nixos-config/config/services/dendrite.nix

103 lines
3.7 KiB
Nix
Raw Normal View History

2022-04-29 20:21:31 +00:00
{ lib, config, ... }: {
services.dendrite = {
enable = true;
environmentFile = config.sops.secrets."services/dendrite/secrets".path;
settings = {
global = {
server_name = "chir.rs";
trusted_third_party_id_servers = [
"matrix.org"
"vector.im"
];
presence = {
enable_inbound = true;
enable_outbound = true;
};
2022-04-29 20:30:14 +00:00
private_key = config.sops.secrets."services/dendrite/private_key".path;
};
2022-04-30 19:57:51 +00:00
app_service_api.database = {
connection_string = "postgresql:///dendrite_app_service?sslmode=disable&host=/run/postgresql";
config_files = [
2022-04-30 20:10:45 +00:00
"/var/lib/mautrix-telegram/telegram-registration.yaml"
2022-04-30 19:57:51 +00:00
];
};
client_api = {
registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
};
federation_api = {
2022-04-29 20:39:41 +00:00
database.connection_string = "postgresql:///dendrite_federation?sslmode=disable&host=/run/postgresql";
};
2022-04-29 20:39:41 +00:00
key_server.database.connection_string = "postgresql:///dendrite_keyserver?sslmode=disable&host=/run/postgresql";
2022-04-29 20:47:08 +00:00
media_api.database.connection_string = "postgresql:///dendrite_mediaapi?sslmode=disable&host=/run/postgresql";
2022-04-29 20:21:31 +00:00
mscs = {
mscs = [ "msc2836" "msc2946" ];
2022-04-29 20:39:41 +00:00
database.connection_string = "postgresql:///dendrite_mscs?sslmode=disable&host=/run/postgresql";
2022-04-29 20:21:31 +00:00
};
2022-04-29 20:39:41 +00:00
room_server.database.connection_string = "postgresql:///dendrite_roomserver?sslmode=disable&host=/run/postgresql";
sync_api.database.connection_string = "postgresql:///dendrite_syncapi?sslmode=disable&host=/run/postgresql";
2022-04-30 07:32:54 +00:00
user_api.account_database.connection_string = "postgresql:///dendrite_userapi?sslmode=disable&host=/run/postgresql";
};
};
sops.secrets."services/dendrite/secrets" = { owner = "dendrite"; };
2022-04-29 20:30:14 +00:00
sops.secrets."services/dendrite/private_key" = { owner = "dendrite"; };
services.postgresql.ensureDatabases = [
"dendrite_app_service"
"dendrite_federation"
"dendrite_keyserver"
2022-04-29 20:21:31 +00:00
"dendrite_mediaapi"
"dendrite_mscs"
"dendrite_roomserver"
"dendrite_syncapi"
"dendrite_userapi"
];
services.postgresql.ensureUsers = [{
name = "dendrite";
ensurePermissions = {
"DATABASE dendrite_app_service" = "ALL PRIVILEGES";
"DATABASE dendrite_federation" = "ALL PRIVILEGES";
"DATABASE dendrite_keyserver" = "ALL PRIVILEGES";
2022-04-29 20:21:31 +00:00
"DATABASE dendrite_mediaapi" = "ALL PRIVILEGES";
"DATABASE dendrite_mscs" = "ALL PRIVILEGES";
"DATABASE dendrite_roomserver" = "ALL PRIVILEGES";
"DATABASE dendrite_syncapi" = "ALL PRIVILEGES";
"DATABASE dendrite_userapi" = "ALL PRIVILEGES";
};
}];
2022-04-29 20:30:14 +00:00
systemd.services.dendrite.serviceConfig = {
User = "dendrite";
Group = "dendrite";
DynamicUser = lib.mkForce false;
};
users.users.dendrite = {
2022-04-30 20:10:45 +00:00
description = "Dendrite";
2022-04-29 20:30:14 +00:00
home = "/var/lib/dendrite";
useDefaultShell = true;
group = "dendrite";
isSystemUser = true;
};
users.groups.dendrite = { };
2022-04-29 20:21:31 +00:00
services.nginx.virtualHosts =
let
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
add_header Alt-Svc 'h3=":443"';
'';
dendrite = {
listenAddresses = listenIPs;
locations."/_matrix" = {
proxyPass = "http://localhost:8008";
};
};
in
{
"matrix.chir.rs" = dendrite // {
sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
};
"matrix.int.chir.rs" = dendrite // {
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
};
};
}