1 { lib, config, pkgs, name, ... }:
4 security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
8 acmeRoot = config.security.acme.defaults.webroot;
12 locations."~ ^/admin(?:/(.*))?$" = {
14 synapse-admin = pkgs.fetchzip {
15 url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
16 sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
18 sed -i -e 's@"/assets@"./assets@g' $out/index.html
22 "${synapse-admin}/$1";
24 locations."/sliding-sync-client/" = {
25 # some svg urls are hardcoded to /client :shrug:
26 alias = "${pkgs.matrix-sliding-sync.src}/client/";
27 tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
29 locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
30 proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
32 locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
33 proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
35 client_max_body_size 50M;
42 systemd.services.postgresql.postStart = lib.mkAfter ''
43 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
44 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
45 $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
46 $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
47 $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
50 disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
51 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
52 disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
53 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
55 environment.persistence."/persist/zfast".directories = [
57 directory = "/var/lib/matrix-synapse";
58 user = "matrix-synapse";
59 group = "matrix-synapse";
63 directory = "/var/lib/matrix-sliding-sync";
64 user = "matrix-synapse";
65 group = "matrix-synapse";
70 users.users.matrix-synapse.extraGroups = [ "keys" ];
71 users.users.nginx.extraGroups = [ "matrix-synapse" ];
73 services.matrix-synapse = {
75 log.root.level = "WARNING";
77 config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3
80 config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
84 module = "ldap_auth_provider.LdapAuthProviderModule";
87 uri = "ldaps://${config.myEnv.tools.matrix.ldap.host}:636";
89 base = config.myEnv.tools.matrix.ldap.base;
95 bind_dn = config.myEnv.tools.matrix.ldap.dn;
96 bind_password_file = config.secrets.fullPaths."matrix/ldap_password";
97 filter = config.myEnv.tools.matrix.ldap.filter;
101 settings.server_name = "immae.eu";
102 settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
103 settings.listeners = [
106 bind_addresses = [ "127.0.0.1" ];
112 names = [ "client" ];
118 path = "/run/matrix-synapse/main_client_federation.sock";
122 names = [ "client" ];
126 names = [ "federation" ];
134 services.matrix-sliding-sync = {
136 createDatabase = false;
137 settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
138 settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
139 environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
142 systemd.services.matrix-synapse = {
145 "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
146 "var-lib-matrix\\x2dsynapse.mount"
150 "var-lib-matrix\\x2dsynapse.mount"
151 "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
154 serviceConfig.SupplementaryGroups = [ "keys" ];
157 systemd.services.matrix-sliding-sync = {
159 DynamicUser = lib.mkForce false;
160 User = "matrix-synapse";
161 Group = "matrix-synapse";
162 RuntimeDirectory = lib.mkForce "matrix-synapse";
163 SupplementaryGroups = [ "keys" ];
167 "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
168 "var-lib-matrix\\x2dsliding\\x2dsync.mount"
170 After = lib.mkForce [
171 "matrix-synapse.service"
173 "var-lib-matrix\\x2dsliding\\x2dsync.mount"
174 "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
178 secrets.keys."matrix/ldap_password" = {
179 permissions = "0400";
180 user = "matrix-synapse";
181 group = "matrix-synapse";
182 text = config.myEnv.tools.matrix.ldap.password;
184 secrets.keys."matrix/signing.key" = {
185 permissions = "0400";
186 user = "matrix-synapse";
187 group = "matrix-synapse";
188 text = "{{ .matrix.signing_key }}";
190 secrets.keys."matrix/homeserver_secrets.yaml" = {
191 permissions = "0400";
192 user = "matrix-synapse";
193 group = "matrix-synapse";
194 # Beware, yaml keys are merged at top level, not deep
198 pepper: "{{ .matrix.password_pepper }}"
199 macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
202 secrets.keys."matrix/sliding-sync" = {
203 permissions = "0400";
204 user = "matrix-synapse";
205 group = "matrix-synapse";
207 SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
projects / perso / Immae / Config / Nix.git / blob