diff options
Diffstat (limited to 'modules/nixos/matrix')
| -rw-r--r-- | modules/nixos/matrix/default.nix | 6 | ||||
| -rw-r--r-- | modules/nixos/matrix/dendrite.nix | 238 | ||||
| -rw-r--r-- | modules/nixos/matrix/element.nix | 62 |
3 files changed, 0 insertions, 306 deletions
diff --git a/modules/nixos/matrix/default.nix b/modules/nixos/matrix/default.nix deleted file mode 100644 index e7d5a02..0000000 --- a/modules/nixos/matrix/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -_: { - imports = [ - ./dendrite.nix - ./element.nix - ]; -} diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix deleted file mode 100644 index 5e8a7e4..0000000 --- a/modules/nixos/matrix/dendrite.nix +++ /dev/null @@ -1,238 +0,0 @@ -{ - config, - lib, - inputs, - pkgs, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.matrix.dendrite; -in -{ - options.nixfiles.modules.matrix.dendrite = { - enable = mkEnableOption "Dendrite Matrix server"; - - port = mkOption { - description = "Port."; - type = with types; port; - default = 8008; - }; - - domain = mkOption { - type = types.str; - default = config.networking.domain; - description = "Domain name sans protocol scheme."; - }; - }; - - config = - let - db = "dendrite"; - in - mkIf cfg.enable { - ark.directories = [ - "/var/lib/dendrite" - "/var/lib/private/dendrite" - ]; - - # FIXME Use systemd secrets/environment for this. - secrets.dendrite-private-key = { - file = "${inputs.self}/secrets/dendrite-private-key"; - mode = "0444"; - }; - secrets.dendrite-environment-file = { - file = "${inputs.self}/secrets/dendrite-environment-file"; - mode = "0444"; - }; - - nixfiles.modules = { - nginx = { - enable = true; - upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = { }; - virtualHosts.${cfg.domain}.locations = { - "/_matrix".proxyPass = "http://dendrite"; - "= /.well-known/matrix/server" = { - extraConfig = '' - add_header Content-Type application/json; - ''; - return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; - }; - "= /.well-known/matrix/client" = { - extraConfig = '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - ''; - return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'"; - }; - }; - }; - - postgresql = { - enable = true; - extraPostStart = [ - '' - $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' - '' - ]; - }; - - promtail.filters = [ - { - match = { - selector = ''{syslog_identifier="dendrite"} |~ ".*Failed to fetch key for server.*"''; - action = "drop"; - }; - } - { - match = { - selector = ''{syslog_identifier="dendrite"} |~ ".*could not download key for.*"''; - action = "drop"; - }; - } - ]; - }; - - services.postgresql = { - ensureDatabases = [ db ]; - ensureUsers = [ - { - name = db; - ensureDBOwnership = true; - } - ]; - }; - - systemd.services.dendrite = { - description = "Dendrite Matrix homeserver"; - wantedBy = [ "multi-user.target" ]; - requires = [ - "network.target" - "postgresql.service" - ]; - after = [ - "network.target" - "postgresql.service" - ]; - serviceConfig = - let - needsPrivileges = cfg.port < 1024; - capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; - in - { - Restart = "on-failure"; - ExecStartPre = - let - settings = { - version = 2; - global = { - server_name = cfg.domain; - private_key = config.secrets.dendrite-private-key.path; - database = { - connection_string = "postgresql://${db}@/${db}?host=/run/postgresql"; - max_open_conns = 64; - max_idle_connections = 8; - }; - cache = { - max_size_estimated = "1gb"; - max_age = "1h"; - }; - trusted_third_party_id_servers = [ - "matrix.org" - "nixos.org" - "vector.im" - ]; - presence = { - enable_inbound = false; - enable_outbound = false; - }; - }; - client_api = { - registration_disabled = true; - guests_disabled = true; - registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; - }; - media_api = { - base_path = "/var/lib/dendrite/media_store"; - max_file_size_bytes = 0; - dynamic_thumbnails = true; - max_thumbnail_generators = 8; - thumbnail_sizes = [ - { - width = 32; - height = 32; - method = "crop"; - } - { - width = 96; - height = 96; - method = "crop"; - } - { - width = 640; - height = 480; - method = "scale"; - } - ]; - }; - logging = [ - { - type = "std"; - level = "warn"; - } - ]; - }; - in - concatStringsSep " " [ - (getExe pkgs.envsubst) - "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}" - "-o /run/dendrite/dendrite.yaml" - ]; - ExecStart = concatStringsSep " " [ - (getExe' pkgs.dendrite "dendrite") - "--config /run/dendrite/dendrite.yaml" - "--http-bind-address 127.0.0.1:${toString cfg.port}" - ]; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - EnvironmentFile = config.secrets.dendrite-environment-file.path; - DynamicUser = true; - StateDirectory = "dendrite"; - RuntimeDirectory = "dendrite"; - RuntimeDirectoryMode = "0700"; - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - UMask = "0077"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = !needsPrivileges; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ProtectProc = "noaccess"; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; - }; - }; - }; -} diff --git a/modules/nixos/matrix/element.nix b/modules/nixos/matrix/element.nix deleted file mode 100644 index 92a2927..0000000 --- a/modules/nixos/matrix/element.nix +++ /dev/null @@ -1,62 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.matrix.element; -in -{ - options.nixfiles.modules.matrix.element = { - enable = mkEnableOption "Element, a Matrix web interface"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; nullOr str; - default = "element.${config.networking.domain}"; - }; - - homeserver = mkOption { - description = "Default Matrix homeserver."; - type = with types; str; - default = my.domain.azahi; - }; - }; - - config = mkIf cfg.enable { - assertions = [ - { - assertion = - with config.nixfiles.modules.matrix; - (synapse.enable || dendrite.enable) && !(!synapse.enable && !dendrite.enable); - message = "Synapse or Dendrite must be enabled"; - } - ]; - - nixfiles.modules.nginx = with cfg; { - enable = true; - virtualHosts.${domain}.locations."/".root = pkgs.element-web.override { - conf = { - default_server_config."m.homeserver" = { - base_url = "https://${homeserver}"; - server_name = homeserver; - }; - disable_custom_urls = true; - disable_guests = true; - disable_login_language_selector = true; - disable_3pid_login = true; - brand = homeserver; - branding.authFooterLinks = [ - { - text = "Hosted on NixOS"; - url = "https://nixos.org"; - } - ]; - default_theme = "dark"; - }; - }; - }; - }; -} |