{ lib, config, pkgs, name, ... }:
# Host module for the Matrix homeserver (Synapse) plus the sliding-sync proxy,
# both fronted by nginx on synapse.immae.eu. Service state lives on a dedicated
# ZFS dataset that is bind-persisted into /var/lib, and every secret is rendered
# to a 0400 file outside the Nix store rather than being written into `settings`.
{
  config = {
    security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
    services.nginx = {
      virtualHosts = {
        "synapse.immae.eu" = {
          acmeRoot = config.security.acme.defaults.webroot;
          useACMEHost = name;
          # Plain HTTP is redirected, so every location below is only reachable over TLS.
          forceSSL = true;

          # Static synapse-admin UI served from a pinned release bundle. The optional
          # capture group is the path below /admin; for a bare "/admin" it is empty
          # and alias resolves to the bundle directory itself.
          # NOTE(review): `$1` comes straight from the request URI; what keeps it
          # inside the bundle is nginx's URI normalisation (dot-segment removal
          # before regex matching) — confirm this still holds if the regex is changed
          # or the location is switched from `alias` to `root`.
          # NOTE(review): nginx does no authentication here; the UI is public and
          # only the Synapse admin API behind it checks the admin access token.
          locations."~ ^/admin(?:/(.*))?$" = {
            alias = let
              # Content-addressed fetch: a tarball that differs from the recorded
              # hash fails the build instead of being served silently.
              synapse-admin = pkgs.fetchzip {
                url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
                sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
                # The bundle references /assets absolutely; make it relative so it
                # works when mounted under /admin instead of at the vhost root.
                postFetch = ''
                  sed -i -e 's@"/assets@"./assets@g' $out/index.html
                '';
              };
            in
              "${synapse-admin}/$1";
          };
          locations."/sliding-sync-client/" = {
            # some svg urls are hardcoded to /client :shrug:
            alias = "${pkgs.matrix-sliding-sync.src}/client/";
            tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
          };
          # MSC3575 sliding sync is answered by the proxy listening on the socket
          # configured as SYNCV3_BINDADDR below; everything else Matrix goes to Synapse.
          locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
            proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
          };
          # NOTE(review): this also publishes /_synapse/admin to every client of the
          # vhost, relying solely on Synapse's admin-token check. A separate location
          # for /_synapse/admin restricted to trusted sources would narrow that surface.
          locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
            proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
            extraConfig = ''
              client_max_body_size 50M;
            '';
          };
        };
      };
    };

    # Idempotent provisioning: each CREATE only runs when the preceding SELECT
    # finds nothing. Both databases are cloned from template0 with a C locale,
    # presumably to satisfy Synapse's collation requirement; sliding-sync shares
    # the matrix-synapse role, which is why createDatabase is disabled below.
    systemd.services.postgresql.postStart = lib.mkAfter ''
      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
      $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
      $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
      $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
    '';

    # One ZFS dataset per service; "legacy" leaves mounting to systemd so the
    # *.mount units referenced from BindsTo/After below exist.
    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };

    # State directories are private (0700) to matrix-synapse, the user both
    # services run as (see the systemd units below).
    environment.persistence."/persist/zfast".directories = [
      {
        directory = "/var/lib/matrix-synapse";
        user = "matrix-synapse";
        group = "matrix-synapse";
        mode = "0700";
      }
      {
        directory = "/var/lib/matrix-sliding-sync";
        user = "matrix-synapse";
        group = "matrix-synapse";
        mode = "0700";
      }
    ];

    # "keys" is presumably the group guarding the rendered secret files; nginx is
    # added to matrix-synapse so it can reach the unix sockets under
    # /run/matrix-synapse that the proxyPass entries above point at — verify.
    users.users.matrix-synapse.extraGroups = [ "keys" ];
    users.users.nginx.extraGroups = [ "matrix-synapse" ];

    services.matrix-synapse = {
      enable = true;
      # Pepper and macaroon key come from this file rather than `settings`,
      # presumably to keep them out of the world-readable Nix store.
      extraConfigFiles = [
        config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
      ];
      settings.server_name = "immae.eu";
      settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
      settings.listeners = [
        # Loopback-only TCP listener, TLS terminated by nginx. x_forwarded makes
        # Synapse trust X-Forwarded-For, which is acceptable only because this
        # never binds a public address.
        {
          port = 8008;
          bind_addresses = [ "127.0.0.1" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" ];
              compress = true;
            }
          ];
        }
        # Unix socket used by nginx for client and federation traffic.
        {
          path = "/run/matrix-synapse/main_client_federation.sock";
          resources = [
            {
              compress = true;
              names = [ "client" ];
            }
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
          type = "http";
          x_forwarded = true;
        }
      ];
    };
    services.matrix-sliding-sync = {
      enable = true;
      # Database is created by the postgresql postStart hook above.
      createDatabase = false;
      # Upstream is Synapse's unix socket; the proxy itself listens on the socket
      # nginx proxies MSC3575 requests to.
      settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
      settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
      # SYNCV3_SECRET is kept in an environment file, not in `settings`.
      environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
    };

    systemd.services.matrix-synapse = {
      after = [
        "postgresql.service"
        "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
        "var-lib-matrix\\x2dsynapse.mount"
      ];
      # BindsTo: the service is stopped with its mounts, so state is never
      # written into an empty mountpoint if the dataset goes away.
      unitConfig = {
        BindsTo = [
          "var-lib-matrix\\x2dsynapse.mount"
          "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
        ];
      };
      serviceConfig.SupplementaryGroups = [ "keys" ];
    };

    systemd.services.matrix-sliding-sync = {
      serviceConfig = {
        # Runs as the same user as Synapse and shares its runtime directory so the
        # two can exchange unix sockets.
        # NOTE(review): this means the proxy and Synapse have identical reach —
        # same state dirs, same "keys" group, same secrets; a compromise of either
        # process is a compromise of both. Fine if intended, but worth stating.
        DynamicUser = lib.mkForce false;
        User = "matrix-synapse";
        Group = "matrix-synapse";
        RuntimeDirectory = "matrix-synapse";
        SupplementaryGroups = [ "keys" ];
      };
      unitConfig = {
        BindsTo = [
          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
        ];
        # mkForce replaces the module's default ordering entirely; Synapse must be
        # up before the proxy because SYNCV3_SERVER points at its socket.
        After = lib.mkForce [
          "matrix-synapse.service"
          "postgresql.service"
          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
        ];
      };
    };
    # Secrets are rendered read-only for the service user; the `{{ ... }}`
    # placeholders are presumably filled from the secret store at deploy time.
    secrets.keys."matrix/signing.key" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      text = "{{ .matrix.signing_key }}";
    };
    secrets.keys."matrix/homeserver_secrets.yaml" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      # Beware, yaml keys are merged at top level, not deep
      text = ''
        password_config:
          enabled: true
          pepper: "{{ .matrix.password_pepper }}"
        macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
      '';
    };
    secrets.keys."matrix/sliding-sync" = {
      permissions = "0400";
      user = "matrix-synapse";
      group = "matrix-synapse";
      text = ''
        SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
      '';
    };
  };
}