/$1 break;
      rewrite ^(.+)$ /index.html break;
    '';
    # static assets caching
    locations."~* \\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$" = {
      extraConfig = ''
        expires 1y;
      '';
    };
  };
}

Replacement in modules/nginx.nix at line 5 [4.3]
B:BD[4.118] → [4.118:156]
```
  imports = [(self + /modules/acme)];
```
[4.118]
[4.156]
```
  imports = [ (self + /modules/acme) ];
```

Replacement in modules/nginx.nix at line 28 [4.3]

B:BD[4.884] → [4.884:1062]

    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;

[4.884]

[4.1062]

    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self';" always;

Insertion in modules/nginx.nix at line 35 [4.3]

[4.1237]


    # SECURITY: Additional 2024 security headers
    proxy_hide_header X-Content-Type-Options;
    add_header X-Content-Type-Options nosniff always;
    proxy_hide_header X-XSS-Protection;
    add_header X-XSS-Protection "1; mode=block" always;
    proxy_hide_header Permissions-Policy;
    add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;

Replacement in modules/nginx.nix at line 90 [4.3]
B:BD[4.2317] → [4.2317:2318]
```
}
```
[4.2317]
```
}
```

Replacement in modules/matrix.nix at line 8 [2.560]

B:BD[2.714] → [2.714:765]

  imports = [
    (self + /modules/nginx.nix)
  ];

[2.714]

[2.765]

  imports = [ (self + /modules/nginx.nix) ];

Deletion in modules/matrix.nix at line 10 [2.560]
B:BD[2.766] → [2.766:789]
```
  # secrets for matrix
```

Replacement in modules/matrix.nix at line 11 [2.560]

B:BD[2.824] → [2.824:873]

    file = ../hosts/plum/matrix-signing-key.age;

[2.824]

[2.873]

    file  = ../hosts/plum/matrix-signing-key.age;

Replacement in modules/matrix.nix at line 17 [2.560]

B:BD[2.982] → [2.982:1039]

    file = ../hosts/plum/matrix-registration-secret.age;

[2.982]

[2.1039]

    file  = ../hosts/plum/matrix-registration-secret.age;

Deletion in modules/matrix.nix at line 22 [2.560]
B:BD[2.1105] → [2.1105:1159]
```
  # backup configuration for sqlite database and data
```

Replacement in modules/matrix.nix at line 24 [2.560]

B:BD[2.1249] → [2.1249:1308]

    after = [ "matrix-synapse.service" ];
    script = ''

[2.1249]

[2.1308]

    after       = [ "matrix-synapse.service" ];
    script      = ''

Replacement in modules/matrix.nix at line 33 [2.560]

B:BD[2.1527] → [2.1527:1611]

    serviceConfig = {
      Type = "oneshot";
      User = "matrix-synapse";
    };

[2.1527]

[2.1611]

    serviceConfig.Type = "oneshot";
		serviceConfig.User = "matrix-synapse";

Replacement in modules/matrix.nix at line 39 [2.560]
B:BD[2.1697] → [2.1697:1733]
```
    wantedBy = [ "timers.target" ];
```
[2.1697]
[2.1733]
```
    wantedBy    = [ "timers.target" ];
```

Replacement in modules/matrix.nix at line 41 [2.560]

B:BD[2.1734] → [2.1734:1814]

    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };

[2.1734]

[2.1814]

    timerConfig.OnCalendar = "daily";
		timerConfig.Persistent = true;
  };
  systemd.services.matrix-synapse.serviceConfig = {
    # sandboxing
    PrivateTmp    = true;
    ProtectSystem = "strict";
    ProtectHome   = true;
    # fs restrictions
    ReadWritePaths = [ "/var/lib/matrix-synapse" ];
    # network restrictions
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    # misc
    NoNewPrivileges  = true;
    RestrictSUIDSGID = true;

Insertion in modules/matrix.nix at line 64 [2.560]
[2.1883]
[2.1883]
Replacement in modules/matrix.nix at line 73 [2.560]
B:BD[2.2041] → [2.2041:2062]
```
        port = port;
```
[2.2041]
[2.2062]
```
        port           = port;
```

Replacement in modules/matrix.nix at line 75 [2.560]

B:BD[2.2098] → [2.2098:2262]

        type = "http";
        tls = false;
        x_forwarded = true; # behind reverse proxy
        resources = [{
          names = [ "client" "federation" ];

[2.2098]

[2.2262]

        type           = "http";
        tls            = false;
        x_forwarded    = true; # behind reverse proxy
        resources      = [{
          names    = [ "client" "federation" ];

Replacement in modules/matrix.nix at line 84 [2.560]

B:BD[2.2313] → [2.2313:2482]

      # database configuration - SQLite (default)
      database = {
        name = "sqlite3";
        args.database = "/var/lib/matrix-synapse/homeserver.db";
      };

[2.2313]

[2.2482]

      database.name          = "sqlite3";
			database.args.database = "/var/lib/matrix-synapse/homeserver.db";

Replacement in modules/matrix.nix at line 87 [2.560]

B:BD[2.2483] → [2.2483:2538]

      log_config = "/var/lib/matrix-synapse/log.yaml";

[2.2483]

[2.2538]

      log_config     = "/var/lib/matrix-synapse/log.yaml";
			log.root.level = "WARNING";

Replacement in modules/matrix.nix at line 90 [2.560]

B:BD[2.2539] → [2.2539:2600]

      enable_registration = true; # admin-managed users only

[2.2539]

[2.2600]

      enable_registration         = true;

Replacement in modules/matrix.nix at line 95 [2.560]

B:BD[2.2686] → [2.2686:2761]

      # redis integration
      redis = {
        enabled = true;
      };

[2.2686]

[2.2761]

      redis.enabled = true;

Deletion in modules/matrix.nix at line 98 [2.560]

B:BD[2.2794] → [2.2794:2896]


      # signing key configuration
      signing_key_path = config.age.secrets.matrixSigningKey.path;

Replacement in modules/matrix.nix at line 99 [2.560]

B:BD[2.2897] → [2.2897:2925]

      # registration secret

[2.2897]

[2.2925]

      signing_key_path           = config.age.secrets.matrixSigningKey.path;

Deletion in modules/matrix.nix at line 108 [2.560]
B:BD[2.3105] → [2.3105:3143]
```
  # nginx reverse proxy configuration
```

Replacement in modules/matrix.nix at line 109 [2.560]

B:BD[2.3229] → [2.3229:3299]

    locations."/_matrix".proxyPass = "http://[::1]:${toString port}";

[2.3229]

[2.3299]

    locations."/_matrix".proxyPass         = "http://[::1]:${toString port}";

Replacement in modules/matrix.nix at line 111 [2.560]

B:BD[2.3377] → [2.3377:3454]

    locations."/_synapse/admin".proxyPass = "http://[::1]:${toString port}";

[2.3377]

[2.3454]

    locations."/_synapse/admin".proxyPass  = "http://[::1]:${toString port}";

Deletion in modules/matrix.nix at line 114 [2.560]
B:BD[2.3460] → [2.3460:3520]
```
  # well-known endpoints for Matrix client/server discovery
```

Replacement in modules/matrix.nix at line 115 [2.560]

B:BD[2.3608] → [2.3608:3767]

    locations."/.well-known/matrix/client" = {
      extraConfig = ''
        return 200 '{"m.homeserver": {"base_url": "https://${fqdn}"}}';
      '';
    };

[2.3608]

[2.3767]

    locations."/.well-known/matrix/client".extraConfig = ''
			return 200 '{"m.homeserver": {"base_url": "https://${fqdn}"}}';
		'';

Replacement in modules/matrix.nix at line 119 [2.560]

B:BD[2.3768] → [2.3768:3905]

    locations."/.well-known/matrix/server" = {
      extraConfig = ''
        return 200 '{"m.server": "${fqdn}:443"}';
      '';
    };

[2.3768]

[2.3905]

    locations."/.well-known/matrix/server".extraConfig = ''
			return 200 '{"m.server": "${fqdn}:443"}';
		'';

File addition: element.nix (----------)

[3.2]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  fqdn = "chat.${domain}";
in {
  imports = [ (self + /modules/nginx.nix) ];
  services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
    root = pkgs.element-web;
    locations."= /config.json".extraConfig = ''
      default_type application/json;
      return 200 '${builtins.toJSON {
        default_server_config."m.homeserver" = {
					base_url    = "https://matrix.${domain}";
					server_name = domain;
				};
        brand = "chat.plumj.am";
        disable_3pid_login              = true;
        disable_login_language_selector = true;
				disable_guests                  = true;
        bug_report_endpoint_url = null;
        show_labs_settings = true;
        features           = {
          feature_pinning        = "labs";
          feature_custom_status  = "labs";
          feature_custom_tags    = "labs";
          feature_state_counters = "labs";
        };
        default_federate = true;
        default_theme = "light";
        room_directory.servers = [ domain "matrix.org" ];
        enable_presence_by_hs_url = {
          "https://matrix.org"               = false;
          "https://matrix-client.matrix.org" = false;
        };
        setting_defaults.breadcrumbs = true;
      }}';
    '';
    # spa routing serves index.html for all routes
    locations."/".tryFiles = "$uri $uri/ /index.html";
    # static assets caching
    locations."~* \\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$".extraConfig = ''
			expires 1y;
		'';
  };
}

Replacement in hosts/plum/configuration.nix at line 15 [5.1247]
B:BD[2.6150] → [2.6150:6176]
```
		../../modules/cinny.nix
```
[2.6150]
[5.1407]
```
		../../modules/element.nix
```