Merge branch 'e1mo/synapse'
Deploy Matrix Synapse after the migration.
This commit is contained in:
commit
f09d21053f
11 changed files with 304 additions and 28 deletions
32
flake.lock
32
flake.lock
|
@ -5,11 +5,11 @@
|
|||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689068808,
|
||||
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
|
||||
"lastModified": 1692799911,
|
||||
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
|
||||
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -27,11 +27,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1686137513,
|
||||
"narHash": "sha256-u30JB/KsBjF4xWAz4iswdKIAmVGtkahD+VV7sywYCBA=",
|
||||
"lastModified": 1692954414,
|
||||
"narHash": "sha256-rl1g3aGG0Nlmae7DCGqvOe+yQAcqTGUxehcMAk6usWQ=",
|
||||
"ref": "main",
|
||||
"rev": "61db764a7ed44159c1ade3cd9bf9c068de0bdeb8",
|
||||
"revCount": 20,
|
||||
"rev": "1594009c5040acd2d0c6b8700ca2cc64808041c4",
|
||||
"revCount": 23,
|
||||
"type": "git",
|
||||
"url": "https://cyberchaos.dev/e1mo/freescout-nix-flake"
|
||||
},
|
||||
|
@ -43,11 +43,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1689940971,
|
||||
"narHash": "sha256-397xShPnFqPC59Bmpo3lS+/Aw0yoDRMACGo1+h2VJMo=",
|
||||
"lastModified": 1693377291,
|
||||
"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9ca785644d067445a4aa749902b29ccef61f7476",
|
||||
"rev": "e7f38be3775bab9659575f192ece011c033655f0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -59,11 +59,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1689473667,
|
||||
"narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=",
|
||||
"lastModified": 1693097136,
|
||||
"narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6",
|
||||
"rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -89,11 +89,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1689534977,
|
||||
"narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
|
||||
"lastModified": 1693404499,
|
||||
"narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
|
||||
"rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
{ lib, pkgs, baseDomain, ... }: {
|
||||
{ lib, pkgs, config, ... }: {
|
||||
cj.deployment.environment = "dev";
|
||||
|
||||
imports = [
|
||||
./hardware-config.nix
|
||||
../../services/mumble.nix
|
||||
../../services/website.nix
|
||||
../../services/matrix
|
||||
../../services/vaultwarden.nix
|
||||
../../services/dokuwiki.nix
|
||||
../../services/freescout.nix
|
||||
|
@ -32,4 +33,13 @@
|
|||
registerPassword = lib.mkForce "";
|
||||
environmentFile = lib.mkForce null;
|
||||
};
|
||||
|
||||
# This is specific to every host!
|
||||
systemd.mounts = [{
|
||||
what = "/dev/disk/by-id/scsi-0HC_Volume_27793580";
|
||||
where = config.services.matrix-synapse.settings.media_store_path;
|
||||
type = "ext4";
|
||||
options = "discard,nofail,defaults";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
}];
|
||||
}
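Review bot: The `systemd.mounts` entry added here is repeated almost verbatim in the prod host hunk, differing only in the `what` device id; a small shared option (a constructed example: `cj.matrix.mediaStoreDevice`, consumed by services/matrix to build the mount) would keep the `where`, `type`, `options` and `wantedBy` lines in one place instead of two. `nofail` is the right choice for a host-specific volume, and since the new `services/matrix/default.nix` gives the synapse unit `RequiresMountsFor` on the same path, a failed mount stops synapse rather than letting it write media into the root filesystem. The enclosing attribute set starts outside this hunk.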
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
{ pkgs, baseDomain, ... }: {
|
||||
{ pkgs, baseDomain, config, ... }: {
|
||||
cj.deployment.environment = "prod";
|
||||
|
||||
imports = [
|
||||
./hardware-config.nix
|
||||
../../services/matrix
|
||||
];
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
|
@ -28,4 +29,13 @@
|
|||
ipv6.addresses = [ { address = "2a01:4f8:1c1e:b564::1"; prefixLength = 64; } ];
|
||||
};
|
||||
};
|
||||
|
||||
# This is specific to every host!
|
||||
systemd.mounts = [{
|
||||
what = "/dev/disk/by-id/scsi-0HC_Volume_7628580";
|
||||
where = config.services.matrix-synapse.settings.media_store_path;
|
||||
type = "ext4";
|
||||
options = "discard,nofail,defaults";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
}];
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, baseDomain, ... }: {
|
||||
{ pkgs, config, ... }: {
|
||||
cj.deployment.environment = "prod";
|
||||
|
||||
imports = [
|
||||
|
|
|
@ -145,4 +145,42 @@ final: prev:
|
|||
installPhase = "mkdir -p $out; cp -R * $out/";
|
||||
};
|
||||
};
|
||||
|
||||
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [(
|
||||
pfinal: pprev: {
|
||||
matrix-synapse-saml-mapper = pfinal.buildPythonPackage rec {
|
||||
pname = "matrix-synapse-saml-mapper";
|
||||
version = "2020-09-21";
|
||||
SETUPTOOLS_SCM_PRETEND_VERSION = "0.1+chaos.jetzt.${builtins.substring 0 6 src.rev}.d${builtins.replaceStrings ["-"] [""] version}";
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace setup.py \
|
||||
--replace "attr>=0.3.1" "attrs"
|
||||
'';
|
||||
|
||||
src = final.fetchFromGitHub {
|
||||
owner = "chaos-jetzt";
|
||||
repo = "matrix-synapse-saml-mapper";
|
||||
rev = "1aca2bfc73568a1a25d4e63a52b7a8ea9bdb7272";
|
||||
hash = "sha256-s2AQ92VQOXg7lxjWZKsM5h+4IWnsnLRbOC2mAmr1nZo=";
|
||||
};
|
||||
|
||||
# This is absolutely ugly and not nice
|
||||
# In theory python should pick up the res as data files (manual bdist_wheel does manage to do so)
|
||||
# but somehow this isn't the case with buildPythonPackage
|
||||
# FIXME: Make this something more robus and "propper"
|
||||
postInstall = ''
|
||||
cp -ar $src/matrix_synapse_saml_mapper/res $out/lib/python*/site-packages/*/
|
||||
'';
|
||||
|
||||
nativeBuildInputs = with pfinal; [
|
||||
setuptools-scm
|
||||
];
|
||||
propagatedBuildInputs = with pfinal; [
|
||||
pysaml2
|
||||
attrs
|
||||
final.matrix-synapse-unwrapped
|
||||
];
|
||||
};
|
||||
})];
|
||||
}
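Review bot: The `postInstall` glob `$out/lib/python*/site-packages/*/` copies `res` into every directory under site-packages, including the package's `.dist-info` directory, not only into the package itself; narrowing it to `cp -ar $src/matrix_synapse_saml_mapper/res $out/lib/python*/site-packages/matrix_synapse_saml_mapper/` keeps the workaround without spilling files into unrelated directories. The more robust route the FIXME asks for is to declare the `res` directory as `package_data` in `setup.py` from `postPatch`, so setuptools installs it itself. Adding `pythonImportsCheck = [ "matrix_synapse_saml_mapper" ];` would catch a broken install at build time rather than at synapse start. The pinned `rev` and `hash` on `fetchFromGitHub` are good; the comment typos `robus`/`propper` could be fixed while here. The enclosing overlay function `final: prev:` starts outside this hunk.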
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
coturn_static_auth_secret: ENC[AES256_GCM,data:OH5Qhl+hy1Afs2ARKOuXXSlMVy8LOr+q+hDeWMR8UKR1TKH5Cu4IkIp76T8Sep7Xih8OQyZOBScPaa9ftMUok7P0c5DNmV2xsQyVBy+dp0TokYBRqviFLouqZA+yOkm9nt7/Fx6qZ61cxh8PhnHrBHYR7R/7bxurPjRbXApKw6wwE33lzdCJ1bcA1oASZzYLz61ii9Ema0BqaWNsbvG3np+b86bKFnIgI7JSas07nUIKFTZEDtY/XtIQkEfWvyb5DyisPVEdt0w12ceuHrjFXZFnL/uPOUYnmT6U5Mrd5OBk1HUr2GqQp7wtWtquTL0L4niXCXnmX5tQCk0nb1YBWQ==,iv:/36tKe9d+I1eGFNyZrNtlgnrcguDYG4XegcWZCAGhS4=,tag:dlBd2I3OnD1y+tNL0WhnoQ==,type:str]
|
||||
synapse:
|
||||
signing_key: ENC[AES256_GCM,data:/wXjsAY30plaYptGL3SvS4JyP+UWgX7nzvMlMPepbLG5qplq1Ieo5qNTAugWIhtP8z3DkZBnIgTpOg==,iv:WwPs9XHkoHS70b+2oNjxgDdYsDZrudk/U3UgpTpLD2k=,tag:INce/W/Nxbvxz89AvIG2cg==,type:str]
|
||||
registration_shared_secret: ENC[AES256_GCM,data:8mo0Dr06uGOZKDCAHo66VOsU/FC6Az1SjEJX2zLQRDEXQAI1DfjxscQO+m/EJZTAYZ2BgRyo0kCuD7bDpx/qMw==,iv:bV+VLsEwNYapYXcA33clf4CHmAvpmHrjSrWWGRR5nxg=,tag:GG+w1MU617UlTjIu5sC9WQ==,type:str]
|
||||
secret_config: ENC[AES256_GCM,data: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,iv:tQiBocxEJodi4A0iTpe9Z1sJCJSYI7wHBjOEx7Lhx5w=,tag:Kjx+9hJKnBTbw1flRNnE4w==,type:str]
|
||||
murmur:
|
||||
#ENC[AES256_GCM,data:ionYo3rz6G1ZhOmwBDleXPO7/reeF6tpgA==,iv:4iQ1FYTvxyyNaQDPxHErV0fevsnU5p55wT27nOwMStM=,tag:ynCgbQsvX5ow4+vc2Qz8MQ==,type:comment]
|
||||
|
@ -9,7 +10,7 @@ dokuwiki:
|
|||
keycloak_key: ENC[AES256_GCM,data:/6+NWA==,iv:61M+OdGx3lCR3uFWmArpYUm9Q4L+pv656V8g257YMTw=,tag:fOESdHA6+bpMMDRbWRFn+A==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:mDqHHAjisl0din/q67+zH7NMKLXld9qC0Si6ZREhRStXr6HEFD/QwaGLN86AvUI7sHNf9l4nrgKOht7uXNJrkjuidGsFEEJWkuUOjBRnrtipNKV2YK7giPQXEhH7wTdGeaqxqi4sk90Oq/FoKi2vPkFyNWGOQ5vOXkKKXjjHnbyKIQkIRWya2Dy6IN0CXU8UK0OiQXY3kgEFOyJoqt4sx/HOScHNKkaLb8U+0rpfzxSVyP3oY4o/DFkE51bnd/CNKg3ZK4Ynp/5m7Rs=,iv:aWpDXSp6Ds7cfdw/vfM3I5wcHz0MytnhpIIWEa24LBE=,tag:5YZKo4ZCT57gji8iyBMAiQ==,type:str]
|
||||
hedgedoc_env: ENC[AES256_GCM,data:MeMyjUNchdUm9gqt7hOZU0xvlZvbUWmgh2iiZjkmb20y9dGt083FbGLNuWLkWd8WFM93dETaOj9WD0mbRK11THXyV61rjrwpBkx2NjCFeHX/JjUe7MzxAhm/7Kn9IFl9As5B++SiD97QxEBpcG0AJDoluXqVpZSIHgG6W5FXSYDgZ+/V8dmfSplF5Nj2cseD5kI=,iv:7l8wNfi9HWc8Ep1Y9bUkdJo+2UQVkTfqW0J3pfPxpNg=,tag:xS+vD73r6rDmeeAB4bstww==,type:str]
|
||||
hedgedoc_env: ENC[AES256_GCM,data:VHIzmq7P1pqS72HbRXRT3k7n6vyPkzkQFJdveseCAHnzdXlEF0lHr+Up7J6XhfhtQXO3ogV2jkGZpOMY0OuEvhLf2yGkBj3W0ZtG7Kx6Rdcbb5rG7Z6Vb1vpL/aT88QFd3VX23M+FPFyWeYKGOvGRuCela+mUX7jDs2W4jOrYOtEGe3+V08DcvtcCvE2L1NqeDQ=,iv:011/ZRdQlkFQ2TZpzQhfRf/OTawnHFQDockLGlOrkmc=,tag:Y66RIBtyjl5VSo23GU4sNg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -25,8 +26,8 @@ sops:
|
|||
QjBmYlNYWlFoWHd0ZFJkWE0xMkpvZzQKJwKap35S2pWGNOtBHe931dRqAQAczbWv
|
||||
/BUEtl900F8YLQCB1/myV0Dk5X9XDlww1yrzw/La3gXANY93Ndu3MA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-07-24T14:30:13Z"
|
||||
mac: ENC[AES256_GCM,data:UXYfO7Ezx6jhuElF4ncJ3qcm5e9S4dLnIJ6ieELzmwHZEAIf8HCeovJIuubv9UbQeXg3F+jQzUA7xP8cGcx4fh6WzaXZuq+i/GbF79HCbgtYb8KogC7C/nbi7aFgd6euM84txNpIFlBMmcOAaVAdO+9zM6AxaclPq0Am+I+eG2E=,iv:ObMNbl1fI0yFQraR56rxSxBzv++MMdNY6JOZtPqBl5U=,tag:Nu5GZqWutwWxxORWcfLlVQ==,type:str]
|
||||
lastmodified: "2023-08-30T11:23:54Z"
|
||||
mac: ENC[AES256_GCM,data:YG1Te+quE4eFadTJPyHPpJhVbs24bKtGCNS6VNvXK2fwUosd7GngprCIAfCKZ2Jzexjj+71zsfY72n/io952vK4bKoWDzFwE3cr1VJ0QQQ+BEoZjFJYEk4GOrmoEVzfIBqDEFpbOsA7VSvEawRrSeL2RqjHkaF/CNJWZfuH3tD8=,iv:M+t9Qn/Gl4oZwoSX72XeStPpVG3wAX7OKsk3vrJ9wto=,tag:/Tpy/92lUqLMqgIVkpBaFw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-07-23T14:01:56Z"
|
||||
enc: |-
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
placeholder: ENC[AES256_GCM,data:rzHtxg==,iv:cCQcC7FZJkGC1YIKNdqiTU+7W6YJ8hJlwT5XwdTyu/k=,tag:AfZlrP54Yh6U8l7bwCT3Bg==,type:bool]
|
||||
coturn_static_auth_secret: ENC[AES256_GCM,data:7m7ymyb7hgN0H4KVujlr8NdkrzanQuOq1nl+ggtqvMxFauBoBLzKDMAOtH19uG7g3phkSGp9QlqD8cStlh0dE5FOiw0UN531Y6zFrZ0+wLgg0IKnqm6fmCjjKec/qsh59wRuE2BOIo1Lb74iRcP2CPPERQHrT5acRiC6SfSOZG8=,iv:KgaxzZWM7bWM+wiUrj7OzFV64JJlmep1EFrVlo0sd1Q=,tag:s7R5P2zWSKyDOOUlC4TTGw==,type:str]
|
||||
synapse:
|
||||
signing_key: ENC[AES256_GCM,data:WLdNVbGn772vuO9avavFvaHDlq5F1Pl2oxPlkIQC/pK9Q9GmFA2oxUy2QUPdrTfhlL6gJkjwO1JOiA==,iv:IcUQqTeJkASHTa++gXcWBzRP86Em4gm/1N/leMtFvRc=,tag:1zHAh64W/PDWa6BvhowS6w==,type:str]
|
||||
registration_shared_secret: ENC[AES256_GCM,data:3mcyn8+8bfRQTJf8a6CwfO/v10W1PvM3D6POq52BV49N1KVBSs27aGq6YZFzR0H9vF5qUGXGRzk+zdNk+GK0Lw==,iv:54ZI2SGGXOQstRU0C89sJlWluC0XnxNLqrjt/ad0MzQ=,tag:gD9h+nIOz049GlaRjgX5Aw==,type:str]
|
||||
secret_config: ENC[AES256_GCM,data:2NYKCQxZn2S5HP6h01epylIryfFVdPdm8Mew7b3eDnfrCmJcIS//OGlYaUM76Q574V5LHg86CXDBM1pgl38oxjT7MM1GMYXiYL7ancKUivUnvfcRBYi1ZF+oCJMEwmnx6FuElU3qQ82NnJgv1rSP9mJTkGt+02LTTZR3f/UdvBohmDUYk9jhzRhdX/I9wFR1JV8Dk1PcQ4ysLrCfL0lKvvGdBE3E2C5eRrFSjWAn+ezFYP23KfyNtpDHuKW7TEzlrpZrS1yPsQ9D3tt6K1bypuJX+7zpMpXP443dxs/ZAalL2yyodQysJ3/Sb5kQQXWudEnsXP72Biw26tUVgX6o8iZ9yJEmuZDhAk3PGSmuBeohYnxk8fKIkieIDTM14GEPvEaI,iv:Xemjx/o4v9QlbbI/ZLFnT9F14xTlJ0zDP4hnVvho3wc=,tag:PoE0dVAoU2twuWUqNSUPmg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -14,8 +18,8 @@ sops:
|
|||
aWQ2QW05a1lrbTZZci9VMldpVzNCZFkKCJwEd5TkZaIb2M1E149/NEUB1E5E8gLu
|
||||
YSDnb7eKfx8auWCEVCMiHx6POdpVvwxKnxUWHEnUBIMHhx+Y1MSclg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-12T08:45:36Z"
|
||||
mac: ENC[AES256_GCM,data:pjGhTGsY7I7AF2Pd2fINT0PzJOWSF6TvE26NTC6xNwJ2fnL+opANJnLkdRpZFw7rXVqGdjvZmtYV/Z4MZTH3n5NRM9cg/sQ1kRLS6LIgGFd0xqxhCE26gArquOSqbWb7BU9vyq9A4XFqi9Jx0yjP9+ywYOjrIuVN7OHDyWsN4sU=,iv:3nSB6qNHq9HRa1YCHDGRopiArXPWob10/ON8Y7rMeKc=,tag:2FElWlRUskM+Z/DlfeAs1w==,type:str]
|
||||
lastmodified: "2023-08-31T18:55:28Z"
|
||||
mac: ENC[AES256_GCM,data:Jfqd39+c22Zaib+98DgSku612aU6vhmccurPtV7nQ59dg8/C4vDQ13lfxljzlk8Xe9Lc56qfvhjpdGpDuGH1EB6OFoOvdYRWvn+GofCMRV/ss+BY4LEStMH3cWBerJSC9aUu7ULqqGuzMzfWbXOBVtR5OhqVcD6SRvMufbwoGa0=,iv:FqlSyXQIKPDC3qnsT9ljB2L2ZjRNDelr5RhIUDLW738=,tag:l5qU7y6znrA1p1GB1sQ3MQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-12T09:39:58Z"
|
||||
enc: |-
|
||||
|
|
|
@ -2,6 +2,8 @@ murmur:
|
|||
registry_password: ENC[AES256_GCM,data:jgMmirQNhwTQZMyfbbbJku9JDqxtuKepIIpbiloX0qnUnytu1vvjFkGZH5dag/e/EDHszqkALNlUZz7wdlxZn3QDDlv0rQITJtsp,iv:aLIPiHDGC4vNXfNgqR852/jbChv2uu5q0Yy9I4ej5ts=,tag:cy4rs+YCglNKEaq+3arfow==,type:str]
|
||||
dokuwiki:
|
||||
keycloak_key: ENC[AES256_GCM,data:gXCRVg==,iv:BqBPRnD8mIQ97MHfn/KESqe8ABXGaDXEIAGyYcbfXlI=,tag:KhgQX5N3MATmnqXnEIjzBQ==,type:str]
|
||||
synapse:
|
||||
registration_shared_secret: ENC[AES256_GCM,data:h6GwLIrOOvCGRpEHvXt8Kw4uFwOKN86qN/pjjobImnkz3H7J/7v3XIneHnRYRHsFRX0XB53iz6VKN+7b+zuMtg==,iv:kg5hpTQH+MTO7Ocblck0yhgsDiXJIme5OGpcaxERiVc=,tag:goRj0JtTLHnz56Ti8Sumgg==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:4zeSpiaJQ8v00EBHrS6IU/1KXCEP6EBpkMacW0mf3ygZxSfUL3oQ11sXOu24OOMnTpaZUPJ68rj1jSNgBoVQ7rLttpCHKy62ART2xi0PcSCpDCBLpBocPdpFydQzwFOrMAYpcS6SB/ijy2ZxvfzVQqykcqfLdwdZs3PCys15OSQT269FmFERT25pTW7d6zxE3eY2YhLf1Y+6MjYHffAEv8RqN35UWyAOh8dJU09lbEsUiBRwN3tNhQ0STOsShhxY/ogMZdAHQwvGjo0=,iv:yK9PBOURtOVBBPwuJSpARvb5eXUIhPypEbEYbX2PqRs=,tag:MG7fcBPMg9eMjtD5V+yjBw==,type:str]
|
||||
hedgedoc_env: ENC[AES256_GCM,data:M/UW8QjiiHU/YsSYsYnZbeA+SPAub53E1FAiSvRFTeQeR0d3+t0g0lfn9Wqcok541NjETs7LN4lCrYBR6cH4EqQ9581pj2Fi5KabypA/2DUNTaAjtCbA2RNM/M/1/ka5n8AFNgzXppb/yEQ2xqQfV7IN/d6ClJzfFi+3FoFa3wRwAajvkH+yP8rfTBkQFamQWTQ=,iv:6vOeJHkNnva92GCrhuIj3HtG6z50UBnxRGg97jv2/gk=,tag:eYN4q7/HL0BtPdYLlbaW+A==,type:str]
|
||||
|
@ -20,8 +22,8 @@ sops:
|
|||
Z3FXczZaSUVLY2lCcWJaQklXNHBzczAKQev4noy5ValCq65BhvXl1weY2QNsTe6f
|
||||
f4SUmm5NGbTiGaghOLC1Cio3K8ibA0vszVyySNE1khkvcM7JewIXAQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-07-24T15:00:19Z"
|
||||
mac: ENC[AES256_GCM,data:TqoMFF2XBc1iA/FnwgEwKdTKneHV6AvvPRVR+E7bkpqHQsxcl/wRLUzfQ5bg3YDviB/kB1KDuS25xQn/ztJKoBn7deWF0+9xz5npStQimNWuzgbTCIQS5hbqahgOejnnGVvJ/zms67ZOOG/Ek8W4eE8DUNMlUlNNIxGD8fkRwYI=,iv:FYW3K/QipSCrk0ZrxUhJANB5CBY4K5af4KhUf7GwuYU=,tag:HeLAe/yCZnDXqNHeUDpylQ==,type:str]
|
||||
lastmodified: "2023-08-30T11:25:43Z"
|
||||
mac: ENC[AES256_GCM,data:Yvd2DHOKJJr0hm/nt6nO8RgG4nMUtfBa5M1KPlQYjzul8UVNdX7WvgYwbMlERifiVVirAjCeB0DybvWBozpPcAhPcZ6+8AlUQg77wQt+PgqaVCXvFMBeGFqPNaCi1JPVDjKvAEC/A+mvUDL52JH0c2PCoRCl/W1WXq7TfXRjzis=,iv:k930uOJRCxddz86vCu16SiWHZXSiLD5htVnGd73aIZk=,tag:ouMgLZqZ/e35P1we1mCsVw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-07-23T14:01:46Z"
|
||||
enc: |-
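Review bot: This secrets file gains only `synapse.registration_shared_secret`, while the new `services/matrix/default.nix` declares four sops secrets (`coturn_static_auth_secret`, `synapse/signing_key`, `synapse/secret_config` and `synapse/registration_shared_secret`); if the host that consumes this file imports `../../services/matrix`, sops-nix will fail at activation because the other three keys are absent here. The file headers are not visible in this view, so this may equally be the host that does not run the Matrix service, in which case the new key is simply unused. Worth confirming which host reads this file before deploying. The `sops:` metadata block continues outside this hunk.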
|
||||
|
|
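--- a/services/matrix/default.nix
+++ b/services/matrix/default.nix
@@ -0,0 +1,179 @@
+{ lib, config, pkgs, baseDomain, ... }: let
+matrixPort = 8008;
+isDev = (builtins.substring 0 3 baseDomain) == "dev";
+synapseDb = config.services.matrix-synapse.settings.database.args;
+initSynapseDb = ''CREATE DATABASE "${synapseDb.database}" WITH OWNER "${synapseDb.user}" ENCODING "UTF8" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C";'';
+in {
+sops.secrets = {
+"coturn_static_auth_secret".owner = "turnserver";
+"synapse/signing_key" = {
+owner = "matrix-synapse";
+path = config.services.matrix-synapse.settings.signing_key_path;
+mode = "0600";
+};
+"synapse/secret_config".owner = "matrix-synapse";
+"synapse/registration_shared_secret".owner = "matrix-synapse";
+};
+
+services.nginx.virtualHosts = {
+"chat.${baseDomain}" = {
+enableACME = true;
+forceSSL = true;
+
+root = pkgs.element-web.override {
+# Somewhat duplicate of the stuff in website.nix but I am
+# not sure if we absolutely need to dedup this, just out of complexity perspective
+conf = {
+default_server_config."m.homeserver" = {
+base_url = "https://matrix.${baseDomain}/";
+server_name = baseDomain;
+};
+default_country_code = "DE";
+};
+};
+};
+"matrix.${baseDomain}" = {
+enableACME = true;
+forceSSL = true;
+# It's also possible to do a redirect here or something else, this vhost is not
+# needed for Matrix. It's recommended though to *not put* element
+# here, see also the section about Element.
+locations."/".extraConfig = ''
+return 404;
+'';
+# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+# *must not* be used here.
+locations."/_matrix" = {
+proxyPass = "http://[::1]:${toString matrixPort}";
+recommendedProxySettings = true;
+};
+# Forward requests for e.g. SSO and password-resets.
+locations."/_synapse/client" = {
+proxyPass = "http://[::1]:${toString matrixPort}";
+recommendedProxySettings = true;
+};
+# # Allow public access to the synapse admin API
+# # The docs advise against leaving this open to just everyone. That's why this currently is commented out
+# # if admin things need to be done, it's required to SSH to the server and then direct all admin requests to
+# # localhost:8008/_synapse/admin
+# # Leaving that in here for when I (e1mo) wonder why calls to the admin API don't work in the future
+# locations."/_synapse/admin".proxyPass = "http://[::1]:${toString matrixPort}";
+};
+};
+
+services.postgresql = {
+enable = true;
+ensureUsers = [
+{ name = synapseDb.user; }
+];
+};
+systemd.services.postgresql = {
+postStart = ''
+$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc '${initSynapseDb}'
+'';
+};
+
+security.acme.certs."turn.${baseDomain}" = {
+group = "turnserver";
+reloadServices = [ "coturn.service" ];
+};
+services.coturn = let
+sslDir = config.security.acme.certs."turn.${baseDomain}".directory;
+in {
+enable = true;
+cert = "${sslDir}/fullchain.pem";
+pkey = "${sslDir}/key.pem";
+static-auth-secret-file = config.sops.secrets."coturn_static_auth_secret".path;
+};
+
+# TODO: Use media storage volume on prod
+services.matrix-synapse = {
+enable = true;
+plugins = [
+pkgs.python3Packages.matrix-synapse-saml-mapper
+];
+settings = {
+server_name = baseDomain;
+public_baseurl = "https://matrix.${baseDomain}";
+allow_public_rooms_over_federation = true;
+enable_registration = false;
+registration_shared_secret_path = config.sops.secrets."synapse/registration_shared_secret".path;
+log_config = ./synapse-log_config.yaml;
+database = {
+name = "psycopg2";
+args.database = "matrix-synapse";
+};
+federation_ip_range_blacklist = [
+"127.0.0.0/8"
+"10.0.0.0/8"
+"172.16.0.0/12"
+"192.168.0.0/16"
+"100.64.0.0/10"
+"169.254.0.0/16"
+"::1/128"
+"fe80::/64"
+"fc00::/7"
+];
+
+admin_contact = "mailto:administration@chaos.jetzt";
+url_preview_enabled = true;
+media_store_path = "/mnt/synapse_media_store";
+turn_uris = let
+turn_base = "turn.${baseDomain}";
+ct = config.services.coturn;
+port = builtins.toString ct.listening-port;
+tlsPort = builtins.toString ct.tls-listening-port;
+in [
+"turn:${turn_base}:${port}?transport=tcp"
+"turn:${turn_base}:${port}?transport=udp"
+"turns:${turn_base}:${tlsPort}?transport=tcp"
+"turns:${turn_base}:${tlsPort}?transport=udp"
+];
+auto_join_rooms = builtins.map (v: "#${v}:${baseDomain}") [ "grosse_halle" "allgemein" ];
+autocreate_auto_join_rooms = true;
+enable_metrics = false;
+user_directory = {
+enabled = true;
+search_all_users = true;
+};
+saml2_config = {
+enabled = true;
+sp_config.metadata.remote = [{
+url = "https://sso.chaos.jetzt/auth/realms/${if isDev then "dev" else "chaos-jetzt"}/protocol/saml/descriptor";
+}];
+user_mapping_provider.module = "matrix_synapse_saml_mapper.SamlMappingProvider";
+};
+password_config.enabled = false;
+};
+extraConfigFiles = let
+format = (pkgs.formats.yaml {}).generate;
+in [
+# Contains turn_shared_secret, macaroon_secret_key, and form_secret
+config.sops.secrets."synapse/secret_config".path
+# For our saml sso stuff we need to have additional_ressouces, but they are not possible with the NixOS module listener
+(format "additional_ressources.yaml" {
+listeners = [{
+bind_addresses = [ "::1" "127.0.0.1" ];
+port = matrixPort;
+type = "http";
+tls = false;
+x_forwarded = true;
+resources = [{
+names = [ "client" "federation" ];
+compress = false;
+}];
+additional_resources."/_matrix/saml2/pick_username".module = "matrix_synapse_saml_mapper.pick_username_resource";
+}];
+})
+];
+};
+
+system.activationScripts."synapse-media-store-mnt".text = ''
+mkdir -p ${lib.escapeShellArg config.services.matrix-synapse.settings.media_store_path}
+chown matrix-synapse:matrix-synapse ${lib.escapeShellArg config.services.matrix-synapse.settings.media_store_path}
+'';
+systemd.services.matrix-synapse = {
+unitConfig.RequiresMountsFor = [ config.services.matrix-synapse.settings.media_store_path ];
+serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
+};
+}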
27
services/matrix/synapse-log_config.yaml
Normal file
27
services/matrix/synapse-log_config.yaml
Normal file
|
@ -0,0 +1,27 @@
|
|||
# Based on https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/matrix/synapse-log_config.yaml
|
||||
# Just with a log-level of warning
|
||||
version: 1
|
||||
|
||||
# In systemd's journal, loglevel is implicitly stored, so let's omit it
|
||||
# from the message text.
|
||||
formatters:
|
||||
journal_fmt:
|
||||
format: '%(name)s: [%(request)s] %(message)s'
|
||||
|
||||
filters:
|
||||
context:
|
||||
(): synapse.util.logcontext.LoggingContextFilter
|
||||
request: ""
|
||||
|
||||
handlers:
|
||||
journal:
|
||||
class: systemd.journal.JournalHandler
|
||||
formatter: journal_fmt
|
||||
filters: [context]
|
||||
SYSLOG_IDENTIFIER: synapse
|
||||
|
||||
root:
|
||||
level: WARNING
|
||||
handlers: [journal]
|
||||
|
||||
disable_existing_loggers: False
|
|
@ -8,6 +8,11 @@
|
|||
inherit (lib) escapeRegex;
|
||||
inherit (config.networking) fqdn hostName;
|
||||
|
||||
# Absolute hack until https://github.com/chaos-jetzt/chaos-jetzt-nixfiles/pull/29 is merged
|
||||
# But needed for us to have a working monitoring on our main matrix server (kinda important)
|
||||
# FIXME: Remove when #29 is merged
|
||||
monIf = if config.networking.hostName == "hamilton" then "enp7s0" else "ens10";
|
||||
|
||||
# Basically a manual list of (legacy) hosts not yet migrated to NixOS
|
||||
# but on which we'd like to have included in the monitoring.
|
||||
externalTargets = let
|
||||
|
@ -124,7 +129,7 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
networking.firewall.interfaces.ens10.allowedTCPPorts = let
|
||||
networking.firewall.interfaces.${monIf}.allowedTCPPorts = let
|
||||
inherit (config.services) prometheus;
|
||||
ifEnabled = x: lib.optional x.enable x.port;
|
||||
in (
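Review bot: `monIf` compares `config.networking.hostName` even though `hostName` is already bound two lines earlier by `inherit (config.networking) fqdn hostName;`; `monIf = if hostName == "hamilton" then "enp7s0" else "ens10";` reads more consistently with the surrounding bindings. The FIXME already ties the interface hack to PR #29, so nothing else needs changing here. The enclosing `let` block starts before this hunk and the firewall expression continues past it.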
|
||||
|
|