fuuko/matrix/synapse: Init

This commit is contained in:
Simon Bruder 2021-03-18 13:01:59 +01:00
parent 3b6a9dfc40
commit 0ae96653a5
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
4 changed files with 159 additions and 0 deletions

View file

@ -10,6 +10,7 @@
./services/gitea.nix
./services/grafana.nix
./services/hedgedoc.nix
./services/matrix
./services/media.nix
./services/prometheus.nix
./services/scan.nix

View file

@ -0,0 +1,5 @@
{
imports = [
./synapse.nix
];
}

View file

@ -0,0 +1,139 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.matrix-synapse;
fqdn = "matrix.sbruder.de";
domain = "sbruder.de";
in
{
krops.secrets = {
synapse-registration-shared-secret.group = "matrix-synapse";
synapse-turn-shared-secret.group = "matrix-synapse";
};
users.users.matrix-synapse.extraGroups = [ "keys" ];
services.matrix-synapse = {
enable = true;
server_name = domain;
public_baseurl = "https://${fqdn}";
listeners = lib.singleton {
port = 8008;
bind_address = "127.0.0.1";
type = "http";
tls = false;
x_forwarded = true;
resources = lib.singleton {
names = [ "client" "federation" "metrics" ];
compress = false;
};
};
dataDir = "/data/matrix/synapse";
turn_uris = [
"turns:turn.sbruder.de:5349?transport=udp"
"turns:turn.sbruder.de:5349?transport=tcp"
];
turn_user_lifetime = "3600000"; # 1h
enable_metrics = true;
# adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
# - set root.level to WARNING instead of INFO
logConfig = builtins.toJSON {
version = 1;
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
filters.context = {
"()" = "synapse.util.logcontext.LoggingContextFilter";
request = "";
};
handlers.journal = {
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
filters = [ "context" ];
SYSLOG_IDENTIFIER = "synapse";
};
root = {
level = "WARNING";
handlers = [ "journal" ];
};
disable_existing_loggers = false;
};
extraConfig = ''
# Im okay with using matrix.org as trusted key server
suppress_key_server_warning: true
'';
extraConfigFiles = with config.krops.secrets; [
synapse-registration-shared-secret.path
synapse-turn-shared-secret.path
];
};
services.postgresql = {
enable = true;
# synapse requires custom databse configuration:
# CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
ensureUsers = lib.singleton {
name = "matrix-synapse";
ensurePermissions = {
"DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
};
};
};
services.nginx.virtualHosts = {
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://chat.sbruder.de";
locations."/_matrix" =
let
listenerCfg = (lib.elemAt cfg.listeners 0);
in
{
proxyPass = "http://${listenerCfg.bind_address}:${toString listenerCfg.port}";
};
};
"${domain}" = {
enableACME = true;
forceSSL = true;
locations =
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
in
{
"=/.well-known/matrix/server".extraConfig = ''
${parentHeaders}
add_header Content-Type application/json;
return 200 '${builtins.toJSON {
"m.server" = "${fqdn}:443";
}}';
'';
"=/.well-known/matrix/client".extraConfig = ''
${parentHeaders}
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON {
"m.homeserver"."base_url" = "https://${fqdn}";
}}';
'';
};
};
};
}

View file

@ -82,6 +82,20 @@ in
job_name = "fritzbox";
static_configs = mkStaticTarget "127.0.0.1:9133";
}
(
let
listenerCfg = (lib.elemAt config.services.matrix-synapse.listeners 0);
in
{
job_name = "synapse";
static_configs = mkStaticTarget "${listenerCfg.bind_address}:${toString listenerCfg.port}";
metrics_path = "/_synapse/metrics";
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "matrix.sbruder.de";
};
}
)
];
rules =