authorIsmaël Bouya <ismael.bouya@normalesup.org>2024-06-16 11:59:09 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2024-06-16 12:01:32 +0200
commit9c0cd0922a84ec9945072bd8fbd0e72bf3c3fa65 (patch)
tree7318ce064220bde61eb8f00f1900dd942c43f406
parent0f691603b4ed60e7afefa85cf5da3327e4c18366 (diff)
Reimport synapse configuration
-rw-r--r--deploy/flake.lock14
-rw-r--r--flake.lock6
-rw-r--r--flakes/flake.lock4
-rw-r--r--systems/eldiron/websites/tools/default.nix1
-rw-r--r--systems/zoldene/base.nix1
-rw-r--r--systems/zoldene/synapse.nix182
6 files changed, 196 insertions, 12 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 153f0c6..40b7302 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783 }, 2783 },
2784 "locked": { 2784 "locked": {
2785 "lastModified": 1, 2785 "lastModified": 1,
2786 "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=", 2786 "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
2787 "path": "../flakes", 2787 "path": "../flakes",
2788 "type": "path" 2788 "type": "path"
2789 }, 2789 },
@@ -3903,7 +3903,7 @@
3903 }, 3903 },
3904 "locked": { 3904 "locked": {
3905 "lastModified": 1, 3905 "lastModified": 1,
3906 "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", 3906 "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3907 "path": "../systems/eldiron", 3907 "path": "../systems/eldiron",
3908 "type": "path" 3908 "type": "path"
3909 }, 3909 },
@@ -3974,7 +3974,7 @@
3974 }, 3974 },
3975 "locked": { 3975 "locked": {
3976 "lastModified": 1, 3976 "lastModified": 1,
3977 "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", 3977 "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3978 "path": "../systems/zoldene", 3978 "path": "../systems/zoldene",
3979 "type": "path" 3979 "type": "path"
3980 }, 3980 },
@@ -8888,11 +8888,11 @@
8888 "nixpkgs": "nixpkgs_106" 8888 "nixpkgs": "nixpkgs_106"
8889 }, 8889 },
8890 "locked": { 8890 "locked": {
8891 "lastModified": 1718015850, 8891 "lastModified": 1718531880,
8892 "narHash": "sha256-svUAfD+aIaS9T9UtepEGlIdxcZyu3YJcrGOmjuwgplE=", 8892 "narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=",
8893 "ref": "master", 8893 "ref": "master",
8894 "rev": "71fbb32c4b3195982c0f03c90714c959b5ce2251", 8894 "rev": "b0236017d9da46b98017f348d7031a69526c0aeb",
8895 "revCount": 735, 8895 "revCount": 738,
8896 "type": "git", 8896 "type": "git",
8897 "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" 8897 "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
8898 }, 8898 },
diff --git a/flake.lock b/flake.lock
index b7403fa..adc46ab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664 }, 2664 },
2665 "locked": { 2665 "locked": {
2666 "lastModified": 1, 2666 "lastModified": 1,
2667 "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=", 2667 "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
2668 "path": "./flakes", 2668 "path": "./flakes",
2669 "type": "path" 2669 "type": "path"
2670 }, 2670 },
@@ -3919,7 +3919,7 @@
3919 }, 3919 },
3920 "locked": { 3920 "locked": {
3921 "lastModified": 1, 3921 "lastModified": 1,
3922 "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", 3922 "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3923 "path": "../systems/eldiron", 3923 "path": "../systems/eldiron",
3924 "type": "path" 3924 "type": "path"
3925 }, 3925 },
@@ -3990,7 +3990,7 @@
3990 }, 3990 },
3991 "locked": { 3991 "locked": {
3992 "lastModified": 1, 3992 "lastModified": 1,
3993 "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", 3993 "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3994 "path": "../systems/zoldene", 3994 "path": "../systems/zoldene",
3995 "type": "path" 3995 "type": "path"
3996 }, 3996 },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 1aa828e..2e49cab 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
3824 }, 3824 },
3825 "locked": { 3825 "locked": {
3826 "lastModified": 1, 3826 "lastModified": 1,
3827 "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=", 3827 "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3828 "path": "../systems/eldiron", 3828 "path": "../systems/eldiron",
3829 "type": "path" 3829 "type": "path"
3830 }, 3830 },
@@ -3895,7 +3895,7 @@
3895 }, 3895 },
3896 "locked": { 3896 "locked": {
3897 "lastModified": 1, 3897 "lastModified": 1,
3898 "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=", 3898 "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3899 "path": "../systems/zoldene", 3899 "path": "../systems/zoldene",
3900 "type": "path" 3900 "type": "path"
3901 }, 3901 },
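--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
 mailSend
 (ips servers.eldiron.ips.main)
 ];
+synapse = ips servers.zoldene.ips.main;
 };
 
 services.borgBackup.profiles.global.ignoredPaths = [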
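--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -13,6 +13,7 @@ in
 secrets.nixosModules.users-config-zoldene
 ./virtualisation.nix
 ./certificates.nix
+./synapse.nix
 ];
 
 services.openssh = {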
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix
new file mode 100644
index 0000000..1d892a7
--- /dev/null
+++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,182 @@
1{ lib, config, pkgs, name, ... }:
2{
3 config = {
4 security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
5 services.nginx = {
6 virtualHosts = {
7 "synapse.immae.eu" = {
8 acmeRoot = config.security.acme.defaults.webroot;
9 useACMEHost = name;
10 forceSSL = true;
11
12 locations."~ ^/admin(?:/(.*))?$" = {
13 alias = let
14 synapse-admin = pkgs.fetchzip {
15 url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
16 sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
17 postFetch = ''
18 sed -i -e 's@"/assets@"./assets@g' $out/index.html
19 '';
20 };
21 in
22 "${synapse-admin}/$1";
23 };
24 locations."/sliding-sync-client/" = {
25 # some svg urls are hardcoded to /client :shrug:
26 alias = "${pkgs.matrix-sliding-sync.src}/client/";
27 tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
28 };
29 locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
30 proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
31 };
32 locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
33 proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
34 extraConfig = ''
35 client_max_body_size 50M;
36 '';
37 };
38 };
39 };
40 };
41
42 systemd.services.postgresql.postStart = lib.mkAfter ''
43 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
44 $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
45 $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
46 $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
47 $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
48 '';
49
50 disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
51 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
52 disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
53 { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
54
55 environment.persistence."/persist/zfast".directories = [
56 {
57 directory = "/var/lib/matrix-synapse";
58 user = "matrix-synapse";
59 group = "matrix-synapse";
60 mode = "0700";
61 }
62 {
63 directory = "/var/lib/matrix-sliding-sync";
64 user = "matrix-synapse";
65 group = "matrix-synapse";
66 mode = "0700";
67 }
68 ];
69
70 users.users.matrix-synapse.extraGroups = [ "keys" ];
71 users.users.nginx.extraGroups = [ "matrix-synapse" ];
72
73 services.matrix-synapse = {
74 enable = true;
75 extraConfigFiles = [
76 config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
77 ];
78 settings.server_name = "immae.eu";
79 settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
80 settings.listeners = [
81 {
82 port = 8008;
83 bind_addresses = [ "127.0.0.1" ];
84 type = "http";
85 tls = false;
86 x_forwarded = true;
87 resources = [
88 {
89 names = [ "client" ];
90 compress = true;
91 }
92 ];
93 }
94 {
95 path = "/run/matrix-synapse/main_client_federation.sock";
96 resources = [
97 {
98 compress = true;
99 names = [ "client" ];
100 }
101 {
102 compress = false;
103 names = [ "federation" ];
104 }
105 ];
106 type = "http";
107 x_forwarded = true;
108 }
109 ];
110 };
111 services.matrix-sliding-sync = {
112 enable = true;
113 createDatabase = false;
114 settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
115 settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
116 environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
117 };
118
119 systemd.services.matrix-synapse = {
120 after = [
121 "postgresql.service"
122 "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
123 "var-lib-matrix\\x2dsynapse.mount"
124 ];
125 unitConfig = {
126 BindsTo = [
127 "var-lib-matrix\\x2dsynapse.mount"
128 "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
129 ];
130 };
131 serviceConfig.SupplementaryGroups = [ "keys" ];
132 };
133
134 systemd.services.matrix-sliding-sync = {
135 serviceConfig = {
136 DynamicUser = lib.mkForce false;
137 User = "matrix-synapse";
138 Group = "matrix-synapse";
139 RuntimeDirectory = "matrix-synapse";
140 SupplementaryGroups = [ "keys" ];
141 };
142 unitConfig = {
143 BindsTo = [
144 "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
145 "var-lib-matrix\\x2dsliding\\x2dsync.mount"
146 ];
147 After = lib.mkForce [
148 "matrix-synapse.service"
149 "postgresql.service"
150 "var-lib-matrix\\x2dsliding\\x2dsync.mount"
151 "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
152 ];
153 };
154 };
155 secrets.keys."matrix/signing.key" = {
156 permissions = "0400";
157 user = "matrix-synapse";
158 group = "matrix-synapse";
159 text = "{{ .matrix.signing_key }}";
160 };
161 secrets.keys."matrix/homeserver_secrets.yaml" = {
162 permissions = "0400";
163 user = "matrix-synapse";
164 group = "matrix-synapse";
165 # Beware, yaml keys are merged at top level, not deep
166 text = ''
167 password_config:
168 enabled: true
169 pepper: "{{ .matrix.password_pepper }}"
170 macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
171 '';
172 };
173 secrets.keys."matrix/sliding-sync" = {
174 permissions = "0400";
175 user = "matrix-synapse";
176 group = "matrix-synapse";
177 text = ''
178 SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
179 '';
180 };
181 };
182}
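Review bot: The location `~ ^(/_matrix|/_synapse/client|/_synapse/admin)` publishes the Synapse admin API on the public `synapse.immae.eu` vhost with no network restriction, whereas Synapse's reverse-proxy documentation recommends exposing `/_synapse/admin` only to trusted clients; a dedicated `locations."/_synapse/admin"` block carrying the same `proxyPass` plus `allow`/`deny` rules in its `extraConfig` (and the same gate on the `/admin` synapse-admin UI) would keep that surface off the open internet. Separately, `RuntimeDirectory = "matrix-synapse"` on matrix-sliding-sync names the directory that holds matrix-synapse's `main_client_federation.sock`; as far as I know systemd removes a unit's RuntimeDirectory when that unit stops unless `RuntimeDirectoryPreserve` is set, so a restart of the sliding-sync unit may remove synapse's socket from under the running service. Adding `RuntimeDirectoryPreserve = "yes";` next to it, or pointing `SYNCV3_BINDADDR` at a directory of its own, avoids that. A comment on the `x_forwarded = true` listener bound to `127.0.0.1:8008` noting that it trusts forwarded headers from any local client would also help the next reader.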