about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorsefidel <contact@sefidel.net>2023-11-05 18:12:18 +0900
committersefidel <contact@sefidel.net>2023-11-12 17:12:53 +0900
commitdc94b6cd1d99bf20d66c6fbc55ff4c2024cfbda3 (patch)
tree2ee6842746a6f922b475d25cbce40b574f705f9f /modules
parent8c2d625042c3497893702a6d3538330bb8148959 (diff)
downloadinfra-dc94b6cd1d99bf20d66c6fbc55ff4c2024cfbda3.tar.gz
infra-dc94b6cd1d99bf20d66c6fbc55ff4c2024cfbda3.zip
feat(modules/matrix-homeserver)!: dendrite -> synapse
Diffstat (limited to 'modules')
-rw-r--r--modules/services/matrix-homeserver.nix216
1 files changed, 90 insertions, 126 deletions
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix
index 6af8f7f..6089b12 100644
--- a/modules/services/matrix-homeserver.nix
+++ b/modules/services/matrix-homeserver.nix
@@ -1,15 +1,12 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 let
   cfg = config.modules.services.matrix-homeserver;
 
-  database = {
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
-    max_open_conns = 100;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
+  httpPort = 8008;
+  slidingSyncPort = 8009;
+  metricsPort = 8010;
 in
 {
   imports = [
@@ -28,148 +25,116 @@ in
     };
     secrets = {
       matrix-server-key = mkOption { type = types.str; description = "path to the server key"; };
+      matrix-shared-secret = mkOption { type = types.str; description = "path to the registration shared secret"; };
       dendrite-envs = mkOption { type = types.nullOr types.str; description = "path for the environment file to source"; };
+      extra-config-path = mkOption { type = types.nullOr types.str; description = "path to the extra configuration file to source"; };
       sliding-sync-secret = mkOption { type = types.nullOr types.str; description = "path to the sliding sync secret"; };
     };
   };
 
   config = mkIf cfg.enable {
-    # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
-    services.dendrite = {
+    services.matrix-synapse = {
       enable = true;
+      withJemalloc = true;
+      dataDir = "/var/lib/matrix-synapse";
       settings = {
-        global = {
-          server_name = cfg.domain;
-          # `private_key` has the type `path`
-          # prefix a `/` to make `path` happy
-          private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
-          jetstream.storage_path = "/var/lib/dendrite/jetstream";
-          trusted_third_party_id_servers = [
-            "matrix.org"
-            "vector.im"
-          ];
-          metrics.enabled = true;
+        server_name = cfg.domain;
+        public_baseurl = "https://${cfg.realHost}";
+
+        signing_key_path = cfg.secrets.matrix-server-key;
+
+        allow_guest_access = false;
+        enable_registration = false;
+        # registration_requires_token = true;
+        registration_shared_secret_path = cfg.secrets.matrix-shared-secret;
+
+        enable_metrics = true;
+        url_preview_enabled = true;
+
+        database = {
+          name = "psycopg2";
+          args.password = "synapse";
         };
-        logging = [
+
+        listeners = [
+          {
+            port = httpPort;
+            resources = [
+              {
+                compress = true;
+                names = [ "client" ];
+              }
+              {
+                compress = false;
+                names = [ "federation" ];
+              }
+            ];
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+          }
           {
-            type = "std";
-            level = "info"; # "warn" on public release
+            port = metricsPort;
+            resources = [{
+              compress = false;
+              names = [ "metrics" ];
+            }];
+            type = "metrics";
+            tls = false;
           }
         ];
-        app_service_api = {
-          inherit database;
-          config_files = [ ];
-        };
-        client_api = {
-          registration_disabled = true;
-          rate_limiting.enabled = false;
-          rate_limiting.exempt_user_ids = [
-            "@abuse:${cfg.domain}"
-          ];
-          # registration_shared_secret = ""; # Initially set this option to configure the admin user.
-        } // optionalAttrs cfg.turn.enable {
-          turn = {
-            turn_user_lifetime = "24h";
-            turn_uris = [
-              "turns:${cfg.turn.domain}?transport=udp"
-              "turns:${cfg.turn.domain}?transport=tcp"
-              "turn:${cfg.turn.domain}?transport=udp"
-              "turn:${cfg.turn.domain}?transport=tcp"
-            ];
-            turn_shared_secret = cfg.turn.shared_secret;
+
+        trusted_key_servers = [{
+          server_name = "matrix.org";
+          verify_keys = {
+            "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
           };
+        }];
+        # Yes, we want to use matrix.org as our trusted key server
+        suppress_key_server_warning = true;
+      } // optionalAttrs (cfg.turn.enable) {
+        turn_uris = [
+          "turns:${cfg.turn.domain}?transport=udp"
+          "turns:${cfg.turn.domain}?transport=tcp"
+          "turn:${cfg.turn.domain}?transport=udp"
+          "turn:${cfg.turn.domain}?transport=tcp"
+        ];
+      };
+
+      sliding-sync = {
+        enable = true;
+        createDatabase = true;
+        settings = {
+          SYNCV3_SERVER = "https://${cfg.realHost}";
+          SYNCV3_BINDADDR = "[::1]:${toString slidingSyncPort}";
         };
-        media_api = {
-          inherit database;
-          dynamic_thumbnails = true;
-        };
-        room_server = {
-          inherit database;
-        };
-        push_server = {
-          inherit database;
-        };
-        mscs = {
-          inherit database;
-          mscs = [ "msc2836" "msc2946" ];
-        };
-        sync_api = {
-          inherit database;
-          real_ip_header = "X-Real-IP";
-          # The NixOS option is 'enable', which doesn't exist in Dendrite.
-          search.enabled = true;
-        };
-        key_server = {
-          inherit database;
-        };
-        federation_api = {
-          inherit database;
-          key_perspectives = [
-            {
-              server_name = "matrix.org";
-              keys = [
-                {
-                  key_id = "ed25519:auto";
-                  public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-                }
-                {
-                  key_id = "ed25519:a_RXGa";
-                  public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
-                }
-              ];
-            }
-          ];
-          prefer_direct_fetch = false;
-        };
-        user_api = {
-          account_database = database;
-          device_database = database;
-        };
+        environmentFile = cfg.secrets.sliding-sync-secret;
       };
-      loadCredential = [ "matrix-server-key:${cfg.secrets.matrix-server-key}" ];
-    } // optionalAttrs (cfg.secrets.dendrite-envs != null) {
-      environmentFile = cfg.secrets.dendrite-envs;
     };
-
+    ###################################### SYNAPSE END ##############################
+    # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
     services.prometheus.scrapeConfigs = [
       {
-        job_name = "dendrite";
+        job_name = "synapse";
+        metrics_path = "/_synapse/metrics";
         static_configs = [{
-          targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ];
+          targets = [ "127.0.0.1:${toString metricsPort}" ];
         }];
       }
     ];
 
-    systemd.services.dendrite = {
-      after = [ "postgresql.service" ];
-    };
-
     environment.persistence."/persist".directories = [
-      "/var/lib/private/dendrite"
+      "/var/lib/matrix-synapse"
     ];
 
-    services.sliding-sync = {
-      enable = true;
-      server = "https://${cfg.realHost}";
-      bindAddr = "[::1]:8009";
-      db = "postgres:///syncv3?host=/run/postgresql";
-      secret = cfg.secrets.sliding-sync-secret;
-      after = [ "dendrite.service" ];
-    };
-
     services.postgresql.enable = true;
-    services.postgresql.ensureDatabases = [ "dendrite" "syncv3" ];
-    services.postgresql.ensureUsers = [
-      {
-        name = "dendrite";
-        ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
-      }
-      {
-        name = "sliding-sync";
-        ensurePermissions."DATABASE syncv3" = "ALL PRIVILEGES";
-      }
-    ];
-
+    services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+       TEMPLATE template0
+       LC_COLLATE = "C"
+       LC_CTYPE = "C";
+    '';
     services.nginx.virtualHosts.${cfg.realHost} = {
       forceSSL = true;
       useACMEHost = cfg.domain;
@@ -186,9 +151,8 @@ in
         proxy_read_timeout 600;
         client_max_body_size 50M;
       '';
-      locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-      locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-      locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
+      locations."/_matrix".proxyPass = "http://[::1]:${toString httpPort}";
+      locations."/_synapse".proxyPass = "http://[::1]:${toString httpPort}";
     };
 
     services.nginx.virtualHosts.${cfg.domain} =
@@ -223,7 +187,7 @@ in
     services.nginx.virtualHosts.${cfg.slidingSyncHost} = {
       forceSSL = true;
       useACMEHost = cfg.domain;
-      locations."/".proxyPass = "http://${config.services.sliding-sync.bindAddr}";
+      locations."/".proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}";
     };
 
     networking.firewall.allowedTCPPorts = [ 443 8448 ];