stuebinm
42e1d2e990
(i.e. those parts which are managable by nix, and a couple which were defined twice were deduplicated)
234 lines
8.3 KiB
Nix
234 lines
8.3 KiB
Nix
{config, lib, pkgs, ... }:
|
|
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.postgresql.enable = true;
|
|
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
|
|
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
|
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
|
TEMPLATE template0
|
|
LC_COLLATE = "C"
|
|
LC_CTYPE = "C";
|
|
'';
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
|
|
# but the rest make sense as well (according to the broken example from the manual)
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
virtualHosts = {
|
|
|
|
# This host section can be placed on a different host than the rest,
|
|
# i.e. to delegate from the host on which matrix / synapse actually run.
|
|
# This may make migration easier; in our case it's mostly added complexity.
|
|
"hacc.space" = {
|
|
# see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
|
|
# for documentation on what should be returned at these endpoints.
|
|
locations."= /.well-known/matrix/server".extraConfig = ''
|
|
add_header Content-Type application/json;
|
|
return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}';
|
|
'';
|
|
# this is to configure the nice default homeserver setting for our element web.
|
|
locations."= /.well-known/matrix/client".extraConfig =
|
|
let client = {
|
|
"m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
|
|
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
|
};
|
|
in ''
|
|
add_header Content-Type application/json;
|
|
add_header Access-Control-Allow-Origin *;
|
|
return 200 '${builtins.toJSON client}';
|
|
'';
|
|
};
|
|
|
|
|
|
# this serves the actual matrix endpoint
|
|
"matrix.hacc.space" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
# it is not recommended to have the actual element web interface on the same domain,
|
|
# cf. https://github.com/vector-im/element-web#separate-domains on this.
|
|
locations."/".extraConfig = ''
|
|
return 404;
|
|
'';
|
|
|
|
locations."/_matrix" = {
|
|
proxyPass = "http://[::1]:8008";
|
|
};
|
|
};
|
|
|
|
|
|
# the element web client for our matrix server.
|
|
"element.hacc.space" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
root = pkgs.element-web.override {
|
|
conf = {
|
|
# the base_url here must be identical to the one on hacc.space/.well-known above.
|
|
default_server_config."m.homeserver" = {
|
|
"base_url" = "https://matrix.hacc.space";
|
|
"server_name" = "matrix.hacc.space";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
server_name = "hacc.space";
|
|
extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
|
|
extraConfig = ''
|
|
public_baseurl: https://matrix.hacc.space
|
|
email:
|
|
smtp_host: mail.hacc.space
|
|
smtp_user: "noreply@infra4future.de"
|
|
smtp_port: 587
|
|
notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
|
|
require_transport_security: true
|
|
enable_notifs: true
|
|
client_base_url: "https://element.hacc.space"
|
|
invite_client_location: "https://element.hacc.space"
|
|
|
|
enable_registration = true;
|
|
allow_guest_access = true;
|
|
admin_contact: 'mailto:admin@hacc.space'
|
|
web_client_location: https://element.hacc.space/
|
|
use_presence: false # uses lots of CPU for bacially nothing
|
|
limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
|
|
allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
|
|
default_room_version: "6"
|
|
|
|
limit_usage_by_mau: false # disables max userer
|
|
mau_stats_only: false
|
|
|
|
redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
|
|
user_ips_max_age: 1d # ich will das Zeug gar nicht qq
|
|
|
|
retention:
|
|
enabled: true
|
|
default_policy:
|
|
min_lifetime: 1d # does nothing
|
|
max_lifetime: 2w
|
|
allowed_lifetime_min: 1h
|
|
allowed_lifetime_max: 15w
|
|
purge_jobs:
|
|
- longest_max_lifetime: 1h
|
|
interval: 15m
|
|
- longest_max_lifetime: 1d
|
|
interval: 1h
|
|
- longest_max_lifetime: 3d
|
|
interval: 12h
|
|
- shortest_max_lifetime: 1w
|
|
interval: 1d
|
|
|
|
|
|
max_upload_size: 50M
|
|
max_image_pixels: 24M
|
|
url_preview_enabled: false # disabled, can leak urls of encrypted communication
|
|
|
|
|
|
auto_join_rooms:
|
|
- "#lobby:hacc.space"
|
|
auto_join_rooms_for_guests: true
|
|
|
|
|
|
enable_metrics: false
|
|
report_stats: false
|
|
|
|
password_config:
|
|
policy:
|
|
enabled: true
|
|
minimum_length: 16
|
|
|
|
push:
|
|
include_content: false
|
|
group_unread_count_by_room: false
|
|
|
|
encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
|
|
|
|
enable_group_creation: true
|
|
group_creation_prefix: "__" # groups created by non-admins start eith this prefix
|
|
|
|
user_directory:
|
|
enabled: true
|
|
search_all_users: false
|
|
prefer_local_users: true
|
|
|
|
|
|
# User Consent configuration
|
|
#
|
|
# for detailed instructions, see
|
|
# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
|
|
#
|
|
# Parts of this section are required if enabling the 'consent' resource under
|
|
# 'listeners', in particular 'template_dir' and 'version'.
|
|
#
|
|
# 'template_dir' gives the location of the templates for the HTML forms.
|
|
# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
|
|
# and each language directory should contain the policy document (named as
|
|
# '<version>.html') and a success page (success.html).
|
|
#
|
|
# 'version' specifies the 'current' version of the policy document. It defines
|
|
# the version to be served by the consent resource if there is no 'v'
|
|
# parameter.
|
|
#
|
|
# 'server_notice_content', if enabled, will send a user a "Server Notice"
|
|
# asking them to consent to the privacy policy. The 'server_notices' section
|
|
# must also be configured for this to work. Notices will *not* be sent to
|
|
# guest users unless 'send_server_notice_to_guests' is set to true.
|
|
#
|
|
# 'block_events_error', if set, will block any attempts to send events
|
|
# until the user consents to the privacy policy. The value of the setting is
|
|
# used as the text of the error.
|
|
#
|
|
# 'require_at_registration', if enabled, will add a step to the registration
|
|
# process, similar to how captcha works. Users will be required to accept the
|
|
# policy before their account is created.
|
|
#
|
|
# 'policy_name' is the display name of the policy users will see when registering
|
|
# for an account. Has no effect unless `require_at_registration` is enabled.
|
|
# Defaults to "Privacy Policy".
|
|
#
|
|
#user_consent:
|
|
# template_dir: res/templates/privacy
|
|
# version: 1.0
|
|
# server_notice_content:
|
|
# msgtype: m.text
|
|
# body: >-
|
|
# To continue using this homeserver you must review and agree to the
|
|
# terms and conditions at %(consent_uri)s
|
|
# send_server_notice_to_guests: true
|
|
# block_events_error: >-
|
|
# To continue using this homeserver you must review and agree to the
|
|
# terms and conditions at %(consent_uri)s
|
|
# require_at_registration: false
|
|
# policy_name: Privacy Policy
|
|
#
|
|
|
|
stats:
|
|
enabled: true # disabling this apparently breaks the room directory
|
|
bucket_size: 1w
|
|
|
|
";
|
|
'';
|
|
listeners = [ {
|
|
port = 8008;
|
|
bind_address = "::1";
|
|
type = "http";
|
|
tls = false;
|
|
x_forwarded = true;
|
|
resources = [ {
|
|
names = [ "client" "federation" ];
|
|
compress = false;
|
|
} ];
|
|
} ];
|
|
};
|
|
}
|