Merge pull request 'half-finished migration to synapse' (#157) from Mic92-main into main
commit
40d7673f9f
53
flake.lock
53
flake.lock
|
@ -18,15 +18,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712517122,
|
||||
"narHash": "sha256-ynjRTeXDICFXYbcMdZfl9t7TD0d9RoNzMIq14WmZl0E=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "d89edef9a1943cbf0150fd70cde25015161410a7",
|
||||
"revCount": 2433,
|
||||
"lastModified": 1712910239,
|
||||
"narHash": "sha256-0Iu86fs3QqmDTEBZ2kJFYeNQc59L0ncW22CnJItDIuE=",
|
||||
"ref": "synapse",
|
||||
"rev": "e22501799b2409b9c1db340a25acadc5ff730e4c",
|
||||
"revCount": 2473,
|
||||
"type": "git",
|
||||
"url": "https://git.clan.lol/clan/clan-core"
|
||||
},
|
||||
"original": {
|
||||
"ref": "synapse",
|
||||
"type": "git",
|
||||
"url": "https://git.clan.lol/clan/clan-core"
|
||||
}
|
||||
|
@ -39,11 +40,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711588700,
|
||||
"narHash": "sha256-vBB5HoQVnA6c/UrDOhLXKAahEwSRccw2YXYHxD7qoi4=",
|
||||
"lastModified": 1712356478,
|
||||
"narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "502241afa3de2a24865ddcbe4c122f4546e32092",
|
||||
"rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -59,11 +60,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712356478,
|
||||
"narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
|
||||
"lastModified": 1712798444,
|
||||
"narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
|
||||
"rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -94,11 +95,11 @@
|
|||
},
|
||||
"nixlib": {
|
||||
"locked": {
|
||||
"lastModified": 1711241261,
|
||||
"narHash": "sha256-knrTvpl81yGFHIpm1SsLDApe0thFkw1cl3ISAMPmP/0=",
|
||||
"lastModified": 1711846064,
|
||||
"narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixpkgs.lib",
|
||||
"rev": "b2a1eeef8c185f6bd27432b053ff09d773244cbc",
|
||||
"rev": "90b1a963ff84dc532db92f678296ff2499a60a87",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -116,11 +117,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711626141,
|
||||
"narHash": "sha256-0qV1pHeIyUZ18cp8ijQnMf7uV+Uk4+UqTCC6yGSGWvk=",
|
||||
"lastModified": 1712191720,
|
||||
"narHash": "sha256-xXtSSnVHURHsxLQO30dzCKW5NJVGV/umdQPmFjPFMVA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-generators",
|
||||
"rev": "63194fceafbfe583a9eb7d16ab499adc0a6c0bc2",
|
||||
"rev": "0c15e76bed5432d7775a22e8d22059511f59d23a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -131,11 +132,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1712482522,
|
||||
"narHash": "sha256-Ai/xNgZpbwGcw0TSXwEPwwbPi8Iu906sB9M9z3o6UgA=",
|
||||
"lastModified": 1712849433,
|
||||
"narHash": "sha256-flQtf/ZPJgkLY/So3Fd+dGilw2DKIsiwgMEn7BbBHL0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "efe8ce06ca261f370d672def5b1e0be300c726e1",
|
||||
"rev": "f173d0881eff3b21ebb29a2ef8bedbc106c86ea5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -164,11 +165,11 @@
|
|||
"nixpkgs-stable": []
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712458908,
|
||||
"narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=",
|
||||
"lastModified": 1712617241,
|
||||
"narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6",
|
||||
"rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -184,11 +185,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712191870,
|
||||
"narHash": "sha256-+MzSZ4IuZNT4QJS8b+gM48thfWkrJ7vL4NV5zG8Lqx8=",
|
||||
"lastModified": 1712882618,
|
||||
"narHash": "sha256-TnVDEMpOrOEKhgVMQmkamKVRkQWz3Q4lYgtTnD8G0CQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "srvos",
|
||||
"rev": "ddafe2fd3547f63e6bf75b6e1a99ecfa61c59687",
|
||||
"rev": "4f89af165fde1454cb917a5f23e1f82d32541d38",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
10
flake.nix
10
flake.nix
|
@ -1,10 +1,10 @@
|
|||
{
|
||||
description = "Dependencies to deploy a clan";
|
||||
|
||||
nixConfig = {
|
||||
extra-substituters = [ "https://cache.clan.lol" ];
|
||||
extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||
};
|
||||
#nixConfig = {
|
||||
# extra-substituters = [ "https://cache.clan.lol" ];
|
||||
# extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||
#};
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
|
@ -24,7 +24,7 @@
|
|||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
clan-core.url = "git+https://git.clan.lol/clan/clan-core";
|
||||
clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";
|
||||
clan-core.inputs.flake-parts.follows = "flake-parts";
|
||||
clan-core.inputs.nixpkgs.follows = "nixpkgs";
|
||||
clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
|
||||
|
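Review bot: `clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";` makes main track a feature branch, so although flake.lock pins the current rev, the next `nix flake update` will pull whatever that branch then holds, and the input stops resolving if the branch is deleted after it is merged. The commit title calls the migration half-finished, so record the intent next to the line, e.g. `# TODO: drop ?ref=synapse once matrix-synapse lands on clan-core main`. The first hunk also leaves the `nixConfig` block as commented-out code with no reason given; either delete it or add a one-line comment saying why the cache.clan.lol substituter and its trusted public key are disabled. This takes the second line of each printed pair as the new side, which the `"ref": "synapse"` entry under `original` in flake.lock supports.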
|
|
@ -2,12 +2,12 @@
|
|||
imports = [
|
||||
./borgbackup.nix
|
||||
./clan-merge.nix
|
||||
./dendrite.nix
|
||||
./gitea
|
||||
./harmonia.nix
|
||||
./homepage.nix
|
||||
./postfix.nix
|
||||
./jobs.nix
|
||||
./matrix-synapse.nix
|
||||
../dev.nix
|
||||
self.inputs.clan-core.clanModules.zt-tcp-relay
|
||||
];
|
||||
|
|
|
@ -1,147 +0,0 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
database = {
|
||||
connection_string = "postgres:///dendrite?host=/run/postgresql";
|
||||
max_open_conns = 100;
|
||||
max_idle_conns = 5;
|
||||
conn_max_lifetime = -1;
|
||||
};
|
||||
inherit (config.services.dendrite.settings.global) server_name;
|
||||
domain = "clan.lol";
|
||||
nginx-vhost = "matrix.${domain}";
|
||||
element-web =
|
||||
pkgs.runCommand "element-web-with-config"
|
||||
{
|
||||
nativeBuildInputs = [ pkgs.buildPackages.jq ];
|
||||
} ''
|
||||
cp -r ${pkgs.element-web} $out
|
||||
chmod -R u+w $out
|
||||
jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
|
||||
> $out/config.json < ${pkgs.element-web}/config.json
|
||||
ln -s $out/config.json $out/config.${nginx-vhost}.json
|
||||
'';
|
||||
in
|
||||
{
|
||||
services.dendrite = {
|
||||
enable = true;
|
||||
httpPort = 8043;
|
||||
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
|
||||
|
||||
# To create a user:
|
||||
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
|
||||
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
|
||||
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
|
||||
environmentFile = config.sops.secrets.registration-secret.path;
|
||||
|
||||
settings = {
|
||||
sync_api.search = {
|
||||
enabled = true;
|
||||
index_path = "/var/lib/dendrite/searchindex";
|
||||
};
|
||||
global = {
|
||||
server_name = domain;
|
||||
# `private_key` has the type `path`
|
||||
# prefix a `/` to make `path` happy
|
||||
private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
|
||||
trusted_third_party_id_servers = [
|
||||
"matrix.org"
|
||||
"vector.im"
|
||||
];
|
||||
metrics.enabled = true;
|
||||
};
|
||||
logging = [
|
||||
{
|
||||
type = "std";
|
||||
level = "warn";
|
||||
}
|
||||
];
|
||||
app_service_api = {
|
||||
inherit database;
|
||||
config_files = [ ];
|
||||
};
|
||||
client_api = {
|
||||
registration_disabled = true;
|
||||
rate_limiting.enabled = false;
|
||||
registration_shared_secret = ''''${REGISTRATION_SHARED_SECRET}'';
|
||||
};
|
||||
media_api = {
|
||||
inherit database;
|
||||
dynamic_thumbnails = true;
|
||||
};
|
||||
room_server = {
|
||||
inherit database;
|
||||
};
|
||||
push_server = {
|
||||
inherit database;
|
||||
};
|
||||
relay_api = {
|
||||
inherit database;
|
||||
};
|
||||
mscs = {
|
||||
inherit database;
|
||||
mscs = [ "msc2836" "msc2946" ];
|
||||
};
|
||||
sync_api = {
|
||||
inherit database;
|
||||
real_ip_header = "X-Real-IP";
|
||||
};
|
||||
key_server = {
|
||||
inherit database;
|
||||
};
|
||||
federation_api = {
|
||||
inherit database;
|
||||
key_perspectives = [
|
||||
{
|
||||
server_name = "matrix.org";
|
||||
keys = [
|
||||
{
|
||||
key_id = "ed25519:auto";
|
||||
public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
|
||||
}
|
||||
{
|
||||
key_id = "ed25519:a_RXGa";
|
||||
public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
prefer_direct_fetch = false;
|
||||
};
|
||||
user_api = {
|
||||
account_database = database;
|
||||
device_database = database;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.dendrite.serviceConfig.LoadCredential = [
|
||||
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
|
||||
"matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
|
||||
];
|
||||
|
||||
systemd.services.dendrite.after = [ "postgresql.service" ];
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "dendrite" ];
|
||||
ensureUsers = [{
|
||||
name = "dendrite";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${nginx-vhost} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_read_timeout 600;
|
||||
'';
|
||||
locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
|
||||
# for remote admin access
|
||||
locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
|
||||
locations."/".root = element-web;
|
||||
};
|
||||
}
|
|
@ -26,7 +26,7 @@
|
|||
forceSSL = true;
|
||||
enableACME = true;
|
||||
# to be deployed via rsync
|
||||
root = "/var/www";
|
||||
root = "/var/www/clan.lol";
|
||||
extraConfig = ''
|
||||
charset utf-8;
|
||||
source_charset utf-8;
|
||||
|
|
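--- /dev/null
+++ b/modules/web01/matrix-synapse.nix
@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+imports = [ self.inputs.clan-core.clanModules.matrix-synapse ];
+clan.matrix-synapse.enable = true;
+clan.matrix-synapse.domain = "clan.lol";
+}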
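Review bot: This file has no comment saying what `clanModules.matrix-synapse` provisions. With only `enable` and `domain` set, everything the removed dendrite configuration spelled out (`registration_disabled = true`, the `forceSSL`/`enableACME` nginx vhost, the `LoadCredential` wiring for the server key) now depends on that module's defaults. The module is taken from the `synapse` branch of clan-core pinned in flake.lock, so those defaults are not visible in this commit and should be confirmed before deploying. A header comment would help the next reader, for example `# All homeserver settings come from clan-core's matrix-synapse module; see that module for registration, TLS and secret handling.`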
|
@ -0,0 +1 @@
|
|||
../../../machines/web01
|
24
sops/secrets/web01-synapse-registration_shared_secret/secret
Normal file
24
sops/secrets/web01-synapse-registration_shared_secret/secret
Normal file
|
@ -0,0 +1,24 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:WiZs10+sI+bNAwM4pVvIgpCkLF+2xStvOzKE3U2P4TmVGFu4GN3xf3oh1hbaM1wFBVXs9BCvXsFn23ja6w==,iv:9rvQ7cEelvD+i2n7vFWFmmWgbhCdk9UsUkOMh2wrnXk=,tag:u/DKSOhKyVXHwzA8lLlJow==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": [
|
||||
{
|
||||
"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6RGdKOTF6RVdqQ2t1allZ\nckxuTUx0T1o0LzhiTUdpeTFVb0RjWnJHaW5RCitwWDNBVlZIT0ZORkt4dHRDTWpM\nd3dENW01T01Pa2F6RUxocGliSXpvOEUKLS0tIHQwMDZuUjJjZHBOd3o4TDNXWDF3\nSmZ3TkhzYXpta2I5MjYrRDNTclBFT00KcqGkVoI8aIAEr/5W2U1KXef4e8fl6nmZ\nzC5ZZcx3lQhvjHIHzEvFIVVSGKO+6qEB/boGxRtslkX9dZMRgoqNlg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
},
|
||||
{
|
||||
"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
|
||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VVoySlc2dzBOdEVOUVRK\neC9VbGZpS2VHWWxzV2FPUWVDaE9HV1VZWUIwCkxrZzdoRTNkc1NSOHMvQVRLVjVo\nUllQU1Jia1VRcXZmWXZlZE1IbkRDUjQKLS0tIFkyQ1QwdEt0TndwdjA3VTBqdjhR\nTUxyV3RjUVhRSER0U2NrYy84R2ZBM1kKk4mDrYMD0izfhXx9k0Vqj/2TjjH8YJOT\nKL+AMnUtB843H5EUQH/OLKfaf6N2kl2/UHcFWZQd5Z23kwZ2NNOzDg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||
}
|
||||
],
|
||||
"lastmodified": "2024-04-04T16:03:10Z",
|
||||
"mac": "ENC[AES256_GCM,data:naOhP4Q6AhGH0pUWPab1CiIF/6BU2lxa4e7pqfjx46zmu7M31Ia9Xh5GLf0YOuidsHi/QwGPL3+t5EMBaVZN0rVGgGuGEFz4IqJxWskRDWwM9kggxvKfiRJjMxY3gVsXhkKjpMVBTcNNOBgVPf/cbREMkL9QpQjncMIkQYFbQS8=,iv:wGdKkjuRAOZYfJJsDv5F5KzBo5yPeYvx5UHG1i3Chx8=,tag:OYKF5j3znT3SmLSN9imPsg==,type:str]",
|
||||
"pgp": null,
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.8.1"
|
||||
}
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
../../../users/joerg
|