nixos-config/config/services/matrix-media-repo.nix

176 lines
5.1 KiB
Nix
Raw Normal View History

2022-06-12 15:39:15 +00:00
{
nix-packages,
system,
config,
pkgs,
lib,
...
}: let
2022-06-12 15:42:42 +00:00
inherit (nix-packages.packages.${system}) matrix-media-repo;
2022-06-12 15:39:15 +00:00
config-yml = pkgs.writeText "matrix-media-repo.yaml" (lib.generators.toYAML {} {
2022-04-29 16:34:08 +00:00
repo = {
bindAddress = "127.0.0.1";
port = 8008;
2022-05-27 17:58:46 +00:00
logDirectory = "-";
2022-04-29 16:34:08 +00:00
};
2022-04-29 20:11:01 +00:00
database.postgres = "postgresql:///matrix_media_repo?sslmode=disable&host=/run/postgresql";
2022-06-12 15:39:15 +00:00
homeservers = [
{
name = "matrix.chir.rs";
csApi = "https://matrix.chir.rs";
}
];
admins = ["@lotte:chir.rs"];
datastores = [
{
type = "s3";
enabled = true;
forKinds = ["all"];
opts = {
tempPath = "/tmp/mediarepo_s3_upload";
endpoint = "s3.us-west-000.backblazeb2.com";
accessKeyId = "#ACCESS_KEY_ID#";
accessSecret = "#SECRET_ACCESS_KEY#";
ssl = true;
bucketName = "matrix-chir-rs";
region = "us-west-000";
};
}
];
2022-05-03 09:31:27 +00:00
metrics = {
enabled = true;
bindAddress = "::";
2022-05-03 09:31:27 +00:00
port = 9000;
};
2022-05-27 14:27:16 +00:00
urlPreviews = {
enabled = true;
numWorkers = 10;
oEmbed = true;
2022-08-20 13:18:18 +00:00
allowedNetworks = [
"0.0.0.0/0"
"::/0"
];
2022-05-27 14:27:16 +00:00
disallowedNetworks = [
"127.0.0.1/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"::1/128"
"fe80::/64"
"fc00::/7"
];
userAgent = "TelegramBot (like TwitterBot)"; # to make it work with fxtwitter/vxtwitter
2022-05-27 14:27:16 +00:00
};
downloads = {
expireAfterDays = 7;
};
2022-05-28 07:38:51 +00:00
featureSupport = {
MSC2448.enabled = true;
MSC2246 = {
enabled = true;
asyncUploadExpirySecs = 120;
};
};
2022-05-28 07:43:59 +00:00
sentry = {
enable = true;
dsn = "https://18e36e6f16b5490c83364101717cddba@o253952.ingest.sentry.io/6449283";
};
2022-04-29 16:34:08 +00:00
});
2022-06-12 15:39:15 +00:00
in {
networking.firewall.interfaces."wg0".allowedTCPPorts = [9000];
2022-04-29 16:34:08 +00:00
systemd.services.matrix-media-repo = {
description = "Matrix Media Repo";
2022-06-12 15:39:15 +00:00
after = ["network.target"];
wantedBy = ["multi-user.target"];
path = [matrix-media-repo];
2022-04-29 16:34:08 +00:00
preStart = ''
akid=$(cat ${config.sops.secrets."services/matrix-media-repo/access-key-id".path})
2022-04-30 08:15:58 +00:00
sak=$(cat ${config.sops.secrets."services/matrix-media-repo/secret-access-key".path})
2022-04-29 16:42:18 +00:00
cat ${config-yml} > /var/lib/matrix-media-repo/config.yml
2022-04-29 16:46:43 +00:00
sed -i "s|#ACCESS_KEY_ID#|$akid|g" /var/lib/matrix-media-repo/config.yml
sed -i "s|#SECRET_ACCESS_KEY#|$sak|g" /var/lib/matrix-media-repo/config.yml
2022-04-29 16:34:08 +00:00
'';
serviceConfig = {
Type = "simple";
User = "matrix-media-repo";
Group = "matrix-media-repo";
Restart = "always";
ExecStart = "${matrix-media-repo}/bin/media_repo -config /var/lib/matrix-media-repo/config.yml";
};
};
sops.secrets."services/matrix-media-repo/access-key-id".owner = "matrix-media-repo";
sops.secrets."services/matrix-media-repo/secret-access-key".owner = "matrix-media-repo";
users.users.matrix-media-repo = {
description = "Matrix Media Repository";
home = "/var/lib/matrix-media-repo";
useDefaultShell = true;
group = "matrix-media-repo";
isSystemUser = true;
};
2022-06-12 15:39:15 +00:00
users.groups.matrix-media-repo = {};
2022-04-29 16:34:08 +00:00
systemd.tmpfiles.rules = [
"d '/var/lib/matrix-media-repo' 0750 matrix-media-repo matrix-media-repo - -"
];
2022-04-29 20:00:21 +00:00
services.postgresql.ensureDatabases = [
"matrix_media_repo"
2022-04-29 20:00:21 +00:00
];
2022-06-12 15:39:15 +00:00
services.postgresql.ensureUsers = [
{
name = "matrix-media-repo";
ensurePermissions = {
"DATABASE matrix_media_repo" = "ALL PRIVILEGES";
};
}
];
2022-04-29 20:35:33 +00:00
services.nginx.virtualHosts."matrix.chir.rs" = {
2022-04-29 20:55:02 +00:00
sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
2022-04-29 20:35:33 +00:00
locations."/_matrix" = {
proxyPass = "https://matrix.int.chir.rs";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
2022-04-30 08:02:19 +00:00
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin '*' always;
2022-04-29 20:35:33 +00:00
'';
};
locations."/_matrix/media" = {
proxyPass = "http://localhost:8008";
proxyWebsockets = true;
2022-04-30 08:02:19 +00:00
extraConfig = ''
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin '*' always;
'';
2022-04-29 20:35:33 +00:00
};
2022-04-30 07:15:14 +00:00
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{ "m.server": "matrix.chir.rs:443" }';
'';
};
locations."/.well-known/matrix/client" = {
extraConfig = ''
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.chir.rs" } }';
'';
};
2022-05-03 14:23:05 +00:00
locations."/_synapse/metrics" = {
extraConfig = ''
return 404 'Not found';
'';
};
2022-04-29 20:35:33 +00:00
};
services.nginx.virtualHosts."chir.rs" = {
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{ "m.server": "matrix.chir.rs:443" }';
'';
};
locations."/.well-known/matrix/client" = {
extraConfig = ''
add_header Access-Control-Allow-Origin '*';
2022-04-30 07:15:14 +00:00
return 200 '{ "m.homeserver": { "base_url": "https://matrix.chir.rs" } }';
2022-04-29 20:35:33 +00:00
'';
};
};
2022-04-29 16:34:08 +00:00
}