switch to synapse

This commit is contained in:
Charlotte 🦝 Delenk 2022-05-01 07:50:10 +01:00
parent 7162a762fb
commit 4bc48badd3
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122
4 changed files with 75 additions and 111 deletions


@ -15,7 +15,7 @@
./services/hostapd.nix
./services/mastodon.nix
./services/rspamd.nix
./services/dendrite.nix
./services/synapse.nix
./services/mautrix-telegram.nix
];


@ -1,105 +0,0 @@
{ lib, config, ... }: {
services.dendrite = {
enable = true;
environmentFile = config.sops.secrets."services/dendrite/secrets".path;
settings = {
global = {
server_name = "chir.rs";
trusted_third_party_id_servers = [
"matrix.org"
"vector.im"
];
presence = {
enable_inbound = true;
enable_outbound = true;
};
private_key = config.sops.secrets."services/dendrite/private_key".path;
};
app_service_api = {
database.connection_string = "postgresql:///dendrite_app_service?sslmode=disable&host=/run/postgresql";
config_files = [
"/var/lib/mautrix-telegram/telegram-registration.yaml"
];
};
client_api = {
registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
};
federation_api = {
database.connection_string = "postgresql:///dendrite_federation?sslmode=disable&host=/run/postgresql";
};
key_server.database.connection_string = "postgresql:///dendrite_keyserver?sslmode=disable&host=/run/postgresql";
media_api.database.connection_string = "postgresql:///dendrite_mediaapi?sslmode=disable&host=/run/postgresql";
mscs = {
mscs = [ "msc2836" "msc2946" ];
database.connection_string = "postgresql:///dendrite_mscs?sslmode=disable&host=/run/postgresql";
};
room_server.database.connection_string = "postgresql:///dendrite_roomserver?sslmode=disable&host=/run/postgresql";
sync_api.database.connection_string = "postgresql:///dendrite_syncapi?sslmode=disable&host=/run/postgresql";
user_api.account_database.connection_string = "postgresql:///dendrite_userapi?sslmode=disable&host=/run/postgresql";
user_api.device_database.connection_string = "postgresql:///dendrite_deviceapi?sslmode=disable&host=/run/postgresql";
};
};
sops.secrets."services/dendrite/secrets" = { owner = "dendrite"; };
sops.secrets."services/dendrite/private_key" = { owner = "dendrite"; };
services.postgresql.ensureDatabases = [
"dendrite_app_service"
"dendrite_federation"
"dendrite_keyserver"
"dendrite_mediaapi"
"dendrite_mscs"
"dendrite_roomserver"
"dendrite_syncapi"
"dendrite_userapi"
"dendrite_userapi_devices"
];
services.postgresql.ensureUsers = [{
name = "dendrite";
ensurePermissions = {
"DATABASE dendrite_app_service" = "ALL PRIVILEGES";
"DATABASE dendrite_federation" = "ALL PRIVILEGES";
"DATABASE dendrite_keyserver" = "ALL PRIVILEGES";
"DATABASE dendrite_mediaapi" = "ALL PRIVILEGES";
"DATABASE dendrite_mscs" = "ALL PRIVILEGES";
"DATABASE dendrite_roomserver" = "ALL PRIVILEGES";
"DATABASE dendrite_syncapi" = "ALL PRIVILEGES";
"DATABASE dendrite_userapi" = "ALL PRIVILEGES";
"DATABASE dendrite_userapi_devices" = "ALL PRIVILEGES";
};
}];
systemd.services.dendrite.serviceConfig = {
User = "dendrite";
Group = "dendrite";
DynamicUser = lib.mkForce false;
};
users.users.dendrite = {
description = "Dendrite";
home = "/var/lib/dendrite";
useDefaultShell = true;
group = "dendrite";
isSystemUser = true;
};
users.groups.dendrite = { };
services.nginx.virtualHosts =
let
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
add_header Alt-Svc 'h3=":443"';
'';
dendrite = {
listenAddresses = listenIPs;
locations."/_matrix" = {
proxyPass = "http://localhost:8008";
};
};
in
{
"matrix.chir.rs" = dendrite // {
sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
};
"matrix.int.chir.rs" = dendrite // {
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
};
};
}


@ -0,0 +1,70 @@
{ lib, config, ... }: {
services.matrix-synapse = {
enable = true;
settings = {
server_name = "chir.rs";
public_baseurl = "https://matrix.chir.rs/";
listeners = [{
port = 8008;
tls = false;
type = "http";
x_forwarded = true;
bind_addresses = [ "::1" "127.0.0.1" ];
resources = [{
names = [ "client" "federation" ];
compress = false;
}];
}];
admin_contact = "mailto:lotte@chir.rs";
retention.enabled = true;
database = {
name = "psycopg2";
txn_limit = 10000;
args = {
host = "/run/postgresql";
user = "matrix-synapse";
database = "synapse";
};
};
enable_media_repo = false;
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"192.0.0.0/24"
"169.254.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"192.0.2.0/24"
"198.51.100.0/24"
"203.0.113.0/24"
"224.0.0.0/4"
"fe80::/10"
"fc00::/7"
"2001:db8::/32"
"ff00::/8"
"fec0::/10"
];
enable_registration = false;
app_service_config_files = [
"/var/lib/mautrix-telegram/telegram-registration.yaml"
];
signing_key_path = config.sops.secrets."services/synapse/private_key".path;
encryption_enabled_by_default_for_room_type = "all";
};
withJemalloc = true;
};
sops.secrets."services/synapse/private_key" = { owner = "matrix-synapse"; };
services.postgresql.ensureDatabases = [
"synapse"
];
services.postgresql.ensureUsers = [{
name = "matrix-synapse";
ensurePermissions = {
"DATABASE matrix-synapse" = "ALL PRIVILEGES";
};
}];
}
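Review bot: The grant `"DATABASE matrix-synapse" = "ALL PRIVILEGES";` in ensurePermissions names a database this module never creates: ensureDatabases creates `synapse` and `database.args.database` points Synapse at `synapse`, so the `matrix-synapse` role ends up without privileges on the database it actually uses (and the hyphenated, unquoted identifier in the generated GRANT statement is unlikely to parse anyway); it should read `"DATABASE synapse" = "ALL PRIVILEGES";`. Separately, `url_preview_ip_range_blacklist` looks like the upstream sample list minus `::1/128`, and since the listener binds `::1`, a preview fetch aimed at IPv6 loopback would not be rejected, so `"::1/128"` should be added next to `"127.0.0.0/8"`. The nginx virtual hosts for matrix.chir.rs that the deleted dendrite.nix defined are not re-added here even though `public_baseurl` still points at that host; that is fine if they now live in another module, otherwise the reverse proxy in front of port 8008 is gone with this commit.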


@ -2,9 +2,8 @@ network:
wireguard:
privkey: ENC[AES256_GCM,data:JDCu/XUbXJz13OqC35DQS+g0XDUGUXIBMDK2i0gCnnRqe7pTkIauTLHeh64=,iv:Ybex9u6i4QN6MXECTBJy8YBgK5Ge/LRxZLE5lXBhBPM=,tag:v+ESpwLqMcDxv9ThgqxXiw==,type:str]
services:
dendrite:
secrets: ENC[AES256_GCM,data:NTm9xCA51s3ASIhIKy/wET4MqNQ=,iv:ktv+IAtbFTu6MI7HfKnT8a4m9KnFiA3hbOrhUFG6sUw=,tag:X/6O6iheQ24KbFl7XFOJpw==,type:str]
private_key: ENC[AES256_GCM,data:WODNoOxyNF0TjS98abNseCsXrAPQpNRGAg7qUKLxc0MaSnq4OxXQvP4jZ/AFQeOOyy1J0OeKnzg4WSiOXMWVf1+WCy4OL2IOIQQa733BTLhBsl3OzvZ/wKN0aLSdnTN32bN7srUkPTxhAE9C1eHApW0v7/mxxo4XUHcVViy2Lhq4n09LxswgHOY=,iv:G7ovMcU+Fs41OV9Prqi9NoxBiwciIBdFi/YPswBemdU=,tag:QmNsYGrPjJKY+Uss5ZMuTg==,type:str]
synapse:
private_key: ENC[AES256_GCM,data:bu+jW65saJKkq9yxP23MXdebZlI8jPUSiwdlCeCRku7yXnzI1rshh5DPvduewrVNxHujaNZiB6k6MxhvkKtDa8cJWDs+kce5XgeD56vwQXusE55oB3sa2QhxBzzfgIAt1AfeBQncssKSJekzcEa0f8tPoZ3B2HUp/OTD60B2StmvZP7XAcj274M=,iv:RIk+LdJbAZr0KeLZz8rYFwsRktbGHRx1jouos3VV1dY=,tag:Mwj1xY9K/qpggTYxNpF98g==,type:str]
mautrix:
telegram: ENC[AES256_GCM,data:xqGq14icmy8Eapm+aFNf+2wSjjwyjp/8OrOpiHBVqCk87SQ/B8K3o+WN50wjuscg8pe+L9S7xdENLroY/V1wcanvEpY4XcKfatKqw5h+E0O9mGs2GZJqi2dpKt09OTSJ8j1Je1ENPGazHVjBix9jK5x2+qrs0s1Vrqg4do9fBh3CPfDwIBVQCxrz3i5LI8il1Nr6bJ3x83vB22nw21UpqBnVQu//zNjzCPtma0dr5mPuiZkDriKYVaFTsFBRNpADNcHwWqaCkO57UoLhPA==,iv:BFe08lLaA2hjEhq99dmNSHE4rq4TLKHV9k8ZC8eRQhk=,tag:MydlA3g3dJJEdHHLOruHMg==,type:str]
hydra:
@ -58,8 +57,8 @@ sops:
WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5
2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-04-30T21:18:37Z"
mac: ENC[AES256_GCM,data:qxfY5zFazFEvqG5v1VbGJGxD8pu344rleuitWzvrmfVO1A375wiTApokGDkwgBCVbulKTpFPIprc64ZmHNob4EE+tuRipJL4pCcaFgrNPLyqgLbvt41dduQRDwvGkkJgM7ktmFmm03dLrgfCaZed99k2UCBGoTiDlq8rcLFziTE=,iv:TNoZL1969PJv95rQgH40nMrDcYmXLeYmNc7vEEX4+hI=,tag:SkJyXS9yaiXHCixyZK6BUA==,type:str]
lastmodified: "2022-05-01T06:46:51Z"
mac: ENC[AES256_GCM,data:EPschppnbMaVibvgNOmCpuP7/UfDwx5NdoTFG4m0OdG9gLoVYs0HVZZPRwwEhopPRhv3gqeaYi+ILcHMF1ES08darbC1SnEEPeoRndlRr4Fj2dQO9Ys/FFEFHccjbOSgT6R92EFD3yBXq6WDhMssrLa9LCcM2M8afHhjUzSapuc=,iv:sa5sTcrcVJb5dAijfxBQ/UJX/9RRMXiRemmbwnGuKFE=,tag:t6Ri1DEApIyQb5wo98v8aA==,type:str]
pgp:
- created_at: "2022-04-24T10:34:20Z"
enc: |