Merge branch 'matrix-synapse' into 'main'

WIP: matrix synapse & element See merge request hacc/infra/haccfiles!46
2021-09-19 06:19:00 +00:00 · 2021-09-19 06:19:00 +00:00 · a5585d4e4f
parent f4089803ff 2afc9befbf
commit a5585d4e4f
3 changed files with 274 additions and 0 deletions
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@ -21,6 +21,7 @@
    ../../services/gitlab-runner.nix
    ../../services/unifi.nix
    ../../services/lantifa.nix
+    ../../services/matrix-synapse.nix

    ./lxc.nix
  ];
--- a/pkgs/matrix/default.nix
+++ b/pkgs/matrix/default.nix
@ -0,0 +1,53 @@
+self: super:
+{
+  python38Packages = super.python3Packages // {
+    twisted = with super.python3Packages;
+      twisted.overrideAttrs (old: rec {
+        version = "21.2.0";
+        src = fetchPypi {
+          inherit version;
+          extension = "tar.gz";
+          pname = "Twisted";
+          sha256 = "04jsr67swzj8vn8z64fzbha7vpkm1jz9ns26566vjsfg8n4llm3p";
+        };
+      });
+  };
+
+  matrix-synapse = super.matrix-synapse.overrideAttrs (old: {
+    propagatedBuildInputs = with self.python3Packages; [
+      authlib
+      bcrypt
+      bleach
+      canonicaljson
+      daemonize
+      frozendict
+      ijson
+      jinja2
+      jsonschema
+      lxml
+      msgpack
+      netaddr
+      phonenumbers
+      pillow
+      prometheus_client
+      psutil
+      psycopg2
+      pyasn1
+      pyjwt
+      pymacaroons
+      pynacl
+      pyopenssl
+      pysaml2
+      pyyaml
+      requests
+      setuptools
+      signedjson
+      sortedcontainers
+      treq
+      twisted
+      typing-extensions
+      unpaddedbase64
+    ];
+    python = self.python3;
+  });
+}
--- a/services/matrix-synapse.nix
+++ b/services/matrix-synapse.nix
@ -0,0 +1,220 @@
+{config, lib, pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  nixpkgs.overlays = [ (import ./../pkgs/matrix) ];
+
+
+  services.postgresql.enable = true;
+  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+      TEMPLATE template0
+      LC_COLLATE = "C"
+      LC_CTYPE = "C";
+  '';
+
+  services.nginx = {
+    enable = true;
+    # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+    # but the rest make sense as well (according to the broken example from the manual)
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+
+      # This host section can be placed on a different host than the rest,
+      # i.e. to delegate from the host on which matrix / synapse actually run.
+      # This may make migration easier; in our case it's mostly added complexity.
+      "hacc.space" = {
+        # see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
+        # for documentation on what should be returned at these endpoints.
+        locations."= /.well-known/matrix/server".extraConfig = ''
+          add_header Content-Type application/json;
+          return 200 '${builtins.toJSON  { "m.server" = "matrix.hacc.space:443"; }}';
+        '';
+        # this is to configure the nice default homeserver setting for our element web.
+        locations."= /.well-known/matrix/client".extraConfig =
+          let client = {
+            "m.homeserver" =  { "base_url" = "https://matrix.hacc.space"; };
+            "m.identity_server" =  { "base_url" = "https://vector.im"; };
+          };
+        in ''
+          add_header Content-Type application/json;
+          add_header Access-Control-Allow-Origin *;
+          return 200 '${builtins.toJSON client}';
+        '';
+      };
+
+
+      # this serves the actual matrix endpoint
+      "matrix.hacc.space" = {
+        enableACME = true;
+        forceSSL = true;
+
+        # it is not recommended to have the actual element web interface on the same domain,
+        # cf. https://github.com/vector-im/element-web#separate-domains on this.
+        locations."/".extraConfig = ''
+          return 404;
+        '';
+
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:8008";
+        };
+      };
+
+
+      # the element web client for our matrix server.
+      "element.hacc.space" = {
+        enableACME = true;
+        forceSSL = true;
+        root = pkgs.element-web.override {
+          conf = {
+            # the base_url here must be identical to the one on hacc.space/.well-known above.
+            default_server_config."m.homeserver" = {
+              "base_url" = "https://matrix.hacc.space";
+              "server_name" = "matrix.hacc.space";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    server_name = "hacc.space";
+    public_baseurl = "https://matrix.hacc.space";
+    enable_registration = true;
+    allow_guest_access = true;
+    max_upload_size = "25M";
+    max_image_pixels = "25M";
+    dynamic_thumbnails = true;
+    extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
+    extraConfig = ''
+      email:
+        smtp_host: mail.hacc.space
+        smtp_user: "noreply@infra4future.de"
+        smtp_port: 587
+        notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
+        require_transport_security: true
+        enable_notifs: true
+        client_base_url: "https://element.hacc.space"
+        invite_client_location: "https://element.hacc.space"
+
+      admin_contact: 'mailto:admin@hacc.space'
+      web_client_location: https://element.hacc.space/
+      use_presence: false # uses lots of CPU for bacially nothing
+      limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
+      allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
+      default_room_version: "6"
+
+      redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
+      user_ips_max_age: 1d # ich will das Zeug gar nicht qq
+
+      retention:
+        enabled: true
+        default_policy:
+          min_lifetime: 1d # does nothing
+          max_lifetime: 2w
+        allowed_lifetime_min: 1h
+        allowed_lifetime_max: 15w
+        purge_jobs:
+          - longest_max_lifetime: 1h
+            interval: 15m
+          - longest_max_lifetime: 1d
+            interval: 1h
+          - longest_max_lifetime: 3d
+            interval: 12h
+          - shortest_max_lifetime: 1w
+            interval: 1d
+      
+      auto_join_rooms:
+        - "#lobby:hacc.space"
+      auto_join_rooms_for_guests: true
+
+      password_config:
+         policy:
+            enabled: true
+            minimum_length: 16
+
+      push:
+        include_content: false
+        group_unread_count_by_room: false
+
+      encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
+
+      enable_group_creation: true
+      group_creation_prefix: "__" # groups created by non-admins start eith this prefix
+
+      user_directory:
+          enabled: true
+          search_all_users: false
+          prefer_local_users: true
+
+      # User Consent configuration
+      #
+      # for detailed instructions, see
+      # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
+      #
+      # Parts of this section are required if enabling the 'consent' resource under
+      # 'listeners', in particular 'template_dir' and 'version'.
+      #
+      # 'template_dir' gives the location of the templates for the HTML forms.
+      # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
+      # and each language directory should contain the policy document (named as
+      # '<version>.html') and a success page (success.html).
+      #
+      # 'version' specifies the 'current' version of the policy document. It defines
+      # the version to be served by the consent resource if there is no 'v'
+      # parameter.
+      #
+      # 'server_notice_content', if enabled, will send a user a "Server Notice"
+      # asking them to consent to the privacy policy. The 'server_notices' section
+      # must also be configured for this to work. Notices will *not* be sent to
+      # guest users unless 'send_server_notice_to_guests' is set to true.
+      #
+      # 'block_events_error', if set, will block any attempts to send events
+      # until the user consents to the privacy policy. The value of the setting is
+      # used as the text of the error.
+      #
+      # 'require_at_registration', if enabled, will add a step to the registration
+      # process, similar to how captcha works. Users will be required to accept the
+      # policy before their account is created.
+      #
+      # 'policy_name' is the display name of the policy users will see when registering
+      # for an account. Has no effect unless `require_at_registration` is enabled.
+      # Defaults to "Privacy Policy".
+      #
+      #user_consent:
+      #  template_dir: res/templates/privacy
+      #  version: 1.0
+      #  server_notice_content:
+      #    msgtype: m.text
+      #    body: >-
+      #      To continue using this homeserver you must review and agree to the
+      #      terms and conditions at %(consent_uri)s
+      #  send_server_notice_to_guests: true
+      #  block_events_error: >-
+      #    To continue using this homeserver you must review and agree to the
+      #    terms and conditions at %(consent_uri)s
+      #  require_at_registration: false
+      #  policy_name: Privacy Policy
+      #      
+    '';
+    listeners = [ {
+      port = 8008;
+      bind_address = "::1";
+      type = "http";
+      tls = false;
+      x_forwarded = true;
+      resources = [ {
+        names = [ "client" "federation" ];
+        compress = false;
+      } ];
+    } ];
+  };
+}