oysteikt/nix-dotfiles
oysteikt
/
nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity
nix-dotfiles/hosts/tsuki/services/matrix.nix

264 lines
7.1 KiB
Nix
Raw Blame History

{ config, pkgs, lib, secrets, ... }: {
# TODO: configure synapse to point users to coturn
services.matrix-synapse = {
enable = true;
turn_uris = let
inherit (config.services.coturn) realm;
p = toString secrets.ports.matrix.default;
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h";
server_name = "nani.wtf";
public_baseurl = "https://matrix.nani.wtf";
registration_shared_secret = secrets.keys.matrix.registration-shared-secret;
enable_metrics = true;
listeners = [
{
port = secrets.ports.matrix.listener;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" "metrics" ];
compress = false;
}
];
}
];
enable_registration = false;
# password_config.enabled = lib.mkForce false;
dataDir = "/data/var/matrix";
database_type = "psycopg2";
database_args = {
password = "synapse";
};
# TODO: Figure out a way to do this declaratively.
# The files need to be owned by matrix-synapse
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
# (pkgs.writeText "facebook-registrations.yaml" (builtins.toJSON config.services.mautrix-facebook.registrationData))
"/var/lib/matrix-synapse/facebook-registration.yaml"
];
# redis.enabled = true;
# settings = {
# };
};
services.redis.enable = true;
services.mx-puppet-discord = {
enable = true;
settings = {
bridge = {
bindAddress = "localhost";
domain = "nani.wtf";
# TODO: connect via localhost
homeserverUrl = "https://matrix.nani.wtf";
port = secrets.ports.matrix.mx-puppet-discord;
enableGroupSync = true;
};
database = {
filename = "/var/lib/mx-puppet-discord/database.db";
};
namePatterns = {
room = ":name";
user = ":name";
userOverride = ":displayname";
group = ":name";
};
presence = {
enabled = true;
interval = 500;
};
logging = {
console = "info";
lineDateFormat = "MMM-D HH:mm:ss.SSS";
};
provisioning.whitelist = [ "@h7x4:nani\\.wtf" ];
relay.whitelist = [ "@h7x4:nani\\.wtf" ];
selfService.whitelist = [ "@h7x4:nani\\.wtf" ];
};
};
services.mautrix-facebook = {
enable = true;
configurePostgresql = true;
registrationData = {
# NOTE: This is a randomly generated UUID
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
};
settings = {
homeserver = {
# TODO: connect via localhost
address = "https://matrix.nani.wtf";
domain = "nani.wtf";
};
appservice = rec {
address = "http://${hostname}:${toString port}";
bot_username = "facebookbot";
hostname = "0.0.0.0";
ephemeral_events = true;
port = secrets.ports.matrix.mautrix-facebook;
inherit (secrets.keys.matrix.mautrix-facebook) as_token;
inherit (secrets.keys.matrix.mautrix-facebook) hs_token;
};
bridge = {
encryption = {
allow = true;
default = true;
};
backfilling = {
initial_limit = 8000;
};
username_template = "facebook_{userid}";
sync_with_custom_puppets = false;
permissions = {
"@h7x4:nani.wtf" = "admin";
"nani.wtf" = "user";
};
};
logging = {
formatters = {
journal_fmt = {
format = "%(name)s: %(message)s";
};
};
handlers = {
journal = {
SYSLOG_IDENTIFIER = "mautrix-facebook";
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
};
};
root = {
handlers = [
"journal"
];
level = "INFO";
};
version = 1;
};
manhole = {
enabled = false;
};
metrics = {
enabled = false;
};
};
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = secrets.ports.matrix.coturn.min;
max-port = secrets.ports.matrix.coturn.max;
use-auth-secret = true;
static-auth-secret = secrets.keys.matrix.static-auth-secret;
realm = "turn.nani.wtf";
cert = "${secrets.keys.certificates.server.crt}";
pkey = "${secrets.keys.certificates.server.key}";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
services.postgresql = {
enable = true;
## postgresql user and db name remains in the
## service.matrix-synapse.database_args setting which
## by default is matrix-synapse
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
# open the firewall
networking.firewall = {
interfaces.enp2s0 = let
range = with config.services.coturn; [ {
from = secrets.ports.matrix.coturn.min;
to = secrets.ports.matrix.coturn.max;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ secrets.ports.matrix.default ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ secrets.ports.matrix.default ];
};
};
# get a certificate
# security.acme.certs.${config.services.coturn.realm} = {
# /* insert here the right configuration to obtain a certificate */
# postRun = "systemctl restart coturn.service";
# group = "turnserver";
# };
}
Reference in New Issue View Git Blame Copy Permalink