6 files changed, 196 insertions, 12 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 153f0c6..40b7302 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",
+        "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
        "path": "../flakes",
        "type": "path"
      },
@@ -3903,7 +3903,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+        "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3974,7 +3974,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+        "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
        "path": "../systems/zoldene",
        "type": "path"
      },
@@ -8888,11 +8888,11 @@
        "nixpkgs": "nixpkgs_106"
      },
      "locked": {
-        "lastModified": 1718015850,
+        "lastModified": 1718531880,
-        "narHash": "sha256-svUAfD+aIaS9T9UtepEGlIdxcZyu3YJcrGOmjuwgplE=",
+        "narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=",
        "ref": "master",
-        "rev": "71fbb32c4b3195982c0f03c90714c959b5ce2251",
+        "rev": "b0236017d9da46b98017f348d7031a69526c0aeb",
-        "revCount": 735,
+        "revCount": 738,
        "type": "git",
        "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
      },
diff --git a/flake.lock b/flake.lock
index b7403fa..adc46ab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",
+        "narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
        "path": "./flakes",
        "type": "path"
      },
@@ -3919,7 +3919,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+        "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3990,7 +3990,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+        "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
        "path": "../systems/zoldene",
        "type": "path"
      },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 1aa828e..2e49cab 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",
+        "narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3895,7 +3895,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",
+        "narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
        "path": "../systems/zoldene",
        "type": "path"
      },
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 46e6a9f..7d8bf5e 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
          mailSend
          (ips servers.eldiron.ips.main)
        ];
+        synapse = ips servers.zoldene.ips.main;
      };
    services.borgBackup.profiles.global.ignoredPaths = [
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 617cd82..1b42a52 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -13,6 +13,7 @@ in
    secrets.nixosModules.users-config-zoldene
    ./virtualisation.nix
    ./certificates.nix
+    ./synapse.nix
  ];
  services.openssh = {
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix
new file mode 100644
index 0000000..1d892a7
--- /dev/null
+++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,182 @@
+{ lib, config, pkgs, name, ... }:
+{
+  config = {
+    security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
+    services.nginx = {
+      virtualHosts = {
+        "synapse.immae.eu" = {
+          acmeRoot = config.security.acme.defaults.webroot;
+          useACMEHost = name;
+          forceSSL = true;
+          locations."~ ^/admin(?:/(.*))?$" = {
+            alias = let
+              synapse-admin = pkgs.fetchzip {
+                url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
+                sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
+                postFetch = ''
+                  sed -i -e 's@"/assets@"./assets@g' $out/index.html
+                '';
+              };
+            in
+              "${synapse-admin}/$1";
+          };
+          locations."/sliding-sync-client/" = {
+            # some svg urls are hardcoded to /client :shrug:
+            alias = "${pkgs.matrix-sliding-sync.src}/client/";
+            tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
+          };
+          locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+            proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
+          };
+          locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
+            proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
+            extraConfig = ''
+              client_max_body_size 50M;
+            '';
+          };
+        };
+      };
+    };
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
+      $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
+      $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
+    '';
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
+    environment.persistence."/persist/zfast".directories = [
+      {
+        directory = "/var/lib/matrix-synapse";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+      {
+        directory = "/var/lib/matrix-sliding-sync";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+    ];
+    users.users.matrix-synapse.extraGroups = [ "keys" ];
+    users.users.nginx.extraGroups = [ "matrix-synapse" ];
+    services.matrix-synapse = {
+      enable = true;
+      extraConfigFiles = [
+        config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
+      ];
+      settings.server_name = "immae.eu";
+      settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
+      settings.listeners = [
+        {
+          port = 8008;
+          bind_addresses = [ "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = [ "client" ];
+              compress = true;
+            }
+          ];
+        }
+        {
+          path = "/run/matrix-synapse/main_client_federation.sock";
+          resources = [
+            {
+              compress = true;
+              names = [ "client" ];
+            }
+            {
+              compress = false;
+              names = [ "federation" ];
+            }
+          ];
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+    };
+    services.matrix-sliding-sync = {
+      enable = true;
+      createDatabase = false;
+      settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
+      settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
+      environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
+    };
+    systemd.services.matrix-synapse = {
+      after = [
+        "postgresql.service"
+        "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        "var-lib-matrix\\x2dsynapse.mount"
+      ];
+      unitConfig = {
+        BindsTo = [
+          "var-lib-matrix\\x2dsynapse.mount"
+          "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        ];
+      };
+      serviceConfig.SupplementaryGroups = [ "keys" ];
+    };
+    systemd.services.matrix-sliding-sync = {
+      serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        RuntimeDirectory = "matrix-synapse";
+        SupplementaryGroups = [ "keys" ];
+      };
+      unitConfig = {
+        BindsTo = [
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+        After = lib.mkForce [
+          "matrix-synapse.service"
+          "postgresql.service"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+      };
+    };
+    secrets.keys."matrix/signing.key" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = "{{ .matrix.signing_key }}";
+    };
+    secrets.keys."matrix/homeserver_secrets.yaml" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      # Beware, yaml keys are merged at top level, not deep
+      text = ''
+        password_config:
+            enabled: true
+            pepper: "{{ .matrix.password_pepper }}"
+        macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
+      '';
+    };
+    secrets.keys."matrix/sliding-sync" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = ''
+        SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
+      '';
+    };
+  };
+}

diff --git a/deploy/flake.lock b/deploy/flake.lock index 153f0c6..40b7302 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783	},	2783	},
2784	"locked": {	2784	"locked": {
2785	"lastModified": 1,	2785	"lastModified": 1,
2786	"narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",	2786	"narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
2787	"path": "../flakes",	2787	"path": "../flakes",
2788	"type": "path"	2788	"type": "path"
2789	},	2789	},
@@ -3903,7 +3903,7 @@
3903	},	3903	},
3904	"locked": {	3904	"locked": {
3905	"lastModified": 1,	3905	"lastModified": 1,
3906	"narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",	3906	"narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3907	"path": "../systems/eldiron",	3907	"path": "../systems/eldiron",
3908	"type": "path"	3908	"type": "path"
3909	},	3909	},
@@ -3974,7 +3974,7 @@
3974	},	3974	},
3975	"locked": {	3975	"locked": {
3976	"lastModified": 1,	3976	"lastModified": 1,
3977	"narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",	3977	"narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3978	"path": "../systems/zoldene",	3978	"path": "../systems/zoldene",
3979	"type": "path"	3979	"type": "path"
3980	},	3980	},
@@ -8888,11 +8888,11 @@
8888	"nixpkgs": "nixpkgs_106"	8888	"nixpkgs": "nixpkgs_106"
8889	},	8889	},
8890	"locked": {	8890	"locked": {
8891	"lastModified": 1718015850,	8891	"lastModified": 1718531880,
8892	"narHash": "sha256-svUAfD+aIaS9T9UtepEGlIdxcZyu3YJcrGOmjuwgplE=",	8892	"narHash": "sha256-BqLfVL7N6dO2oWB8Xo89uvO5cG8oDCRBgsk/TUnpcYs=",
8893	"ref": "master",	8893	"ref": "master",
8894	"rev": "71fbb32c4b3195982c0f03c90714c959b5ce2251",	8894	"rev": "b0236017d9da46b98017f348d7031a69526c0aeb",
8895	"revCount": 735,	8895	"revCount": 738,
8896	"type": "git",	8896	"type": "git",
8897	"url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"	8897	"url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
8898	},	8898	},


diff --git a/flake.lock b/flake.lock index b7403fa..adc46ab 100644 --- a/flake.lock +++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664	},	2664	},
2665	"locked": {	2665	"locked": {
2666	"lastModified": 1,	2666	"lastModified": 1,
2667	"narHash": "sha256-Nw6nhvfCOJvSiqgkq/iJDA+ex5mllZxRSqAuO2bZCVc=",	2667	"narHash": "sha256-FnlsOOyTYqmGYWT4+ZTG92NOdVuWTpYLkyfyNFwKNYQ=",
2668	"path": "./flakes",	2668	"path": "./flakes",
2669	"type": "path"	2669	"type": "path"
2670	},	2670	},
@@ -3919,7 +3919,7 @@
3919	},	3919	},
3920	"locked": {	3920	"locked": {
3921	"lastModified": 1,	3921	"lastModified": 1,
3922	"narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",	3922	"narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3923	"path": "../systems/eldiron",	3923	"path": "../systems/eldiron",
3924	"type": "path"	3924	"type": "path"
3925	},	3925	},
@@ -3990,7 +3990,7 @@
3990	},	3990	},
3991	"locked": {	3991	"locked": {
3992	"lastModified": 1,	3992	"lastModified": 1,
3993	"narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",	3993	"narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3994	"path": "../systems/zoldene",	3994	"path": "../systems/zoldene",
3995	"type": "path"	3995	"type": "path"
3996	},	3996	},


diff --git a/flakes/flake.lock b/flakes/flake.lock index 1aa828e..2e49cab 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
3824	},	3824	},
3825	"locked": {	3825	"locked": {
3826	"lastModified": 1,	3826	"lastModified": 1,
3827	"narHash": "sha256-/2ewPhp/ETtRESC/RG6PXCsh16cCWK+GtGNPEnk6sEs=",	3827	"narHash": "sha256-716InHQU0Gd7XR6AN3//P5kjwV0mQAT4bg83lVIqghk=",
3828	"path": "../systems/eldiron",	3828	"path": "../systems/eldiron",
3829	"type": "path"	3829	"type": "path"
3830	},	3830	},
@@ -3895,7 +3895,7 @@
3895	},	3895	},
3896	"locked": {	3896	"locked": {
3897	"lastModified": 1,	3897	"lastModified": 1,
3898	"narHash": "sha256-JlmfWvZWdpG8URsDmCRaWmLo1pUxKf0yxwcLF2OwzTo=",	3898	"narHash": "sha256-9qnPvun+A27xK5GmR9NU6Jd8UC5lAWcqpGJ9IMF6IhQ=",
3899	"path": "../systems/zoldene",	3899	"path": "../systems/zoldene",
3900	"type": "path"	3900	"type": "path"
3901	},	3901	},


diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix index 46e6a9f..7d8bf5e 100644 --- a/systems/eldiron/websites/tools/default.nix +++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
108	mailSend	108	mailSend
109	(ips servers.eldiron.ips.main)	109	(ips servers.eldiron.ips.main)
110	];	110	];
		111	synapse = ips servers.zoldene.ips.main;
111	};	112	};
112		113
113	services.borgBackup.profiles.global.ignoredPaths = [	114	services.borgBackup.profiles.global.ignoredPaths = [


diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix index 617cd82..1b42a52 100644 --- a/systems/zoldene/base.nix +++ b/systems/zoldene/base.nix
@@ -13,6 +13,7 @@ in
13	secrets.nixosModules.users-config-zoldene	13	secrets.nixosModules.users-config-zoldene
14	./virtualisation.nix	14	./virtualisation.nix
15	./certificates.nix	15	./certificates.nix
		16	./synapse.nix
16	];	17	];
17		18
18	services.openssh = {	19	services.openssh = {


diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix new file mode 100644 index 0000000..1d892a7 --- /dev/null +++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,182 @@
		1	{ lib, config, pkgs, name, ... }:
		2	{
		3	config = {
		4	security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
		5	services.nginx = {
		6	virtualHosts = {
		7	"synapse.immae.eu" = {
		8	acmeRoot = config.security.acme.defaults.webroot;
		9	useACMEHost = name;
		10	forceSSL = true;
		11
		12	locations."~ ^/admin(?:/(.*))?$" = {
		13	alias = let
		14	synapse-admin = pkgs.fetchzip {
		15	url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
		16	sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
		17	postFetch = ''
		18	sed -i -e 's@"/assets@"./assets@g' $out/index.html
		19	'';
		20	};
		21	in
		22	"${synapse-admin}/$1";
		23	};
		24	locations."/sliding-sync-client/" = {
		25	# some svg urls are hardcoded to /client :shrug:
		26	alias = "${pkgs.matrix-sliding-sync.src}/client/";
		27	tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
		28	};
		29	locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
		30	proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
		31	};
		32	locations."~ ^(/_matrix\|/_synapse/client\|/_synapse/admin)" = {
		33	proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
		34	extraConfig = ''
		35	client_max_body_size 50M;
		36	'';
		37	};
		38	};
		39	};
		40	};
		41
		42	systemd.services.postgresql.postStart = lib.mkAfter ''
		43	$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" \| grep -q 1 \|\| $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
		44	$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" \| grep -q 1 \|\| $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
		45	$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" \| grep -q 1 \|\| $PSQL -tAc 'CREATE USER "matrix-synapse"'
		46	$PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
		47	$PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
		48	'';
		49
		50	disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
		51	{ type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
		52	disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
		53	{ type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
		54
		55	environment.persistence."/persist/zfast".directories = [
		56	{
		57	directory = "/var/lib/matrix-synapse";
		58	user = "matrix-synapse";
		59	group = "matrix-synapse";
		60	mode = "0700";
		61	}
		62	{
		63	directory = "/var/lib/matrix-sliding-sync";
		64	user = "matrix-synapse";
		65	group = "matrix-synapse";
		66	mode = "0700";
		67	}
		68	];
		69
		70	users.users.matrix-synapse.extraGroups = [ "keys" ];
		71	users.users.nginx.extraGroups = [ "matrix-synapse" ];
		72
		73	services.matrix-synapse = {
		74	enable = true;
		75	extraConfigFiles = [
		76	config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
		77	];
		78	settings.server_name = "immae.eu";
		79	settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
		80	settings.listeners = [
		81	{
		82	port = 8008;
		83	bind_addresses = [ "127.0.0.1" ];
		84	type = "http";
		85	tls = false;
		86	x_forwarded = true;
		87	resources = [
		88	{
		89	names = [ "client" ];
		90	compress = true;
		91	}
		92	];
		93	}
		94	{
		95	path = "/run/matrix-synapse/main_client_federation.sock";
		96	resources = [
		97	{
		98	compress = true;
		99	names = [ "client" ];
		100	}
		101	{
		102	compress = false;
		103	names = [ "federation" ];
		104	}
		105	];
		106	type = "http";
		107	x_forwarded = true;
		108	}
		109	];
		110	};
		111	services.matrix-sliding-sync = {
		112	enable = true;
		113	createDatabase = false;
		114	settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
		115	settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
		116	environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
		117	};
		118
		119	systemd.services.matrix-synapse = {
		120	after = [
		121	"postgresql.service"
		122	"persist-zfast-var-lib-matrix\\x2dsynapse.mount"
		123	"var-lib-matrix\\x2dsynapse.mount"
		124	];
		125	unitConfig = {
		126	BindsTo = [
		127	"var-lib-matrix\\x2dsynapse.mount"
		128	"persist-zfast-var-lib-matrix\\x2dsynapse.mount"
		129	];
		130	};
		131	serviceConfig.SupplementaryGroups = [ "keys" ];
		132	};
		133
		134	systemd.services.matrix-sliding-sync = {
		135	serviceConfig = {
		136	DynamicUser = lib.mkForce false;
		137	User = "matrix-synapse";
		138	Group = "matrix-synapse";
		139	RuntimeDirectory = "matrix-synapse";
		140	SupplementaryGroups = [ "keys" ];
		141	};
		142	unitConfig = {
		143	BindsTo = [
		144	"persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
		145	"var-lib-matrix\\x2dsliding\\x2dsync.mount"
		146	];
		147	After = lib.mkForce [
		148	"matrix-synapse.service"
		149	"postgresql.service"
		150	"var-lib-matrix\\x2dsliding\\x2dsync.mount"
		151	"persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
		152	];
		153	};
		154	};
		155	secrets.keys."matrix/signing.key" = {
		156	permissions = "0400";
		157	user = "matrix-synapse";
		158	group = "matrix-synapse";
		159	text = "{{ .matrix.signing_key }}";
		160	};
		161	secrets.keys."matrix/homeserver_secrets.yaml" = {
		162	permissions = "0400";
		163	user = "matrix-synapse";
		164	group = "matrix-synapse";
		165	# Beware, yaml keys are merged at top level, not deep
		166	text = ''
		167	password_config:
		168	enabled: true
		169	pepper: "{{ .matrix.password_pepper }}"
		170	macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
		171	'';
		172	};
		173	secrets.keys."matrix/sliding-sync" = {
		174	permissions = "0400";
		175	user = "matrix-synapse";
		176	group = "matrix-synapse";
		177	text = ''
		178	SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
		179	'';
		180	};
		181	};
		182	}