3 files changed, 184 insertions, 0 deletions

diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 46e6a9f..7d8bf5e 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
           mailSend
           (ips servers.eldiron.ips.main)
         ];
+        synapse = ips servers.zoldene.ips.main;
       };
 
     services.borgBackup.profiles.global.ignoredPaths = [
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 617cd82..1b42a52 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -13,6 +13,7 @@ in
     secrets.nixosModules.users-config-zoldene
     ./virtualisation.nix
     ./certificates.nix
+    ./synapse.nix
   ];
 
   services.openssh = {
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix
new file mode 100644
index 0000000..1d892a7
--- /dev/null
+++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,182 @@
+{ lib, config, pkgs, name, ... }:
+{
+  config = {
+    security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
+    services.nginx = {
+      virtualHosts = {
+        "synapse.immae.eu" = {
+          acmeRoot = config.security.acme.defaults.webroot;
+          useACMEHost = name;
+          forceSSL = true;
+
+          locations."~ ^/admin(?:/(.*))?$" = {
+            alias = let
+              synapse-admin = pkgs.fetchzip {
+                url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
+                sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
+                postFetch = ''
+                  sed -i -e 's@"/assets@"./assets@g' $out/index.html
+                '';
+              };
+            in
+              "${synapse-admin}/$1";
+          };
+          locations."/sliding-sync-client/" = {
+            # some svg urls are hardcoded to /client :shrug:
+            alias = "${pkgs.matrix-sliding-sync.src}/client/";
+            tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
+          };
+          locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+            proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
+          };
+          locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
+            proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
+            extraConfig = ''
+              client_max_body_size 50M;
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
+      $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
+      $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
+    '';
+
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
+
+    environment.persistence."/persist/zfast".directories = [
+      {
+        directory = "/var/lib/matrix-synapse";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+      {
+        directory = "/var/lib/matrix-sliding-sync";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+    ];
+
+    users.users.matrix-synapse.extraGroups = [ "keys" ];
+    users.users.nginx.extraGroups = [ "matrix-synapse" ];
+
+    services.matrix-synapse = {
+      enable = true;
+      extraConfigFiles = [
+        config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
+      ];
+      settings.server_name = "immae.eu";
+      settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
+      settings.listeners = [
+        {
+          port = 8008;
+          bind_addresses = [ "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = [ "client" ];
+              compress = true;
+            }
+          ];
+        }
+        {
+          path = "/run/matrix-synapse/main_client_federation.sock";
+          resources = [
+            {
+              compress = true;
+              names = [ "client" ];
+            }
+            {
+              compress = false;
+              names = [ "federation" ];
+            }
+          ];
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+    };
+    services.matrix-sliding-sync = {
+      enable = true;
+      createDatabase = false;
+      settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
+      settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
+      environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
+    };
+
+    systemd.services.matrix-synapse = {
+      after = [
+        "postgresql.service"
+        "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        "var-lib-matrix\\x2dsynapse.mount"
+      ];
+      unitConfig = {
+        BindsTo = [
+          "var-lib-matrix\\x2dsynapse.mount"
+          "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        ];
+      };
+      serviceConfig.SupplementaryGroups = [ "keys" ];
+    };
+
+    systemd.services.matrix-sliding-sync = {
+      serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        RuntimeDirectory = "matrix-synapse";
+        SupplementaryGroups = [ "keys" ];
+      };
+      unitConfig = {
+        BindsTo = [
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+        After = lib.mkForce [
+          "matrix-synapse.service"
+          "postgresql.service"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+      };
+    };
+    secrets.keys."matrix/signing.key" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = "{{ .matrix.signing_key }}";
+    };
+    secrets.keys."matrix/homeserver_secrets.yaml" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      # Beware, yaml keys are merged at top level, not deep
+      text = ''
+        password_config:
+            enabled: true
+            pepper: "{{ .matrix.password_pepper }}"
+        macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
+      '';
+    };
+    secrets.keys."matrix/sliding-sync" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = ''
+        SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
+      '';
+    };
+  };
+}