102 lines
3.8 KiB
Nix
102 lines
3.8 KiB
Nix
{
|
|
config,
|
|
secrets,
|
|
...
|
|
}: {
|
|
# https://element-hq.github.io/synapse/latest/
|
|
# https://nixos.org/manual/nixos/stable/#module-services-matrix
|
|
# https://wiki.nixos.org/wiki/Matrix
|
|
# https://federationtester.matrix.org
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
# https://element-hq.github.io/synapse/latest/usage/configuration/index.html
|
|
settings = {
|
|
# The server_name name appears at the end of usernames and room addresses
|
|
# created on the server. It should NOT be a matrix-specific subdomain
|
|
# such as matrix.example.com.
|
|
# Caddy *does* however serve synapse on matrix.vkristensen.dk (rather
|
|
# than vkristensen.dk directly). This is done through /.well-known/matrix delegation:
|
|
# https://element-hq.github.io/synapse/latest/delegate.html.
|
|
server_name = "vkristensen.dk";
|
|
# The public-facing base URL that clients use to access this Homeserver.
|
|
# This is the same URL a user might enter into the 'Custom Homeserver
|
|
# URL' field on their client. If you use Synapse with a reverse proxy,
|
|
# this should be the URL to reach Synapse via the proxy.
|
|
public_baseurl = "https://matrix.vkristensen.dk";
|
|
listeners = [
|
|
{
|
|
port = 8008;
|
|
type = "http";
|
|
tls = false;
|
|
x_forwarded = true;
|
|
resources = [
|
|
{
|
|
# Enable client-server and server-server APIs
|
|
names = ["client" "federation"];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
# Disable trusting signing keys from matrix.org (the default). If set to
|
|
# the empty array, then Synapse will request the keys directly from the
|
|
# server that owns the keys.
|
|
# TODO: This is disabled (so we implicitly trust matrix.org) since,
|
|
# apparently, the matrix protocol isn't distributed at all and nothing
|
|
# works if you don't do this.
|
|
# trusted_key_servers = [];
|
|
# The public URIs of the TURN server to give to clients.
|
|
# https://element-hq.github.io/synapse/latest/turn-howto.html
|
|
turn_uris = ["turn:turn.matrix.org?transport=udp" "turn:turn.matrix.org?transport=tcp"];
|
|
turn_shared_secret = "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons";
|
|
};
|
|
};
|
|
|
|
# https://github.com/matrix-org/sliding-sync
|
|
services.matrix-sliding-sync = {
|
|
# Unlike matrix-synapse, sliding-sync has createDatabase=true by default,
|
|
# which means we don't have to configure the database in the postgres
|
|
# service manually.
|
|
enable = true;
|
|
settings.SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl;
|
|
environmentFile = config.age.secrets.matrix-sliding-sync-environment-file.path;
|
|
};
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [
|
|
# matrix-synapse expects the database to have the options `LC_COLLATE`
|
|
# and `LC_CTYPE` set to `C`, which basically instructs postgres to
|
|
# ignore any locale-based preferences. Do this manually.
|
|
# https://github.com/NixOS/nixpkgs/commit/8be61f7a36f403c15e1a242e129be7375aafaa85
|
|
"matrix-synapse"
|
|
];
|
|
ensureUsers = [
|
|
# If the database user name equals the connecting system user name,
|
|
# postgres by default will accept a passwordless connection via unix
|
|
# domain socket. This makes it possible to run many postgres-backed
|
|
# services without creating any database secrets at all.
|
|
{
|
|
name = "matrix-synapse";
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
environment.persistence."/nix/persist" = {
|
|
directories = [
|
|
{
|
|
directory = "/var/lib/matrix-synapse";
|
|
user = "matrix-synapse";
|
|
group = "matrix-synapse";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
};
|
|
|
|
age.secrets.matrix-sliding-sync-environment-file = {
|
|
file = "${secrets}/secrets/matrix-sliding-sync-environment-file.age";
|
|
mode = "400";
|
|
owner = "root";
|
|
group = "root";
|
|
};
|
|
}
|