gerd.matrix-synapse: initial add

This commit is contained in:
eyjhb 2024-08-24 15:02:21 +02:00
parent 84a3027d0c
commit fd2729afc8
No known key found for this signature in database
GPG key ID: 609F508E3239F920
5 changed files with 201 additions and 0 deletions

View file

@ -19,6 +19,8 @@
./gerd/services/cyberchef.nix ./gerd/services/cyberchef.nix
./gerd/services/nextcloud.nix ./gerd/services/nextcloud.nix
./gerd/services/stalwart ./gerd/services/stalwart
./gerd/services/matrix-synapse.nix
]; ];
networking.hostName = "gerd"; networking.hostName = "gerd";
@ -33,6 +35,7 @@
"safe/svcs/hedgedoc" = { mountpoint = "/srv/hedgedoc"; extra.options.quota = "5G"; }; "safe/svcs/hedgedoc" = { mountpoint = "/srv/hedgedoc"; extra.options.quota = "5G"; };
"safe/svcs/nextcloud" = { mountpoint = "/srv/nextcloud"; extra.options.quota = "5G"; }; "safe/svcs/nextcloud" = { mountpoint = "/srv/nextcloud"; extra.options.quota = "5G"; };
"safe/svcs/stalwart" = { mountpoint = "/srv/stalwart"; extra.options.quota = "5G"; }; "safe/svcs/stalwart" = { mountpoint = "/srv/stalwart"; extra.options.quota = "5G"; };
"safe/svcs/synapse" = { mountpoint = "/srv/synapse"; extra.options.quota = "5G"; };
"safe/svcs/postgresql" = { mountpoint = "/srv/postgresql"; extra.options.quota = "5G"; }; "safe/svcs/postgresql" = { mountpoint = "/srv/postgresql"; extra.options.quota = "5G"; };
"backup/postgresql" = { mountpoint = "/media/backup/postgresqlbackup"; extra.options.quota = "5G"; }; "backup/postgresql" = { mountpoint = "/media/backup/postgresqlbackup"; extra.options.quota = "5G"; };
}; };

View file

@ -0,0 +1,182 @@
{ config, lib, pkgs, ... }:
let
svc_domain = "matrix.${config.mine.shared.settings.domain}";
max_upload_size = "50M";
name = "matrix-synapse";
matrix_synapse_user = name;
matrix_synapse_group = name;
oidcConfigPath = "/run/${name}/oidc.yaml";
stateDir = config.mine.zfsMounts."rpool/safe/svcs/synapse";
matrix_port = 8448;
in {
services.matrix-synapse = {
enable = true;
dataDir = stateDir;
extras = [ "oidc" ];
extraConfigFiles = [
oidcConfigPath
];
settings = {
server_name = config.mine.shared.settings.domain;
public_baseurl = "https://${svc_domain}";
enable_registration = false;
password_config.enabled = false;
listeners = [
{
port = matrix_port;
bind_addresses = [ "localhost" ];
x_forwarded = true;
tls = false;
resources = [{
names = [ "federation" "client" ];
compress = false;
}];
}
];
# database
# shut up shut up shut up shut up!!!
database.allow_unsafe_locale = true;
database_type = "psycopg2";
database_args.database = "matrix-synapse";
# increase max_upload_size, otherwise might not
# be able to watch cat videos
max_upload_size = max_upload_size;
# retentien policies
media_retention = {
local_media_lifetime = "90d";
remote_media_lifetime = "14d";
};
# keep messages MIN 1 day, MAX 1 year
retention = {
enabled = true;
default_policy = {
min_lifetime = "1d";
max_lifetime = "1y";
};
allowed_lifetime_min = "1d";
allowed_lifetime_max = "1y";
};
};
};
# setup OIDC/OpenID/OAUTH2/whatever for synapse
# do this way, instead of having EVERYTHING in a secret file.
systemd.services.matrix-synapse = {
# https://linux-audit.com/systemd/systemd-syscall-filtering/
# https://github.com/restic/rest-server/pull/249
# https://github.com/golang/go/issues/46279
serviceConfig.SystemCallFilter = [ "setrlimit" ];
serviceConfig.EnvironmentFile = config.age.secrets.matrix-synapse-config-authelia-secret.path;
preStart = let
oidc_config = (pkgs.formats.yaml {}).generate "matrix-synapse-oidc-config" {
oidc_providers = [{
idp_id = "authelia";
idp_name = "Authelia";
idp_icon = "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI";
client_id = "synapse";
client_secret = "$CLIENT_SECRET";
issuer = "https://${config.mine.shared.settings.authelia.domain}";
discover = true;
scopes = [
"openid"
"profile"
"email"
];
user_mapping_provider.config = {
subject_claim = "sub";
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
email_template = "{{ user.email }}";
};
}];
};
in ''
${pkgs.envsubst}/bin/envsubst \
-o ${oidcConfigPath} \
-i ${oidc_config}
'';
};
# setup for oidc
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
client_id = "synapse";
client_name = "Synapse";
client_secret = "$pbkdf2-sha512$310000$dO6Qohc.TolD5kFu5bOiOg$O4Bt519VVDDHeUkmH4vzu0/ea/T7H9rCTgjIyLl7mx9CDZ/TP8ZQtbuOKMjKv8anBKs85a/nTS4b2S9SG7mnkg";
redirect_uris = [ "https://${svc_domain}/_synapse/client/oidc/callback" ];
scopes = [
"openid"
"profile"
"email"
];
}];
# ensure databases + user is setup
services.postgresql = {
ensureDatabases = [ matrix_synapse_user ];
ensureUsers = [{
name = matrix_synapse_user;
ensureDBOwnership = true;
}];
};
services.nginx = {
virtualHosts."${svc_domain}" = {
enableACME = true;
forceSSL = true;
# only proxy `_matrix` and `_synapse/client`, it is not ideal to proxy `_synapse/admin`
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:${builtins.toString matrix_port}";
extraConfig = "client_max_body_size ${max_upload_size};";
};
};
# serve `.well-known/matrix/{server,client}` because matrix synapse runs on subdomain
virtualHosts."${config.mine.shared.settings.domain}" = let
client = {
"m.homeserver" = { "base_url" = "https://${svc_domain}"; };
"m.identity_server" = { "base_url" = "https://matrix.org"; };
};
server = { "m.server" = "${svc_domain}:443"; };
in {
locations."/.well-known/matrix/server".extraConfig = ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."/.well-known/matrix/client".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
};
systemd.tmpfiles.rules = [
"Z ${stateDir} 0770 ${matrix_synapse_user} ${matrix_synapse_group} -"
];
age.secrets = {
matrix-synapse-config-authelia-secret.owner = matrix_synapse_user;
};
}

View file

@ -35,6 +35,9 @@
# stalwart # stalwart
stalwart-admin-fallback-password.file = ./stalwart/admin-fallback-password.age; stalwart-admin-fallback-password.file = ./stalwart/admin-fallback-password.age;
# matrix-synapse
matrix-synapse-config-authelia-secret.file = ./matrix-synapse/config-authelia-secret.age;
}; };
users.groups.secrets-lldap-bind-user-pass = {}; users.groups.secrets-lldap-bind-user-pass = {};

View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 QSDXqg 0jVC1Y1IcRGcf1MyzlKhRRmIly5kZJVvwS7ENtyAhCs
dBX55nxL2QPRweNhA6SaEJCp6WC4Sez3c8g/Ms72uis
-> ssh-ed25519 n8n9DQ 2OdafHqXFjQPRcyb2aE0WTrx8mDnT0i0ggbQ5rOlGiE
RYs11Z+3ZhqTAH8GtLNiJuaIHco7eM0eV+pvzVI5Mkc
-> ssh-ed25519 BTp6UA xNy6a5bOAlNUosHZ8+vLYys6WSqREbYaOk42oruiVzc
NSYAozntUTDf1no5zXTFu+37r9O+5Fixjxod8/6NwAw
--- /nM6Wr/EQ+XwrVgRWKRbbKourneNaexwSdX0GkfLMZo
Úùž
mïÆ^.Ç»N¬ŠÛ´—8”€1Ÿâ::ûÈΟ 6v5ëÓ©¨²ñÍIã¨_.¨xkãšs†È%Å—Ùæ™<0F>r oªfÏyá×<C3A1>qå'-v”(W9Ý(:€âEN?±¦èʇZëÓO…Ö•†«Èúæ

View file

@ -39,4 +39,7 @@ in
# mailserver/stalwart # mailserver/stalwart
"stalwart/admin-fallback-password.age".publicKeys = defaultAccess; "stalwart/admin-fallback-password.age".publicKeys = defaultAccess;
# matrix-synapse
"matrix-synapse/config-authelia-secret.age".publicKeys = defaultAccess;
} }