From: Ismaƫl Bouya
Date: Sun, 16 Jun 2024 09:59:09 +0000 (+0200)
Subject: Reimport synapse configuration
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65;p=perso%2FImmae%2FConfig%2FNix.git
Reimport synapse configuration
---
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 153f0c6..40b7302 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",
+ "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
 "path": "../flakes",
 "type": "path"
 },
@@ -3903,7 +3903,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+ "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
 "path": "../systems/eldiron",
 "type": "path"
 },
@@ -3974,7 +3974,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+ "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
 "path": "../systems/zoldene",
 "type": "path"
 },
@@ -8888,11 +8888,11 @@
 "nixpkgs": "nixpkgs_106"
 },
 "locked": {
- "lastModified": 1718015850,
- "narHash": "sha256-svUAfD+aIaS9T9UtepEGlIdxcZyu3YJcrGOmjuwgplE=",
+ "lastModified": 1718531880,
+ "narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=",
 "ref": "master",
- "rev": "71fbb32c4b3195982c0f03c90714c959b5ce2251",
- "revCount": 735,
+ "rev": "b0236017d9da46b98017f348d7031a69526c0aeb",
+ "revCount": 738,
 "type": "git",
 "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
 },
diff --git a/flake.lock b/flake.lock
index b7403fa..adc46ab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",
+ "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
 "path": "./flakes",
 "type": "path"
 },
@@ -3919,7 +3919,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+ "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
 "path": "../systems/eldiron",
 "type": "path"
 },
@@ -3990,7 +3990,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+ "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
 "path": "../systems/zoldene",
 "type": "path"
 },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 1aa828e..2e49cab 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+ "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
 "path": "../systems/eldiron",
 "type": "path"
 },
@@ -3895,7 +3895,7 @@
 },
 "locked": {
 "lastModified": 1,
- "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+ "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
 "path": "../systems/zoldene",
 "type": "path"
 },
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 46e6a9f..7d8bf5e 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
 mailSend (ips servers.eldiron.ips.main)
 ];
+ synapse = ips servers.zoldene.ips.main;
 };
 services.borgBackup.profiles.global.ignoredPaths = [
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 617cd82..1b42a52 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -13,6 +13,7 @@ in
 secrets.nixosModules.users-config-zoldene
 ./virtualisation.nix
 ./certificates.nix
+ ./synapse.nix
 ];
 services.openssh = {
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix
new file mode 100644
index 0000000..1d892a7
--- /dev/null
+++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,182 @@
+{ lib, config, pkgs, name, ... }:
+{
+ config = {
+ security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
+ services.nginx = {
+ virtualHosts = {
+ "synapse.immae.eu" = {
+ acmeRoot = config.security.acme.defaults.webroot;
+ useACMEHost = name;
+ forceSSL = true;
+
+ locations."~ ^/admin(?:/(.*))?$" = {
+ alias = let
+ synapse-admin = pkgs.fetchzip {
+ url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
+ sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
+ postFetch = ''
+ sed -i -e 's@"/assets@"./assets@g' $out/index.html
+ '';
+ };
+ in
+ "${synapse-admin}/$1";
+ };
+ locations."/sliding-sync-client/" = {
+ # some svg urls are hardcoded to /client :shrug:
+ alias = "${pkgs.matrix-sliding-sync.src}/client/";
+ tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
+ };
+ locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+ proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
+ };
+ locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
+ proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
+ extraConfig = ''
+ client_max_body_size 50M;
+ '';
+ };
+ };
+ };
+ };
+
+ systemd.services.postgresql.postStart = lib.mkAfter ''
+ $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+ $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+ $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
+ $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
+ $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
+ '';
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
+
+ environment.persistence."/persist/zfast".directories = [
+ {
+ directory = "/var/lib/matrix-synapse";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/matrix-sliding-sync";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ ];
+
+ users.users.matrix-synapse.extraGroups = [ "keys" ];
+ users.users.nginx.extraGroups = [ "matrix-synapse" ];
+
+ services.matrix-synapse = {
+ enable = true;
+ extraConfigFiles = [
+ config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
+ ];
+ settings.server_name = "immae.eu";
+ settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
+ settings.listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" ];
+ compress = true;
+ }
+ ];
+ }
+ {
+ path = "/run/matrix-synapse/main_client_federation.sock";
+ resources = [
+ {
+ compress = true;
+ names = [ "client" ];
+ }
+ {
+ compress = false;
+ names = [ "federation" ];
+ }
+ ];
+ type = "http";
+ x_forwarded = true;
+ }
+ ];
+ };
+ services.matrix-sliding-sync = {
+ enable = true;
+ createDatabase = false;
+ settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
+ settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
+ environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
+ };
+
+ systemd.services.matrix-synapse = {
+ after = [
+ "postgresql.service"
+ "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+ "var-lib-matrix\\x2dsynapse.mount"
+ ];
+ unitConfig = {
+ BindsTo = [
+ "var-lib-matrix\\x2dsynapse.mount"
+ "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+ ];
+ };
+ serviceConfig.SupplementaryGroups = [ "keys" ];
+ };
+
+ systemd.services.matrix-sliding-sync = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "matrix-synapse";
+ Group = "matrix-synapse";
+ RuntimeDirectory = "matrix-synapse";
+ SupplementaryGroups = [ "keys" ];
+ };
+ unitConfig = {
+ BindsTo = [
+ "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+ "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+ ];
+ After = lib.mkForce [
+ "matrix-synapse.service"
+ "postgresql.service"
+ "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+ "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+ ];
+ };
+ };
+ secrets.keys."matrix/signing.key" = {
+ permissions = "0400";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ text = "{{ .matrix.signing_key }}";
+ };
+ secrets.keys."matrix/homeserver_secrets.yaml" = {
+ permissions = "0400";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ # Beware, yaml keys are merged at top level, not deep
+ text = ''
+ password_config:
+ enabled: true
+ pepper: "{{ .matrix.password_pepper }}"
+ macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
+ '';
+ };
+ secrets.keys."matrix/sliding-sync" = {
+ permissions = "0400";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ text = ''
+ SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
+ '';
+ };
+ };
+}
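Review bot: The sliding-sync proxy is forced onto the homeserver's own account (`DynamicUser = lib.mkForce false; User = "matrix-synapse";` in this hunk), so it can read `matrix/signing.key` and `matrix/homeserver_secrets.yaml` (both declared 0400 and owned by `matrix-synapse` lower in the hunk) and the 0700 `/var/lib/matrix-synapse` state directory, although it only needs the `/run/matrix-synapse` sockets, its own `/var/lib/matrix-sliding-sync` directory, the `matrix/sliding-sync` secret and the `matrix-sliding-sync` database. A dedicated `matrix-sliding-sync` system user placed in the `matrix-synapse` group, with ownership of that directory, that secret and that database (the `postStart` script currently hands it to the `matrix-synapse` role) moved to it, would keep the federation signing key and the macaroon secret out of a process that terminates client access tokens. Separately, the `~ ^(/_matrix|/_synapse/client|/_synapse/admin)` location proxies the Synapse admin API on the public vhost with no `allow`/`deny` restriction; a separate `/_synapse/admin` location limited to trusted source addresses would shrink the exposure of admin tokens. Whether the socket permissions under `/run/matrix-synapse` and the Postgres peer authentication would accept a second role is not visible here, so that needs checking against the rest of the host configuration.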