From 8c2d625042c3497893702a6d3538330bb8148959 Mon Sep 17 00:00:00 2001 From: sefidel Date: Sun, 5 Nov 2023 12:50:11 +0900 Subject: chore(modules)!: dendrite -> matrix-homeserver This commit removes direct references to dendrite in system configuration to provide a base to switch to other homeservers. --- modules/services/dendrite.nix | 231 --------------------------------- modules/services/matrix-homeserver.nix | 231 +++++++++++++++++++++++++++++++++ systems/cobalt/default.nix | 2 +- 3 files changed, 232 insertions(+), 232 deletions(-) delete mode 100644 modules/services/dendrite.nix create mode 100644 modules/services/matrix-homeserver.nix diff --git a/modules/services/dendrite.nix b/modules/services/dendrite.nix deleted file mode 100644 index fe19e11..0000000 --- a/modules/services/dendrite.nix +++ /dev/null @@ -1,231 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.modules.services.dendrite; - - database = { - connection_string = "postgres:///dendrite?host=/run/postgresql"; - max_open_conns = 100; - max_idle_conns = 5; - conn_max_lifetime = -1; - }; -in -{ - imports = [ - ../../overlays/sliding-sync-module.nix - ]; - - options.modules.services.dendrite = { - enable = mkEnableOption "dendrite instance"; - domain = mkOption { type = types.str; }; - realHost = mkOption { type = types.str; default = "matrix.${cfg.domain}"; }; - slidingSyncHost = mkOption { type = types.str; default = "slidingsync.${cfg.domain}"; }; - turn = { - enable = mkEnableOption "VOIP suing TURN"; - domain = mkOption { type = types.str; default = "turn.${cfg.domain}"; }; - shared_secret = mkOption { type = types.str; }; - }; - secrets = { - matrix-server-key = mkOption { type = types.str; description = "path to the server key"; }; - dendrite-envs = mkOption { type = types.nullOr types.str; description = "path for the environment file to source"; }; - sliding-sync-secret = mkOption { type = types.nullOr types.str; description = "path to the sliding sync secret"; }; - }; - }; - - config = mkIf cfg.enable { - # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) - services.dendrite = { - enable = true; - settings = { - global = { - server_name = cfg.domain; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - jetstream.storage_path = "/var/lib/dendrite/jetstream"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - ]; - metrics.enabled = true; - }; - logging = [ - { - type = "std"; - level = "info"; # "warn" on public release - } - ]; - app_service_api = { - inherit database; - config_files = [ ]; - }; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - rate_limiting.exempt_user_ids = [ - "@abuse:${cfg.domain}" - ]; - # registration_shared_secret = ""; # Initially set this option to configure the admin user. - } // optionalAttrs cfg.turn.enable { - turn = { - turn_user_lifetime = "24h"; - turn_uris = [ - "turns:${cfg.turn.domain}?transport=udp" - "turns:${cfg.turn.domain}?transport=tcp" - "turn:${cfg.turn.domain}?transport=udp" - "turn:${cfg.turn.domain}?transport=tcp" - ]; - turn_shared_secret = cfg.turn.shared_secret; - }; - }; - media_api = { - inherit database; - dynamic_thumbnails = true; - }; - room_server = { - inherit database; - }; - push_server = { - inherit database; - }; - mscs = { - inherit database; - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - inherit database; - real_ip_header = "X-Real-IP"; - # The NixOS option is 'enable', which doesn't exist in Dendrite. - search.enabled = true; - }; - key_server = { - inherit database; - }; - federation_api = { - inherit database; - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - user_api = { - account_database = database; - device_database = database; - }; - }; - loadCredential = [ "matrix-server-key:${cfg.secrets.matrix-server-key}" ]; - } // optionalAttrs (cfg.secrets.dendrite-envs != null) { - environmentFile = cfg.secrets.dendrite-envs; - }; - - services.prometheus.scrapeConfigs = [ - { - job_name = "dendrite"; - static_configs = [{ - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; - }]; - } - ]; - - systemd.services.dendrite = { - after = [ "postgresql.service" ]; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/private/dendrite" - ]; - - services.sliding-sync = { - enable = true; - server = "https://${cfg.realHost}"; - bindAddr = "[::1]:8009"; - db = "postgres:///syncv3?host=/run/postgresql"; - secret = cfg.secrets.sliding-sync-secret; - after = [ "dendrite.service" ]; - }; - - services.postgresql.enable = true; - services.postgresql.ensureDatabases = [ "dendrite" "syncv3" ]; - services.postgresql.ensureUsers = [ - { - name = "dendrite"; - ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES"; - } - { - name = "sliding-sync"; - ensurePermissions."DATABASE syncv3" = "ALL PRIVILEGES"; - } - ]; - - services.nginx.virtualHosts.${cfg.realHost} = { - forceSSL = true; - useACMEHost = cfg.domain; - listen = [ - { addr = "0.0.0.0"; port = 443; ssl = true; } - { addr = "[::]"; port = 443; ssl = true; } - { addr = "0.0.0.0"; port = 8448; ssl = true; } - { addr = "[::]"; port = 8448; ssl = true; } - - ]; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - client_max_body_size 50M; - ''; - locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - }; - - services.nginx.virtualHosts.${cfg.domain} = - let - server-hello = { "m.server" = "${cfg.realHost}:443"; }; - client-hello = { - "m.homeserver"."base_url" = "https://${cfg.realHost}"; - "m.identity_server"."base_url" = "https://vector.im"; - "org.matrix.msc3575.proxy"."url" = "https://${cfg.slidingSyncHost}"; - }; - in - { - forceSSL = true; - useACMEHost = cfg.domain; - locations = { - "/.well-known/matrix/server" = { - extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server-hello}'; - ''; - }; - "/.well-known/matrix/client" = { - extraConfig = '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client-hello}'; - ''; - }; - }; - }; - - services.nginx.virtualHosts.${cfg.slidingSyncHost} = { - forceSSL = true; - useACMEHost = cfg.domain; - locations."/".proxyPass = "http://${config.services.sliding-sync.bindAddr}"; - }; - - networking.firewall.allowedTCPPorts = [ 443 8448 ]; - }; -} diff --git a/modules/services/matrix-homeserver.nix b/modules/services/matrix-homeserver.nix new file mode 100644 index 0000000..6af8f7f --- /dev/null +++ b/modules/services/matrix-homeserver.nix @@ -0,0 +1,231 @@ +{ config, lib, ... }: + +with lib; +let + cfg = config.modules.services.matrix-homeserver; + + database = { + connection_string = "postgres:///dendrite?host=/run/postgresql"; + max_open_conns = 100; + max_idle_conns = 5; + conn_max_lifetime = -1; + }; +in +{ + imports = [ + ../../overlays/sliding-sync-module.nix + ]; + + options.modules.services.matrix-homeserver = { + enable = mkEnableOption "matrix homeserver instance"; + domain = mkOption { type = types.str; }; + realHost = mkOption { type = types.str; default = "matrix.${cfg.domain}"; }; + slidingSyncHost = mkOption { type = types.str; default = "slidingsync.${cfg.domain}"; }; + turn = { + enable = mkEnableOption "VOIP using TURN"; + domain = mkOption { type = types.str; default = "turn.${cfg.domain}"; }; + shared_secret = mkOption { type = types.str; }; + }; + secrets = { + matrix-server-key = mkOption { type = types.str; description = "path to the server key"; }; + dendrite-envs = mkOption { type = types.nullOr types.str; description = "path for the environment file to source"; }; + sliding-sync-secret = mkOption { type = types.nullOr types.str; description = "path to the sliding sync secret"; }; + }; + }; + + config = mkIf cfg.enable { + # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) + services.dendrite = { + enable = true; + settings = { + global = { + server_name = cfg.domain; + # `private_key` has the type `path` + # prefix a `/` to make `path` happy + private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; + jetstream.storage_path = "/var/lib/dendrite/jetstream"; + trusted_third_party_id_servers = [ + "matrix.org" + "vector.im" + ]; + metrics.enabled = true; + }; + logging = [ + { + type = "std"; + level = "info"; # "warn" on public release + } + ]; + app_service_api = { + inherit database; + config_files = [ ]; + }; + client_api = { + registration_disabled = true; + rate_limiting.enabled = false; + rate_limiting.exempt_user_ids = [ + "@abuse:${cfg.domain}" + ]; + # registration_shared_secret = ""; # Initially set this option to configure the admin user. + } // optionalAttrs cfg.turn.enable { + turn = { + turn_user_lifetime = "24h"; + turn_uris = [ + "turns:${cfg.turn.domain}?transport=udp" + "turns:${cfg.turn.domain}?transport=tcp" + "turn:${cfg.turn.domain}?transport=udp" + "turn:${cfg.turn.domain}?transport=tcp" + ]; + turn_shared_secret = cfg.turn.shared_secret; + }; + }; + media_api = { + inherit database; + dynamic_thumbnails = true; + }; + room_server = { + inherit database; + }; + push_server = { + inherit database; + }; + mscs = { + inherit database; + mscs = [ "msc2836" "msc2946" ]; + }; + sync_api = { + inherit database; + real_ip_header = "X-Real-IP"; + # The NixOS option is 'enable', which doesn't exist in Dendrite. + search.enabled = true; + }; + key_server = { + inherit database; + }; + federation_api = { + inherit database; + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; + prefer_direct_fetch = false; + }; + user_api = { + account_database = database; + device_database = database; + }; + }; + loadCredential = [ "matrix-server-key:${cfg.secrets.matrix-server-key}" ]; + } // optionalAttrs (cfg.secrets.dendrite-envs != null) { + environmentFile = cfg.secrets.dendrite-envs; + }; + + services.prometheus.scrapeConfigs = [ + { + job_name = "dendrite"; + static_configs = [{ + targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + }]; + } + ]; + + systemd.services.dendrite = { + after = [ "postgresql.service" ]; + }; + + environment.persistence."/persist".directories = [ + "/var/lib/private/dendrite" + ]; + + services.sliding-sync = { + enable = true; + server = "https://${cfg.realHost}"; + bindAddr = "[::1]:8009"; + db = "postgres:///syncv3?host=/run/postgresql"; + secret = cfg.secrets.sliding-sync-secret; + after = [ "dendrite.service" ]; + }; + + services.postgresql.enable = true; + services.postgresql.ensureDatabases = [ "dendrite" "syncv3" ]; + services.postgresql.ensureUsers = [ + { + name = "dendrite"; + ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES"; + } + { + name = "sliding-sync"; + ensurePermissions."DATABASE syncv3" = "ALL PRIVILEGES"; + } + ]; + + services.nginx.virtualHosts.${cfg.realHost} = { + forceSSL = true; + useACMEHost = cfg.domain; + listen = [ + { addr = "0.0.0.0"; port = 443; ssl = true; } + { addr = "[::]"; port = 443; ssl = true; } + { addr = "0.0.0.0"; port = 8448; ssl = true; } + { addr = "[::]"; port = 8448; ssl = true; } + + ]; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_read_timeout 600; + client_max_body_size 50M; + ''; + locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; + locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; + locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; + }; + + services.nginx.virtualHosts.${cfg.domain} = + let + server-hello = { "m.server" = "${cfg.realHost}:443"; }; + client-hello = { + "m.homeserver"."base_url" = "https://${cfg.realHost}"; + "m.identity_server"."base_url" = "https://vector.im"; + "org.matrix.msc3575.proxy"."url" = "https://${cfg.slidingSyncHost}"; + }; + in + { + forceSSL = true; + useACMEHost = cfg.domain; + locations = { + "/.well-known/matrix/server" = { + extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server-hello}'; + ''; + }; + "/.well-known/matrix/client" = { + extraConfig = '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client-hello}'; + ''; + }; + }; + }; + + services.nginx.virtualHosts.${cfg.slidingSyncHost} = { + forceSSL = true; + useACMEHost = cfg.domain; + locations."/".proxyPass = "http://${config.services.sliding-sync.bindAddr}"; + }; + + networking.firewall.allowedTCPPorts = [ 443 8448 ]; + }; +} diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix index a663385..bbd5261 100644 --- a/systems/cobalt/default.nix +++ b/systems/cobalt/default.nix @@ -254,7 +254,7 @@ in }; services.fail2ban.enable = true; services.postgresql.enable = true; - services.dendrite = { + services.matrix-homeserver = { enable = true; domain = "exotic.sh"; realHost = "matrix.exotic.sh"; -- cgit 1.4.1