[perso/Immae/Config/Nix.git] / systems / zoldene / synapse.nix

{ lib, config, pkgs, name, ... }:
{
  config = {
    security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
    services.nginx = {
      virtualHosts = {
        "synapse.immae.eu" = {
          acmeRoot = config.security.acme.defaults.webroot;
          useACMEHost = name;
          forceSSL = true;

          locations."~ ^/admin(?:/(.*))?$" = {
            alias = let
              synapse-admin = pkgs.fetchzip {
                url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
                sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
                postFetch = ''
                  sed -i -e 's@"/assets@"./assets@g' $out/index.html
                '';
              };
            in
              "${synapse-admin}/$1";
          };
          locations."/sliding-sync-client/" = {
            # some svg urls are hardcoded to /client :shrug:
            alias = "${pkgs.matrix-sliding-sync.src}/client/";
            tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
          };
          locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
            proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
          };
          locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
            proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
            extraConfig = ''
              client_max_body_size 50M;
            '';
          };
        };
      };
    };

    systemd.services.postgresql.postStart = lib.mkAfter ''
      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
      $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
      $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
      $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
    '';

    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };

    environment.persistence."/persist/zfast".directories = [
      {
        directory = "/var/lib/matrix-synapse";
        user = "matrix-synapse";
        group = "matrix-synapse";
        mode = "0700";
      }
      {
        directory = "/var/lib/matrix-sliding-sync";
        user = "matrix-synapse";
        group = "matrix-synapse";
        mode = "0700";
      }
    ];

    users.users.matrix-synapse.extraGroups = [ "keys" ];
    users.users.nginx.extraGroups = [ "matrix-synapse" ];

    services.matrix-synapse = {
      enable = true;
      extraConfigFiles = [
        config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
      ];
      settings.server_name = "immae.eu";
      settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
      settings.listeners = [
        {
          port = 8008;
          bind_addresses = [ "127.0.0.1" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" ];
              compress = true;
            }
          ];
        }
        {
          path = "/run/matrix-synapse/main_client_federation.sock";
          resources = [
            {
              compress = true;
              names = [ "client" ];
            }
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
          type = "http";
          x_forwarded = true;
        }
      ];
    };
    services.matrix-sliding-sync = {
      enable = true;
      createDatabase = false;
      settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
      settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
      environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
    };

    systemd.services.matrix-synapse = {
      after = [
        "postgresql.service"
        "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
        "var-lib-matrix\\x2dsynapse.mount"
      ];
      unitConfig = {
        BindsTo = [
          "var-lib-matrix\\x2dsynapse.mount"
          "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
        ];
      };
      serviceConfig.SupplementaryGroups = [ "keys" ];
    };

    systemd.services.matrix-sliding-sync = {
      serviceConfig = {
        DynamicUser = lib.mkForce false;
        User = "matrix-synapse";
        Group = "matrix-synapse";
        RuntimeDirectory = "matrix-synapse";
        SupplementaryGroups = [ "keys" ];
      };
      unitConfig = {
        BindsTo = [
          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
        ];
        After = lib.mkForce [
          "matrix-synapse.service"
          "postgresql.service"
          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
        ];
      };
    };
    secrets.keys."matrix/signing.key" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      text = "{{ .matrix.signing_key }}";
    };
    secrets.keys."matrix/homeserver_secrets.yaml" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      # Beware, yaml keys are merged at top level, not deep
      text = ''
        password_config:
            enabled: true
            pepper: "{{ .matrix.password_pepper }}"
        macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
      '';
    };
    secrets.keys."matrix/sliding-sync" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      text = ''
        SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
      '';
    };
  };
}
Commit	Line	Data
9c0cd092 IB	1	{ lib, config, pkgs, name, ... }:
	2	{
	3	config = {
	4	security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
	5	services.nginx = {
	6	virtualHosts = {
	7	"synapse.immae.eu" = {
	8	acmeRoot = config.security.acme.defaults.webroot;
	9	useACMEHost = name;
	10	forceSSL = true;
	11
	12	locations."~ ^/admin(?:/(.*))?$" = {
	13	alias = let
	14	synapse-admin = pkgs.fetchzip {
	15	url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
	16	sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
	17	postFetch = ''
	18	sed -i -e 's@"/assets@"./assets@g' $out/index.html
	19	'';
	20	};
	21	in
	22	"${synapse-admin}/$1";
	23	};
	24	locations."/sliding-sync-client/" = {
	25	# some svg urls are hardcoded to /client :shrug:
	26	alias = "${pkgs.matrix-sliding-sync.src}/client/";
	27	tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
	28	};
	29	locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
	30	proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
	31	};
	32	locations."~ ^(/_matrix\|/_synapse/client\|/_synapse/admin)" = {
	33	proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
	34	extraConfig = ''
	35	client_max_body_size 50M;
	36	'';
	37	};
	38	};
	39	};
	40	};
	41
	42	systemd.services.postgresql.postStart = lib.mkAfter ''
	43	$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" \| grep -q 1 \|\| $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
	44	$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" \| grep -q 1 \|\| $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
	45	$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" \| grep -q 1 \|\| $PSQL -tAc 'CREATE USER "matrix-synapse"'
	46	$PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
	47	$PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
	48	'';
	49
	50	disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
	51	{ type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
	52	disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
	53	{ type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
	54
	55	environment.persistence."/persist/zfast".directories = [
	56	{
	57	directory = "/var/lib/matrix-synapse";
	58	user = "matrix-synapse";
	59	group = "matrix-synapse";
	60	mode = "0700";
	61	}
	62	{
	63	directory = "/var/lib/matrix-sliding-sync";
	64	user = "matrix-synapse";
65	group = "matrix-synapse";
66	mode = "0700";
67	}
68	];
69
70	users.users.matrix-synapse.extraGroups = [ "keys" ];
71	users.users.nginx.extraGroups = [ "matrix-synapse" ];
72
73	services.matrix-synapse = {
74	enable = true;
75	extraConfigFiles = [
76	config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
77	];
78	settings.server_name = "immae.eu";
79	settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
80	settings.listeners = [
81	{
82	port = 8008;
83	bind_addresses = [ "127.0.0.1" ];
84	type = "http";
85	tls = false;
86	x_forwarded = true;
87	resources = [
88	{
89	names = [ "client" ];
90	compress = true;
91	}
92	];
93	}
94	{
95	path = "/run/matrix-synapse/main_client_federation.sock";
96	resources = [
97	{
98	compress = true;
99	names = [ "client" ];
100	}
101	{
102	compress = false;
103	names = [ "federation" ];
104	}
105	];
106	type = "http";
107	x_forwarded = true;
108	}
109	];
110	};
111	services.matrix-sliding-sync = {
112	enable = true;
113	createDatabase = false;
114	settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
115	settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
116	environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
117	};
118
119	systemd.services.matrix-synapse = {
120	after = [
121	"postgresql.service"
122	"persist-zfast-var-lib-matrix\\x2dsynapse.mount"
123	"var-lib-matrix\\x2dsynapse.mount"
124	];
125	unitConfig = {
126	BindsTo = [
127	"var-lib-matrix\\x2dsynapse.mount"
128	"persist-zfast-var-lib-matrix\\x2dsynapse.mount"
129	];
130	};
131	serviceConfig.SupplementaryGroups = [ "keys" ];
132	};
133
134	systemd.services.matrix-sliding-sync = {
135	serviceConfig = {
136	DynamicUser = lib.mkForce false;
137	User = "matrix-synapse";
138	Group = "matrix-synapse";
139	RuntimeDirectory = "matrix-synapse";
140	SupplementaryGroups = [ "keys" ];
141	};
142	unitConfig = {
143	BindsTo = [
144	"persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
145	"var-lib-matrix\\x2dsliding\\x2dsync.mount"
146	];
147	After = lib.mkForce [
148	"matrix-synapse.service"
149	"postgresql.service"
150	"var-lib-matrix\\x2dsliding\\x2dsync.mount"
151	"persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
152	];
153	};
154	};
155	secrets.keys."matrix/signing.key" = {
156	permissions = "0400";
157	user = "matrix-synapse";
158	group = "matrix-synapse";
159	text = "{{ .matrix.signing_key }}";
160	};
161	secrets.keys."matrix/homeserver_secrets.yaml" = {
162	permissions = "0400";
163	user = "matrix-synapse";
164	group = "matrix-synapse";
165	# Beware, yaml keys are merged at top level, not deep
166	text = ''
167	password_config:
168	enabled: true
169	pepper: "{{ .matrix.password_pepper }}"
170	macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
171	'';
172	};
173	secrets.keys."matrix/sliding-sync" = {
174	permissions = "0400";
175	user = "matrix-synapse";
176	group = "matrix-synapse";
177	text = ''
178	SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
179	'';
180	};
181	};
182	}