Compare commits
11 commits
main
...
matrix-syn
Author | SHA1 | Date | |
---|---|---|---|
2afc9befbf | |||
13b8ae5c13 | |||
8c9b666bfe | |||
|
1b58bd0f7b | ||
42e1d2e990 | |||
|
1d5a9d74f0 | ||
4c6f13c68a | |||
2c708c4117 | |||
1f9bbf4051 | |||
e15b205214 | |||
|
59cd29a3ee |
3 changed files with 274 additions and 0 deletions
|
@ -21,6 +21,7 @@
|
||||||
../../services/gitlab-runner.nix
|
../../services/gitlab-runner.nix
|
||||||
../../services/unifi.nix
|
../../services/unifi.nix
|
||||||
../../services/lantifa.nix
|
../../services/lantifa.nix
|
||||||
|
../../services/matrix-synapse.nix
|
||||||
|
|
||||||
./lxc.nix
|
./lxc.nix
|
||||||
];
|
];
|
||||||
|
|
53
pkgs/matrix/default.nix
Normal file
53
pkgs/matrix/default.nix
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
self: super:
|
||||||
|
{
|
||||||
|
python38Packages = super.python3Packages // {
|
||||||
|
twisted = with super.python3Packages;
|
||||||
|
twisted.overrideAttrs (old: rec {
|
||||||
|
version = "21.2.0";
|
||||||
|
src = fetchPypi {
|
||||||
|
inherit version;
|
||||||
|
extension = "tar.gz";
|
||||||
|
pname = "Twisted";
|
||||||
|
sha256 = "04jsr67swzj8vn8z64fzbha7vpkm1jz9ns26566vjsfg8n4llm3p";
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
matrix-synapse = super.matrix-synapse.overrideAttrs (old: {
|
||||||
|
propagatedBuildInputs = with self.python3Packages; [
|
||||||
|
authlib
|
||||||
|
bcrypt
|
||||||
|
bleach
|
||||||
|
canonicaljson
|
||||||
|
daemonize
|
||||||
|
frozendict
|
||||||
|
ijson
|
||||||
|
jinja2
|
||||||
|
jsonschema
|
||||||
|
lxml
|
||||||
|
msgpack
|
||||||
|
netaddr
|
||||||
|
phonenumbers
|
||||||
|
pillow
|
||||||
|
prometheus_client
|
||||||
|
psutil
|
||||||
|
psycopg2
|
||||||
|
pyasn1
|
||||||
|
pyjwt
|
||||||
|
pymacaroons
|
||||||
|
pynacl
|
||||||
|
pyopenssl
|
||||||
|
pysaml2
|
||||||
|
pyyaml
|
||||||
|
requests
|
||||||
|
setuptools
|
||||||
|
signedjson
|
||||||
|
sortedcontainers
|
||||||
|
treq
|
||||||
|
twisted
|
||||||
|
typing-extensions
|
||||||
|
unpaddedbase64
|
||||||
|
];
|
||||||
|
python = self.python3;
|
||||||
|
});
|
||||||
|
}
|
220
services/matrix-synapse.nix
Normal file
220
services/matrix-synapse.nix
Normal file
|
@ -0,0 +1,220 @@
|
||||||
|
{config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
nixpkgs.overlays = [ (import ./../pkgs/matrix) ];
|
||||||
|
|
||||||
|
|
||||||
|
services.postgresql.enable = true;
|
||||||
|
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
|
||||||
|
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||||
|
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||||
|
TEMPLATE template0
|
||||||
|
LC_COLLATE = "C"
|
||||||
|
LC_CTYPE = "C";
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
|
||||||
|
# but the rest make sense as well (according to the broken example from the manual)
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
|
||||||
|
# This host section can be placed on a different host than the rest,
|
||||||
|
# i.e. to delegate from the host on which matrix / synapse actually run.
|
||||||
|
# This may make migration easier; in our case it's mostly added complexity.
|
||||||
|
"hacc.space" = {
|
||||||
|
# see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
|
||||||
|
# for documentation on what should be returned at these endpoints.
|
||||||
|
locations."= /.well-known/matrix/server".extraConfig = ''
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}';
|
||||||
|
'';
|
||||||
|
# this is to configure the nice default homeserver setting for our element web.
|
||||||
|
locations."= /.well-known/matrix/client".extraConfig =
|
||||||
|
let client = {
|
||||||
|
"m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
|
||||||
|
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
||||||
|
};
|
||||||
|
in ''
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
return 200 '${builtins.toJSON client}';
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
# this serves the actual matrix endpoint
|
||||||
|
"matrix.hacc.space" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
|
||||||
|
# it is not recommended to have the actual element web interface on the same domain,
|
||||||
|
# cf. https://github.com/vector-im/element-web#separate-domains on this.
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
return 404;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/_matrix" = {
|
||||||
|
proxyPass = "http://[::1]:8008";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
# the element web client for our matrix server.
|
||||||
|
"element.hacc.space" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
root = pkgs.element-web.override {
|
||||||
|
conf = {
|
||||||
|
# the base_url here must be identical to the one on hacc.space/.well-known above.
|
||||||
|
default_server_config."m.homeserver" = {
|
||||||
|
"base_url" = "https://matrix.hacc.space";
|
||||||
|
"server_name" = "matrix.hacc.space";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.matrix-synapse = {
|
||||||
|
enable = true;
|
||||||
|
server_name = "hacc.space";
|
||||||
|
public_baseurl = "https://matrix.hacc.space";
|
||||||
|
enable_registration = true;
|
||||||
|
allow_guest_access = true;
|
||||||
|
max_upload_size = "25M";
|
||||||
|
max_image_pixels = "25M";
|
||||||
|
dynamic_thumbnails = true;
|
||||||
|
extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
|
||||||
|
extraConfig = ''
|
||||||
|
email:
|
||||||
|
smtp_host: mail.hacc.space
|
||||||
|
smtp_user: "noreply@infra4future.de"
|
||||||
|
smtp_port: 587
|
||||||
|
notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
|
||||||
|
require_transport_security: true
|
||||||
|
enable_notifs: true
|
||||||
|
client_base_url: "https://element.hacc.space"
|
||||||
|
invite_client_location: "https://element.hacc.space"
|
||||||
|
|
||||||
|
admin_contact: 'mailto:admin@hacc.space'
|
||||||
|
web_client_location: https://element.hacc.space/
|
||||||
|
use_presence: false # uses lots of CPU for bacially nothing
|
||||||
|
limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
|
||||||
|
allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
|
||||||
|
default_room_version: "6"
|
||||||
|
|
||||||
|
redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
|
||||||
|
user_ips_max_age: 1d # ich will das Zeug gar nicht qq
|
||||||
|
|
||||||
|
retention:
|
||||||
|
enabled: true
|
||||||
|
default_policy:
|
||||||
|
min_lifetime: 1d # does nothing
|
||||||
|
max_lifetime: 2w
|
||||||
|
allowed_lifetime_min: 1h
|
||||||
|
allowed_lifetime_max: 15w
|
||||||
|
purge_jobs:
|
||||||
|
- longest_max_lifetime: 1h
|
||||||
|
interval: 15m
|
||||||
|
- longest_max_lifetime: 1d
|
||||||
|
interval: 1h
|
||||||
|
- longest_max_lifetime: 3d
|
||||||
|
interval: 12h
|
||||||
|
- shortest_max_lifetime: 1w
|
||||||
|
interval: 1d
|
||||||
|
|
||||||
|
auto_join_rooms:
|
||||||
|
- "#lobby:hacc.space"
|
||||||
|
auto_join_rooms_for_guests: true
|
||||||
|
|
||||||
|
password_config:
|
||||||
|
policy:
|
||||||
|
enabled: true
|
||||||
|
minimum_length: 16
|
||||||
|
|
||||||
|
push:
|
||||||
|
include_content: false
|
||||||
|
group_unread_count_by_room: false
|
||||||
|
|
||||||
|
encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
|
||||||
|
|
||||||
|
enable_group_creation: true
|
||||||
|
group_creation_prefix: "__" # groups created by non-admins start eith this prefix
|
||||||
|
|
||||||
|
user_directory:
|
||||||
|
enabled: true
|
||||||
|
search_all_users: false
|
||||||
|
prefer_local_users: true
|
||||||
|
|
||||||
|
# User Consent configuration
|
||||||
|
#
|
||||||
|
# for detailed instructions, see
|
||||||
|
# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
|
||||||
|
#
|
||||||
|
# Parts of this section are required if enabling the 'consent' resource under
|
||||||
|
# 'listeners', in particular 'template_dir' and 'version'.
|
||||||
|
#
|
||||||
|
# 'template_dir' gives the location of the templates for the HTML forms.
|
||||||
|
# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
|
||||||
|
# and each language directory should contain the policy document (named as
|
||||||
|
# '<version>.html') and a success page (success.html).
|
||||||
|
#
|
||||||
|
# 'version' specifies the 'current' version of the policy document. It defines
|
||||||
|
# the version to be served by the consent resource if there is no 'v'
|
||||||
|
# parameter.
|
||||||
|
#
|
||||||
|
# 'server_notice_content', if enabled, will send a user a "Server Notice"
|
||||||
|
# asking them to consent to the privacy policy. The 'server_notices' section
|
||||||
|
# must also be configured for this to work. Notices will *not* be sent to
|
||||||
|
# guest users unless 'send_server_notice_to_guests' is set to true.
|
||||||
|
#
|
||||||
|
# 'block_events_error', if set, will block any attempts to send events
|
||||||
|
# until the user consents to the privacy policy. The value of the setting is
|
||||||
|
# used as the text of the error.
|
||||||
|
#
|
||||||
|
# 'require_at_registration', if enabled, will add a step to the registration
|
||||||
|
# process, similar to how captcha works. Users will be required to accept the
|
||||||
|
# policy before their account is created.
|
||||||
|
#
|
||||||
|
# 'policy_name' is the display name of the policy users will see when registering
|
||||||
|
# for an account. Has no effect unless `require_at_registration` is enabled.
|
||||||
|
# Defaults to "Privacy Policy".
|
||||||
|
#
|
||||||
|
#user_consent:
|
||||||
|
# template_dir: res/templates/privacy
|
||||||
|
# version: 1.0
|
||||||
|
# server_notice_content:
|
||||||
|
# msgtype: m.text
|
||||||
|
# body: >-
|
||||||
|
# To continue using this homeserver you must review and agree to the
|
||||||
|
# terms and conditions at %(consent_uri)s
|
||||||
|
# send_server_notice_to_guests: true
|
||||||
|
# block_events_error: >-
|
||||||
|
# To continue using this homeserver you must review and agree to the
|
||||||
|
# terms and conditions at %(consent_uri)s
|
||||||
|
# require_at_registration: false
|
||||||
|
# policy_name: Privacy Policy
|
||||||
|
#
|
||||||
|
'';
|
||||||
|
listeners = [ {
|
||||||
|
port = 8008;
|
||||||
|
bind_address = "::1";
|
||||||
|
type = "http";
|
||||||
|
tls = false;
|
||||||
|
x_forwarded = true;
|
||||||
|
resources = [ {
|
||||||
|
names = [ "client" "federation" ];
|
||||||
|
compress = false;
|
||||||
|
} ];
|
||||||
|
} ];
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue