From 59cd29a3eeeefe43f101fb19cdaf125d1ff3dc38 Mon Sep 17 00:00:00 2001 From: schweby Date: Mon, 1 Feb 2021 16:20:08 +0100 Subject: [PATCH 01/11] hainich/matrix: init matrix & element --- hosts/parsons/configuration.nix | 1 + services/matrix-synapse.nix | 106 ++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 services/matrix-synapse.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index c41dfa0..7158eaa 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -21,6 +21,7 @@ ../../services/gitlab-runner.nix ../../services/unifi.nix ../../services/lantifa.nix + ../../services/matrix-synapse.nix ./lxc.nix ]; diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix new file mode 100644 index 0000000..dde8f7f --- /dev/null +++ b/services/matrix-synapse.nix 
@@ -0,0 +1,106 @@ +{config, lib, pkgs, ... }: +{ + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.nginx = { + enable = true; + # only recommendedProxySettings and recommendedGzipSettings are strictly required, + # but the rest make sense as well + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + # This host section can be placed on a different host than the rest, + # i.e. to delegate from the host being accessible as ${config.networking.domain} + # to another host actually running the Matrix homeserver. + "hacc.space" = { + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "matrix.hacc.space:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + + # Reverse proxy for Matrix client-server and server-server communication + "matrix.hacc.space" = { + enableACME = true; + forceSSL = true; + + # Or do a redirect instead of the 404, or whatever is appropriate for you. + # But do not put a Matrix Web client here! 
See the Element web section below. + locations."/".extraConfig = '' + return 404; + ''; + + # forward all Matrix API calls to the synapse Matrix homeserver + locations."/_matrix" = { + proxyPass = "http://[::1]:8008"; # without a trailing / + }; + }; + }; + }; + + services.matrix-synapse = { + enable = true; + server_name = "matrix.hacc.space"; + listeners = [ + { + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; + }; + + services.nginx.virtualHosts."element.matrix.hacc.space" = { + enableACME = true; + forceSSL = true; + serverAliases = [ + "element.hacc.space" + ]; + + root = pkgs.element-web.override { + conf = { + default_server_config."m.homeserver" = { + "base_url" = "matrix.hacc.space"; + "server_name" = "matrix.hacc.space"; + }; + }; + }; + }; +} From e15b205214da8e32ac306080f98a4f788c78c930 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 18 Mar 2021 22:50:18 +0100 Subject: [PATCH 02/11] Synapse/Element: Fixed the config. In brief: the example was missing a protocol specification. Also I just learnt that the element at app.element.io uses deprecated config options. Fun! --- services/matrix-synapse.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index dde8f7f..fcb61b2 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix @@ -1,4 +1,5 @@ {config, lib, pkgs, ... }: + { networking.firewall.allowedTCPPorts = [ 80 443 ]; 
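Review bot: `CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';` hard-codes a trivial password, and since `initialScript` is rendered with `pkgs.writeText` the SQL (password included) ends up world-readable in the Nix store. Synapse on NixOS normally reaches PostgreSQL over the local unix socket with peer authentication, so the password is not needed at all; `CREATE ROLE "matrix-synapse" WITH LOGIN;` (or `services.postgresql.ensureUsers`) is enough, and if a password is ever required it belongs in a file outside the store referenced via `extraConfigFiles`, with PostgreSQL kept off TCP password auth. Separately, the `"hacc.space"` vhost that serves both `/.well-known/matrix/*` documents has no `enableACME`/`forceSSL` here; clients and federating servers fetch those documents over HTTPS, so unless TLS for that host is configured in another module the delegation will not be honoured.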
@@ -69,7 +70,12 @@ services.matrix-synapse = { enable = true; - server_name = "matrix.hacc.space"; + server_name = "hacc.space"; + # TODO: this is horrible, and should probably be removed once everything's running + # so we won't have secrets in the nix store. + # + # I used this to test that the server works at all, and I've removed it again for now. + registration_shared_secret = ""; listeners = [ { port = 8008; @@ -93,14 +99,15 @@ serverAliases = [ "element.hacc.space" ]; - root = pkgs.element-web.override { conf = { default_server_config."m.homeserver" = { - "base_url" = "matrix.hacc.space"; + "base_url" = "https://matrix.hacc.space"; "server_name" = "matrix.hacc.space"; }; }; }; + + #locations."= /config.element.matrix.hacc.space.json".alias = element.outPath + "/config.json"; }; } From 1f9bbf4051bcc630066ed7f1d2dc9f17bd8cfda0 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 18 Mar 2021 23:01:41 +0100 Subject: [PATCH 03/11] synapse/element: nicer code layout for the config --- services/matrix-synapse.nix | 121 ++++++++++++++++-------------------- 1 file changed, 55 insertions(+), 66 deletions(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index fcb61b2..49151da 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
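Review bot: `registration_shared_secret = "";` is a misleading no-op: the comment above it says the secret has been removed, yet the option is still set, and anything assigned here is rendered by the module into a homeserver.yaml that lives in the world-readable Nix store, so this option is not a safe place for the real value either. Drop the line entirely (the option defaults to unset) and, when a shared secret is actually needed, put `registration_shared_secret: ...` in a YAML file outside the store and load it through `services.matrix-synapse.extraConfigFiles`. The commented-out `#locations."= /config.element.matrix.hacc.space.json".alias = ...` in the second hunk is dead code and should go too, or get a comment saying why it is kept.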
@@ -15,54 +15,70 @@ services.nginx = { enable = true; # only recommendedProxySettings and recommendedGzipSettings are strictly required, - # but the rest make sense as well + # but the rest make sense as well (according to the broken example from the manual) recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; virtualHosts = { + # This host section can be placed on a different host than the rest, - # i.e. to delegate from the host being accessible as ${config.networking.domain} - # to another host actually running the Matrix homeserver. + # i.e. to delegate from the host on which matrix / synapse actually run. + # This may make migration easier; in our case it's mostly added complexity. "hacc.space" = { - locations."= /.well-known/matrix/server".extraConfig = - let - # use 443 instead of the default 8448 port to unite - # the client-server and server-server port for simplicity - server = { "m.server" = "matrix.hacc.space:443"; }; - in '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; + # see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client + # for documentation on what should be returned at these endpoints. + locations."= /.well-known/matrix/server".extraConfig = '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}'; + ''; + # this is to configure the nice default homeserver setting for our element web. 
locations."= /.well-known/matrix/client".extraConfig = - let - client = { - "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; - # ACAO required to allow element-web on any URL to request this json file - in '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; + let client = { + "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; }; - # Reverse proxy for Matrix client-server and server-server communication + + # this serves the actual matrix endpoint "matrix.hacc.space" = { enableACME = true; forceSSL = true; - # Or do a redirect instead of the 404, or whatever is appropriate for you. - # But do not put a Matrix Web client here! See the Element web section below. + # it is not recommended to have the actual element web interface on the same domain, + # cf. https://github.com/vector-im/element-web#separate-domains on this. locations."/".extraConfig = '' return 404; ''; - # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { - proxyPass = "http://[::1]:8008"; # without a trailing / + proxyPass = "http://[::1]:8008"; + }; + }; + + + # the element web client for our matrix server. + "element.matrix.hacc.space" = { + enableACME = true; + forceSSL = true; + serverAliases = [ + "element.hacc.space" + ]; + root = pkgs.element-web.override { + conf = { + # the base_url here must be identical to the one on hacc.space/.well-known above. + default_server_config."m.homeserver" = { + "base_url" = "https://matrix.hacc.space"; + "server_name" = "matrix.hacc.space"; + }; + }; }; }; }; 
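Review bot: The new comment `# the base_url here must be identical to the one on hacc.space/.well-known above.` is right about `base_url`, but the adjacent `"server_name" = "matrix.hacc.space";` does not match synapse's `server_name = "hacc.space"` set elsewhere in this file. Element's `default_server_config."m.homeserver"."server_name"` is the Matrix server name (the domain of user IDs such as `@user:hacc.space`), not the hostname of the reverse proxy, so it should read `"server_name" = "hacc.space";` — otherwise Element displays and suggests the wrong domain while the `base_url` still points at the right API. The `.well-known/matrix/client` document above also wires `m.identity_server` to `https://vector.im`; that is a deliberate third-party dependency and deserves a one-line comment saying so.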
@@ -71,43 +87,16 @@ services.matrix-synapse = { enable = true; server_name = "hacc.space"; - # TODO: this is horrible, and should probably be removed once everything's running - # so we won't have secrets in the nix store. - # - # I used this to test that the server works at all, and I've removed it again for now. - registration_shared_secret = ""; - listeners = [ - { - port = 8008; - bind_address = "::1"; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = false; - } - ]; - } - ]; - }; - - services.nginx.virtualHosts."element.matrix.hacc.space" = { - enableACME = true; - forceSSL = true; - serverAliases = [ - "element.hacc.space" - ]; - root = pkgs.element-web.override { - conf = { - default_server_config."m.homeserver" = { - "base_url" = "https://matrix.hacc.space"; - "server_name" = "matrix.hacc.space"; - }; - }; - }; - - #locations."= /config.element.matrix.hacc.space.json".alias = element.outPath + "/config.json"; + listeners = [ { + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" "federation" ]; + compress = false; + } ]; + } ]; }; } From 2c708c41179ca095a0b5ac3ad1235a34156413b8 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 25 Mar 2021 14:24:29 +0100 Subject: [PATCH 04/11] element: move from element.matrix.hacc.space to element.hacc.space --- services/matrix-synapse.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index 49151da..1b60a54 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
@@ -65,12 +65,9 @@ # the element web client for our matrix server. - "element.matrix.hacc.space" = { + "element.hacc.space" = { enableACME = true; forceSSL = true; - serverAliases = [ - "element.hacc.space" - ]; root = pkgs.element-web.override { conf = { # the base_url here must be identical to the one on hacc.space/.well-known above. From 4c6f13c68a88b322ae523ef3ba6880caf89a63e1 Mon Sep 17 00:00:00 2001 
From: stuebinm Date: Thu, 25 Mar 2021 14:39:25 +0100 Subject: [PATCH 05/11] synapse: add mail config (currently broken) tl;dr: mail config works, but on trying to send mail synapse gets rejected by postfix for using a too-old version of tls, as apparently tls in twisted (the python library used for mail in synapse) is just hardcoded to v1, which our postfix rejects. ``` postfix/smtpd[9737]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685: synapse[9211]: synapse.handlers.identity: [POST-41] Error sending threepid validation email to stuebinm@hacc.space Traceback (most recent call last): File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/handlers/identity.py", line 382, in send_threepid_validation await send_email_func(email_address, token, client_secret, session_id) File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/push/mailer.py", line 207, in send_add_threepid_mail await self.send_email( File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/push/mailer.py", line 349, in send_email await make_deferred_yieldable( twisted.mail._except.SMTPConnectError: Unable to connect to server. ``` This is a known issue [1], which should be fixed in the current version of twisted, which will be in the next version of synapse. [1] https://github.com/matrix-org/synapse/issues/6211 --- services/matrix-synapse.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index 1b60a54..5c2a209 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
@@ -84,6 +84,19 @@ services.matrix-synapse = { enable = true; server_name = "hacc.space"; + extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ]; + extraConfig = '' + public_baseurl: https://matrix.hacc.space + email: + smtp_host: mail.hacc.space + smtp_user: "noreply@infra4future.de" + smtp_port: 587 + notif_from: "Your Friendly %(app)s homeserver " + require_transport_security: true + enable_notifs: true + client_base_url: "https://element.hacc.space" + invite_client_location: "https://element.hacc.space" + ''; listeners = [ { port = 8008; bind_address = "::1"; From 1d5a9d74f08f4db5df59d60b4660c9a6c1e4c739 Mon Sep 17 00:00:00 2001 From: schweby Date: Thu, 25 Mar 2021 18:23:45 +0100 Subject: [PATCH 06/11] hainich/matrix: set some setting, miss others --- services/matrix-synapse.nix | 249 ++++++++++++++++++++++++++++++++++++ 1 file changed, 249 insertions(+) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index 5c2a209..fb16189 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
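Review bot: `notif_from: "Your Friendly %(app)s homeserver "` stops after the display name with no mailbox, so the From header of every notification mail would be malformed (if an `<address>` part was stripped when this patch was rendered, disregard); it should read `notif_from: "Your Friendly %(app)s homeserver <noreply@infra4future.de>"` or whichever address `smtp_user` is permitted to send as. `extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ]` is the right place for the SMTP password, but nothing in this change creates the file or constrains its permissions — add a comment (or a tmpfiles/deploy step) stating it must exist before synapse starts, owned by `matrix-synapse`, mode `0600`. `smtp_user` is an infra4future.de address while `smtp_host` is `mail.hacc.space`; if that is intentional, a short comment would save the next reader a question.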
@@ -96,6 +96,255 @@ enable_notifs: true client_base_url: "https://element.hacc.space" invite_client_location: "https://element.hacc.space" + enable_registration = true; + allow_guest_access = true; + admin_contact: 'mailto:admin@hacc.space' + web_client_location: https://element.hacc.space/ + public_baseurl: https://matrix.hacc.space/ + use_presence: false # uses lots of CPU for bacially nothing + limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis + allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs + default_room_version: "6" + + limit_usage_by_mau: false # disables max userer + mau_stats_only: false + + redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser + user_ips_max_age: 1d # ich will das Zeug gar nicht qq + + retention: + enabled: true + default_policy: + min_lifetime: 1d # does nothing + max_lifetime: 2w + allowed_lifetime_min: 1h + allowed_lifetime_max: 15w + purge_jobs: + - longest_max_lifetime: 1h + interval: 15m + - longest_max_lifetime: 1d + interval: 1h + - longest_max_lifetime: 3d + interval: 12h + - shortest_max_lifetime: 1w + interval: 1d + + + ## TLS ## + + # PEM-encoded X509 certificate for TLS. + # This certificate, as of Synapse 1.0, will need to be a valid and verifiable + # certificate, signed by a recognised Certificate Authority. + # + # See 'ACME support' below to enable auto-provisioning this certificate via + # Let's Encrypt. + # + # If supplying your own, be sure to use a `.pem` file that includes the + # full certificate chain including any intermediate certificates (for + # instance, if using certbot, use `fullchain.pem` as your certificate, + # not `cert.pem`). 
+ # + #tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" + + # PEM-encoded private key for TLS + # + #tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" + + # The minimum TLS version that will be used for outbound federation requests. + # + # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note + # that setting this value higher than `1.2` will prevent federation to most + # of the public Matrix network: only configure it to `1.3` if you have an + # entirely private federation setup and you can ensure TLS 1.3 support. + # + #federation_client_minimum_tls_version: 1.2 # also eigentlich will ich ja 1.3 und wieso zur hölle das nicht standard ist, keine Ahnung. Ich lass die Option mal drin, dass wir ran kommen, wenn 1.2 engültig broken ist + + acme: + # ACME support is disabled by default. Set this to `true` and uncomment + # tls_certificate_path and tls_private_key_path above to enable it. + # + enabled: false + + # Endpoint to use to request certificates. If you only want to test, + # use Let's Encrypt's staging url: + # https://acme-staging.api.letsencrypt.org/directory + # + #url: https://acme-v01.api.letsencrypt.org/directory + + # Port number to listen on for the HTTP-01 challenge. Change this if + # you are forwarding connections through Apache/Nginx/etc. + # + port: 80 + + # Local addresses to listen on for incoming connections. + # Again, you may want to change this if you are forwarding connections + # through Apache/Nginx/etc. + # + bind_addresses: ['::', '0.0.0.0'] + + # How many days remaining on a certificate before it is renewed. + # + reprovision_threshold: 30 + + # The domain that the certificate should be for. Normally this + # should be the same as your Matrix domain (i.e., 'server_name'), but, + # by putting a file at 'https:///.well-known/matrix/server', + # you can delegate incoming traffic to another server. If you do that, + # you should give the target of the delegation here. 
+ # + # For example: if your 'server_name' is 'example.com', but + # 'https://example.com/.well-known/matrix/server' delegates to + # 'matrix.example.com', you should put 'matrix.example.com' here. + # + # If not set, defaults to your 'server_name'. + # + domain: matrix.example.com + + # file to use for the account key. This will be generated if it doesn't + # exist. + # + # If unspecified, we will use CONFDIR/client.key. + # + account_key_file: DATADIR/acme_account.key + + + + ## Database ## + + # The 'database' setting defines the database that synapse uses to store all of + # its data. + # + # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or + # 'psycopg2' (for PostgreSQL). + # + # 'args' gives options which are passed through to the database engine, + # except for options starting 'cp_', which are used to configure the Twisted + # connection pool. For a reference to valid arguments, see: + # * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect + # * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS + # * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ + # + # + # Example SQLite configuration: + # + #database: + # name: sqlite3 + # args: + # database: /path/to/homeserver.db + # + # + # Example Postgres configuration: + # + #database: + # name: psycopg2 + # args: + # user: synapse_user + # password: secretpassword + # database: synapse + # host: localhost + # cp_min: 5 + # cp_max: 10 + # + # For more information on using Synapse with Postgres, see `docs/postgres.md`. 
+ # + #database: + # name: sqlite3 + # args: + # database: DATADIR/homeserver.db + + + + max_upload_size: 50M + max_image_pixels: 24M + url_preview_enabled: false # disabled, can leak urls of encrypted communication + + enable_registration: false + + auto_join_rooms: + - "#lobby:hacc.space" + auto_join_rooms_for_guests: true + + + enable_metrics: false + report_stats: false + + password_config: + policy: + enabled: true + minimum_length: 16 + + push: + include_content: false + group_unread_count_by_room: false + + encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms + + enable_group_creation: true + group_creation_prefix: "__" # groups created by non-admins start eith this prefix + + user_directory: + enabled: true + search_all_users: false + prefer_local_users: true + + + # User Consent configuration + # + # for detailed instructions, see + # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md + # + # Parts of this section are required if enabling the 'consent' resource under + # 'listeners', in particular 'template_dir' and 'version'. + # + # 'template_dir' gives the location of the templates for the HTML forms. + # This directory should contain one subdirectory per language (eg, 'en', 'fr'), + # and each language directory should contain the policy document (named as + # '.html') and a success page (success.html). + # + # 'version' specifies the 'current' version of the policy document. It defines + # the version to be served by the consent resource if there is no 'v' + # parameter. + # + # 'server_notice_content', if enabled, will send a user a "Server Notice" + # asking them to consent to the privacy policy. The 'server_notices' section + # must also be configured for this to work. Notices will *not* be sent to + # guest users unless 'send_server_notice_to_guests' is set to true. 
+ # + # 'block_events_error', if set, will block any attempts to send events + # until the user consents to the privacy policy. The value of the setting is + # used as the text of the error. + # + # 'require_at_registration', if enabled, will add a step to the registration + # process, similar to how captcha works. Users will be required to accept the + # policy before their account is created. + # + # 'policy_name' is the display name of the policy users will see when registering + # for an account. Has no effect unless `require_at_registration` is enabled. + # Defaults to "Privacy Policy". + # + #user_consent: + # template_dir: res/templates/privacy + # version: 1.0 + # server_notice_content: + # msgtype: m.text + # body: >- + # To continue using this homeserver you must review and agree to the + # terms and conditions at %(consent_uri)s + # send_server_notice_to_guests: true + # block_events_error: >- + # To continue using this homeserver you must review and agree to the + # terms and conditions at %(consent_uri)s + # require_at_registration: false + # policy_name: Privacy Policy + # + + stats: + enabled: true # disabling this apparently breaks the room directory + bucket_size: 1w + + + + "; ''; listeners = [ { port = 8008; From 42e1d2e99040e2cbe16758fd020c1ab8bbba44ec Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 25 Mar 2021 18:49:25 +0100 Subject: [PATCH 07/11] synapse: delete unnessary parts of the default config (i.e. those parts which are managable by nix, and a couple which were defined twice were deduplicated) --- services/matrix-synapse.nix | 135 ++---------------------------------- 1 file changed, 4 insertions(+), 131 deletions(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index fb16189..b840d74 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
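Review bot: `enable_registration = true;` and `allow_guest_access = true;` at the top of the added block are Nix syntax inside a YAML document, and the block ends with a stray `";` line before the closing `''`; either one makes Synapse reject homeserver.yaml at startup. `enable_registration` also reappears further down as `enable_registration: false`, so the intended value is ambiguous — state it once, as `enable_registration: true` in YAML or via the `services.matrix-synapse.enable_registration` option. While the TLS section is here, `#federation_client_minimum_tls_version: 1.2` should be uncommented: by the hunk's own comment the default of `1` still negotiates TLS 1.0 for outbound federation, and 1.2 is what the public network supports; the German remark beside it could become `# 1.3 would be preferable but is not yet widely supported in the federation`.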
@@ -96,11 +96,11 @@ enable_notifs: true client_base_url: "https://element.hacc.space" invite_client_location: "https://element.hacc.space" + enable_registration = true; allow_guest_access = true; admin_contact: 'mailto:admin@hacc.space' web_client_location: https://element.hacc.space/ - public_baseurl: https://matrix.hacc.space/ use_presence: false # uses lots of CPU for bacially nothing limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs 
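Review bot: The deduplication missed `enable_registration`: the new side of this hunk still carries `enable_registration = true;` (Nix syntax, which is not valid inside the YAML string) while `enable_registration: false` remains further down the same `extraConfig`. Keep exactly one YAML-valid entry, and add a comment stating which value is intended, since open registration is a security-relevant choice.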
@@ -129,136 +129,11 @@ - shortest_max_lifetime: 1w interval: 1d - - ## TLS ## - - # PEM-encoded X509 certificate for TLS. - # This certificate, as of Synapse 1.0, will need to be a valid and verifiable - # certificate, signed by a recognised Certificate Authority. - # - # See 'ACME support' below to enable auto-provisioning this certificate via - # Let's Encrypt. - # - # If supplying your own, be sure to use a `.pem` file that includes the - # full certificate chain including any intermediate certificates (for - # instance, if using certbot, use `fullchain.pem` as your certificate, - # not `cert.pem`). - # - #tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt" - - # PEM-encoded private key for TLS - # - #tls_private_key_path: "CONFDIR/SERVERNAME.tls.key" - - # The minimum TLS version that will be used for outbound federation requests. - # - # Defaults to `1`. Configurable to `1`, `1.1`, `1.2`, or `1.3`. Note - # that setting this value higher than `1.2` will prevent federation to most - # of the public Matrix network: only configure it to `1.3` if you have an - # entirely private federation setup and you can ensure TLS 1.3 support. - # - #federation_client_minimum_tls_version: 1.2 # also eigentlich will ich ja 1.3 und wieso zur hölle das nicht standard ist, keine Ahnung. Ich lass die Option mal drin, dass wir ran kommen, wenn 1.2 engültig broken ist - - acme: - # ACME support is disabled by default. Set this to `true` and uncomment - # tls_certificate_path and tls_private_key_path above to enable it. - # - enabled: false - - # Endpoint to use to request certificates. If you only want to test, - # use Let's Encrypt's staging url: - # https://acme-staging.api.letsencrypt.org/directory - # - #url: https://acme-v01.api.letsencrypt.org/directory - - # Port number to listen on for the HTTP-01 challenge. Change this if - # you are forwarding connections through Apache/Nginx/etc. - # - port: 80 - - # Local addresses to listen on for incoming connections. 
- # Again, you may want to change this if you are forwarding connections - # through Apache/Nginx/etc. - # - bind_addresses: ['::', '0.0.0.0'] - - # How many days remaining on a certificate before it is renewed. - # - reprovision_threshold: 30 - - # The domain that the certificate should be for. Normally this - # should be the same as your Matrix domain (i.e., 'server_name'), but, - # by putting a file at 'https:///.well-known/matrix/server', - # you can delegate incoming traffic to another server. If you do that, - # you should give the target of the delegation here. - # - # For example: if your 'server_name' is 'example.com', but - # 'https://example.com/.well-known/matrix/server' delegates to - # 'matrix.example.com', you should put 'matrix.example.com' here. - # - # If not set, defaults to your 'server_name'. - # - domain: matrix.example.com - - # file to use for the account key. This will be generated if it doesn't - # exist. - # - # If unspecified, we will use CONFDIR/client.key. - # - account_key_file: DATADIR/acme_account.key - - - - ## Database ## - - # The 'database' setting defines the database that synapse uses to store all of - # its data. - # - # 'name' gives the database engine to use: either 'sqlite3' (for SQLite) or - # 'psycopg2' (for PostgreSQL). - # - # 'args' gives options which are passed through to the database engine, - # except for options starting 'cp_', which are used to configure the Twisted - # connection pool. 
For a reference to valid arguments, see: - # * for sqlite: https://docs.python.org/3/library/sqlite3.html#sqlite3.connect - # * for postgres: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS - # * for the connection pool: https://twistedmatrix.com/documents/current/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - # - # - # Example SQLite configuration: - # - #database: - # name: sqlite3 - # args: - # database: /path/to/homeserver.db - # - # - # Example Postgres configuration: - # - #database: - # name: psycopg2 - # args: - # user: synapse_user - # password: secretpassword - # database: synapse - # host: localhost - # cp_min: 5 - # cp_max: 10 - # - # For more information on using Synapse with Postgres, see `docs/postgres.md`. - # - #database: - # name: sqlite3 - # args: - # database: DATADIR/homeserver.db - - - + max_upload_size: 50M max_image_pixels: 24M url_preview_enabled: false # disabled, can leak urls of encrypted communication - - enable_registration: false + auto_join_rooms: - "#lobby:hacc.space" @@ -341,9 +216,7 @@ stats: enabled: true # disabling this apparently breaks the room directory bucket_size: 1w - - - + "; ''; listeners = [ { From 1b58bd0f7b7df2bab97030dcc8e45924f8ad07b0 Mon Sep 17 00:00:00 2001 From: schweby Date: Thu, 25 Mar 2021 19:08:11 +0100 Subject: [PATCH 08/11] synapse: cleaned up config --- services/matrix-synapse.nix | 44 ++++++++++++------------------------- 1 file changed, 14 insertions(+), 30 deletions(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index b840d74..aab097b 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix 
@@ -84,6 +84,12 @@ services.matrix-synapse = { enable = true; server_name = "hacc.space"; + public_baseurl = "https://matrix.hacc.space"; + enable_registration = true; + allow_guest_access = true; + max_upload_size = "25M"; + max_image_pixels = "25M"; + dynamic_thumbnails = true; extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ]; extraConfig = '' public_baseurl: https://matrix.hacc.space @@ -97,8 +103,6 @@ client_base_url: "https://element.hacc.space" invite_client_location: "https://element.hacc.space" - enable_registration = true; - allow_guest_access = true; admin_contact: 'mailto:admin@hacc.space' web_client_location: https://element.hacc.space/ use_presence: false # uses lots of CPU for bacially nothing @@ -106,12 +110,9 @@ allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs default_room_version: "6" - limit_usage_by_mau: false # disables max userer - mau_stats_only: false - redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser user_ips_max_age: 1d # ich will das Zeug gar nicht qq - + retention: enabled: true default_policy: 
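Review bot: `enable_registration = true;` together with `allow_guest_access = true;` opens account creation and anonymous guest access on a federated, publicly reachable homeserver with no anti-abuse gate visible anywhere in this file — no `enable_registration_captcha`, no `registrations_require_3pid`, and default rate limits. If open sign-up is intended, at least tie accounts to a verified email (the SMTP configuration already exists) by adding `registrations_require_3pid: [email]` to `extraConfig`, or enable CAPTCHA, and record the decision in a comment such as `# open registration is intentional; spam is mitigated by email verification`. Guest access should likewise get a comment explaining why unauthenticated users may read guest-accessible rooms, or be dropped if it is only there because the example had it.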
@@ -129,40 +130,29 @@ - shortest_max_lifetime: 1w interval: 1d - - max_upload_size: 50M - max_image_pixels: 24M - url_preview_enabled: false # disabled, can leak urls of encrypted communication - - auto_join_rooms: - "#lobby:hacc.space" auto_join_rooms_for_guests: true - - - enable_metrics: false - report_stats: false - + password_config: policy: enabled: true minimum_length: 16 - + push: include_content: false group_unread_count_by_room: false - + encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms - + enable_group_creation: true group_creation_prefix: "__" # groups created by non-admins start eith this prefix - + user_directory: enabled: true search_all_users: false prefer_local_users: true - - + # User Consent configuration # # for detailed instructions, see @@ -211,13 +201,7 @@ # terms and conditions at %(consent_uri)s # require_at_registration: false # policy_name: Privacy Policy - # - - stats: - enabled: true # disabling this apparently breaks the room directory - bucket_size: 1w - - "; + # ''; listeners = [ { port = 8008; From 8c9b666bfe9cd38af4dba15d2b4f9b7459b34971 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 25 Mar 2021 19:31:09 +0100 Subject: [PATCH 09/11] synapse: deduplicate public_baseurl --- services/matrix-synapse.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index aab097b..7e88452 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix @@ -92,7 +92,6 @@ dynamic_thumbnails = true; extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ]; extraConfig = '' - public_baseurl: https://matrix.hacc.space email: smtp_host: mail.hacc.space smtp_user: "noreply@infra4future.de" From 13b8ae5c1366a6e53b4d92fb6f65ce1b05df896d Mon Sep 17 00:00:00 2001 
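Review bot: This hunk drops `url_preview_enabled: false # disabled, can leak urls of encrypted communication` along with the lines moved to module options, but no module option replaces it. Synapse's default for this key is false as far as I know, so behaviour is unchanged, yet a server-side URL fetcher is also an SSRF surface and the explicit line with its comment documented a deliberate decision; I would keep `url_preview_enabled: false # never fetch URLs server-side: leaks links from encrypted rooms and is an SSRF surface`. `auto_join_rooms` (with `#lobby:hacc.space`) is removed while `auto_join_rooms_for_guests: true` stays, so the latter now has nothing to act on — either drop it as well or keep the room list. The enclosing extraConfig string starts outside this hunk.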
From: stuebinm Date: Thu, 22 Apr 2021 22:45:52 +0200 Subject: [PATCH 10/11] matrix-synapse: update twisted (mail library) This overrides the python38Packages.twisted derivation to a more recent version that /hopefully/ doesn't force old tls versions. This includes using an override on the actual twisted package, and another on the matrix-synapse packages, which now has parts of its definition repeated in the overlay since overlays apparently don't propagate into dependencies of packages (since packages are essentially functions which have already been called). On the one hand, this may break things in case the definition of matrix-synapse changes too much upstream. On the other hand, it doesn't seem like anyone updates the python packages too often, so probably that won't happen for a long while. Additionally, prohibitively long to build, since synapse insists on running a complete test suite while building itself, and there doesn't appear to be an obvious option to turn this off. If this situation continues (also with some of the other packages) I guess at some point we should just set up hainich as a substitution server for Nix ... --- pkgs/matrix/default.nix | 54 +++++++++++++++++++++++++++++++++++++ services/matrix-synapse.nix | 3 +++ 2 files changed, 57 insertions(+) create mode 100644 pkgs/matrix/default.nix diff --git a/pkgs/matrix/default.nix b/pkgs/matrix/default.nix new file mode 100644 index 0000000..b58a98c --- /dev/null +++ b/pkgs/matrix/default.nix
@@ -0,0 +1,54 @@ +self: super: +{ + python38Packages = super.python3Packages // { + twisted = with super.python3Packages; + twisted.overrideAttrs (old: rec { + version = "21.2.0"; + src = fetchPypi { + inherit version; + extension = "tar.gz"; + pname = "Twisted"; + sha256 = "04jsr67swzj8vn8z64fzbha7vpkm1jz9ns26566vjsfg8n4llm3p"; + }; + }); + }; + + matrix-synapse = super.matrix-synapse.overrideAttrs (old: { + propagatedBuildInputs = with self.python3Packages; [ + setuptools + bcrypt + bleach + canonicaljson + daemonize + frozendict + jinja2 + jsonschema + lxml + msgpack + netaddr + phonenumbers + pillow + prometheus_client + psutil + psycopg2 + pyasn1 + pymacaroons + pynacl + pyopenssl + pysaml2 + pyyaml + requests + signedjson + sortedcontainers + treq + twisted + unpaddedbase64 + typing-extensions + authlib + pyjwt + systemd + hiredis + ]; + python = self.python3; + }); +} diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index 7e88452..2084821 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix @@ -3,6 +3,9 @@ { networking.firewall.allowedTCPPorts = [ 80 443 ]; + nixpkgs.overlays = [ (import ./../../../pkgs/matrix) ]; + + services.postgresql.enable = true; services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; From 2afc9befbfd21a8e9be94e49f0d5fef89ded88fd Mon Sep 17 00:00:00 2001 
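Review bot: The Twisted override is installed under `python38Packages`, but the matrix-synapse override takes `twisted` from `self.python3Packages`; as far as I can tell nixpkgs defines `python3Packages` as `python3.pkgs`, which an overridden `python38Packages` attribute does not feed, so unless both names resolve to the same set in this channel the synapse closure may still contain the old Twisted and the TLS fix this commit exists for would silently not apply. The idiomatic form is to override the package set itself, e.g. `python3 = super.python3.override { packageOverrides = pself: psuper: { twisted = psuper.twisted.overrideAttrs (old: rec { … }); }; };` and build synapse against `self.python3.pkgs`, which also removes the need to re-list every propagatedBuildInput by hand. Whatever is chosen, verify it on the host rather than trusting the build, e.g. `nix-store -qR /run/current-system | grep -i twisted` should show only 21.2.0. Pinning the sdist by sha256 is good; add a one-line comment naming why this version, e.g. `# 21.2.0: avoid the old TLS version negotiation in the SMTP client of the channel's Twisted`.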
From: stuebinm Date: Thu, 26 Aug 2021 22:55:47 +0200 Subject: [PATCH 11/11] matrix-synapse: bump to nixos 21.05, new structure This patches an import path for our new structure, and adjusts the build inputs for our hacked version of matrix-synapse with a newer version of twisted (for tls 1.3 support), which is apparently still necessary even in nixos 21.05. Seems to build fine (have not waited for all tests in the matrix packag; these take ages) --- pkgs/matrix/default.nix | 11 +++++------ services/matrix-synapse.nix | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/pkgs/matrix/default.nix b/pkgs/matrix/default.nix index b58a98c..b132c5d 100644 --- a/pkgs/matrix/default.nix +++ b/pkgs/matrix/default.nix @@ -15,12 +15,13 @@ self: super: matrix-synapse = super.matrix-synapse.overrideAttrs (old: { propagatedBuildInputs = with self.python3Packages; [ - setuptools + authlib bcrypt bleach canonicaljson daemonize frozendict + ijson jinja2 jsonschema lxml @@ -32,22 +33,20 @@ self: super: psutil psycopg2 pyasn1 + pyjwt pymacaroons pynacl pyopenssl pysaml2 pyyaml requests + setuptools signedjson sortedcontainers treq twisted - unpaddedbase64 typing-extensions - authlib - pyjwt - systemd - hiredis + unpaddedbase64 ]; python = self.python3; }); diff --git a/services/matrix-synapse.nix b/services/matrix-synapse.nix index 2084821..2d34903 100644 --- a/services/matrix-synapse.nix +++ b/services/matrix-synapse.nix @@ -3,7 +3,7 @@ { networking.firewall.allowedTCPPorts = [ 80 443 ]; - nixpkgs.overlays = [ (import ./../../../pkgs/matrix) ]; + nixpkgs.overlays = [ (import ./../pkgs/matrix) ]; services.postgresql.enable = true;
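Review bot: The hand-maintained `propagatedBuildInputs` diverges from upstream again — this hunk drops `systemd` and `hiredis`, so whatever relied on them (presumably journald logging and redis-backed workers) disappears from this build without being mentioned in the commit message. Every nixpkgs bump will need this list re-synced by hand, which is exactly the maintenance risk the previous commit message warned about. If only Twisted needs replacing, derive the list from the original instead of re-typing it, e.g. `propagatedBuildInputs = map (p: if super.lib.getName p == "Twisted" then twisted else p) old.propagatedBuildInputs;` (check the pname of the channel's Twisted) with `twisted` bound to the overridden package; otherwise add `# copied from nixpkgs 21.05 matrix-synapse; re-sync on every channel bump` above the list so the next bump does not miss it.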