Diffstat (limited to 'modules/nixfiles/matrix/dendrite.nix')
-rw-r--r--modules/nixfiles/matrix/dendrite.nix148
1 files changed, 148 insertions, 0 deletions
diff --git a/modules/nixfiles/matrix/dendrite.nix b/modules/nixfiles/matrix/dendrite.nix
new file mode 100644
index 0000000..4e40e97
--- /dev/null
+++ b/modules/nixfiles/matrix/dendrite.nix
@@ -0,0 +1,148 @@
+{
+ config,
+ lib,
+ inputs,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.matrix.dendrite;
+in {
+ options.nixfiles.modules.matrix.dendrite = {
+ enable = mkEnableOption "Whether to enable Dendrite Matrix server.";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = config.networking.domain;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ secrets.dendrite-private-key = {
+ file = "${inputs.self}/secrets/dendrite-private-key";
+ mode = "0444"; # User is dynamic.
+ };
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ virtualHosts.${cfg.domain}.locations = {
+ "/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ "= /.well-known/matrix/server" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ '';
+ return = "200 '${
+ generators.toJSON {} {"m.server" = "${cfg.domain}:443";}
+ }'";
+ };
+ "= /.well-known/matrix/client" = {
+ extraConfig = ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ '';
+ return = "200 '${
+ generators.toJSON {} {
+ "m.homeserver".base_url = "https://${cfg.domain}";
+ }
+ }'";
+ };
+ };
+ };
+ postgresql.enable = true;
+ };
+
+ services = let
+ name = "dendrite";
+ prefix = "${name}-";
+ databaseNames = [
+ "account"
+ "appservice"
+ "device"
+ "federation"
+ "key"
+ "media"
+ "mscs"
+ "room"
+ "sync"
+ ];
+ databaseList = forEach databaseNames (x: concatStrings [prefix x]);
+ databaseAttr = genAttrs databaseNames (x: concatStrings [prefix x]);
+
+ mkDatabaseConnection = database: "postgres://${name}@/${database}?sslmode=disable";
+ in {
+ dendrite = {
+ enable = true;
+ httpPort = 8008;
+ settings = {
+ global = {
+ server_name = cfg.domain;
+
+ private_key = config.secrets.dendrite-private-key.path;
+
+ disable_federation = false;
+ };
+
+ app_service_api.database.connection_string =
+ mkDatabaseConnection databaseAttr.appservice;
+
+ client_api = {
+ registration_disabled = true;
+ turn = {}; # TODO
+ };
+
+ federation_api.database.connection_string =
+ mkDatabaseConnection databaseAttr.federation;
+
+ key_server.database.connection_string =
+ mkDatabaseConnection databaseAttr.key;
+
+ media_api = {
+ database.connection_string =
+ mkDatabaseConnection databaseAttr.media;
+ base_path = "./media";
+ };
+
+ mscs.database.connection_string =
+ mkDatabaseConnection databaseAttr.mscs;
+
+ room_server.database.connection_string =
+ mkDatabaseConnection databaseAttr.room;
+
+ sync_api.database.connection_string =
+ mkDatabaseConnection databaseAttr.sync;
+
+ user_api = {
+ account_database.connection_string =
+ mkDatabaseConnection databaseAttr.account;
+ device_database.connection_string =
+ mkDatabaseConnection databaseAttr.device;
+ };
+
+ metrics.enabled = false; # TODO
+ };
+ };
+
+ postgresql = {
+ ensureDatabases = databaseList;
+ ensureUsers =
+ map (x: {
+ inherit name;
+ ensurePermissions."DATABASE \"${x}\"" = "ALL PRIVILEGES";
+ })
+ databaseList;
+ };
+ };
+
+ systemd.services.dendrite.serviceConfig.ExecStart =
+ mkForce
+ (concatStringsSep " " [
+ "${pkgs.dendrite}/bin/dendrite-monolith-server"
+ "--config /run/dendrite/dendrite.yaml"
+ "--http-bind-address 127.0.0.1:${
+ toString config.services.dendrite.httpPort
+ }"
+ ]);
+ };
+}
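Review bot: The `secrets.dendrite-private-key` entry sets `mode = "0444"`, which makes the Matrix server signing key readable by every local account on the host; the comment explains the reason (the service runs as a dynamic user) but that is a broad trade-off for a long-lived signing key. If the NixOS dendrite module in use provides `services.dendrite.loadCredential`, the key can be handed to the unit through systemd credentials instead, e.g. `services.dendrite.loadCredential = [ "private_key:${config.secrets.dendrite-private-key.path}" ];` with `private_key = "$CREDENTIALS_DIRECTORY/private_key";` in `settings.global`, letting the secret file stay at `mode = "0400"` — confirm against the module version pinned by `inputs`. The `mkForce`d ExecStart at the end of the hunk only replaces the start command, so any pre-start config rendering the upstream module performs is presumably untouched, but that should be checked when changing how the key is supplied. Consider also noting in a comment why `sslmode=disable` is acceptable in `mkDatabaseConnection` (the host-less URL implies a local socket), so a later change to a TCP host does not silently keep it.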