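{
  nix-packages,
  system,
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (nix-packages.packages.${system}) matrix-media-repo;

  # State directory of the service and the rendered config file inside it.
  stateDir = "/var/lib/matrix-media-repo";
  configPath = "${stateDir}/config.yml";

  # Config template. The S3 credential fields hold placeholders that preStart
  # substitutes with the sops-managed secrets at service start, so the template
  # (which lands in the world-readable Nix store) carries no secret material.
  config-yml = pkgs.writeText "matrix-media-repo.yaml" (lib.generators.toYAML {} {
    repo = {
      bindAddress = "127.0.0.1";
      port = 8008;
      logDirectory = "-";
    };
    database.postgres = "postgresql:///matrix_media_repo?sslmode=disable&host=/run/postgresql";
    homeservers = [
      {
        name = "matrix.chir.rs";
        csApi = "https://matrix.chir.rs";
      }
      {
        name = "matrix.int.chir.rs";
        csApi = "https://matrix.chir.rs";
      }
    ];
    admins = ["@lotte:chir.rs"];
    datastores = [
      {
        type = "s3";
        id = "b003babbb86fecf56bb9ba6571f9adb0bd1e71c8";
        enabled = true;
        forKinds = ["all"];
        opts = {
          tempPath = "/tmp/mediarepo_s3_upload";
          endpoint = "s3.us-west-000.backblazeb2.com";
          accessKeyId = "#ACCESS_KEY_ID#";
          accessSecret = "#SECRET_ACCESS_KEY#";
          ssl = true;
          bucketName = "matrix-chir-rs";
          region = "us-west-000";
        };
      }
    ];
    metrics = {
      enabled = true;
      # Binds every address; exposure is limited by the firewall rule below,
      # which opens port 9000 on wg0 only.
      bindAddress = "::";
      port = 9000;
    };
    urlPreviews = {
      enabled = true;
      numWorkers = 10;
      oEmbed = true;
      allowedNetworks = [
        "0.0.0.0/0"
        "::/0"
      ];
      # URL previews make the server fetch user-supplied URLs, so every
      # non-public range is denied to limit SSRF against loopback, LAN,
      # CGNAT and link-local (cloud metadata) addresses.
      disallowedNetworks = [
        "0.0.0.0/8"
        "127.0.0.0/8"
        "10.0.0.0/8"
        "100.64.0.0/10"
        "169.254.0.0/16"
        "172.16.0.0/12"
        "192.168.0.0/16"
        "::1/128"
        "fe80::/10"
        "fc00::/7"
      ];
      userAgent = "TelegramBot (like TwitterBot)"; # to make it work with fxtwitter/vxtwitter
    };
    downloads = {
      expireAfterDays = 7;
    };
    featureSupport = {
      MSC2448.enabled = true;
      MSC2246 = {
        enabled = true;
        asyncUploadExpirySecs = 120;
      };
    };
    sentry = {
      enable = true;
      dsn = "https://18e36e6f16b5490c83364101717cddba@o253952.ingest.sentry.io/6449283";
    };
    thumbnails = {
      maxSourceBytes = 0;
      maxPixels = 102000000;
      types = [
        "image/jpeg"
        "image/jpg"
        "image/png"
        "image/apng"
        "image/gif"
        "image/heif"
        "image/webp"
        "image/svg+xml"
        "image/jxl"
        "audio/mpeg"
        "audio/ogg"
        "audio/wav"
        "audio/flac"
        "video/mp4"
        "video/webm"
        "video/x-matroska"
        "video/quicktime"
      ];
    };
  });
in {
  # Prometheus metrics are only reachable over the wireguard interface.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [9000];

  systemd.services.matrix-media-repo = {
    description = "Matrix Media Repo";
    after = ["network.target"];
    wantedBy = ["multi-user.target"];
    path = [matrix-media-repo pkgs.ffmpeg pkgs.imagemagick];
    # Renders the config with the real S3 credentials. Runs as the service
    # user (sops sets the secret owner below), so no root step is needed.
    preStart = ''
      # The rendered file holds credentials: make it owner-only from creation.
      umask 077
      # Escape sed replacement metacharacters (& | \) so an unusual secret
      # value cannot alter the substitution expression.
      esc() { printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'; }
      akid=$(esc "$(cat ${config.sops.secrets."services/matrix-media-repo/access-key-id".path})")
      sak=$(esc "$(cat ${config.sops.secrets."services/matrix-media-repo/secret-access-key".path})")
      cat ${config-yml} > ${configPath}
      sed -i "s|#ACCESS_KEY_ID#|$akid|g" ${configPath}
      sed -i "s|#SECRET_ACCESS_KEY#|$sak|g" ${configPath}
    '';
    serviceConfig = {
      Type = "simple";
      User = "matrix-media-repo";
      Group = "matrix-media-repo";
      Restart = "always";
      ExecStart = "${matrix-media-repo}/bin/media_repo -config ${configPath}";
      # Basic sandboxing: the filesystem is read-only except the state dir and
      # the private /tmp that the S3 upload staging path lives in.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ReadWritePaths = [stateDir];
    };
  };

  # Periodically asks the media repo to drop media older than three months.
  systemd.services.purge-old-media = {
    path = [pkgs.curl];
    description = "Purge unused media";
    script = ''
      umask 077
      hdr=$(mktemp)
      trap 'rm -f "$hdr"' EXIT
      # The admin token is passed to curl through a header file rather than
      # on the command line, so it is not visible in the process list.
      printf 'Authorization: Bearer %s\n' "$(cat ${config.sops.secrets."services/matrix-media-repo/matrix-token".path})" > "$hdr"
      for _ in $(seq 1000); do
        # --fail turns an HTTP 4xx/5xx into a non-zero exit, so a failed
        # purge is retried instead of being reported as success.
        if curl --fail --silent --show-error -H "@$hdr" -X POST \
             "https://matrix.chir.rs/_matrix/media/unstable/admin/purge/old?before_ts=$(date -d "3 months ago" +%s%3N)&include_local=true"; then
          exit 0
        fi
        # Back off between attempts instead of hammering the endpoint.
        sleep 10
      done
      exit 1
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "matrix-media-repo";
      Group = "matrix-media-repo";
    };
  };

  systemd.timers.purge-old-media = {
    description = "Purge unused media";
    after = ["network.target" "matrix-media-repo.service"];
    requires = ["purge-old-media.service"];
    wantedBy = ["multi-user.target"];
    timerConfig = {
      OnUnitInactiveSec = 300;
      RandomizedDelaySec = 300;
    };
  };

  # Secrets are decrypted for the service user so preStart and the purge job
  # can read them without root.
  sops.secrets."services/matrix-media-repo/access-key-id".owner = "matrix-media-repo";
  sops.secrets."services/matrix-media-repo/secret-access-key".owner = "matrix-media-repo";
  sops.secrets."services/matrix-media-repo/matrix-token".owner = "matrix-media-repo";

  users.users.matrix-media-repo = {
    description = "Matrix Media Repository";
    home = stateDir;
    useDefaultShell = true;
    group = "matrix-media-repo";
    isSystemUser = true;
  };
  users.groups.matrix-media-repo = {};

  systemd.tmpfiles.rules = [
    "d '${stateDir}' 0750 matrix-media-repo matrix-media-repo - -"
  ];

  services.postgresql.ensureDatabases = [
    "matrix_media_repo"
  ];
  services.postgresql.ensureUsers = [
    {
      name = "matrix-media-repo";
      ensurePermissions = {
        "DATABASE matrix_media_repo" = "ALL PRIVILEGES";
      };
    }
  ];

  services.caddy.virtualHosts."matrix.chir.rs" = {
    useACMEHost = "chir.rs";
    logFormat = lib.mkForce "";
    extraConfig = ''
      import baseConfig

      handle /_matrix/media/* {
        reverse_proxy http://localhost:8008 {
          header_down Access-Control-Allow-Origin *
          # A wildcard Allow-Headers does not cover Authorization, so the
          # header list the Matrix spec recommends is spelled out instead.
          header_down Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization"
        }
      }

      handle /_matrix/client/v3/logout/* {
        reverse_proxy http://localhost:8008
      }

      handle /_matrix/* {
        reverse_proxy {
          to https://matrix.int.chir.rs
          header_up Host {upstream_hostport}

          transport http {
            versions 1.1 2 3
          }
        }
      }

      handle /.well-known/matrix/server {
        header Access-Control-Allow-Origin *
        header Content-Type application/json
        respond "{ \"m.server\": \"matrix.chir.rs:443\" }" 200
      }

      handle /.well-known/matrix/client {
        header Access-Control-Allow-Origin *
        header Content-Type application/json
        respond "{ \"m.homeserver\": { \"base_url\": \"https://matrix.chir.rs\" } }" 200
      }
    '';
  };
}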