Diffstat (limited to 'modules')
-rw-r--r-- | modules/services/matrix-homeserver.nix | 216 |
1 files changed, 90 insertions, 126 deletions
diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix index 6af8f7f..6089b12 100644 --- a/modules/services/matrix-homeserver.nix +++ b/modules/services/matrix-homeserver.nix @@ -1,15 +1,12 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; let cfg = config.modules.services.matrix-homeserver; - database = { - connection_string = "postgres:///dendrite?host=/run/postgresql"; - max_open_conns = 100; - max_idle_conns = 5; - conn_max_lifetime = -1; - }; + httpPort = 8008; + slidingSyncPort = 8009; + metricsPort = 8010; in { imports = [ 
@@ -28,148 +25,116 @@ in }; secrets = { matrix-server-key = mkOption { type = types.str; description = "path to the server key"; }; + matrix-shared-secret = mkOption { type = types.str; description = "path to the registration shared secret"; }; dendrite-envs = mkOption { type = types.nullOr types.str; description = "path for the environment file to source"; }; + extra-config-path = mkOption { type = types.nullOr types.str; description = "path to the extra configuration file to source"; }; sliding-sync-secret = mkOption { type = types.nullOr types.str; description = "path to the sliding sync secret"; }; }; }; config = mkIf cfg.enable { - # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) - services.dendrite = { + services.matrix-synapse = { enable = true; + withJemalloc = true; + dataDir = "/var/lib/matrix-synapse"; settings = { - global = { - server_name = cfg.domain; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - jetstream.storage_path = "/var/lib/dendrite/jetstream"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - ]; - metrics.enabled = true; + server_name = cfg.domain; + public_baseurl = "https://${cfg.realHost}"; + + signing_key_path = cfg.secrets.matrix-server-key; + + allow_guest_access = false; + enable_registration = false; + # registration_requires_token = true; + registration_shared_secret_path = cfg.secrets.matrix-shared-secret; + + enable_metrics = true; + url_preview_enabled = true; + + database = { + name = "psycopg2"; + args.password = "synapse"; }; - logging = [ + + listeners = [ + { + port = httpPort; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { + compress = false; + names = [ "federation" ]; + } + ]; + type = "http"; + tls = false; + x_forwarded = true; + } { - type = "std"; - level = "info"; # "warn" on public release + port = metricsPort; + resources = [{ + compress = false; + names = [ "metrics" ]; + 
}]; + type = "metrics"; + tls = false; } ]; - app_service_api = { - inherit database; - config_files = [ ]; - }; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - rate_limiting.exempt_user_ids = [ - "@abuse:${cfg.domain}" - ]; - # registration_shared_secret = ""; # Initially set this option to configure the admin user. - } // optionalAttrs cfg.turn.enable { - turn = { - turn_user_lifetime = "24h"; - turn_uris = [ - "turns:${cfg.turn.domain}?transport=udp" - "turns:${cfg.turn.domain}?transport=tcp" - "turn:${cfg.turn.domain}?transport=udp" - "turn:${cfg.turn.domain}?transport=tcp" - ]; - turn_shared_secret = cfg.turn.shared_secret; + + trusted_key_servers = [{ + server_name = "matrix.org"; + verify_keys = { + "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; }; + }]; + # Yes, we want to use matrix.org as our trusted key server + suppress_key_server_warning = true; + } // optionalAttrs (cfg.turn.enable) { + turn_uris = [ + "turns:${cfg.turn.domain}?transport=udp" + "turns:${cfg.turn.domain}?transport=tcp" + "turn:${cfg.turn.domain}?transport=udp" + "turn:${cfg.turn.domain}?transport=tcp" + ]; + }; + + sliding-sync = { + enable = true; + createDatabase = true; + settings = { + SYNCV3_SERVER = "https://${cfg.realHost}"; + SYNCV3_BINDADDR = "[::1]:${toString slidingSyncPort}"; }; - media_api = { - inherit database; - dynamic_thumbnails = true; - }; - room_server = { - inherit database; - }; - push_server = { - inherit database; - }; - mscs = { - inherit database; - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - inherit database; - real_ip_header = "X-Real-IP"; - # The NixOS option is 'enable', which doesn't exist in Dendrite. 
- search.enabled = true; - }; - key_server = { - inherit database; - }; - federation_api = { - inherit database; - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - user_api = { - account_database = database; - device_database = database; - }; + environmentFile = cfg.secrets.sliding-sync-secret; }; - loadCredential = [ "matrix-server-key:${cfg.secrets.matrix-server-key}" ]; - } // optionalAttrs (cfg.secrets.dendrite-envs != null) { - environmentFile = cfg.secrets.dendrite-envs; }; - + ###################################### SYNAPSE END ############################## + # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) services.prometheus.scrapeConfigs = [ { - job_name = "dendrite"; + job_name = "synapse"; + metrics_path = "/_synapse/metrics"; static_configs = [{ - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + targets = [ "127.0.0.1:${toString metricsPort}" ]; }]; } ]; - systemd.services.dendrite = { - after = [ "postgresql.service" ]; - }; - environment.persistence."/persist".directories = [ - "/var/lib/private/dendrite" + "/var/lib/matrix-synapse" ]; - services.sliding-sync = { - enable = true; - server = "https://${cfg.realHost}"; - bindAddr = "[::1]:8009"; - db = "postgres:///syncv3?host=/run/postgresql"; - secret = cfg.secrets.sliding-sync-secret; - after = [ "dendrite.service" ]; - }; - services.postgresql.enable = true; - services.postgresql.ensureDatabases = [ "dendrite" "syncv3" ]; - services.postgresql.ensureUsers = [ - { - name = "dendrite"; - ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES"; - } - { - name = "sliding-sync"; - ensurePermissions."DATABASE syncv3" = "ALL PRIVILEGES"; - } - ]; - + services.postgresql.initialScript = pkgs.writeText 
"synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; services.nginx.virtualHosts.${cfg.realHost} = { forceSSL = true; useACMEHost = cfg.domain; @@ -186,9 +151,8 @@ in proxy_read_timeout 600; client_max_body_size 50M; ''; - locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; + locations."/_matrix".proxyPass = "http://[::1]:${toString httpPort}"; + locations."/_synapse".proxyPass = "http://[::1]:${toString httpPort}"; }; services.nginx.virtualHosts.${cfg.domain} = @@ -223,7 +187,7 @@ in services.nginx.virtualHosts.${cfg.slidingSyncHost} = { forceSSL = true; useACMEHost = cfg.domain; - locations."/".proxyPass = "http://${config.services.sliding-sync.bindAddr}"; + locations."/".proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; }; networking.firewall.allowedTCPPorts = [ 443 8448 ]; |