Merge pull request 'half-finished migration to synapse' (#157) from Mic92-main into main

flake.lock

@@ -18,15 +18,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1712517122,
-        "narHash": "sha256-ynjRTeXDICFXYbcMdZfl9t7TD0d9RoNzMIq14WmZl0E=",
-        "ref": "refs/heads/main",
-        "rev": "d89edef9a1943cbf0150fd70cde25015161410a7",
-        "revCount": 2433,
+        "lastModified": 1712910239,
+        "narHash": "sha256-0Iu86fs3QqmDTEBZ2kJFYeNQc59L0ncW22CnJItDIuE=",
+        "ref": "synapse",
+        "rev": "e22501799b2409b9c1db340a25acadc5ff730e4c",
+        "revCount": 2473,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
       "original": {
+        "ref": "synapse",
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       }
@@ -39,11 +40,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711588700,
-        "narHash": "sha256-vBB5HoQVnA6c/UrDOhLXKAahEwSRccw2YXYHxD7qoi4=",
+        "lastModified": 1712356478,
+        "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "502241afa3de2a24865ddcbe4c122f4546e32092",
+        "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
         "type": "github"
       },
       "original": {
@@ -59,11 +60,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712356478,
-        "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
+        "lastModified": 1712798444,
+        "narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
+        "rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d",
         "type": "github"
       },
       "original": {
@@ -94,11 +95,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1711241261,
-        "narHash": "sha256-knrTvpl81yGFHIpm1SsLDApe0thFkw1cl3ISAMPmP/0=",
+        "lastModified": 1711846064,
+        "narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "b2a1eeef8c185f6bd27432b053ff09d773244cbc",
+        "rev": "90b1a963ff84dc532db92f678296ff2499a60a87",
         "type": "github"
       },
       "original": {
@@ -116,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711626141,
-        "narHash": "sha256-0qV1pHeIyUZ18cp8ijQnMf7uV+Uk4+UqTCC6yGSGWvk=",
+        "lastModified": 1712191720,
+        "narHash": "sha256-xXtSSnVHURHsxLQO30dzCKW5NJVGV/umdQPmFjPFMVA=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "63194fceafbfe583a9eb7d16ab499adc0a6c0bc2",
+        "rev": "0c15e76bed5432d7775a22e8d22059511f59d23a",
         "type": "github"
       },
       "original": {
@@ -131,11 +132,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712482522,
-        "narHash": "sha256-Ai/xNgZpbwGcw0TSXwEPwwbPi8Iu906sB9M9z3o6UgA=",
+        "lastModified": 1712849433,
+        "narHash": "sha256-flQtf/ZPJgkLY/So3Fd+dGilw2DKIsiwgMEn7BbBHL0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "efe8ce06ca261f370d672def5b1e0be300c726e1",
+        "rev": "f173d0881eff3b21ebb29a2ef8bedbc106c86ea5",
         "type": "github"
       },
       "original": {
@@ -164,11 +165,11 @@
         "nixpkgs-stable": []
       },
       "locked": {
-        "lastModified": 1712458908,
-        "narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=",
+        "lastModified": 1712617241,
+        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6",
+        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
         "type": "github"
       },
       "original": {
@@ -184,11 +185,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712191870,
-        "narHash": "sha256-+MzSZ4IuZNT4QJS8b+gM48thfWkrJ7vL4NV5zG8Lqx8=",
+        "lastModified": 1712882618,
+        "narHash": "sha256-TnVDEMpOrOEKhgVMQmkamKVRkQWz3Q4lYgtTnD8G0CQ=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "ddafe2fd3547f63e6bf75b6e1a99ecfa61c59687",
+        "rev": "4f89af165fde1454cb917a5f23e1f82d32541d38",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,10 +1,10 @@
 {
   description = "Dependencies to deploy a clan";
 
-  nixConfig = {
-    extra-substituters = [ "https://cache.clan.lol" ];
-    extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
-  };
+  #nixConfig = {
+  #  extra-substituters = [ "https://cache.clan.lol" ];
+  #  extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
+  #};
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
@@ -24,7 +24,7 @@
     # Use the version of nixpkgs that has been tested to work with SrvOS
     srvos.inputs.nixpkgs.follows = "nixpkgs";
 
-    clan-core.url = "git+https://git.clan.lol/clan/clan-core";
+    clan-core.url = "git+https://git.clan.lol/clan/clan-core?ref=synapse";
     clan-core.inputs.flake-parts.follows = "flake-parts";
     clan-core.inputs.nixpkgs.follows = "nixpkgs";
     clan-core.inputs.treefmt-nix.follows = "treefmt-nix";

modules/web01/default.nix

@@ -2,12 +2,12 @@
   imports = [
     ./borgbackup.nix
     ./clan-merge.nix
-    ./dendrite.nix
     ./gitea
     ./harmonia.nix
     ./homepage.nix
     ./postfix.nix
     ./jobs.nix
+    ./matrix-synapse.nix
     ../dev.nix
     self.inputs.clan-core.clanModules.zt-tcp-relay
   ];

modules/web01/dendrite.nix

@@ -1,147 +0,0 @@
-{ config
-, pkgs
-, ...
-}:
-let
-  database = {
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
-    max_open_conns = 100;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-  inherit (config.services.dendrite.settings.global) server_name;
-  domain = "clan.lol";
-  nginx-vhost = "matrix.${domain}";
-  element-web =
-    pkgs.runCommand "element-web-with-config"
-      {
-        nativeBuildInputs = [ pkgs.buildPackages.jq ];
-      } ''
-      cp -r ${pkgs.element-web} $out
-      chmod -R u+w $out
-      jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
-        > $out/config.json < ${pkgs.element-web}/config.json
-      ln -s $out/config.json $out/config.${nginx-vhost}.json
-    '';
-in
-{
-  services.dendrite = {
-    enable = true;
-    httpPort = 8043;
-    # $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
-
-    # To create a user:
-    # $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
-    # $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
-    # $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
-    environmentFile = config.sops.secrets.registration-secret.path;
-
-    settings = {
-      sync_api.search = {
-        enabled = true;
-        index_path = "/var/lib/dendrite/searchindex";
-      };
-      global = {
-        server_name = domain;
-        # `private_key` has the type `path`
-        # prefix a `/` to make `path` happy
-        private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
-        trusted_third_party_id_servers = [
-          "matrix.org"
-          "vector.im"
-        ];
-        metrics.enabled = true;
-      };
-      logging = [
-        {
-          type = "std";
-          level = "warn";
-        }
-      ];
-      app_service_api = {
-        inherit database;
-        config_files = [ ];
-      };
-      client_api = {
-        registration_disabled = true;
-        rate_limiting.enabled = false;
-        registration_shared_secret = ''''${REGISTRATION_SHARED_SECRET}'';
-      };
-      media_api = {
-        inherit database;
-        dynamic_thumbnails = true;
-      };
-      room_server = {
-        inherit database;
-      };
-      push_server = {
-        inherit database;
-      };
-      relay_api = {
-        inherit database;
-      };
-      mscs = {
-        inherit database;
-        mscs = [ "msc2836" "msc2946" ];
-      };
-      sync_api = {
-        inherit database;
-        real_ip_header = "X-Real-IP";
-      };
-      key_server = {
-        inherit database;
-      };
-      federation_api = {
-        inherit database;
-        key_perspectives = [
-          {
-            server_name = "matrix.org";
-            keys = [
-              {
-                key_id = "ed25519:auto";
-                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-              }
-              {
-                key_id = "ed25519:a_RXGa";
-                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
-              }
-            ];
-          }
-        ];
-        prefer_direct_fetch = false;
-      };
-      user_api = {
-        account_database = database;
-        device_database = database;
-      };
-    };
-  };
-
-  systemd.services.dendrite.serviceConfig.LoadCredential = [
-    # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
-    "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
-  ];
-
-  systemd.services.dendrite.after = [ "postgresql.service" ];
-  services.postgresql = {
-    ensureDatabases = [ "dendrite" ];
-    ensureUsers = [{
-      name = "dendrite";
-      ensureDBOwnership = true;
-    }];
-  };
-
-  services.nginx.virtualHosts.${nginx-vhost} = {
-    forceSSL = true;
-    enableACME = true;
-    extraConfig = ''
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_read_timeout 600;
-    '';
-    locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
-    # for remote admin access
-    locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
-    locations."/".root = element-web;
-  };
-}

modules/web01/homepage.nix

@@ -26,7 +26,7 @@
       forceSSL = true;
       enableACME = true;
       # to be deployed via rsync
-      root = "/var/www";
+      root = "/var/www/clan.lol";
       extraConfig = ''
         charset utf-8;
         source_charset utf-8;

modules/web01/matrix-synapse.nix

@@ -0,0 +1,6 @@
+{ self, ... }:
+{
+  imports = [ self.inputs.clan-core.clanModules.matrix-synapse ];
+  clan.matrix-synapse.enable = true;
+  clan.matrix-synapse.domain = "clan.lol";
+}

sops/secrets/web01-synapse-registration_shared_secret/machines/web01

@@ -0,0 +1 @@
+../../../machines/web01

sops/secrets/web01-synapse-registration_shared_secret/secret

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:WiZs10+sI+bNAwM4pVvIgpCkLF+2xStvOzKE3U2P4TmVGFu4GN3xf3oh1hbaM1wFBVXs9BCvXsFn23ja6w==,iv:9rvQ7cEelvD+i2n7vFWFmmWgbhCdk9UsUkOMh2wrnXk=,tag:u/DKSOhKyVXHwzA8lLlJow==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6RGdKOTF6RVdqQ2t1allZ\nckxuTUx0T1o0LzhiTUdpeTFVb0RjWnJHaW5RCitwWDNBVlZIT0ZORkt4dHRDTWpM\nd3dENW01T01Pa2F6RUxocGliSXpvOEUKLS0tIHQwMDZuUjJjZHBOd3o4TDNXWDF3\nSmZ3TkhzYXpta2I5MjYrRDNTclBFT00KcqGkVoI8aIAEr/5W2U1KXef4e8fl6nmZ\nzC5ZZcx3lQhvjHIHzEvFIVVSGKO+6qEB/boGxRtslkX9dZMRgoqNlg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age17xuvz0fqtynzdmf8rfh4g3e46tx8w3mc6zgytrmuj5v9dhnldgxs7ue7ct",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VVoySlc2dzBOdEVOUVRK\neC9VbGZpS2VHWWxzV2FPUWVDaE9HV1VZWUIwCkxrZzdoRTNkc1NSOHMvQVRLVjVo\nUllQU1Jia1VRcXZmWXZlZE1IbkRDUjQKLS0tIFkyQ1QwdEt0TndwdjA3VTBqdjhR\nTUxyV3RjUVhRSER0U2NrYy84R2ZBM1kKk4mDrYMD0izfhXx9k0Vqj/2TjjH8YJOT\nKL+AMnUtB843H5EUQH/OLKfaf6N2kl2/UHcFWZQd5Z23kwZ2NNOzDg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-04-04T16:03:10Z",
+		"mac": "ENC[AES256_GCM,data:naOhP4Q6AhGH0pUWPab1CiIF/6BU2lxa4e7pqfjx46zmu7M31Ia9Xh5GLf0YOuidsHi/QwGPL3+t5EMBaVZN0rVGgGuGEFz4IqJxWskRDWwM9kggxvKfiRJjMxY3gVsXhkKjpMVBTcNNOBgVPf/cbREMkL9QpQjncMIkQYFbQS8=,iv:wGdKkjuRAOZYfJJsDv5F5KzBo5yPeYvx5UHG1i3Chx8=,tag:OYKF5j3znT3SmLSN9imPsg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}

sops/secrets/web01-synapse-registration_shared_secret/users/joerg

@@ -0,0 +1 @@
+../../../users/joerg