module for synapse-matrix

This commit is contained in:
Danilo Reyes 2025-03-08 20:00:09 -06:00
parent c526970745
commit a0efbc5188
5 changed files with 95 additions and 3 deletions

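--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -113,5 +113,9 @@
 enable = true;
 enableProxy = true;
 };
+synapse = {
+enable = true;
+enableProxy = true;
+};
 };
 }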

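--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -120,6 +120,10 @@ in
 enable = config.my.enableProxy;
 clientMaxBodySize = "4096m";
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+recommendedTlsSettings = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
 };
 networking.firewall =
 let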
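Review bot: `recommendedGzipSettings = true;` enables response compression on the TLS-terminating proxy in front of dynamic applications, which is the precondition for BREACH-style compression side channels on responses that echo request data next to secrets; consider limiting gzip to static content types or confirming the proxied apps do not reflect user input on authenticated pages. As far as I can tell from the NixOS nginx module, `recommendedTlsSettings` tunes session cache, session tickets and OCSP stapling but does not replace the explicit `sslCiphers` string one line above, so the proxy still pins an AES-256-only TLS 1.2 cipher list (TLS 1.3 suites are unaffected by `ssl_ciphers`); verify the generated nginx.conf is what is intended. The enclosing attrset (presumably `services.nginx`) starts before this hunk.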

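--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -33,6 +33,7 @@ let
 "shiori"
 "mealie"
 "firefly-iii"
+"matrix-synapse"
 ];
 in
 {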

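--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,82 @@
+{ lib, config, ... }:
+let
+cfg = config.my.servers.synapse;
+setup = import ./setup.nix { inherit lib config; };
+clientConfig."m.homeserver".base_url = cfg.url;
+serverConfig."m.server" = "${cfg.host}:443";
+mkWellKnown = data: ''
+default_type application/json;
+add_header Access-Control-Allow-Origin *;
+return 200 '${builtins.toJSON data}';
+'';
+in
+{
+options.my.servers.synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
+config = {
+my.servers.synapse.domain = "wedsgk5ac2qcaf9yb.click";
+sops.secrets = lib.mkIf cfg.enable {
+synapse = {
+sopsFile = ../../secrets/env.yaml;
+owner = "matrix-synapse";
+group = "matrix-synapse";
+};
+};
+networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
+services = {
+matrix-synapse = {
+enable = true;
+extraConfigFiles = [
+config.sops.secrets.synapse.path
+];
+settings = {
+server_name = cfg.domain;
+public_baseurl = cfg.url;
+federation_domain_whitelist = [ cfg.domain ];
+allow_public_rooms_without_auth = false;
+allow_public_rooms_over_federation = false;
+max_upload_size = "4096M";
+listeners = [
+{
+inherit (cfg) port;
+bind_addresses = [ "::1" ];
+type = "http";
+tls = false;
+x_forwarded = true;
+resources = [
+{
+names = [
+"client"
+"media"
+];
+compress = true;
+}
+];
+}
+];
+};
+};
+nginx.virtualHosts = lib.mkIf cfg.enableProxy {
+"${cfg.domain}" = {
+enableACME = true;
+forceSSL = true;
+locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+};
+"${cfg.host}" = {
+enableACME = true;
+forceSSL = true;
+locations."/".extraConfig = ''
+return 404;
+'';
+locations."/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
+locations."/_synapse/client".proxyPass = "http://[::1]:${toString cfg.port}";
+extraConfig = ''
+ssl_verify_client on;
+ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
+error_page 403 /403.html;
+'';
+};
+};
+};
+};
+}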
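Review bot: `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];` opens port 8008 on the host firewall, but the Synapse listener a few lines below binds only `::1` with `tls = false` and `x_forwarded = true`, so the rule is dead as written and, if `bind_addresses` were later widened to match it, would expose a plaintext listener that trusts `X-Forwarded-For` from any peer for Synapse's rate limiting and logging. Either drop that line or gate `bind_addresses` on the same `cfg.isLocal` so the two cannot drift apart; `isLocal` and `mkOptions` come from `./setup.nix`, which is outside this commit, so I cannot see what `isLocal` is meant to imply. Separately, on the `${cfg.host}` vhost `error_page 403 /403.html;` will not fire for a missing or rejected client certificate, because nginx reports `ssl_verify_client` failures as 400 (internal codes 495/496), and `/403.html` itself falls into `location /`, which returns 404, unless a handler for it is defined elsewhere; `error_page 495 496 =403 ...` with a dedicated location would make the mTLS failure path explicit.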


@ -9,8 +9,9 @@ mealie: ENC[AES256_GCM,data:RjKqDs70lWhGN0LXPp3feQfW/WtfJlR6vX++0hwGtqcA3iepEh2A
maloja: ENC[AES256_GCM,data:yCwokfD4I1Boy2NOhOTLA3dWgUVOdSzWKIEdYC0klvYu41IGcM8bM65uYFmiOtk+jHgt6j3kO/pBBlC4w/iTElphTqFyFRGdBN4fNRntAhMzqOszBZII,iv:Vf9hfNwSTBkh2cXV7Y2fv4NA8kng2M1i7BtTXJvy4u4=,tag:KLc8sP6N2/Pp/9069E3aPQ==,type:str] maloja: ENC[AES256_GCM,data:yCwokfD4I1Boy2NOhOTLA3dWgUVOdSzWKIEdYC0klvYu41IGcM8bM65uYFmiOtk+jHgt6j3kO/pBBlC4w/iTElphTqFyFRGdBN4fNRntAhMzqOszBZII,iv:Vf9hfNwSTBkh2cXV7Y2fv4NA8kng2M1i7BtTXJvy4u4=,tag:KLc8sP6N2/Pp/9069E3aPQ==,type:str]
multi-scrobbler: ENC[AES256_GCM,data:98VAMghaZwptB2npogH9qkA2zUVwW4A3POQs6/+jHRjtlxo3yL4NAeD2QLMv0ZljciFEuIQd3K1LNBs0gbmAMfB1wFjOjjUicCdUoEbv8AVaWHF4VWfv6mcaK7m2JER4/Dd1oZpD7cxMaJHc9W6xmXBoCkewORIOtvE4qoCyHxPpTW9g/AYhMfvBr34NMBWEc6awvbsK1X2cVhYGjnoGAdcLED9cT8Ydy5keusAbjA/EWRTDPyg4Y1xH48H5yS6MuYzXR5dSdQUEuFJ2M3V95Kp64w6xZHZzrK4O1J3mMNaUvRSGG1DN6gBDtEv8/WWbkKOBxmgVMrVuJz1fxJJvD4Fs,iv:nfWM7Kq00w0T5pfBv5ksJhD4R1USMPSX8TaKeiKH7wc=,tag:IxpS2KgzQ/NdcBMidjguhw==,type:str] multi-scrobbler: ENC[AES256_GCM,data:98VAMghaZwptB2npogH9qkA2zUVwW4A3POQs6/+jHRjtlxo3yL4NAeD2QLMv0ZljciFEuIQd3K1LNBs0gbmAMfB1wFjOjjUicCdUoEbv8AVaWHF4VWfv6mcaK7m2JER4/Dd1oZpD7cxMaJHc9W6xmXBoCkewORIOtvE4qoCyHxPpTW9g/AYhMfvBr34NMBWEc6awvbsK1X2cVhYGjnoGAdcLED9cT8Ydy5keusAbjA/EWRTDPyg4Y1xH48H5yS6MuYzXR5dSdQUEuFJ2M3V95Kp64w6xZHZzrK4O1J3mMNaUvRSGG1DN6gBDtEv8/WWbkKOBxmgVMrVuJz1fxJJvD4Fs,iv:nfWM7Kq00w0T5pfBv5ksJhD4R1USMPSX8TaKeiKH7wc=,tag:IxpS2KgzQ/NdcBMidjguhw==,type:str]
vaultwarden: ENC[AES256_GCM,data:NituIOyGrYALEkuwKT0RRS1gvi3wjC6ZSAfUIejfi8xoePE6vSNztJTGsRSIh4sJnRrQIiDuKTmRKZDM6AtX/oEBsNW8MVq+lWAq/vtcO7fuTriySEungmpXhQwRZD6NsXE+9283P3s6RshpA4iipmENiW2v2/uxkIXxtTguUxfX0psWYtF6mx5/hpaoNZ523OB69m6veAxD6Pmnj+pTOAORGXHldoNrxNc35WBDdndjAZICyO873tbs22VJOWD9a66BNxtfwIPYoFkuPO6QG3nnFfyPSQ==,iv:rmDJbrP+NQ5HGdRCWSYfymP8dU9WJdMEhAg80eupgeY=,tag:kdNzgWjgeqaTCjqUCc4uWw==,type:str] vaultwarden: ENC[AES256_GCM,data:NituIOyGrYALEkuwKT0RRS1gvi3wjC6ZSAfUIejfi8xoePE6vSNztJTGsRSIh4sJnRrQIiDuKTmRKZDM6AtX/oEBsNW8MVq+lWAq/vtcO7fuTriySEungmpXhQwRZD6NsXE+9283P3s6RshpA4iipmENiW2v2/uxkIXxtTguUxfX0psWYtF6mx5/hpaoNZ523OB69m6veAxD6Pmnj+pTOAORGXHldoNrxNc35WBDdndjAZICyO873tbs22VJOWD9a66BNxtfwIPYoFkuPO6QG3nnFfyPSQ==,iv:rmDJbrP+NQ5HGdRCWSYfymP8dU9WJdMEhAg80eupgeY=,tag:kdNzgWjgeqaTCjqUCc4uWw==,type:str]
dns: ENC[AES256_GCM,data:GOBiaKrx82ghFMhbCL19+l2ON9d6cdgd2bVXqP0u8lCHaXkJlv+jODBrbIWVm8gbd8XgOTcPxf4b460sT2qqneeqmyyC+vw37bNutYvqXDqCSGRrjMM0OJPn0w0ZyfsgX+sli/4floeULwJbfxfqmz6BOXU8UvX8uBZmCKOxeQqZXUxv,iv:0CXJ4nJdaPrFxAbGxJ0yYmyozITpEx3viki6Hj25GuM=,tag:vbYWCyUDYbPix3AXf8re1A==,type:str] dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN6vJUwVJPiY0AB+L/iLNcqCRz8OH0qNtfnikBbDicq0OfrwjnN+VzmbwmrS6AdFo6lilbxI3Jb8YwGMrQxXg0U9F2/WVLETbzICG2KpukwIER0xxQpb51OVL+2hviGV8JpWKo66S6pug628Zc+uMJXEBPSqCpz2vXHXnXWMszP6MlqVfNm/zE=,iv:DOj0e8y+2N9eRA81nlT0kS66sXWZoLSVn0NAiUkNcDY=,tag:+0Baqs6TbTAmt3lRfncE6Q==,type:str]
cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str] cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str]
synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -53,8 +54,8 @@ sops:
QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q== 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-08T03:20:01Z" lastmodified: "2025-03-08T05:31:03Z"
mac: ENC[AES256_GCM,data:c625lqZhrlmV9rVcLQfeaB1XN7uX+SJ7R6ei1X/oHqT68nCfqoNhnLgpIIllZhOwdRCjrgH9eZXMwP/2RCyozqJim//cKbK2E33vrsxyqJZjNgnNON2imycy4hkaTbQo6rGrzJqUkpTdfRJxTJ8PvNBzk+tua5FY0gpfYGHSD5c=,iv:mKGT+lZZr7EjoNyFKlS347kY/tBSOqi6AgRvzwC3o7Q=,tag:GXGSVEhrJq+XrVtYMceVYQ==,type:str] mac: ENC[AES256_GCM,data:/thb94+m4S8XC6+2HXI5HqjznqV0kaCJzk4bUaTDgHf+3DewAy5UvMy78xrTeSyJqRIXLCs/QR1xMTyUOFiWEOcF2GQ5GBt04Mdstc2VkUGbgd8UGERzMlNYbt0d4se2hM6xRpMr/iPH3w6a415czfprcYnlTc9iU3+7lsHhhe0=,iv:PziCnPs7Mm8ETjsLXOtDhFcWL59S+sYXsclu8P4f7is=,tag:uBukCE2RNDpLHZPT2c1QOw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4