Compare commits

...

11 commits

Author SHA1 Message Date
2afc9befbf
matrix-synapse: bump to nixos 21.05, new structure
This patches an import path for our new structure, and adjusts the build
inputs for our hacked version of matrix-synapse with a newer version of
twisted (for tls 1.3 support), which is apparently still necessary even
in nixos 21.05.

Seems to build fine (have not waited for all tests in the matrix packag;
these take ages)
2021-08-26 22:55:47 +02:00
13b8ae5c13
matrix-synapse: update twisted (mail library)
This overrides the python38Packages.twisted derivation to a more recent
version that /hopefully/ doesn't force old tls versions. This includes
using and override on the actual twisted package, and another on the
matrix-synapse packages, which now has parts of its definition repeated
in the overlay since overlays apparently don't propagate into
dependencies of packages (since packages are essentiall functions which
have already been called).

On the one hand, this may break things in case the definition of
matrix-synapse changes too much upstream. On the other hand, it doesn't
seem like anyone update the python packages too often, so probably that
won't happen for a long while.

Additionally, prohibitively long to build, since synapse insists on
running a complete test suite while building itself, and there doesn't
appear to be an obvious version to turn this off. If this situation
continues (also with some of the other packages) I guess at some point
we should just set up hainich as a substitution server for Nix ...
2021-08-26 22:51:01 +02:00
8c9b666bfe
synapse: deduplicate public_baseurl 2021-08-26 22:51:01 +02:00
schweby
1b58bd0f7b
synapse: cleaned up config 2021-08-26 22:51:01 +02:00
42e1d2e990
synapse: delete unnessary parts of the default config
(i.e. those parts which are managable by nix, and a couple which were defined
twice were deduplicated)
2021-08-26 22:51:01 +02:00
schweby
1d5a9d74f0
hainich/matrix: set some setting, miss others 2021-08-26 22:51:01 +02:00
4c6f13c68a
synapse: add mail config (currently broken)
tl;dr: mail config works, but on trying to send mail synapse gets rejected by
postfix for using a too-old version of tls, as apparently tls in twisted (the
python library used for mail in synapse) is just hardcoded to v1, which our
postfix rejects.

```
postfix/smtpd[9737]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685:
synapse[9211]: synapse.handlers.identity: [POST-41] Error sending threepid validation email to stuebinm@hacc.space
               Traceback (most recent call last):
                 File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/handlers/identity.py", line 382, in send_threepid_validation
                   await send_email_func(email_address, token, client_secret, session_id)
                 File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/push/mailer.py", line 207, in send_add_threepid_mail
                   await self.send_email(
                 File "/nix/store/55mh6w2ark2blrbkyq0d1jjg9alb1dw5-matrix-synapse-1.29.0/lib/python3.8/site-packages/synapse/push/mailer.py", line 349, in send_email
                   await make_deferred_yieldable(
               twisted.mail._except.SMTPConnectError: Unable to connect to server.
```

This is a known issue [1], which should be fixed in the current version of twisted,
which will be in the next version of synapse.

[1] https://github.com/matrix-org/synapse/issues/6211
2021-08-26 22:51:01 +02:00
2c708c4117
element: move from element.matrix.hacc.space to element.hacc.space 2021-08-26 22:51:01 +02:00
1f9bbf4051
synapse/element: nicer code layout for the config 2021-08-26 22:51:01 +02:00
e15b205214
Synapse/Element: Fixed the config.
In brief: the example was missing a protocol specification.

Also I just learnt that the element at app.element.io uses deprecated
config options. Fun!
2021-08-26 22:51:01 +02:00
schweby
59cd29a3ee
hainich/matrix: init matrix & element 2021-08-26 22:50:58 +02:00
3 changed files with 274 additions and 0 deletions

View file

@ -21,6 +21,7 @@
../../services/gitlab-runner.nix ../../services/gitlab-runner.nix
../../services/unifi.nix ../../services/unifi.nix
../../services/lantifa.nix ../../services/lantifa.nix
../../services/matrix-synapse.nix
./lxc.nix ./lxc.nix
]; ];

53
pkgs/matrix/default.nix Normal file
View file

@ -0,0 +1,53 @@
self: super:
{
python38Packages = super.python3Packages // {
twisted = with super.python3Packages;
twisted.overrideAttrs (old: rec {
version = "21.2.0";
src = fetchPypi {
inherit version;
extension = "tar.gz";
pname = "Twisted";
sha256 = "04jsr67swzj8vn8z64fzbha7vpkm1jz9ns26566vjsfg8n4llm3p";
};
});
};
matrix-synapse = super.matrix-synapse.overrideAttrs (old: {
propagatedBuildInputs = with self.python3Packages; [
authlib
bcrypt
bleach
canonicaljson
daemonize
frozendict
ijson
jinja2
jsonschema
lxml
msgpack
netaddr
phonenumbers
pillow
prometheus_client
psutil
psycopg2
pyasn1
pyjwt
pymacaroons
pynacl
pyopenssl
pysaml2
pyyaml
requests
setuptools
signedjson
sortedcontainers
treq
twisted
typing-extensions
unpaddedbase64
];
python = self.python3;
});
}

220
services/matrix-synapse.nix Normal file
View file

@ -0,0 +1,220 @@
{config, lib, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
nixpkgs.overlays = [ (import ./../pkgs/matrix) ];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well (according to the broken example from the manual)
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host on which matrix / synapse actually run.
# This may make migration easier; in our case it's mostly added complexity.
"hacc.space" = {
# see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
# for documentation on what should be returned at these endpoints.
locations."= /.well-known/matrix/server".extraConfig = ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON { "m.server" = "matrix.hacc.space:443"; }}';
'';
# this is to configure the nice default homeserver setting for our element web.
locations."= /.well-known/matrix/client".extraConfig =
let client = {
"m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# this serves the actual matrix endpoint
"matrix.hacc.space" = {
enableACME = true;
forceSSL = true;
# it is not recommended to have the actual element web interface on the same domain,
# cf. https://github.com/vector-im/element-web#separate-domains on this.
locations."/".extraConfig = ''
return 404;
'';
locations."/_matrix" = {
proxyPass = "http://[::1]:8008";
};
};
# the element web client for our matrix server.
"element.hacc.space" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
# the base_url here must be identical to the one on hacc.space/.well-known above.
default_server_config."m.homeserver" = {
"base_url" = "https://matrix.hacc.space";
"server_name" = "matrix.hacc.space";
};
};
};
};
};
};
services.matrix-synapse = {
enable = true;
server_name = "hacc.space";
public_baseurl = "https://matrix.hacc.space";
enable_registration = true;
allow_guest_access = true;
max_upload_size = "25M";
max_image_pixels = "25M";
dynamic_thumbnails = true;
extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
extraConfig = ''
email:
smtp_host: mail.hacc.space
smtp_user: "noreply@infra4future.de"
smtp_port: 587
notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
require_transport_security: true
enable_notifs: true
client_base_url: "https://element.hacc.space"
invite_client_location: "https://element.hacc.space"
admin_contact: 'mailto:admin@hacc.space'
web_client_location: https://element.hacc.space/
use_presence: false # uses lots of CPU for bacially nothing
limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
default_room_version: "6"
redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
user_ips_max_age: 1d # ich will das Zeug gar nicht qq
retention:
enabled: true
default_policy:
min_lifetime: 1d # does nothing
max_lifetime: 2w
allowed_lifetime_min: 1h
allowed_lifetime_max: 15w
purge_jobs:
- longest_max_lifetime: 1h
interval: 15m
- longest_max_lifetime: 1d
interval: 1h
- longest_max_lifetime: 3d
interval: 12h
- shortest_max_lifetime: 1w
interval: 1d
auto_join_rooms:
- "#lobby:hacc.space"
auto_join_rooms_for_guests: true
password_config:
policy:
enabled: true
minimum_length: 16
push:
include_content: false
group_unread_count_by_room: false
encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
enable_group_creation: true
group_creation_prefix: "__" # groups created by non-admins start eith this prefix
user_directory:
enabled: true
search_all_users: false
prefer_local_users: true
# User Consent configuration
#
# for detailed instructions, see
# https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
#
# Parts of this section are required if enabling the 'consent' resource under
# 'listeners', in particular 'template_dir' and 'version'.
#
# 'template_dir' gives the location of the templates for the HTML forms.
# This directory should contain one subdirectory per language (eg, 'en', 'fr'),
# and each language directory should contain the policy document (named as
# '<version>.html') and a success page (success.html).
#
# 'version' specifies the 'current' version of the policy document. It defines
# the version to be served by the consent resource if there is no 'v'
# parameter.
#
# 'server_notice_content', if enabled, will send a user a "Server Notice"
# asking them to consent to the privacy policy. The 'server_notices' section
# must also be configured for this to work. Notices will *not* be sent to
# guest users unless 'send_server_notice_to_guests' is set to true.
#
# 'block_events_error', if set, will block any attempts to send events
# until the user consents to the privacy policy. The value of the setting is
# used as the text of the error.
#
# 'require_at_registration', if enabled, will add a step to the registration
# process, similar to how captcha works. Users will be required to accept the
# policy before their account is created.
#
# 'policy_name' is the display name of the policy users will see when registering
# for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy".
#
#user_consent:
# template_dir: res/templates/privacy
# version: 1.0
# server_notice_content:
# msgtype: m.text
# body: >-
# To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s
# send_server_notice_to_guests: true
# block_events_error: >-
# To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s
# require_at_registration: false
# policy_name: Privacy Policy
#
'';
listeners = [ {
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
names = [ "client" "federation" ];
compress = false;
} ];
} ];
};
}