tristan/nix
1
0
Fork 0
Code Projects Releases Packages Activity
nix/nixos/services/synapse/default.nix

137 lines
4.1 KiB
Nix
Raw Permalink Blame History

{
pkgs,
config,
...
}: let
fqdn = "${hostname}.${domain}";
domain = "tristans.cloud";
hostname = "matrix";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
port = 8008;
inherit (config) sops;
inherit (config.services) matrix-synapse matrix-sliding-sync;
inherit (sops) secrets templates;
in {
imports = [./metrics.nix];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
sops.secrets = {
"synapse/signing_key".owner = "matrix-synapse";
"synapse/oidc_client_secret" = {};
"synapse/sliding_sync_secret" = {};
};
sops.templates = {
"synapse/secrets.yaml" = {
owner = "matrix-synapse";
content = builtins.toJSON {
jwt_config = {
enabled = true;
secret = sops.placeholder."synapse/oidc_client_secret";
algorithm = "RS256";
};
oidc_providers = [
{
idp_id = "authentik";
idp_name = "authentik";
discover = true;
issuer = "https://auth.tristans.cloud/application/o/chat/";
client_id = "fdad520e8c57f228aaa658aa74d5e00ba9b164a3";
client_secret = sops.placeholder."synapse/oidc_client_secret";
scopes = ["openid" "profile" "email"];
user_mapping_provider = {
config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name|capitalize }}";
};
};
}
];
};
};
"synapse/sliding_sync_env".content = ''
SYNCV3_SECRET=${sops.placeholder."synapse/sliding_sync_secret"}
'';
};
services.matrix-synapse = {
enable = true;
extraConfigFiles = [templates."synapse/secrets.yaml".path];
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
settings = {
signing_key_path = secrets."synapse/signing_key".path;
server_name = domain;
baseurl = "https://${domain}";
oidc_providers = [];
listeners = [
{
inherit port;
bind_addresses = ["localhost"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
# log_config = pkgs.writeTextFile {
# name = "synapse-logging.json";
# text = builtins.toJSON {
# version = 1;
# root = {
# level = "INFO";
# handlers = ["console"];
# };
# formatters.precise.format = "%(levelname)s - %(name)s - %(message)s";
# handlers.console = {
# class = "logging.StreamHandler";
# formatter = "precise";
# };
# };
# };
};
};
services.nginx.virtualHosts = {
${domain} = {
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown {
"m.server" = "${fqdn}:443";
};
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown {
"m.homeserver".base_url = "https://${fqdn}";
};
locations."= /.well-known/matrix/support".extraConfig = mkWellKnown {
admins = [
{
matrix_id = "@tristan:tristans.cloud";
email_address = "tristan@tristans.cloud";
role = "admin";
}
];
};
locations."/_matrix".proxyPass = "http://localhost:${toString port}";
locations."/_synapse/client".proxyPass = "http://localhost:${toString port}";
};
${fqdn} = {
enableACME = true;
forceSSL = true;
locations."/_matrix".proxyPass = "http://localhost:${toString port}";
locations."/_synapse/client".proxyPass = "http://localhost:${toString port}";
};
};
}
View git blame Copy permalink