{ config, lib, pkgs, ... }:
let
  # Synapse's own settings; re-read further down so the nginx proxy stays in
  # sync with the listener address/port and the upload limit.
  cfg = config.services.matrix-synapse.settings;

  # `fqdn` is the host that actually serves the Synapse API; `domain` is the
  # Matrix server_name (the part after the colon in user IDs) and is
  # delegated to `fqdn` through the .well-known endpoints below.
  fqdn = "matrix.sbruder.de";
  domain = "sbruder.de";
in
{
  # Secrets are decrypted by sops on the target host and owned by the synapse
  # user, so they never end up in the world-readable Nix store.
  sops.secrets = {
    synapse-registration-shared-secret = {
      owner = "matrix-synapse";
      sopsFile = ../../secrets.yaml;
    };
    synapse-turn-shared-secret = {
      owner = "matrix-synapse";
      sopsFile = ../../secrets.yaml;
    };
  };

  # Presumably needed so the service can read the decrypted secret files
  # (sops-nix places them under group "keys" by default) — verify against the
  # sops configuration, which is not part of this file.
  systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";

  services.matrix-synapse = {
    enable = true;

    settings = {
      server_name = domain;
      public_baseurl = "https://${fqdn}";

      # A single plain-HTTP listener on loopback; TLS is terminated by nginx.
      listeners = lib.singleton {
        port = 8008;
        bind_addresses = [ "127.0.0.1" ];
        type = "http";
        tls = false;
        # With x_forwarded the client address is taken from X-Forwarded-For.
        # That is only trustworthy if nginx *sets* that header itself (e.g.
        # services.nginx.recommendedProxySettings, not visible in this file);
        # a bare proxyPass forwards whatever the client sent, which would let
        # clients spoof the IP Synapse logs and rate-limits on.
        # NOTE(review): confirm the proxy headers are set elsewhere.
        x_forwarded = true;
        resources = lib.singleton {
          # "metrics" serves /_synapse/metrics on this loopback listener; it is
          # not reachable from outside because nginx only proxies /_matrix.
          names = [ "client" "federation" "metrics" ];
          compress = false;
        };
      };

      # TURN servers advertised to clients; the matching shared secret is
      # supplied through extraConfigFiles below.
      turn_uris = [
        "turns:turn.sbruder.de:5349?transport=udp"
        "turns:turn.sbruder.de:5349?transport=tcp"
        "turn:turn.sbruder.de:3478?transport=udp"
        "turn:turn.sbruder.de:3478?transport=tcp"
      ];
      # Lifetime of the TURN credentials Synapse hands out (the trailing
      # comment implies the value is in milliseconds).
      turn_user_lifetime = "3600000"; # 1h

      enable_metrics = true;

      # adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
      # - set root.level to WARNING instead of INFO
      # Rendered as JSON (a YAML subset) into the Nix store; the file contains
      # no secrets, so being world-readable there is fine.
      log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON {
        version = 1;

        formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";

        filters.context = {
          "()" = "synapse.util.logcontext.LoggingContextFilter";
          request = "";
        };

        handlers.journal = {
          class = "systemd.journal.JournalHandler";
          formatter = "journal_fmt";
          filters = [ "context" ];
          SYSLOG_IDENTIFIER = "synapse";
        };

        root = {
          level = "WARNING";
          handlers = [ "journal" ];
        };

        disable_existing_loggers = false;
      });

      # Also enforced at the nginx edge (client_max_body_size below), so
      # oversized uploads are rejected before they reach Synapse.
      max_upload_size = "50M";

      # I’m okay with using matrix.org as trusted key server
      suppress_key_server_warning = true;

      # For mautrix-whatsapp backfilling
      experimental_features.msc2716_enabled = true;
    };

    # Secret-bearing config fragments (presumably registration_shared_secret
    # and turn_shared_secret) are merged in from the sops-managed files
    # instead of being written into `settings`.
    extraConfigFiles = with config.sops.secrets; [
      synapse-registration-shared-secret.path
      synapse-turn-shared-secret.path
    ];
  };

  services.postgresql = {
    enable = true;
    # synapse requires custom database configuration:
    # CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
    # as the database is not created with NixOS,
    # the ownership can’t be ensured here.
  };

  services.nginx.virtualHosts = {
    "${fqdn}" = {
      enableACME = true;
      forceSSL = true;
      # Everything except the Matrix API is redirected to the web client.
      locations."/".return = "301 https://chat.sbruder.de";
      # Only /_matrix is proxied; /_synapse/* (metrics, admin API) stays
      # reachable from localhost only.
      locations."/_matrix" =
        let
          # The first (and only) listener defined in the settings above.
          listenerCfg = (lib.elemAt cfg.listeners 0);
        in
        {
          proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
          extraConfig = ''
            client_max_body_size ${cfg.max_upload_size};
          '';
        };
    };
    "${domain}" = {
      enableACME = true;
      forceSSL = true;
      locations =
        let
          # workaround for nginx dropping parent headers
          # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
          # (an add_header inside a location replaces *all* inherited
          # add_header directives, so the ones from commonHttpConfig are
          # repeated here; add_header lines defined anywhere else are not
          # picked up by this filter)
          parentHeaders = lib.concatStringsSep "\n" (lib.filter
            (lib.hasPrefix "add_header")
            (lib.splitString "\n" config.services.nginx.commonHttpConfig));
        in
        {
          # Server delegation: federation traffic for `domain` goes to `fqdn`.
          "=/.well-known/matrix/server".extraConfig = ''
            ${parentHeaders}
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON {
              "m.server" = "${fqdn}:443";
            }}';
          '';
          # Client discovery; web clients fetch this cross-origin, hence the
          # wildcard CORS header.
          "=/.well-known/matrix/client".extraConfig = ''
            ${parentHeaders}
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON {
              "m.homeserver"."base_url" = "https://${fqdn}";
            }}';
          '';
        };
    };
  };
}