switch to synapse
This commit is contained in:
parent
7162a762fb
commit
4bc48badd3
4 changed files with 75 additions and 111 deletions
|
@ -15,7 +15,7 @@
|
|||
./services/hostapd.nix
|
||||
./services/mastodon.nix
|
||||
./services/rspamd.nix
|
||||
./services/dendrite.nix
|
||||
./services/synapse.nix
|
||||
./services/mautrix-telegram.nix
|
||||
];
|
||||
|
||||
|
|
|
@ -1,105 +0,0 @@
|
|||
{ lib, config, ... }: {
|
||||
services.dendrite = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets."services/dendrite/secrets".path;
|
||||
settings = {
|
||||
global = {
|
||||
server_name = "chir.rs";
|
||||
trusted_third_party_id_servers = [
|
||||
"matrix.org"
|
||||
"vector.im"
|
||||
];
|
||||
presence = {
|
||||
enable_inbound = true;
|
||||
enable_outbound = true;
|
||||
};
|
||||
private_key = config.sops.secrets."services/dendrite/private_key".path;
|
||||
};
|
||||
app_service_api = {
|
||||
database.connection_string = "postgresql:///dendrite_app_service?sslmode=disable&host=/run/postgresql";
|
||||
config_files = [
|
||||
"/var/lib/mautrix-telegram/telegram-registration.yaml"
|
||||
];
|
||||
};
|
||||
client_api = {
|
||||
registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
|
||||
};
|
||||
federation_api = {
|
||||
database.connection_string = "postgresql:///dendrite_federation?sslmode=disable&host=/run/postgresql";
|
||||
};
|
||||
key_server.database.connection_string = "postgresql:///dendrite_keyserver?sslmode=disable&host=/run/postgresql";
|
||||
media_api.database.connection_string = "postgresql:///dendrite_mediaapi?sslmode=disable&host=/run/postgresql";
|
||||
mscs = {
|
||||
mscs = [ "msc2836" "msc2946" ];
|
||||
database.connection_string = "postgresql:///dendrite_mscs?sslmode=disable&host=/run/postgresql";
|
||||
};
|
||||
room_server.database.connection_string = "postgresql:///dendrite_roomserver?sslmode=disable&host=/run/postgresql";
|
||||
sync_api.database.connection_string = "postgresql:///dendrite_syncapi?sslmode=disable&host=/run/postgresql";
|
||||
user_api.account_database.connection_string = "postgresql:///dendrite_userapi?sslmode=disable&host=/run/postgresql";
|
||||
user_api.device_database.connection_string = "postgresql:///dendrite_deviceapi?sslmode=disable&host=/run/postgresql";
|
||||
};
|
||||
};
|
||||
sops.secrets."services/dendrite/secrets" = { owner = "dendrite"; };
|
||||
sops.secrets."services/dendrite/private_key" = { owner = "dendrite"; };
|
||||
services.postgresql.ensureDatabases = [
|
||||
"dendrite_app_service"
|
||||
"dendrite_federation"
|
||||
"dendrite_keyserver"
|
||||
"dendrite_mediaapi"
|
||||
"dendrite_mscs"
|
||||
"dendrite_roomserver"
|
||||
"dendrite_syncapi"
|
||||
"dendrite_userapi"
|
||||
"dendrite_userapi_devices"
|
||||
];
|
||||
services.postgresql.ensureUsers = [{
|
||||
name = "dendrite";
|
||||
ensurePermissions = {
|
||||
"DATABASE dendrite_app_service" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_federation" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_keyserver" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_mediaapi" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_mscs" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_roomserver" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_syncapi" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_userapi" = "ALL PRIVILEGES";
|
||||
"DATABASE dendrite_userapi_devices" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
systemd.services.dendrite.serviceConfig = {
|
||||
User = "dendrite";
|
||||
Group = "dendrite";
|
||||
DynamicUser = lib.mkForce false;
|
||||
};
|
||||
users.users.dendrite = {
|
||||
description = "Dendrite";
|
||||
home = "/var/lib/dendrite";
|
||||
useDefaultShell = true;
|
||||
group = "dendrite";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.dendrite = { };
|
||||
services.nginx.virtualHosts =
|
||||
let
|
||||
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
|
||||
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
|
||||
add_header Alt-Svc 'h3=":443"';
|
||||
'';
|
||||
dendrite = {
|
||||
listenAddresses = listenIPs;
|
||||
locations."/_matrix" = {
|
||||
proxyPass = "http://localhost:8008";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
"matrix.chir.rs" = dendrite // {
|
||||
sslCertificate = "/var/lib/acme/chir.rs/cert.pem";
|
||||
sslCertificateKey = "/var/lib/acme/chir.rs/key.pem";
|
||||
};
|
||||
"matrix.int.chir.rs" = dendrite // {
|
||||
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
|
||||
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
|
||||
};
|
||||
};
|
||||
}
|
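--- a/config/services/synapse.nix
+++ b/config/services/synapse.nix
@@ -0,0 +1,70 @@
+{ lib, config, ... }: {
+services.matrix-synapse = {
+enable = true;
+settings = {
+server_name = "chir.rs";
+public_baseurl = "https://matrix.chir.rs/";
+listeners = [{
+port = 8008;
+tls = false;
+type = "http";
+x_forwarded = true;
+bind_addresses = [ "::1" "127.0.0.1" ];
+resources = [{
+names = [ "client" "federation" ];
+compress = false;
+}];
+}];
+admin_contact = "mailto:lotte@chir.rs";
+retention.enabled = true;
+database = {
+name = "psycopg2";
+txn_limit = 10000;
+args = {
+host = "/run/postgresql";
+user = "matrix-synapse";
+database = "synapse";
+};
+};
+enable_media_repo = false;
+url_preview_enabled = true;
+url_preview_ip_range_blacklist = [
+"127.0.0.0/8"
+"10.0.0.0/8"
+"172.16.0.0/12"
+"192.168.0.0/16"
+"100.64.0.0/10"
+"192.0.0.0/24"
+"169.254.0.0/16"
+"192.88.99.0/24"
+"198.18.0.0/15"
+"192.0.2.0/24"
+"198.51.100.0/24"
+"203.0.113.0/24"
+"224.0.0.0/4"
+"fe80::/10"
+"fc00::/7"
+"2001:db8::/32"
+"ff00::/8"
+"fec0::/10"
+];
+enable_registration = false;
+app_service_config_files = [
+"/var/lib/mautrix-telegram/telegram-registration.yaml"
+];
+signing_key_path = config.sops.secrets."services/synapse/private_key".path;
+encryption_enabled_by_default_for_room_type = "all";
+};
+withJemalloc = true;
+};
+sops.secrets."services/synapse/private_key" = { owner = "matrix-synapse"; };
+services.postgresql.ensureDatabases = [
+"synapse"
+];
+services.postgresql.ensureUsers = [{
+name = "matrix-synapse";
+ensurePermissions = {
+"DATABASE matrix-synapse" = "ALL PRIVILEGES";
+};
+}];
+}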
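Review bot: The `ensurePermissions` entry grants privileges on a database called `matrix-synapse`, but the database this file creates and points Synapse at is `synapse` (the `ensureDatabases` entry and `database = "synapse"` in the connection args), so the `matrix-synapse` role gets no privileges on the database it actually uses, and the unquoted hyphenated name is not a valid SQL identifier for the generated GRANT either; it should read `"DATABASE synapse" = "ALL PRIVILEGES";`. Separately, `url_preview_ip_range_blacklist` blocks `127.0.0.0/8` but not the IPv6 loopback, while the listener above binds `::1`; Synapse's stock blacklist includes `"::1/128"`, and adding it keeps URL-preview fetches from reaching local listeners. The deleted dendrite.nix also carried the nginx virtual hosts that proxied `/_matrix` to port 8008 and nothing in this new file replaces them; if the reverse proxy now lives elsewhere that is fine, otherwise `public_baseurl` and `x_forwarded = true` have no front end behind them.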
@ -2,9 +2,8 @@ network:
|
|||
wireguard:
|
||||
privkey: ENC[AES256_GCM,data:JDCu/XUbXJz13OqC35DQS+g0XDUGUXIBMDK2i0gCnnRqe7pTkIauTLHeh64=,iv:Ybex9u6i4QN6MXECTBJy8YBgK5Ge/LRxZLE5lXBhBPM=,tag:v+ESpwLqMcDxv9ThgqxXiw==,type:str]
|
||||
services:
|
||||
dendrite:
|
||||
secrets: ENC[AES256_GCM,data:NTm9xCA51s3ASIhIKy/wET4MqNQ=,iv:ktv+IAtbFTu6MI7HfKnT8a4m9KnFiA3hbOrhUFG6sUw=,tag:X/6O6iheQ24KbFl7XFOJpw==,type:str]
|
||||
private_key: ENC[AES256_GCM,data:WODNoOxyNF0TjS98abNseCsXrAPQpNRGAg7qUKLxc0MaSnq4OxXQvP4jZ/AFQeOOyy1J0OeKnzg4WSiOXMWVf1+WCy4OL2IOIQQa733BTLhBsl3OzvZ/wKN0aLSdnTN32bN7srUkPTxhAE9C1eHApW0v7/mxxo4XUHcVViy2Lhq4n09LxswgHOY=,iv:G7ovMcU+Fs41OV9Prqi9NoxBiwciIBdFi/YPswBemdU=,tag:QmNsYGrPjJKY+Uss5ZMuTg==,type:str]
|
||||
synapse:
|
||||
private_key: ENC[AES256_GCM,data:bu+jW65saJKkq9yxP23MXdebZlI8jPUSiwdlCeCRku7yXnzI1rshh5DPvduewrVNxHujaNZiB6k6MxhvkKtDa8cJWDs+kce5XgeD56vwQXusE55oB3sa2QhxBzzfgIAt1AfeBQncssKSJekzcEa0f8tPoZ3B2HUp/OTD60B2StmvZP7XAcj274M=,iv:RIk+LdJbAZr0KeLZz8rYFwsRktbGHRx1jouos3VV1dY=,tag:Mwj1xY9K/qpggTYxNpF98g==,type:str]
|
||||
mautrix:
|
||||
telegram: ENC[AES256_GCM,data:xqGq14icmy8Eapm+aFNf+2wSjjwyjp/8OrOpiHBVqCk87SQ/B8K3o+WN50wjuscg8pe+L9S7xdENLroY/V1wcanvEpY4XcKfatKqw5h+E0O9mGs2GZJqi2dpKt09OTSJ8j1Je1ENPGazHVjBix9jK5x2+qrs0s1Vrqg4do9fBh3CPfDwIBVQCxrz3i5LI8il1Nr6bJ3x83vB22nw21UpqBnVQu//zNjzCPtma0dr5mPuiZkDriKYVaFTsFBRNpADNcHwWqaCkO57UoLhPA==,iv:BFe08lLaA2hjEhq99dmNSHE4rq4TLKHV9k8ZC8eRQhk=,tag:MydlA3g3dJJEdHHLOruHMg==,type:str]
|
||||
hydra:
|
||||
|
@ -58,8 +57,8 @@ sops:
|
|||
WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5
|
||||
2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-04-30T21:18:37Z"
|
||||
mac: ENC[AES256_GCM,data:qxfY5zFazFEvqG5v1VbGJGxD8pu344rleuitWzvrmfVO1A375wiTApokGDkwgBCVbulKTpFPIprc64ZmHNob4EE+tuRipJL4pCcaFgrNPLyqgLbvt41dduQRDwvGkkJgM7ktmFmm03dLrgfCaZed99k2UCBGoTiDlq8rcLFziTE=,iv:TNoZL1969PJv95rQgH40nMrDcYmXLeYmNc7vEEX4+hI=,tag:SkJyXS9yaiXHCixyZK6BUA==,type:str]
|
||||
lastmodified: "2022-05-01T06:46:51Z"
|
||||
mac: ENC[AES256_GCM,data:EPschppnbMaVibvgNOmCpuP7/UfDwx5NdoTFG4m0OdG9gLoVYs0HVZZPRwwEhopPRhv3gqeaYi+ILcHMF1ES08darbC1SnEEPeoRndlRr4Fj2dQO9Ys/FFEFHccjbOSgT6R92EFD3yBXq6WDhMssrLa9LCcM2M8afHhjUzSapuc=,iv:sa5sTcrcVJb5dAijfxBQ/UJX/9RRMXiRemmbwnGuKFE=,tag:t6Ri1DEApIyQb5wo98v8aA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-04-24T10:34:20Z"
|
||||
enc: |
|
||||
|
|