.github Initial commit: Matrix Synapse NixOS configuration 2025-12-11 19:09:59 -08:00
configurations Moar aliases :D . 2026-03-04 11:15:47 -06:00
modules Update readme. Other small tweaks to nix. 2026-03-04 09:15:09 -06:00
packages Initial commit: Matrix Synapse NixOS configuration 2025-12-11 19:09:59 -08:00
flake.lock First commit where coturn server will start! 2026-03-04 01:03:38 -06:00
flake.nix First commit where coturn server will start! 2026-03-04 01:03:38 -06:00
original_flake.nix first commit that builds - worked through updates and fixed path traversal vuln. 2026-02-28 11:49:11 -06:00
README.md Update readme 2026-03-04 09:21:22 -06:00

Fork of: https://github.com/MaxwellDPS/synapstnix

# Matrix Synapse - NixOS Configuration

A complete, production-ready Matrix Synapse homeserver as a NixOS flake with enterprise security features.

## Features

### Core Services

- Matrix Synapse - Homeserver
- Element Web - Web client
- PostgreSQL - Database
- Redis - Caching
- Nginx - Reverse proxy with rate limiting

### Optional Services

- Authelia - SSO/OIDC identity provider
- Coturn - TURN/STUN server for VoIP
- Prometheus + Grafana - Monitoring
- Cloudflared - Cloudflare tunnel (I haven't taken that out yet but fukk cloudflare)

### Security Features

- Falco - Runtime security monitoring with custom Matrix rules
- Fail2ban - Brute force protection
- System hardening - Kernel parameters, audit logging
- Rate limiting - Nginx-based protection

## Quick Start

### 1. Build an Image

```bash
# Clone the repository
git clone https://git.cyberia.club/symys/symysynapstnix
cd symysynapstnix

# Build a QCOW2 image for QEMU/KVM
nix build .#nixosConfigurations.localdev.config.system.build.vm --show-trace
```

### 2. Configure

Edit `configurations/server.nix`:

```nix
services.matrix-stack = {
  enable = true;
  domain = "matrix.example.com";  # Your domain
  adminEmail = "admin@example.com";

  # Features
  enableAuthelia = true;
  enableCoturn = true;
  enableMonitoring = true;
};
```

### 3. Deploy

```bash
# Build and test in VM
nixos-rebuild build-vm --flake .#matrix-server
./result/bin/run-matrix-server-vm

# Deploy to existing NixOS system
nixos-rebuild switch --flake .#matrix-server --target-host root@your-server

# Or use the ISO installer
```

## Configuration Options

### Basic Options

| Option | Type | Default | Description |
|---|---|---|---|
| `domain` | string | required | Matrix server domain |
| `serverName` | string | `domain` | Matrix server name |
| `adminEmail` | string | `admin@domain` | Admin contact |
| `enableAuthelia` | bool | `true` | Enable SSO/OIDC |
| `enableCoturn` | bool | `true` | Enable TURN server |
| `enableMonitoring` | bool | `false` | Enable Prometheus/Grafana |
| `enableFederation` | bool | `true` | Enable federation |
| `enableRegistration` | bool | `false` | Allow registration |

### Security Options

| Option | Type | Default | Description |
|---|---|---|---|
| `security.enableHardening` | bool | `true` | System hardening |
| `security.trustedProxies` | list | `["127.0.0.1"]` | Trusted proxy IPs |

### Resource Options

| Option | Type | Default | Description |
|---|---|---|---|
| `resources.synapse.maxUploadSize` | string | `"100M"` | Max file upload |
| `resources.synapse.cacheMemory` | string | `"512M"` | Cache memory target |
| `redis.maxMemory` | string | `"256mb"` | Redis memory limit |

## Image Formats

| Format | Command | Use Case |
|---|---|---|
| qcow2-image | `nix build .#qcow2-image` | QEMU/KVM/Proxmox |
| raw-image | `nix build .#raw-image` | Direct disk write |

## Post-Installation

### Create Users

```bash
# Create SSO user (if Authelia enabled)
authelia-create-user admin admin@example.com

# Create Matrix admin
matrix-admin create-admin admin

# Create registration tokens
matrix-admin create-token 5  # 5 uses
```

### Admin Interface

The admin interface is only accessible from localhost:

```bash
# SSH tunnel
ssh -L 8443:localhost:8443 root@your-server

# Open browser
open https://localhost:8443
```

### Security Monitoring

```bash
# Security status
matrix-admin security-status

# Full health check
matrix-admin health
```

## Directory Structure

```
matrix-nixos/
├── flake.nix                    # Flake entry point
├── modules/
│   ├── matrix-stack.nix         # Main module
│   ├── matrix-synapse.nix       # Synapse configuration
│   ├── matrix-nginx.nix         # Nginx + Element
│   ├── matrix-authelia.nix      # SSO/OIDC
│   ├── matrix-coturn.nix        # TURN server
│   ├── matrix-monitoring.nix    # Prometheus/Grafana
│   ├── matrix-security.nix      # Falco + hardening
│   └── matrix-cloudflared.nix   # Cloudflare tunnel
├── configurations/
│   ├── server.nix               # Full server config
│   ├── minimal.nix              # Testing config
│   ├── container.nix            # Container/VM config
│   ├── installer.nix            # ISO installer
│   ├── hardware-configuration.nix
│   └── cloud/
│       ├── aws.nix
│       ├── gcp.nix
│       └── azure.nix
└── packages/
    └── admin-tools.nix          # Admin CLI
```

## Secrets Management

Secrets are auto-generated on first boot to `/var/lib/matrix/secrets/`.

For production, use sops-nix or agenix:

```nix
# Example with sops-nix
sops.secrets."matrix/registration_secret" = {};
sops.secrets."matrix/turn_secret" = {};

services.matrix-stack.secrets = {
  registrationSharedSecret = config.sops.secrets."matrix/registration_secret".path;
  turnSecret = config.sops.secrets."matrix/turn_secret".path;
};
```
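Whichever way the secrets get onto the box, the on-disk tree should stay private to the service user. The following POSIX shell audit is an added example, not part of this repository or its admin tools: it assumes the path the README names (`/var/lib/matrix/secrets/`) and the expectation that secret files are mode 0600 inside 0700 directories. The temporary tree it builds for the demonstration is constructed for illustration only.

```shell
#!/bin/sh
# Added example: check that a secrets directory is private.
# The README says secrets land in /var/lib/matrix/secrets/ on first boot; this
# checks that every directory there is mode 0700 and every file 0600, so no
# other local user can read the registration shared secret or the TURN secret.

# audit_secret_dir <dir>: prints each path whose mode is looser than expected.
# Exit 0 when the tree is clean, 1 when something was flagged, 2 if <dir> is missing.
audit_secret_dir() {
    dir=$1
    [ -d "$dir" ] || { printf 'no such directory: %s\n' "$dir" >&2; return 2; }
    # POSIX find: `-perm 700` is an exact mode match, so anything that is not
    # exactly 0700 (directories) or 0600 (files) is reported.
    bad=$( { find "$dir" -type d ! -perm 700; find "$dir" -type f ! -perm 600; } | sort )
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Self-contained demonstration on a constructed temporary tree
# (on a real host the argument would be /var/lib/matrix/secrets).
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
printf 'constructed-secret\n' > "$demo_dir/registration_secret"
chmod 600 "$demo_dir/registration_secret"           # as expected
printf 'constructed-secret\n' > "$demo_dir/turn_secret"
chmod 644 "$demo_dir/turn_secret"                   # too open: flagged
mkdir "$demo_dir/keys"
chmod 755 "$demo_dir/keys"                          # too open: flagged
audit_secret_dir "$demo_dir" || echo "fix with: chmod -R u=rwX,go= $demo_dir"
rm -rf "$demo_dir"
```

Run it as root (or the service user) against the real directory after first boot and again after every rebuild; an empty output and exit status 0 is the expected result.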

## Cloudflare Tunnel Setup

```bash
# Run setup script
matrix-tunnel-setup

# Or manual setup:
# 1. Create tunnel: cloudflared tunnel create matrix
# 2. Add DNS: cloudflared tunnel route dns matrix matrix.example.com
# 3. Update config with tunnel ID and credentials path
# 4. Rebuild NixOS
```

## Firewall Ports

| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | HTTPS |
| 8448 | TCP | Federation |
| 3478 | TCP/UDP | TURN |
| 5349 | TCP/UDP | TURNS |
| 49152-65535 | UDP | TURN relay |
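The port table above, together with the rule that the admin interface (8443) is only reachable from localhost, gives a simple exposure baseline to check a running host against. The following POSIX shell function is an added example, not part of this repository: it reads the column layout of `ss -Hlntu` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and flags any non-loopback listener whose port is not in the table. The sample socket listing embedded in it is constructed for illustration, and the assumption that PostgreSQL, Redis and Synapse's own client listener should stay on loopback behind Nginx is mine, not a statement from the README.

```shell
#!/bin/sh
# Added example: audit listening sockets against the README's firewall table.
# Expected public exposure: 443/tcp, 8448/tcp, 3478 and 5349 tcp+udp,
# 49152-65535/udp. Any other socket bound to a non-loopback address
# (admin UI 8443, PostgreSQL, Redis, Synapse's client listener) is flagged.

# Constructed sample in the column layout of `ss -Hlntu`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); not output from a real host.
SAMPLE_SS='tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:8448 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
tcp LISTEN 0 4096 [::]:8008 [::]:*
udp UNCONN 0 0 0.0.0.0:3478 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:50000 0.0.0.0:*'

# audit_listeners "<ss output>": prints "<proto> <port>" for every listener that
# is reachable beyond loopback but not in the expected public set.
# Exit status 1 if anything was flagged, 0 otherwise.
audit_listeners() {
    flagged=$(printf '%s\n' "$1" | awk '
    {
        proto = $1; laddr = $5
        n = split(laddr, parts, ":")        # IPv6 has several colons; the port is last
        port = parts[n] + 0
        addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback-only binding is fine
        ok = 0
        if (proto == "tcp" && (port == 443 || port == 8448 || port == 3478 || port == 5349)) ok = 1
        if (proto == "udp" && (port == 3478 || port == 5349 || (port >= 49152 && port <= 65535))) ok = 1
        if (!ok) print proto, port
    }')
    [ -n "$flagged" ] && printf '%s\n' "$flagged"
    [ -z "$flagged" ]
}

# Run against the constructed sample; on a real host use: audit_listeners "$(ss -Hlntu)"
audit_listeners "$SAMPLE_SS" || echo "unexpected exposure found (see lines above)"
```

In the constructed sample the Redis listener on `0.0.0.0:6379` and the Synapse listener on `[::]:8008` are reported; the admin interface on `127.0.0.1:8443` and PostgreSQL on loopback pass, as do the TURN relay port in the 49152-65535 range and the public HTTPS and federation ports. The host firewall should still block the flagged ports, but a service bound to all interfaces is one misconfiguration away from being reachable, so the audit is worth running after each rebuild.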

## Maintenance

### Backup

```bash
matrix-admin backup
```

### Update

```bash
# Update flake inputs
nix flake update

# Rebuild
nixos-rebuild switch --flake .#matrix-server
```

### Logs

```bash
matrix-admin logs synapse
matrix-admin logs nginx
matrix-admin logs authelia
```

## Troubleshooting

### Services Not Starting

```bash
systemctl status matrix-synapse
journalctl -u matrix-synapse -f
```

### Database Issues

```bash
sudo -u postgres psql -c "SELECT 1"
systemctl status postgresql
```

### Federation Test

```bash
curl https://federationtester.matrix.org/api/report?server_name=YOUR_DOMAIN
```

## License

MIT