From 2c97e3150eeef0ea16d2c111c50adac6c47fdc2f Mon Sep 17 00:00:00 2001 From: "Casper V. Kristensen" Date: Fri, 31 May 2024 11:42:39 +0200 Subject: [PATCH] matrix synapse --- hosts/sigma/acme.nix | 7 +++++ hosts/sigma/default.nix | 2 ++ hosts/sigma/matrix.nix | 57 ++++++++++++++++++++++++++++++++++++++ hosts/sigma/postgresql.nix | 51 ++++++++++++++++++++++++++++++++++ modules/borg.nix | 2 ++ 5 files changed, 119 insertions(+) create mode 100644 hosts/sigma/matrix.nix create mode 100644 hosts/sigma/postgresql.nix diff --git a/hosts/sigma/acme.nix b/hosts/sigma/acme.nix index 4422569..18eb539 100644 --- a/hosts/sigma/acme.nix +++ b/hosts/sigma/acme.nix @@ -18,6 +18,13 @@ ]; group = lib.mkForce "acme"; }; + "vkristensen.dk" = { + extraDomainNames = ["*.vkristensen.dk"]; + reloadServices = [ + "caddy.service" + ]; + group = lib.mkForce "acme"; + }; }; users.groups.acme.members = [ "caddy" diff --git a/hosts/sigma/default.nix b/hosts/sigma/default.nix index a6a7a75..b6aad58 100644 --- a/hosts/sigma/default.nix +++ b/hosts/sigma/default.nix @@ -12,8 +12,10 @@ ./hardware.nix ./jellyfin.nix ./mail.nix + ./matrix.nix ./memos.nix ./network.nix + ./postgresql.nix ./samba.nix ./sonarr.nix ./syncthing.nix diff --git a/hosts/sigma/matrix.nix b/hosts/sigma/matrix.nix new file mode 100644 index 0000000..27dbd1f --- /dev/null +++ b/hosts/sigma/matrix.nix 
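Review bot: The new `"vkristensen.dk"` certificate adds `*.vkristensen.dk` to `extraDomainNames`, and a wildcard name can only be issued through the DNS-01 challenge, yet nothing in this hunk sets `dnsProvider`, `credentialsFile` or `dnsResolver`; if those are not inherited from `security.acme.defaults` outside the hunk, issuance fails at runtime rather than at build time, so it is worth confirming before relying on the cert. A wildcard private key handed to `caddy` through the shared `acme` group also covers every future subdomain, which widens the blast radius of a Caddy compromise beyond the per-host certs above it; a short comment such as `# wildcard via DNS-01; the key is shared with caddy through the acme group` next to the entry would make that trade-off explicit.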
@@ -0,0 +1,57 @@
+{...}: {
+ # https://element-hq.github.io/synapse/latest/
+ # https://nixos.org/manual/nixos/stable/#module-services-matrix
+ # https://wiki.nixos.org/wiki/Matrix
+ # https://federationtester.matrix.org
+ services.matrix-synapse = {
+ enable = true;
+ # https://element-hq.github.io/synapse/latest/usage/configuration/index.html
+ settings = {
+ # The server_name name appears at the end of usernames and room addresses
+ # created on the server. It should NOT be a matrix-specific subdomain
+ # such as matrix.example.com.
+ # Caddy *does* however serve synapse on matrix.vkristensen.dk (rather
+ # than vkristensen.dk directly). This is done through /.well-known/matrix delegation:
+ # https://element-hq.github.io/synapse/latest/delegate.html.
+ server_name = "vkristensen.dk";
+ # The public-facing base URL that clients use to access this Homeserver.
+ # This is the same URL a user might enter into the 'Custom Homeserver
+ # URL' field on their client. If you use Synapse with a reverse proxy,
+ # this should be the URL to reach Synapse via the proxy.
+ public_baseurl = "https://matrix.vkristensen.dk";
+ listeners = [
+ {
+ port = 8008;
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ # Enable client-server and server-server APIs
+ names = ["client" "federation"];
+ }
+ ];
+ }
+ ];
+ # Disable trusting signing keys from matrix.org (the default). If set to
+ # the empty array, then Synapse will request the keys directly from the
+ # server that owns the keys.
+ trusted_key_servers = [];
+ # The public URIs of the TURN server to give to clients.
+ # https://element-hq.github.io/synapse/latest/turn-howto.html
+ turn_uris = ["turn:turn.matrix.org?transport=udp" "turn:turn.matrix.org?transport=tcp"];
+ turn_shared_secret = "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons";
+ };
+ };
+
+ environment.persistence."/nix/persist" = {
+ directories = [
+ {
+ directory = "/var/lib/matrix-synapse";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ ];
+ };
+}
diff --git a/hosts/sigma/postgresql.nix b/hosts/sigma/postgresql.nix
new file mode 100644
index 0000000..80b4a66
--- /dev/null
+++ b/hosts/sigma/postgresql.nix
@@ -0,0 +1,51 @@
+{pkgs, ...}: {
+ # https://nixos.org/manual/nixos/stable/#module-postgresql
+ # https://wiki.nixos.org/wiki/PostgreSQL
+ # > sudo -u postgres psql
+ services.postgresql = {
+ enable = true;
+ # https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading
+ package = pkgs.postgresql_16;
+ ensureDatabases = [
+ "matrix-synapse"
+ ];
+ ensureUsers = [
+ # If the database user name equals the connecting system user name,
+ # postgres by default will accept a passwordless connection via unix
+ # domain socket. This makes it possible to run many postgres-backed
+ # services without creating any database secrets at all.
+ {
+ name = "matrix-synapse";
+ ensureDBOwnership = true;
+ }
+ ];
+ initialScript = pkgs.writeText "init.sql" ''
+ # https://github.com/NixOS/nixpkgs/commit/8be61f7a36f403c15e1a242e129be7375aafaa85
+ CREATE DATABASE "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.postgresqlBackup = {
+ enable = true;
+ };
+
+ environment.persistence."/nix/persist" = {
+ directories = [
+ {
+ directory = "/var/lib/postgresql";
+ user = "postgres";
+ group = "postgres";
+ mode = "0750";
+ }
+ {
+ directory = "/var/backup/postgresql";
+ user = "postgres";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+ };
+}
diff --git a/modules/borg.nix b/modules/borg.nix
index c999192..29cf983 100644
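Review bot: `turn_shared_secret` is placed under `settings`, and everything in `settings` is rendered into the generated homeserver.yaml in the world-readable Nix store (and lives in git history), so the moment a real value replaces this placeholder it is exposed to every local user and to anyone who can read the repository. Keep the secret out of `settings` and instead set `services.matrix-synapse.extraConfigFiles = [ "/run/secrets/synapse-extra.yaml" ];` pointing at a root-only YAML file that contains just `turn_shared_secret: …` (provisioned by whatever secret manager the host uses); the module passes such files to Synapse at runtime without copying them into the store. Separately, `turn.matrix.org` is matrix.org's own TURN server, whose shared secret is not available to this deployment, so clients will be handed TURN URIs they can never authenticate to — either run a local one (`services.coturn`) or drop `turn_uris` and `turn_shared_secret` until you do. `x_forwarded = true` is only safe while port 8008 is reachable solely from Caddy; the hunk sets no `bind_addresses`, so it presumably relies on the module's loopback default, which is worth confirming with a comment on the listener.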
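Review bot: The `# https://github.com/NixOS/nixpkgs/commit/…` line inside `initialScript` is not a comment in SQL (PostgreSQL only understands `--` and `/* */`), so psql reports a syntax error for the whole statement up to the `;` and the `CREATE DATABASE "matrix-synapse" … LC_COLLATE = "C" LC_CTYPE = "C"` never runs. `ensureDatabases` will then create `matrix-synapse` with the cluster's default locale, and Synapse's startup check refuses a database whose collation/ctype is not `C` unless `allow_unsafe_locale` is set; because psql continues past the error by default, the only trace is a line in the postgresql journal on first initialisation, which is easy to miss. Change the line to `-- https://github.com/NixOS/nixpkgs/commit/8be61f7a36f403c15e1a242e129be7375aafaa85` (or move the URL into a Nix `#` comment above `initialScript`). Note that `initialScript` only runs when the cluster is first created, so a cluster already persisted under `/var/lib/postgresql` would need the database recreated by hand.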
--- a/modules/borg.nix +++ b/modules/borg.nix @@ -95,6 +95,8 @@ "! /srv/torrents" "! /var/lib/containers/overlay*" "! /var/lib/docker/overlay2" + # postgres databases are dumped to /var/backup/postgresql by services.postgresqlBackup + "! /var/lib/postgresql" "- *.tmp" "! /home/*/Android/Sdk"