Simon Bruder
10b8d432d5
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
156 lines
4.4 KiB
Nix
156 lines
4.4 KiB
Nix
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||
#
|
||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||
|
||
{ config, lib, pkgs, ... }:
|
||
let
|
||
cfg = config.services.matrix-synapse.settings;
|
||
|
||
fqdn = "matrix.sbruder.de";
|
||
domain = "sbruder.de";
|
||
in
|
||
{
|
||
sops.secrets = {
|
||
synapse-registration-shared-secret = {
|
||
owner = "matrix-synapse";
|
||
sopsFile = ../../secrets.yaml;
|
||
};
|
||
synapse-turn-shared-secret = {
|
||
owner = "matrix-synapse";
|
||
sopsFile = ../../secrets.yaml;
|
||
};
|
||
};
|
||
systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||
|
||
services.matrix-synapse = {
|
||
enable = true;
|
||
|
||
settings = {
|
||
server_name = domain;
|
||
public_baseurl = "https://${fqdn}";
|
||
|
||
listeners = lib.singleton {
|
||
port = 8008;
|
||
bind_addresses = [ "127.0.0.1" ];
|
||
type = "http";
|
||
tls = false;
|
||
x_forwarded = true;
|
||
resources = lib.singleton {
|
||
names = [ "client" "federation" "metrics" ];
|
||
compress = false;
|
||
};
|
||
};
|
||
|
||
turn_uris = [
|
||
"turns:turn.sbruder.de:5349?transport=udp"
|
||
"turns:turn.sbruder.de:5349?transport=tcp"
|
||
"turn:turn.sbruder.de:3478?transport=udp"
|
||
"turn:turn.sbruder.de:3478?transport=tcp"
|
||
];
|
||
turn_user_lifetime = "3600000"; # 1h
|
||
|
||
enable_metrics = true;
|
||
|
||
# adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
|
||
# - set root.level to WARNING instead of INFO
|
||
log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON {
|
||
version = 1;
|
||
|
||
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
|
||
|
||
filters.context = {
|
||
"()" = "synapse.util.logcontext.LoggingContextFilter";
|
||
request = "";
|
||
};
|
||
|
||
handlers.journal = {
|
||
class = "systemd.journal.JournalHandler";
|
||
formatter = "journal_fmt";
|
||
filters = [ "context" ];
|
||
SYSLOG_IDENTIFIER = "synapse";
|
||
};
|
||
|
||
root = {
|
||
level = "WARNING";
|
||
handlers = [ "journal" ];
|
||
};
|
||
|
||
disable_existing_loggers = false;
|
||
});
|
||
|
||
max_upload_size = "50M";
|
||
|
||
# I’m okay with using matrix.org as trusted key server
|
||
suppress_key_server_warning = true;
|
||
|
||
# For mautrix-whatsapp backfilling
|
||
experimental_features.msc2716_enabled = true;
|
||
};
|
||
|
||
extraConfigFiles = with config.sops.secrets; [
|
||
synapse-registration-shared-secret.path
|
||
synapse-turn-shared-secret.path
|
||
];
|
||
};
|
||
|
||
services.postgresql = {
|
||
enable = true;
|
||
# synapse requires custom databse configuration:
|
||
# CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
|
||
# as the databse is not created with NixOS,
|
||
# the ownership can’t be ensured here.
|
||
};
|
||
|
||
services.nginx.virtualHosts = {
|
||
"${fqdn}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
|
||
locations."/".return = "301 https://chat.sbruder.de";
|
||
|
||
locations."/_matrix" =
|
||
let
|
||
listenerCfg = (lib.elemAt cfg.listeners 0);
|
||
in
|
||
{
|
||
proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
|
||
|
||
extraConfig = ''
|
||
client_max_body_size ${cfg.max_upload_size};
|
||
'';
|
||
};
|
||
};
|
||
|
||
"${domain}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
|
||
locations =
|
||
let
|
||
# workaround for nginx dropping parent headers
|
||
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
|
||
parentHeaders = lib.concatStringsSep "\n" (lib.filter
|
||
(lib.hasPrefix "add_header ")
|
||
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
|
||
in
|
||
{
|
||
"=/.well-known/matrix/server".extraConfig = ''
|
||
${parentHeaders}
|
||
add_header Content-Type application/json;
|
||
return 200 '${builtins.toJSON {
|
||
"m.server" = "${fqdn}:443";
|
||
}}';
|
||
'';
|
||
"=/.well-known/matrix/client".extraConfig = ''
|
||
${parentHeaders}
|
||
add_header Content-Type application/json;
|
||
add_header Access-Control-Allow-Origin *;
|
||
return 200 '${builtins.toJSON {
|
||
"m.homeserver"."base_url" = "https://${fqdn}";
|
||
}}';
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
}
|