129 lines
4 KiB
Nix
129 lines
4 KiB
Nix
{ cluster, config, lib, pkgs, depot, ... }:
|
|
let
|
|
inherit (depot.lib.meta) domain;
|
|
inherit (cluster.config.services.matrix) secrets;
|
|
|
|
patroni = cluster.config.links.patroni-pg-access;
|
|
|
|
listener = {
|
|
port = 8008;
|
|
bind_addresses = lib.singleton "127.0.0.1";
|
|
type = "http";
|
|
tls = false;
|
|
x_forwarded = true;
|
|
resources = lib.singleton {
|
|
names = [ "client" "federation" ];
|
|
compress = false;
|
|
};
|
|
};
|
|
clientConfig = {
|
|
"m.homeserver".base_url = "https://matrix.${domain}:443";
|
|
"m.integrations".managers = [{
|
|
api_url = "https://dimension.t2bot.io/api/v1/scalar";
|
|
ui_url = "https://dimension.t2bot.io/riot";
|
|
}];
|
|
} // lib.optionalAttrs config.services.jitsi-meet.enable {
|
|
"im.vector.riot.jitsi".preferredDomain = config.services.jitsi-meet.hostName;
|
|
};
|
|
logConfig = {
|
|
version = 1;
|
|
formatters.structured.class = "synapse.logging.TerseJsonFormatter";
|
|
handlers.journal = {
|
|
class = "systemd.journal.JournalHandler";
|
|
formatter = "structured";
|
|
SYSLOG_IDENTIFIER = "synapse";
|
|
};
|
|
loggers.synapse = {
|
|
level = "WARNING";
|
|
handlers = [ "journal" ];
|
|
};
|
|
};
|
|
dbConfig.database = {
|
|
name = "psycopg2";
|
|
args = {
|
|
user = "matrix";
|
|
database = "matrix";
|
|
host = patroni.ipv4;
|
|
inherit (patroni) port;
|
|
cp_min = 1;
|
|
cp_max = 10;
|
|
};
|
|
};
|
|
clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
|
|
logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
|
|
dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
|
|
dbPasswordFile = secrets.dbConfig.path;
|
|
dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
|
|
cfg = config.services.matrix-synapse;
|
|
in {
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
|
|
dataDir = "/srv/storage/private/matrix";
|
|
|
|
settings = {
|
|
server_name = domain;
|
|
listeners = lib.singleton listener;
|
|
url_preview_enabled = true;
|
|
experimental_features.spaces_enabled = true;
|
|
admin_contact = "mailto:admins@${domain}";
|
|
max_upload_size = "32M";
|
|
max_spider_size = "10M";
|
|
emable_registration = true;
|
|
allow_guest_access = true;
|
|
push.include_content = true;
|
|
group_creation_prefix = "unofficial/";
|
|
log_config = logConfigJSON;
|
|
# HACK: upstream has a weird assertion that doesn't work with our HAProxy setup
|
|
# this host gets overridden by dbConfigOut
|
|
database = lib.recursiveUpdate dbConfig.database { args.host = "_patroni.local"; };
|
|
app_service_config_files = [
|
|
"/etc/synapse/discord-registration.yaml"
|
|
];
|
|
turn_uris = let
|
|
combinations = lib.cartesianProduct {
|
|
proto = [ "udp" "tcp" ];
|
|
scheme = [ "turns" "turn" ];
|
|
};
|
|
makeTurnServer = x: "${x.scheme}:turn.${domain}?transport=${x.proto}";
|
|
in map makeTurnServer combinations;
|
|
};
|
|
|
|
extraConfigFiles = (map (x: secrets."${x}Config".path) [
|
|
"ldap"
|
|
"turn"
|
|
"keys"
|
|
]) ++ [ dbConfigOut ];
|
|
};
|
|
|
|
services.nginx.virtualHosts = depot.lib.nginx.mappers.mapSubdomains {
|
|
matrix = depot.lib.nginx.vhosts.basic // {
|
|
locations."/".return = "204";
|
|
locations."/_matrix" = {
|
|
proxyPass = "http://127.0.0.1:8008";
|
|
extraConfig = ''
|
|
client_max_body_size ${cfg.settings.max_upload_size};
|
|
access_log off;
|
|
'';
|
|
};
|
|
locations."= /.well-known/matrix/client" = {
|
|
alias = clientConfigJSON;
|
|
extraConfig = ''
|
|
add_header Access-Control-Allow-Origin "*";
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
systemd.services = lib.mkMerge [
|
|
(lib.genAttrs [ "coturn" "matrix-appservice-discord" "matrix-synapse" ] (_: {
|
|
serviceConfig = {
|
|
Slice = "communications.slice";
|
|
};
|
|
}))
|
|
{
|
|
matrix-synapse.preStart = ''
|
|
${pkgs.jq}/bin/jq -c --slurp '.[0] * .[1]' ${dbConfigJSON} '${dbPasswordFile}' | install -Dm400 /dev/stdin '${dbConfigOut}'
|
|
'';
|
|
}
|
|
];
|
|
}
|