hacc/haccfiles
8
0
Fork 1
Code Issues 1 Pull requests Projects Releases Wiki Activity
haccfiles/services/matrix-synapse.nix
stuebinm 2afc9befbf
matrix-synapse: bump to nixos 21.05, new structure 
This patches an import path for our new structure, and adjusts the build
inputs for our hacked version of matrix-synapse with a newer version of
twisted (for tls 1.3 support), which is apparently still necessary even
in nixos 21.05.

Seems to build fine (have not waited for all tests in the matrix packag;
these take ages)
2021-08-26 22:55:47 +02:00

221 lines
8 KiB
Nix
Raw Blame History

{config, lib, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
nixpkgs.overlays = [ (import ./../pkgs/matrix) ];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well (according to the broken example from the manual)
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host on which matrix / synapse actually run.
# This may make migration easier; in our case it's mostly added complexity.
"hacc.space" = {
# see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
# for documentation on what should be returned at these endpoints.
locations."= /.well-known/matrix/server".extraConfig = ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}';
'';
# this is to configure the nice default homeserver setting for our element web.
locations."= /.well-known/matrix/client".extraConfig =
let client = {
"m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# this serves the actual matrix endpoint
"matrix.hacc.space" = {
enableACME = true;
forceSSL = true;
# it is not recommended to have the actual element web interface on the same domain,
# cf. https://github.com/vector-im/element-web#separate-domains on this.
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix" = {
proxyPass = "http://[::1]:8008";
};
};
# the element web client for our matrix server.
"element.hacc.space" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
# the base_url here must be identical to the one on hacc.space/.well-known above.
default_server_config."m.homeserver" = {
"base_url" = "https://matrix.hacc.space";
"server_name" = "matrix.hacc.space";
};
};
};
};
};
};
services.matrix-synapse = {
enable = true;
server_name = "hacc.space";
public_baseurl = "https://matrix.hacc.space";
enable_registration = true;
allow_guest_access = true;
max_upload_size = "25M";
max_image_pixels = "25M";
dynamic_thumbnails = true;
extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
extraConfig = ''
email:
smtp_host: mail.hacc.space
smtp_user: "noreply@infra4future.de"
smtp_port: 587
notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
require_transport_security: true
enable_notifs: true
client_base_url: "https://element.hacc.space"
invite_client_location: "https://element.hacc.space"
admin_contact: 'mailto:admin@hacc.space'
web_client_location: https://element.hacc.space/
use_presence: false # uses lots of CPU for bacially nothing
limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
default_room_version: "6"
redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
user_ips_max_age: 1d # ich will das Zeug gar nicht qq
retention:
enabled: true
default_policy:
min_lifetime: 1d # does nothing
max_lifetime: 2w
allowed_lifetime_min: 1h
allowed_lifetime_max: 15w
purge_jobs:
- longest_max_lifetime: 1h
interval: 15m
- longest_max_lifetime: 1d
interval: 1h
- longest_max_lifetime: 3d
interval: 12h
- shortest_max_lifetime: 1w
interval: 1d
auto_join_rooms:
- "#lobby:hacc.space"
auto_join_rooms_for_guests: true
password_config:
policy:
enabled: true
minimum_length: 16
push:
include_content: false
group_unread_count_by_room: false
encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
enable_group_creation: true
group_creation_prefix: "__" # groups created by non-admins start eith this prefix
user_directory:
enabled: true
search_all_users: false
prefer_local_users: true
# User Consent configuration
#
# for detailed instructions, see
# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
#
# Parts of this section are required if enabling the 'consent' resource under
# 'listeners', in particular 'template_dir' and 'version'.
#
# 'template_dir' gives the location of the templates for the HTML forms.
# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
# and each language directory should contain the policy document (named as
# '<version>.html') and a success page (success.html).
#
# 'version' specifies the 'current' version of the policy document. It defines
# the version to be served by the consent resource if there is no 'v'
# parameter.
#
# 'server_notice_content', if enabled, will send a user a "Server Notice"
# asking them to consent to the privacy policy. The 'server_notices' section
# must also be configured for this to work. Notices will *not* be sent to
# guest users unless 'send_server_notice_to_guests' is set to true.
#
# 'block_events_error', if set, will block any attempts to send events
# until the user consents to the privacy policy. The value of the setting is
# used as the text of the error.
#
# 'require_at_registration', if enabled, will add a step to the registration
# process, similar to how captcha works. Users will be required to accept the
# policy before their account is created.
#
# 'policy_name' is the display name of the policy users will see when registering
# for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy".
#
#user_consent:
# template_dir: res/templates/privacy
# version: 1.0
# server_notice_content:
# msgtype: m.text
# body: >-
# To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s
# send_server_notice_to_guests: true
# block_events_error: >-
# To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s
# require_at_registration: false
# policy_name: Privacy Policy
#
'';
listeners = [ {
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = false;
} ];
} ];
};
}
Reference in a new issue View git blame Copy permalink