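{ config, lib, pkgs, ... }:

# NixOS module for the hacc.space matrix homeserver: matrix-synapse on a
# loopback-only http listener behind nginx (which terminates TLS), a postgres
# backend, the .well-known delegation documents on hacc.space, and element-web
# on its own domain.
{
  # nginx is the only public entry point (TLS on 443; ACME is enabled on the
  # matrix and element vhosts below).  Federation is reached through 443 as
  # well, as advertised in .well-known/matrix/server, so 8448 is not opened.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  nixpkgs.overlays = [ (import ./../../../pkgs/matrix) ];

  services.postgresql.enable = true;
  # NOTE(review): writeText puts this script, including the role password, into
  # the world-readable Nix store.  That is only harmless if synapse reaches the
  # database over the local unix socket with peer authentication rather than
  # with this password — confirm against the synapse database settings.
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  services.nginx = {
    enable = true;
    # only recommendedProxySettings and recommendedGzipSettings are strictly required,
    # but the rest make sense as well (according to the broken example from the manual)
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # This host section can be placed on a different host than the rest,
      # i.e. to delegate from the host on which matrix / synapse actually run.
      # This may make migration easier; in our case it's mostly added complexity.
      #
      # NOTE(review): neither enableACME nor forceSSL is set on this vhost here.
      # Servers and clients fetch the .well-known documents over https, so TLS
      # for hacc.space is assumed to be configured elsewhere — confirm.
      "hacc.space" = {
        # see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
        # for documentation on what should be returned at these endpoints.
        locations."= /.well-known/matrix/server".extraConfig = ''
          add_header Content-Type application/json;
          return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}';
        '';

        # this is to configure the nice default homeserver setting for our element web.
        # The CORS wildcard is needed here: web clients on other origins (our own
        # element web included) read this document during login.
        locations."= /.well-known/matrix/client".extraConfig =
          let client = {
            "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
            "m.identity_server" = { "base_url" = "https://vector.im"; };
          };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };

      # this serves the actual matrix endpoint
      "matrix.hacc.space" = {
        enableACME = true;
        forceSSL = true;

        # it is not recommended to have the actual element web interface on the same domain,
        # cf. https://github.com/vector-im/element-web#separate-domains on this.
        locations."/".extraConfig = ''
          return 404;
        '';

        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008";
          # nginx's default client_max_body_size (10m in the NixOS module) is
          # below synapse's max_upload_size, so larger media uploads would be
          # rejected by nginx with 413 before ever reaching synapse.  Keep this
          # value in sync with services.matrix-synapse.max_upload_size below.
          extraConfig = ''
            client_max_body_size 25M;
          '';
        };
      };

      # the element web client for our matrix server.
      "element.hacc.space" = {
        enableACME = true;
        forceSSL = true;
        root = pkgs.element-web.override {
          conf = {
            # the base_url here must be identical to the one on hacc.space/.well-known above.
            # NOTE(review): synapse's server_name below is hacc.space, not
            # matrix.hacc.space; element appears to use this value for display
            # only, so the mismatch is presumably intended — confirm.
            default_server_config."m.homeserver" = {
              "base_url" = "https://matrix.hacc.space";
              "server_name" = "matrix.hacc.space";
            };
          };
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = "hacc.space";
    public_baseurl = "https://matrix.hacc.space";
    # NOTE(review): open registration plus guest access means anyone on the
    # internet can create accounts here; nothing in this file rate-limits or
    # verifies sign-ups.  Revisit if abuse shows up.
    enable_registration = true;
    allow_guest_access = true;
    max_upload_size = "25M";
    max_image_pixels = "25M";
    dynamic_thumbnails = true;

    # Secrets are kept out of the Nix store.  smtp_user below has no password in
    # this file, so presumably it comes from secrets.yml — confirm.
    extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];

    # NOTE: when this mail config was added (synapse 1.29.0) sending mail failed:
    # postfix rejected the TLS handshake ("unsupported protocol") because the
    # twisted version used by synapse offered a too-old TLS version.  Known
    # issue, https://github.com/matrix-org/synapse/issues/6211, expected to be
    # fixed by the twisted update in the next synapse release — re-check that
    # mail actually goes out after upgrading.
    extraConfig = ''
      email:
        smtp_host: mail.hacc.space
        smtp_user: "noreply@infra4future.de"
        smtp_port: 587
        notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
        require_transport_security: true
        enable_notifs: true
        client_base_url: "https://element.hacc.space"
        invite_client_location: "https://element.hacc.space"

      admin_contact: 'mailto:admin@hacc.space'
      web_client_location: https://element.hacc.space/
      use_presence: false # uses lots of CPU for bacially nothing
      limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
      allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
      default_room_version: "6"
      redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
      user_ips_max_age: 1d # ich will das Zeug gar nicht qq

      retention:
        enabled: true
        default_policy:
          min_lifetime: 1d # does nothing
          max_lifetime: 2w
        allowed_lifetime_min: 1h
        allowed_lifetime_max: 15w
        purge_jobs:
          - longest_max_lifetime: 1h
            interval: 15m
          - longest_max_lifetime: 1d
            interval: 1h
          - longest_max_lifetime: 3d
            interval: 12h
          - shortest_max_lifetime: 1w
            interval: 1d

      auto_join_rooms:
        - "#lobby:hacc.space"
      auto_join_rooms_for_guests: true

      password_config:
        policy:
          enabled: true
          minimum_length: 16

      push:
        include_content: false
        group_unread_count_by_room: false

      encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms

      enable_group_creation: true
      group_creation_prefix: "__" # groups created by non-admins start eith this prefix

      user_directory:
        enabled: true
        search_all_users: false
        prefer_local_users: true

      # User Consent configuration
      #
      # for detailed instructions, see
      # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
      #
      # Parts of this section are required if enabling the 'consent' resource under
      # 'listeners', in particular 'template_dir' and 'version'.
      #
      # 'template_dir' gives the location of the templates for the HTML forms.
      # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
      # and each language directory should contain the policy document (named as
      # '<version>.html') and a success page (success.html).
      #
      # 'version' specifies the 'current' version of the policy document. It defines
      # the version to be served by the consent resource if there is no 'v'
      # parameter.
      #
      # 'server_notice_content', if enabled, will send a user a "Server Notice"
      # asking them to consent to the privacy policy. The 'server_notices' section
      # must also be configured for this to work. Notices will *not* be sent to
      # guest users unless 'send_server_notice_to_guests' is set to true.
      #
      # 'block_events_error', if set, will block any attempts to send events
      # until the user consents to the privacy policy. The value of the setting is
      # used as the text of the error.
      #
      # 'require_at_registration', if enabled, will add a step to the registration
      # process, similar to how captcha works. Users will be required to accept the
      # policy before their account is created.
      #
      # 'policy_name' is the display name of the policy users will see when registering
      # for an account. Has no effect unless `require_at_registration` is enabled.
      # Defaults to "Privacy Policy".
      #
      #user_consent:
      #  template_dir: res/templates/privacy
      #  version: 1.0
      #  server_notice_content:
      #    msgtype: m.text
      #    body: >-
      #      To continue using this homeserver you must review and agree to the
      #      terms and conditions at %(consent_uri)s
      #  send_server_notice_to_guests: true
      #  block_events_error: >-
      #    To continue using this homeserver you must review and agree to the
      #    terms and conditions at %(consent_uri)s
      #  require_at_registration: false
      #  policy_name: Privacy Policy
      #
    '';

    # Plain http on loopback only: TLS is terminated by nginx above, and
    # x_forwarded lets synapse take the original client address from the
    # X-Forwarded-For header nginx sets.
    listeners = [ {
      port = 8008;
      bind_address = "::1";
      type = "http";
      tls = false;
      x_forwarded = true;
      resources = [ {
        names = [ "client" "federation" ];
        compress = false;
      } ];
    } ];
  };
}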