Simon Bruder
ba843ac8c0
Flake lock file updates: • Updated input 'bang-evaluator': 'git+https://git.sbruder.de/simon/bangs?ref=refs/heads/master&rev=7fc3d5019c907566abbad8f84ba9555a5786bd01' (2021-08-01) → 'git+https://git.sbruder.de/simon/bangs?ref=refs/heads/master&rev=a06c68c44862f74757a203e2df41ea83c33722d9' (2023-12-02) • Updated input 'home-manager': 'github:nix-community/home-manager/04bac349d585c9df38d78e0285b780a140dc74a4' (2023-11-12) → 'github:nix-community/home-manager/aeb2232d7a32530d3448318790534d196bf9427a' (2023-11-24) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/9a4725afa67db35cdf7be89f30527d745194cafa' (2023-11-19) → 'github:nix-community/home-manager/4a8545f5e737a6338814a4676dc8e18c7f43fc57' (2023-12-01) • Updated input 'nix-pre-commit-hooks': 'github:cachix/pre-commit-hooks.nix/e558068cba67b23b4fbc5537173dbb43748a17e8' (2023-11-15) → 'github:cachix/pre-commit-hooks.nix/e5ee5c5f3844550c01d2131096c7271cec5e9b78' (2023-11-25) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/1721da31f9b30cbf4460c4ec5068b3b6174a4694' (2023-11-18) → 'github:nixos/nixos-hardware/8772491ed75f150f02552c60694e1beff9f46013' (2023-11-29) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16) → 'github:nixos/nixpkgs/5de0b32be6e85dc1a9404c75131316e4ffbc634c' (2023-12-01) • Updated input 'nixpkgs-overlay': 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=c8a17806a75733dec2ecdd8f0021c70d1f9dfc43' (2023-10-04) → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=37f80d1593ab856372cc0da199f49565f3b05c71' (2023-12-02) • Updated input 'nixpkgs-overlay/poetry2nix': 'github:nix-community/poetry2nix/093383b3d7fdd36846a7d84e128ca11865800538' (2023-09-22) → 'github:nix-community/poetry2nix/7acb78166a659d6afe9b043bb6fe5cb5e86bb75e' (2023-12-01) • Updated input 'nixpkgs-overlay/poetry2nix/nix-github-actions': 'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09) → 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03) • Added input 'nixpkgs-overlay/poetry2nix/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Added input 'nixpkgs-overlay/poetry2nix/treefmt-nix': 'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12) • Added input 'nixpkgs-overlay/poetry2nix/treefmt-nix/nixpkgs': follows 'nixpkgs-overlay/poetry2nix/nixpkgs' • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad' (2023-11-17) → 'github:nixos/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58' (2023-11-29) • Updated input 'sops-nix': 'github:Mic92/sops-nix/49a87c6c827ccd21c225531e30745a9a6464775c' (2023-11-19) → 'github:Mic92/sops-nix/e19071f9958c8da4f4347d3d78790d97e98ba22f' (2023-12-02) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/decdf666c833a325cb4417041a90681499e06a41' (2023-11-18) → 'github:NixOS/nixpkgs/dfb95385d21475da10b63da74ae96d89ab352431' (2023-11-25)
152 lines
4.3 KiB
Nix
152 lines
4.3 KiB
Nix
{ config, lib, pkgs, ... }:
|
||
let
|
||
cfg = config.services.matrix-synapse.settings;
|
||
|
||
fqdn = "matrix.sbruder.de";
|
||
domain = "sbruder.de";
|
||
in
|
||
{
|
||
sops.secrets = {
|
||
synapse-registration-shared-secret = {
|
||
owner = "matrix-synapse";
|
||
sopsFile = ../../secrets.yaml;
|
||
};
|
||
synapse-turn-shared-secret = {
|
||
owner = "matrix-synapse";
|
||
sopsFile = ../../secrets.yaml;
|
||
};
|
||
};
|
||
systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||
|
||
services.matrix-synapse = {
|
||
enable = true;
|
||
|
||
settings = {
|
||
server_name = domain;
|
||
public_baseurl = "https://${fqdn}";
|
||
|
||
listeners = lib.singleton {
|
||
port = 8008;
|
||
bind_addresses = [ "127.0.0.1" ];
|
||
type = "http";
|
||
tls = false;
|
||
x_forwarded = true;
|
||
resources = lib.singleton {
|
||
names = [ "client" "federation" "metrics" ];
|
||
compress = false;
|
||
};
|
||
};
|
||
|
||
turn_uris = [
|
||
"turns:turn.sbruder.de:5349?transport=udp"
|
||
"turns:turn.sbruder.de:5349?transport=tcp"
|
||
"turn:turn.sbruder.de:3478?transport=udp"
|
||
"turn:turn.sbruder.de:3478?transport=tcp"
|
||
];
|
||
turn_user_lifetime = "3600000"; # 1h
|
||
|
||
enable_metrics = true;
|
||
|
||
# adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
|
||
# - set root.level to WARNING instead of INFO
|
||
log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON {
|
||
version = 1;
|
||
|
||
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
|
||
|
||
filters.context = {
|
||
"()" = "synapse.util.logcontext.LoggingContextFilter";
|
||
request = "";
|
||
};
|
||
|
||
handlers.journal = {
|
||
class = "systemd.journal.JournalHandler";
|
||
formatter = "journal_fmt";
|
||
filters = [ "context" ];
|
||
SYSLOG_IDENTIFIER = "synapse";
|
||
};
|
||
|
||
root = {
|
||
level = "WARNING";
|
||
handlers = [ "journal" ];
|
||
};
|
||
|
||
disable_existing_loggers = false;
|
||
});
|
||
|
||
max_upload_size = "50M";
|
||
|
||
# I’m okay with using matrix.org as trusted key server
|
||
suppress_key_server_warning = true;
|
||
|
||
# For mautrix-whatsapp backfilling
|
||
experimental_features.msc2716_enabled = true;
|
||
};
|
||
|
||
extraConfigFiles = with config.sops.secrets; [
|
||
synapse-registration-shared-secret.path
|
||
synapse-turn-shared-secret.path
|
||
];
|
||
};
|
||
|
||
services.postgresql = {
|
||
enable = true;
|
||
# synapse requires custom databse configuration:
|
||
# CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C";
|
||
# as the databse is not created with NixOS,
|
||
# the ownership can’t be ensured here.
|
||
};
|
||
|
||
services.nginx.virtualHosts = {
|
||
"${fqdn}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
|
||
locations."/".return = "301 https://chat.sbruder.de";
|
||
|
||
locations."/_matrix" =
|
||
let
|
||
listenerCfg = (lib.elemAt cfg.listeners 0);
|
||
in
|
||
{
|
||
proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
|
||
|
||
extraConfig = ''
|
||
client_max_body_size ${cfg.max_upload_size};
|
||
'';
|
||
};
|
||
};
|
||
|
||
"${domain}" = {
|
||
enableACME = true;
|
||
forceSSL = true;
|
||
|
||
locations =
|
||
let
|
||
# workaround for nginx dropping parent headers
|
||
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
|
||
parentHeaders = lib.concatStringsSep "\n" (lib.filter
|
||
(lib.hasPrefix "add_header ")
|
||
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
|
||
in
|
||
{
|
||
"=/.well-known/matrix/server".extraConfig = ''
|
||
${parentHeaders}
|
||
add_header Content-Type application/json;
|
||
return 200 '${builtins.toJSON {
|
||
"m.server" = "${fqdn}:443";
|
||
}}';
|
||
'';
|
||
"=/.well-known/matrix/client".extraConfig = ''
|
||
${parentHeaders}
|
||
add_header Content-Type application/json;
|
||
add_header Access-Control-Allow-Origin *;
|
||
return 200 '${builtins.toJSON {
|
||
"m.homeserver"."base_url" = "https://${fqdn}";
|
||
}}';
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
}
|