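{ config, lib, pkgs, values, ... }:

# Synapse for matrix.pvv.ntnu.no (matrix-synapse-next module): a worker
# deployment, SAML login against the PVV IdP, and Prometheus metrics
# reverse-proxied through nginx for the monitoring host (`values.ildkule`).
#
# Security-relevant choices made in this file:
#   * Database credentials and the federation signing key come from sops and
#     are readable only by the synapse user, so they never end up in the
#     world-readable nix store.
#   * Self-service registration and password login are off; SAML is the only
#     way to obtain or use an account.
#   * URL previews are denied for loopback/private/link-local/documentation
#     ranges and for NTNU's own address space, limiting SSRF via the preview
#     spider.
#   * Every metrics endpoint is fenced to the monitoring host by nginx ACLs.

let
  cfg = config.services.matrix-synapse-next;

  # nginx access list shared by all metrics locations.  Synapse metrics expose
  # user/room counts, federation peers and worker internals, so they are only
  # served to the monitoring host.  nginx `allow` takes a bare IPv6 address or
  # CIDR -- the bracketed form used in URLs is rejected as an invalid
  # parameter, which was the case in the previous version of this file.
  # NOTE(review): an IP ACL is only meaningful if nginx sees the real client
  # address, i.e. there is no further proxy in front of this host -- confirm.
  metricsAcl = ''
    allow ${values.ildkule.ipv4};
    allow ${values.ildkule.ipv6};
    deny all;
  '';
in {
  # Database connection settings (they carry the DB password).  Handed to
  # synapse as an extra config file instead of via `settings`, which would be
  # rendered into the nix store.
  sops.secrets."matrix/synapse/dbconfig" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };

  # The homeserver signing key is this server's federation identity: whoever
  # holds it can sign events and key responses as pvv.ntnu.no.  It is therefore
  # readable by the synapse user only.
  sops.secrets."matrix/synapse/signing_key" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
  };

  services.matrix-synapse-next = {
    enable = true;

    dataDir = "/data/synapse";

    # Worker layout.  The module creates one process per instance; the nginx
    # metrics locations below are generated from that same set.
    workers.federationSenders = 2;
    workers.federationReceivers = 1;
    workers.initialSyncers = 1;
    workers.normalSyncers = 1;
    workers.eventPersisters = 1;
    workers.useUserDirectoryWorker = true;

    # Let the module own the nginx vhost for matrix.pvv.ntnu.no; the metrics
    # locations below are merged into that vhost.
    enableNginx = true;

    # Secret-bearing config that must stay out of the nix store.
    extraConfigFiles = [
      config.sops.secrets."matrix/synapse/dbconfig".path
    ];

    settings = {
      server_name = "pvv.ntnu.no";
      public_baseurl = "https://matrix.pvv.ntnu.no";

      signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;

      media_store_path = "${cfg.dataDir}/media";

      # New accounts are joined to these rooms.  The rooms must already exist,
      # since synapse is not allowed to create them.
      autocreate_auto_join_rooms = false;
      auto_join_rooms = [
        "#pvv:pvv.ntnu.no" # Main space
        "#announcements:pvv.ntnu.no"
        "#general:pvv.ntnu.no"
      ];

      # Any federated server may list our public room directory.  Intended for
      # a public community, but it does make the directory world-readable.
      allow_public_rooms_over_federation = true;

      max_upload_size = "150M";

      # Exposes /_synapse/metrics on the master and the workers; access is
      # restricted at the nginx layer below, never directly.
      enable_metrics = true;

      # No self-service registration and no password login: the only way to
      # get or use an account is SAML against the PVV IdP (see saml2_config).
      enable_registration = false;
      password_config.enabled = lib.mkForce false;

      # Notaries consulted for other homeservers' signing keys.  Each entry is
      # trusted to vouch for any server's keys, so keep this list short.
      # NOTE(review): no `verify_keys` are pinned, so a notary's answers are
      # only as trustworthy as TLS to that host -- consider pinning them.
      trusted_key_servers = [
        { server_name = "matrix.org"; }
        { server_name = "dodsorf.as"; }
      ];

      # URL previews make synapse fetch arbitrary user-supplied URLs.  This
      # list stops that spider from reaching loopback, private, link-local and
      # documentation ranges (SSRF), plus the NTNU networks this host sits in.
      # Only previews are governed by this option; federation, push and
      # identity-server requests use `ip_range_blacklist` (left at its default
      # here) -- decide whether the NTNU ranges belong there as well.
      url_preview_enabled = true;
      url_preview_ip_range_blacklist = [
        # synapse example config
        "127.0.0.0/8"     # loopback
        "10.0.0.0/8"      # RFC 1918
        "172.16.0.0/12"   # RFC 1918
        "192.168.0.0/16"  # RFC 1918
        "100.64.0.0/10"   # carrier-grade NAT
        "192.0.0.0/24"    # IETF protocol assignments
        "169.254.0.0/16"  # link-local
        "192.88.99.0/24"  # former 6to4 relay anycast
        "198.18.0.0/15"   # benchmarking
        "192.0.2.0/24"    # documentation
        "198.51.100.0/24" # documentation
        "203.0.113.0/24"  # documentation
        "224.0.0.0/4"     # multicast
        "::1/128"         # loopback
        "fe80::/10"       # link-local
        "fc00::/7"        # unique local
        "2001:db8::/32"   # documentation
        "ff00::/8"        # multicast
        "fec0::/10"       # deprecated site-local

        # NTNU
        "129.241.0.0/16"
        "2001:700:300::/44"
      ];

      saml2_config = {
        # pysaml2 SP configuration.  Per synapse's documented saml2_config
        # layout, everything describing this SP (name, description, ui_info,
        # organization, contact_person) lives *inside* sp_config, which is the
        # dict handed to pysaml2; placed next to sp_config they are not read,
        # which is where the previous version of this file had them.
        sp_config = {
          # IdP metadata (entity id, endpoints, signing certificate) is fetched
          # over HTTPS at startup, so trust in the IdP is anchored in TLS to
          # idp.pvv.ntnu.no.
          metadata.remote = [
            { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
          ];

          # pysaml2 takes a single (text, lang) pair for these two.
          description = [ "Matrix Synapse SP" "en" ];
          name = [ "Matrix Synapse SP" "en" ];

          ui_info = {
            display_name = [
              { lang = "en"; text = "PVV Matrix login"; }
            ];
            description = [
              { lang = "en"; text = "Matrix is a modern free and open federated chat protocol"; }
            ];
            #information_url = [
            #  { lang = "en"; text = ""; }
            #];
            #privacy_statement_url = [
            #  { lang = "en"; text = ""; }
            #];
            keywords = [
              { lang = "en"; text = [ "Matrix" "Element" ]; }
            ];
            #logo = [
            #  { lang = "en"; text = ""; width = ""; height = ""; }
            #];
          };

          organization = {
            name = "Programvareverkstedet";
            # Unlike `name`/`description` above, pysaml2 expects a *list of*
            # (text, lang) pairs here; a flat pair is read as two names.
            display_name = [ [ "Programvareverkstedet" "en" ] ];
            url = "https://www.pvv.ntnu.no";
          };

          contact_person = [
            { given_name = "Drift";
              sur_name = "King";
              # pysaml2 key is `email_address`; the earlier `email_adress`
              # spelling was silently ignored, so the published metadata had
              # no contact e-mail.
              email_address = [ "drift@pvv.ntnu.no" ];
              contact_type = "technical";
            }
          ];
        };

        user_mapping_provider = {
          config = {
            # SAML attribute whose value becomes the Matrix localpart.  It must
            # be unique and stable per person at the IdP: if two people can
            # present the same `uid`, one lands in the other's account.
            # TODO(review): confirm with the IdP admins that `uid` is such an
            # attribute.
            mxid_source_attribute = "uid";
            # Characters not permitted in a localpart are escaped as `=xx`
            # instead of being collapsed, so distinct uids map to distinct
            # Matrix IDs.
            mxid_mapping = "hexencode";
          };
        };

        # Without this, *every* account the IdP is willing to authenticate can
        # log in here, not only PVV members.  Enable as soon as the attribute
        # and value the IdP actually emits for membership are confirmed.
        #attribute_requirements = [
        #  { attribute = "userGroup"; value = "medlem"; } # Do we have this?
        #];
      };
    };
  };

  # Redis backs synapse worker replication.  The NixOS default instance
  # presumably listens on localhost only; no password is configured here, so
  # any local process can read the replication stream -- confirm that is
  # acceptable on this host.
  services.redis.servers."".enable = true;

  # Prometheus scrape endpoints for the master and every worker, plus a
  # file_sd-style target list, hung off the vhost the module already owns.
  # Every location is fenced by `metricsAcl`.
  services.nginx.virtualHosts."matrix.pvv.ntnu.no".locations = let
    # A listener carries metrics if any of its resources is named "metrics".
    hasMetricsResource = listener:
      lib.lists.any (res: lib.lists.elem "metrics" res.names) listener.resources;

    workerId = worker: "${worker.type}/${toString worker.index}";

    metricsListener = worker:
      lib.lists.findFirst hasMetricsResource
        (throw "No metrics endpoint on worker ${workerId worker}")
        worker.settings.worker_listeners;

    # URL of a worker's metrics listener.  NOTE(review): assumes the first
    # bind address is IPv4 or a hostname; an IPv6 literal would need brackets
    # here -- confirm against the module's listener defaults.
    upstream = worker:
      let
        listener = metricsListener worker;
        addrs = listener.bind_addresses;
      in
        if addrs == [ ]
        then throw "No bind address on the metrics listener of worker ${workerId worker}"
        else "http://${lib.head addrs}:${toString listener.port}/_synapse/metrics";

    scrapePath = worker: "/metrics/${workerId worker}";

    workerLocations = lib.mapAttrs'
      (_: worker: lib.nameValuePair (scrapePath worker) {
        proxyPass = upstream worker;
        extraConfig = metricsAcl;
      })
      cfg.workers.instances;

    # Target list handed to the monitoring host.  Derived from the same worker
    # set as the locations above, so it cannot drift when worker counts in
    # `services.matrix-synapse-next.workers` change (it used to be a
    # hand-maintained list).
    scrapeTargets = map (path: "matrix.pvv.ntnu.no${path}")
      ([ "/metrics/master/1" ] ++ map scrapePath (lib.attrValues cfg.workers.instances));

    targetFile = pkgs.writeTextDir "/config.json" (builtins.toJSON [
      { targets = scrapeTargets;
        labels = { };
      }
    ]);
  in lib.mkMerge [
    workerLocations
    {
      # The master's metrics listener.  NOTE(review): the port is hard-coded
      # here and must match the listener the module configures for the master
      # process (not visible in this file).
      "/metrics/master/1" = {
        proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
        extraConfig = metricsAcl;
      };

      # Serves /metrics/config.json.  It only lists endpoints the monitoring
      # host may reach, so it is fenced the same way rather than left public.
      "/metrics/" = {
        alias = "${targetFile}/";
        extraConfig = metricsAcl;
      };
    }
  ];
}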