fuuko/matrix/synapse: Init
This commit is contained in:
parent
3b6a9dfc40
commit
0ae96653a5
|
@ -10,6 +10,7 @@
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
./services/grafana.nix
|
./services/grafana.nix
|
||||||
./services/hedgedoc.nix
|
./services/hedgedoc.nix
|
||||||
|
./services/matrix
|
||||||
./services/media.nix
|
./services/media.nix
|
||||||
./services/prometheus.nix
|
./services/prometheus.nix
|
||||||
./services/scan.nix
|
./services/scan.nix
|
||||||
|
|
5
machines/fuuko/services/matrix/default.nix
Normal file
5
machines/fuuko/services/matrix/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./synapse.nix
|
||||||
|
];
|
||||||
|
}
|
139
machines/fuuko/services/matrix/synapse.nix
Normal file
139
machines/fuuko/services/matrix/synapse.nix
Normal file
|
@ -0,0 +1,139 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.matrix-synapse;
|
||||||
|
|
||||||
|
fqdn = "matrix.sbruder.de";
|
||||||
|
domain = "sbruder.de";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
krops.secrets = {
|
||||||
|
synapse-registration-shared-secret.group = "matrix-synapse";
|
||||||
|
synapse-turn-shared-secret.group = "matrix-synapse";
|
||||||
|
};
|
||||||
|
users.users.matrix-synapse.extraGroups = [ "keys" ];
|
||||||
|
|
||||||
|
services.matrix-synapse = {
|
||||||
|
enable = true;
|
||||||
|
server_name = domain;
|
||||||
|
public_baseurl = "https://${fqdn}";
|
||||||
|
|
||||||
|
listeners = lib.singleton {
|
||||||
|
port = 8008;
|
||||||
|
bind_address = "127.0.0.1";
|
||||||
|
type = "http";
|
||||||
|
tls = false;
|
||||||
|
x_forwarded = true;
|
||||||
|
resources = lib.singleton {
|
||||||
|
names = [ "client" "federation" "metrics" ];
|
||||||
|
compress = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
dataDir = "/data/matrix/synapse";
|
||||||
|
|
||||||
|
turn_uris = [
|
||||||
|
"turns:turn.sbruder.de:5349?transport=udp"
|
||||||
|
"turns:turn.sbruder.de:5349?transport=tcp"
|
||||||
|
];
|
||||||
|
turn_user_lifetime = "3600000"; # 1h
|
||||||
|
|
||||||
|
enable_metrics = true;
|
||||||
|
|
||||||
|
# adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
|
||||||
|
# - set root.level to WARNING instead of INFO
|
||||||
|
logConfig = builtins.toJSON {
|
||||||
|
version = 1;
|
||||||
|
|
||||||
|
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
|
||||||
|
|
||||||
|
filters.context = {
|
||||||
|
"()" = "synapse.util.logcontext.LoggingContextFilter";
|
||||||
|
request = "";
|
||||||
|
};
|
||||||
|
|
||||||
|
handlers.journal = {
|
||||||
|
class = "systemd.journal.JournalHandler";
|
||||||
|
formatter = "journal_fmt";
|
||||||
|
filters = [ "context" ];
|
||||||
|
SYSLOG_IDENTIFIER = "synapse";
|
||||||
|
};
|
||||||
|
|
||||||
|
root = {
|
||||||
|
level = "WARNING";
|
||||||
|
handlers = [ "journal" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
disable_existing_loggers = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
# I’m okay with using matrix.org as trusted key server
|
||||||
|
suppress_key_server_warning: true
|
||||||
|
'';
|
||||||
|
|
||||||
|
extraConfigFiles = with config.krops.secrets; [
|
||||||
|
synapse-registration-shared-secret.path
|
||||||
|
synapse-turn-shared-secret.path
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
# synapse requires custom databse configuration:
|
||||||
|
# CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
|
||||||
|
ensureUsers = lib.singleton {
|
||||||
|
name = "matrix-synapse";
|
||||||
|
ensurePermissions = {
|
||||||
|
"DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"${fqdn}" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations."/".return = "301 https://chat.sbruder.de";
|
||||||
|
|
||||||
|
locations."/_matrix" =
|
||||||
|
let
|
||||||
|
listenerCfg = (lib.elemAt cfg.listeners 0);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
proxyPass = "http://${listenerCfg.bind_address}:${toString listenerCfg.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
"${domain}" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
locations =
|
||||||
|
let
|
||||||
|
# workaround for nginx dropping parent headers
|
||||||
|
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
|
||||||
|
parentHeaders = lib.concatStringsSep "\n" (lib.filter
|
||||||
|
(lib.hasPrefix "add_header ")
|
||||||
|
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"=/.well-known/matrix/server".extraConfig = ''
|
||||||
|
${parentHeaders}
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
return 200 '${builtins.toJSON {
|
||||||
|
"m.server" = "${fqdn}:443";
|
||||||
|
}}';
|
||||||
|
'';
|
||||||
|
"=/.well-known/matrix/client".extraConfig = ''
|
||||||
|
${parentHeaders}
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
return 200 '${builtins.toJSON {
|
||||||
|
"m.homeserver"."base_url" = "https://${fqdn}";
|
||||||
|
}}';
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -82,6 +82,20 @@ in
|
||||||
job_name = "fritzbox";
|
job_name = "fritzbox";
|
||||||
static_configs = mkStaticTarget "127.0.0.1:9133";
|
static_configs = mkStaticTarget "127.0.0.1:9133";
|
||||||
}
|
}
|
||||||
|
(
|
||||||
|
let
|
||||||
|
listenerCfg = (lib.elemAt config.services.matrix-synapse.listeners 0);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
job_name = "synapse";
|
||||||
|
static_configs = mkStaticTarget "${listenerCfg.bind_address}:${toString listenerCfg.port}";
|
||||||
|
metrics_path = "/_synapse/metrics";
|
||||||
|
relabel_configs = lib.singleton {
|
||||||
|
target_label = "instance";
|
||||||
|
replacement = "matrix.sbruder.de";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
)
|
||||||
];
|
];
|
||||||
|
|
||||||
rules =
|
rules =
|
||||||
|
|
Loading…
Reference in a new issue