nix-dotfiles/hosts/tsuki/services/matrix/default.nix
2022-10-06 21:30:47 +02:00

110 lines
3.0 KiB
Nix

{ pkgs, lib, config, secrets, ... }: {
imports = [
./bridges/mautrix-facebook.nix
./bridges/mx-puppet-discord.nix
# TODO: fix irc service
# ./bridges/matrix-appservice-irc.nix
./postgres.nix
./coturn.nix
];
services.matrix-synapse = {
enable = true;
settings = {
turn_uris = let
inherit (config.services.coturn) realm;
p = toString secrets.ports.matrix.default;
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h";
trusted_key_servers = let
emptykey = server_name: {
inherit server_name;
verify_keys = {};
};
in [
{
server_name = "matrix.org";
verify_keys = {
"ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
};
}
(emptykey "pvv.ntnu.no")
(emptykey "feal.no")
(emptykey "dodsorf.as")
];
server_name = "nani.wtf";
public_baseurl = "https://matrix.nani.wtf";
enable_metrics = true;
listeners = [
{
port = secrets.ports.matrix.listener;
bind_addresses = [
"0.0.0.0"
"::1"
];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" "metrics" ];
compress = false;
}
];
}
];
# NOTE: To register a new admin user, use a nix-shell with
# package 'matrix-synapse', and use the register_new_matrix_user command
# with the registration shared secret
enable_registration = false;
registration_shared_secret = secrets.keys.matrix.registration-shared-secret;
# password_config.enabled = lib.mkForce false;
dataDir = "${config.machineVars.dataDrives.default}/var/matrix";
database_type = "postgres";
# database_args = {
# password = "synapse";
# };
# TODO: Figure out a way to do this declaratively.
# The files need to be owned by matrix-synapse
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# (pkgs.writeText "facebook-registrations.yaml" (builtins.toJSON config.services.mautrix-facebook.registrationData))
"/var/lib/matrix-synapse/facebook-registration.yaml"
];
# redis.enabled = true;
max_upload_size = "100M";
};
};
# services.redis.enable = true;
networking.firewall = {
interfaces.enp2s0 = let
range = with config.services.coturn; [ {
from = secrets.ports.matrix.coturn.min;
to = secrets.ports.matrix.coturn.max;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ secrets.ports.matrix.default ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ secrets.ports.matrix.default ];
};
};
}