haccfiles/services/matrix-synapse.nix
stuebinm 13b8ae5c13
matrix-synapse: update twisted (mail library)
This overrides the python38Packages.twisted derivation to a more recent
version that /hopefully/ doesn't force old tls versions. This includes
using an override on the actual twisted package, and another on the
matrix-synapse package, which now has parts of its definition repeated
in the overlay since overlays apparently don't propagate into
dependencies of packages (since packages are essentially functions which
have already been called).

On the one hand, this may break things in case the definition of
matrix-synapse changes too much upstream. On the other hand, it doesn't
seem like anyone update the python packages too often, so probably that
won't happen for a long while.

Additionally, prohibitively long to build, since synapse insists on
running a complete test suite while building itself, and there doesn't
appear to be an obvious version to turn this off. If this situation
continues (also with some of the other packages) I guess at some point
we should just set up hainich as a substitution server for Nix ...
2021-08-26 22:51:01 +02:00


{config, lib, pkgs, ... }:
{
networking.firewall = {
  # nginx is the only service exposed to the network; synapse itself binds to
  # [::1]:8008 (see listeners below) and is reached through the reverse proxy.
  allowedTCPPorts = [ 80 443 ];
};
nixpkgs.overlays = [ (import ./../../../pkgs/matrix) ];
services.postgresql = {
  enable = true;
  # Executed by the NixOS PostgreSQL module when the database is set up.
  # NOTE(review): the role password is a fixed, well-known value; any local
  # process that can reach the PostgreSQL socket could authenticate as
  # "matrix-synapse" with it unless pg_hba restricts that role — confirm.
  initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';
};
services.nginx = {
  enable = true;
  # only recommendedProxySettings and recommendedGzipSettings are strictly required,
  # but the rest make sense as well (according to the broken example from the manual)
  recommendedTlsSettings = true;
  recommendedOptimisation = true;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  virtualHosts = {
    # This host section can be placed on a different host than the rest,
    # i.e. to delegate from the host on which matrix / synapse actually run.
    # This may make migration easier; in our case it's mostly added complexity.
    #
    # NOTE(review): unlike the two hosts below, this one sets neither enableACME
    # nor forceSSL here. Federating servers and clients fetch these .well-known
    # documents over https://hacc.space, so unless TLS for this host is configured
    # in another module the delegation will not work and the JSON is served in
    # the clear — confirm.
    "hacc.space" =
      let
        # see https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
        # for documentation on what should be returned at these endpoints.
        serverInfo = { "m.server" = "matrix.hacc.space:443"; };
        # this is to configure the nice default homeserver setting for our element web.
        clientInfo = {
          "m.homeserver" = { "base_url" = "https://matrix.hacc.space"; };
          "m.identity_server" = { "base_url" = "https://vector.im"; };
        };
      in {
        locations."= /.well-known/matrix/server".extraConfig = ''
          add_header Content-Type application/json;
          return 200 '${builtins.toJSON serverInfo}';
        '';
        # The wildcard CORS header lets web clients hosted on other origins read
        # this document; it carries no secrets, so that is fine.
        locations."= /.well-known/matrix/client".extraConfig = ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '${builtins.toJSON clientInfo}';
        '';
      };
    # this serves the actual matrix endpoint
    "matrix.hacc.space" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        # it is not recommended to have the actual element web interface on the same domain,
        # cf. https://github.com/vector-im/element-web#separate-domains on this.
        "/".extraConfig = ''
          return 404;
        '';
        # Only the Matrix API prefix is forwarded; synapse listens on loopback
        # only, so this proxy is its sole way onto the network.
        "/_matrix".proxyPass = "http://[::1]:8008";
      };
    };
    # the element web client for our matrix server.
    "element.hacc.space" = {
      enableACME = true;
      forceSSL = true;
      root = pkgs.element-web.override {
        conf.default_server_config."m.homeserver" = {
          # the base_url here must be identical to the one on hacc.space/.well-known above.
          "base_url" = "https://matrix.hacc.space";
          # NOTE(review): synapse's server_name below is "hacc.space", not
          # "matrix.hacc.space"; presumably element only displays this value,
          # but confirm it is the intended one.
          "server_name" = "matrix.hacc.space";
        };
      };
    };
  };
};
services.matrix-synapse = {
  enable = true;
  # server_name is the domain part of user IDs; the API itself is reached via
  # matrix.hacc.space, delegated through the .well-known entries nginx serves.
  server_name = "hacc.space";
  public_baseurl = "https://matrix.hacc.space";
  # NOTE(review): registration is open and nothing in this file adds a CAPTCHA,
  # e-mail verification or registration tokens, so anyone on the internet can
  # create accounts here. That is a deliberate trade-off for a public server,
  # but it is the usual way spam accounts appear; confirm whether secrets.yml
  # (below) or the overlay supplies such a check.
  enable_registration = true;
  # Guests can read public rooms without an account (see also
  # auto_join_rooms_for_guests inside extraConfig).
  allow_guest_access = true;
  max_upload_size = "25M";
  max_image_pixels = "25M";
  dynamic_thumbnails = true;
  # Secrets (presumably the SMTP password and the signing/registration secrets)
  # live outside the nix store. The file is not managed here; it should be
  # readable only by the matrix-synapse user — confirm its mode.
  extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
  # Appended to homeserver.yaml, so the indentation inside the string is
  # significant. Points worth knowing when editing:
  # - require_transport_security makes synapse refuse to send mail without TLS.
  # - smtp_user is an infra4future.de address while notif_from is @hacc.space;
  #   NOTE(review): receiving servers may fail SPF/DMARC on that combination —
  #   confirm the mail server is set up for it.
  # - allow_public_rooms_without_auth exposes the public room directory to
  #   unauthenticated and federated requests.
  # - push.include_content: false keeps message bodies out of push notifications.
  # - password_config enforces a 16-character minimum for local passwords.
  # - retention purges room history after at most 2 weeks by default.
  extraConfig = ''
    email:
      smtp_host: mail.hacc.space
      smtp_user: "noreply@infra4future.de"
      smtp_port: 587
      notif_from: "Your Friendly %(app)s homeserver <noreply@hacc.space>"
      require_transport_security: true
      enable_notifs: true
      client_base_url: "https://element.hacc.space"
      invite_client_location: "https://element.hacc.space"
    admin_contact: 'mailto:admin@hacc.space'
    web_client_location: https://element.hacc.space/
    use_presence: false # uses lots of CPU for bacially nothing
    limit_profile_requests_to_users_who_share_rooms: true # limits unoticed stalking/network analysis
    allow_public_rooms_without_auth: true # public rooms should be public. can be changed if too much spam occurs
    default_room_version: "6"
    redaction_retention_period: 3d # ich hab keine Ahnung, was das tut, aber weniger klingt besser
    user_ips_max_age: 1d # ich will das Zeug gar nicht qq
    retention:
      enabled: true
      default_policy:
        min_lifetime: 1d # does nothing
        max_lifetime: 2w
      allowed_lifetime_min: 1h
      allowed_lifetime_max: 15w
      purge_jobs:
        - longest_max_lifetime: 1h
          interval: 15m
        - longest_max_lifetime: 1d
          interval: 1h
        - longest_max_lifetime: 3d
          interval: 12h
        - shortest_max_lifetime: 1w
          interval: 1d
    auto_join_rooms:
      - "#lobby:hacc.space"
    auto_join_rooms_for_guests: true
    password_config:
      policy:
        enabled: true
        minimum_length: 16
    push:
      include_content: false
      group_unread_count_by_room: false
    encryption_enabled_by_default_for_room_type: all # invite might be the more sane setting, but like this we never retain any unecrypted messeage from our rooms
    enable_group_creation: true
    group_creation_prefix: "__" # groups created by non-admins start eith this prefix
    user_directory:
      enabled: true
      search_all_users: false
      prefer_local_users: true
    # User Consent configuration
    #
    # for detailed instructions, see
    # https://github.com/matrix-org/synapse/blob/master/docs/consent_tracking.md
    #
    # Parts of this section are required if enabling the 'consent' resource under
    # 'listeners', in particular 'template_dir' and 'version'.
    #
    # 'template_dir' gives the location of the templates for the HTML forms.
    # This directory should contain one subdirectory per language (eg, 'en', 'fr'),
    # and each language directory should contain the policy document (named as
    # '<version>.html') and a success page (success.html).
    #
    # 'version' specifies the 'current' version of the policy document. It defines
    # the version to be served by the consent resource if there is no 'v'
    # parameter.
    #
    # 'server_notice_content', if enabled, will send a user a "Server Notice"
    # asking them to consent to the privacy policy. The 'server_notices' section
    # must also be configured for this to work. Notices will *not* be sent to
    # guest users unless 'send_server_notice_to_guests' is set to true.
    #
    # 'block_events_error', if set, will block any attempts to send events
    # until the user consents to the privacy policy. The value of the setting is
    # used as the text of the error.
    #
    # 'require_at_registration', if enabled, will add a step to the registration
    # process, similar to how captcha works. Users will be required to accept the
    # policy before their account is created.
    #
    # 'policy_name' is the display name of the policy users will see when registering
    # for an account. Has no effect unless `require_at_registration` is enabled.
    # Defaults to "Privacy Policy".
    #
    #user_consent:
    #  template_dir: res/templates/privacy
    #  version: 1.0
    #  server_notice_content:
    #    msgtype: m.text
    #    body: >-
    #      To continue using this homeserver you must review and agree to the
    #      terms and conditions at %(consent_uri)s
    #  send_server_notice_to_guests: true
    #  block_events_error: >-
    #    To continue using this homeserver you must review and agree to the
    #    terms and conditions at %(consent_uri)s
    #  require_at_registration: false
    #  policy_name: Privacy Policy
    #
  '';
  # Synapse listens on loopback only, plain HTTP; nginx terminates TLS and
  # proxies /_matrix here. x_forwarded makes synapse take the client address
  # from X-Forwarded-For, which is only safe while nothing but the local
  # reverse proxy can reach this port.
  listeners = [ {
    port = 8008;
    bind_address = "::1";
    type = "http";
    tls = false;
    x_forwarded = true;
    resources = [ {
      names = [ "client" "federation" ];
      compress = false;
    } ];
  } ];
};
}