diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2024-06-16 11:59:09 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2024-06-16 12:01:32 +0200 |
commit | 9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65 (patch) | |
tree | 7318ce064220bde61eb8f00f1900dd942c43f406 | |
parent | 0f691603b4ed60e7afefa85cf5da3327e4c18366 (diff) | |
download | Nix-9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65.tar.gz Nix-9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65.tar.zst Nix-9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65.zip |
Reimport synapse configuration
-rw-r--r-- | deploy/flake.lock | 14 | ||||
-rw-r--r-- | flake.lock | 6 | ||||
-rw-r--r-- | flakes/flake.lock | 4 | ||||
-rw-r--r-- | systems/eldiron/websites/tools/default.nix | 1 | ||||
-rw-r--r-- | systems/zoldene/base.nix | 1 | ||||
-rw-r--r-- | systems/zoldene/synapse.nix | 182 |
6 files changed, 196 insertions, 12 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock index 153f0c6..40b7302 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock | |||
@@ -2783,7 +2783,7 @@ | |||
2783 | }, | 2783 | }, |
2784 | "locked": { | 2784 | "locked": { |
2785 | "lastModified": 1, | 2785 | "lastModified": 1, |
2786 | "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=", | 2786 | "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=", |
2787 | "path": "../flakes", | 2787 | "path": "../flakes", |
2788 | "type": "path" | 2788 | "type": "path" |
2789 | }, | 2789 | }, |
@@ -3903,7 +3903,7 @@ | |||
3903 | }, | 3903 | }, |
3904 | "locked": { | 3904 | "locked": { |
3905 | "lastModified": 1, | 3905 | "lastModified": 1, |
3906 | "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", | 3906 | "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=", |
3907 | "path": "../systems/eldiron", | 3907 | "path": "../systems/eldiron", |
3908 | "type": "path" | 3908 | "type": "path" |
3909 | }, | 3909 | }, |
@@ -3974,7 +3974,7 @@ | |||
3974 | }, | 3974 | }, |
3975 | "locked": { | 3975 | "locked": { |
3976 | "lastModified": 1, | 3976 | "lastModified": 1, |
3977 | "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", | 3977 | "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=", |
3978 | "path": "../systems/zoldene", | 3978 | "path": "../systems/zoldene", |
3979 | "type": "path" | 3979 | "type": "path" |
3980 | }, | 3980 | }, |
@@ -8888,11 +8888,11 @@ | |||
8888 | "nixpkgs": "nixpkgs_106" | 8888 | "nixpkgs": "nixpkgs_106" |
8889 | }, | 8889 | }, |
8890 | "locked": { | 8890 | "locked": { |
8891 | "lastModified": 1718015850, | 8891 | "lastModified": 1718531880, |
8892 | "narHash": "sha256-svUAfD+aIaS9T9UtepEGlIdxcZyu3YJcrGOmjuwgplE=", | 8892 | "narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=", |
8893 | "ref": "master", | 8893 | "ref": "master", |
8894 | "rev": "71fbb32c4b3195982c0f03c90714c959b5ce2251", | 8894 | "rev": "b0236017d9da46b98017f348d7031a69526c0aeb", |
8895 | "revCount": 735, | 8895 | "revCount": 738, |
8896 | "type": "git", | 8896 | "type": "git", |
8897 | "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" | 8897 | "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" |
8898 | }, | 8898 | }, |
@@ -2664,7 +2664,7 @@ | |||
2664 | }, | 2664 | }, |
2665 | "locked": { | 2665 | "locked": { |
2666 | "lastModified": 1, | 2666 | "lastModified": 1, |
2667 | "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=", | 2667 | "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=", |
2668 | "path": "./flakes", | 2668 | "path": "./flakes", |
2669 | "type": "path" | 2669 | "type": "path" |
2670 | }, | 2670 | }, |
@@ -3919,7 +3919,7 @@ | |||
3919 | }, | 3919 | }, |
3920 | "locked": { | 3920 | "locked": { |
3921 | "lastModified": 1, | 3921 | "lastModified": 1, |
3922 | "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", | 3922 | "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=", |
3923 | "path": "../systems/eldiron", | 3923 | "path": "../systems/eldiron", |
3924 | "type": "path" | 3924 | "type": "path" |
3925 | }, | 3925 | }, |
@@ -3990,7 +3990,7 @@ | |||
3990 | }, | 3990 | }, |
3991 | "locked": { | 3991 | "locked": { |
3992 | "lastModified": 1, | 3992 | "lastModified": 1, |
3993 | "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", | 3993 | "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=", |
3994 | "path": "../systems/zoldene", | 3994 | "path": "../systems/zoldene", |
3995 | "type": "path" | 3995 | "type": "path" |
3996 | }, | 3996 | }, |
diff --git a/flakes/flake.lock b/flakes/flake.lock index 1aa828e..2e49cab 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock | |||
@@ -3824,7 +3824,7 @@ | |||
3824 | }, | 3824 | }, |
3825 | "locked": { | 3825 | "locked": { |
3826 | "lastModified": 1, | 3826 | "lastModified": 1, |
3827 | "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", | 3827 | "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=", |
3828 | "path": "../systems/eldiron", | 3828 | "path": "../systems/eldiron", |
3829 | "type": "path" | 3829 | "type": "path" |
3830 | }, | 3830 | }, |
@@ -3895,7 +3895,7 @@ | |||
3895 | }, | 3895 | }, |
3896 | "locked": { | 3896 | "locked": { |
3897 | "lastModified": 1, | 3897 | "lastModified": 1, |
3898 | "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", | 3898 | "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=", |
3899 | "path": "../systems/zoldene", | 3899 | "path": "../systems/zoldene", |
3900 | "type": "path" | 3900 | "type": "path" |
3901 | }, | 3901 | }, |
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix index 46e6a9f..7d8bf5e 100644 --- a/systems/eldiron/websites/tools/default.nix +++ b/systems/eldiron/websites/tools/default.nix | |||
@@ -108,6 +108,7 @@ in { | |||
108 | mailSend | 108 | mailSend |
109 | (ips servers.eldiron.ips.main) | 109 | (ips servers.eldiron.ips.main) |
110 | ]; | 110 | ]; |
111 | synapse = ips servers.zoldene.ips.main; | ||
111 | }; | 112 | }; |
112 | 113 | ||
113 | services.borgBackup.profiles.global.ignoredPaths = [ | 114 | services.borgBackup.profiles.global.ignoredPaths = [ |
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix index 617cd82..1b42a52 100644 --- a/systems/zoldene/base.nix +++ b/systems/zoldene/base.nix | |||
@@ -13,6 +13,7 @@ in | |||
13 | secrets.nixosModules.users-config-zoldene | 13 | secrets.nixosModules.users-config-zoldene |
14 | ./virtualisation.nix | 14 | ./virtualisation.nix |
15 | ./certificates.nix | 15 | ./certificates.nix |
16 | ./synapse.nix | ||
16 | ]; | 17 | ]; |
17 | 18 | ||
18 | services.openssh = { | 19 | services.openssh = { |
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix new file mode 100644 index 0000000..1d892a7 --- /dev/null +++ b/systems/zoldene/synapse.nix | |||
@@ -0,0 +1,182 @@ | |||
1 | { lib, config, pkgs, name, ... }: | ||
2 | { | ||
3 | config = { | ||
4 | security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"]; | ||
5 | services.nginx = { | ||
6 | virtualHosts = { | ||
7 | "synapse.immae.eu" = { | ||
8 | acmeRoot = config.security.acme.defaults.webroot; | ||
9 | useACMEHost = name; | ||
10 | forceSSL = true; | ||
11 | |||
12 | locations."~ ^/admin(?:/(.*))?$" = { | ||
13 | alias = let | ||
14 | synapse-admin = pkgs.fetchzip { | ||
15 | url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz"; | ||
16 | sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk="; | ||
17 | postFetch = '' | ||
18 | sed -i -e 's@"/assets@"./assets@g' $out/index.html | ||
19 | ''; | ||
20 | }; | ||
21 | in | ||
22 | "${synapse-admin}/$1"; | ||
23 | }; | ||
24 | locations."/sliding-sync-client/" = { | ||
25 | # some svg urls are hardcoded to /client :shrug: | ||
26 | alias = "${pkgs.matrix-sliding-sync.src}/client/"; | ||
27 | tryFiles = "$uri $uri/ /sliding-sync-client/index.html"; | ||
28 | }; | ||
29 | locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = { | ||
30 | proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:"; | ||
31 | }; | ||
32 | locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = { | ||
33 | proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:"; | ||
34 | extraConfig = '' | ||
35 | client_max_body_size 50M; | ||
36 | ''; | ||
37 | }; | ||
38 | }; | ||
39 | }; | ||
40 | }; | ||
41 | |||
42 | systemd.services.postgresql.postStart = lib.mkAfter '' | ||
43 | $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0" | ||
44 | $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0" | ||
45 | $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"' | ||
46 | $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";' | ||
47 | $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";' | ||
48 | ''; | ||
49 | |||
50 | disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" = | ||
51 | { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; }; | ||
52 | disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" = | ||
53 | { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; }; | ||
54 | |||
55 | environment.persistence."/persist/zfast".directories = [ | ||
56 | { | ||
57 | directory = "/var/lib/matrix-synapse"; | ||
58 | user = "matrix-synapse"; | ||
59 | group = "matrix-synapse"; | ||
60 | mode = "0700"; | ||
61 | } | ||
62 | { | ||
63 | directory = "/var/lib/matrix-sliding-sync"; | ||
64 | user = "matrix-synapse"; | ||
65 | group = "matrix-synapse"; | ||
66 | mode = "0700"; | ||
67 | } | ||
68 | ]; | ||
69 | |||
70 | users.users.matrix-synapse.extraGroups = [ "keys" ]; | ||
71 | users.users.nginx.extraGroups = [ "matrix-synapse" ]; | ||
72 | |||
73 | services.matrix-synapse = { | ||
74 | enable = true; | ||
75 | extraConfigFiles = [ | ||
76 | config.secrets.fullPaths."matrix/homeserver_secrets.yaml" | ||
77 | ]; | ||
78 | settings.server_name = "immae.eu"; | ||
79 | settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key"; | ||
80 | settings.listeners = [ | ||
81 | { | ||
82 | port = 8008; | ||
83 | bind_addresses = [ "127.0.0.1" ]; | ||
84 | type = "http"; | ||
85 | tls = false; | ||
86 | x_forwarded = true; | ||
87 | resources = [ | ||
88 | { | ||
89 | names = [ "client" ]; | ||
90 | compress = true; | ||
91 | } | ||
92 | ]; | ||
93 | } | ||
94 | { | ||
95 | path = "/run/matrix-synapse/main_client_federation.sock"; | ||
96 | resources = [ | ||
97 | { | ||
98 | compress = true; | ||
99 | names = [ "client" ]; | ||
100 | } | ||
101 | { | ||
102 | compress = false; | ||
103 | names = [ "federation" ]; | ||
104 | } | ||
105 | ]; | ||
106 | type = "http"; | ||
107 | x_forwarded = true; | ||
108 | } | ||
109 | ]; | ||
110 | }; | ||
111 | services.matrix-sliding-sync = { | ||
112 | enable = true; | ||
113 | createDatabase = false; | ||
114 | settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock"; | ||
115 | settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock"; | ||
116 | environmentFile = config.secrets.fullPaths."matrix/sliding-sync"; | ||
117 | }; | ||
118 | |||
119 | systemd.services.matrix-synapse = { | ||
120 | after = [ | ||
121 | "postgresql.service" | ||
122 | "persist-zfast-var-lib-matrix\\x2dsynapse.mount" | ||
123 | "var-lib-matrix\\x2dsynapse.mount" | ||
124 | ]; | ||
125 | unitConfig = { | ||
126 | BindsTo = [ | ||
127 | "var-lib-matrix\\x2dsynapse.mount" | ||
128 | "persist-zfast-var-lib-matrix\\x2dsynapse.mount" | ||
129 | ]; | ||
130 | }; | ||
131 | serviceConfig.SupplementaryGroups = [ "keys" ]; | ||
132 | }; | ||
133 | |||
134 | systemd.services.matrix-sliding-sync = { | ||
135 | serviceConfig = { | ||
136 | DynamicUser = lib.mkForce false; | ||
137 | User = "matrix-synapse"; | ||
138 | Group = "matrix-synapse"; | ||
139 | RuntimeDirectory = "matrix-synapse"; | ||
140 | SupplementaryGroups = [ "keys" ]; | ||
141 | }; | ||
142 | unitConfig = { | ||
143 | BindsTo = [ | ||
144 | "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount" | ||
145 | "var-lib-matrix\\x2dsliding\\x2dsync.mount" | ||
146 | ]; | ||
147 | After = lib.mkForce [ | ||
148 | "matrix-synapse.service" | ||
149 | "postgresql.service" | ||
150 | "var-lib-matrix\\x2dsliding\\x2dsync.mount" | ||
151 | "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount" | ||
152 | ]; | ||
153 | }; | ||
154 | }; | ||
155 | secrets.keys."matrix/signing.key" = { | ||
156 | permissions = "0400"; | ||
157 | user = "matrix-synapse"; | ||
158 | group = "matrix-synapse"; | ||
159 | text = "{{ .matrix.signing_key }}"; | ||
160 | }; | ||
161 | secrets.keys."matrix/homeserver_secrets.yaml" = { | ||
162 | permissions = "0400"; | ||
163 | user = "matrix-synapse"; | ||
164 | group = "matrix-synapse"; | ||
165 | # Beware, yaml keys are merged at top level, not deep | ||
166 | text = '' | ||
167 | password_config: | ||
168 | enabled: true | ||
169 | pepper: "{{ .matrix.password_pepper }}" | ||
170 | macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}" | ||
171 | ''; | ||
172 | }; | ||
173 | secrets.keys."matrix/sliding-sync" = { | ||
174 | permissions = "0400"; | ||
175 | user = "matrix-synapse"; | ||
176 | group = "matrix-synapse"; | ||
177 | text = '' | ||
178 | SYNCV3_SECRET={{ .matrix.sliding_sync_secret }} | ||
179 | ''; | ||
180 | }; | ||
181 | }; | ||
182 | } | ||