From 9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Sun, 31 Mar 2024 21:29:27 +0300 Subject: 2024-03-31 --- modules/nixos/matrix/dendrite.nix | 259 ++++++++++++++++++++------------------ 1 file changed, 137 insertions(+), 122 deletions(-) (limited to 'modules/nixos/matrix/dendrite.nix') diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix index c65b55b..5e8a7e4 100644 --- a/modules/nixos/matrix/dendrite.nix +++ b/modules/nixos/matrix/dendrite.nix @@ -5,9 +5,11 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.nixfiles.modules.matrix.dendrite; -in { +in +{ options.nixfiles.modules.matrix.dendrite = { enable = mkEnableOption "Dendrite Matrix server"; @@ -24,9 +26,10 @@ in { }; }; - config = let - db = "dendrite"; - in + config = + let + db = "dendrite"; + in mkIf cfg.enable { ark.directories = [ "/var/lib/dendrite" @@ -46,25 +49,21 @@ in { nixfiles.modules = { nginx = { enable = true; - upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = {}; + upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = { }; virtualHosts.${cfg.domain}.locations = { "/_matrix".proxyPass = "http://dendrite"; "= /.well-known/matrix/server" = { extraConfig = '' add_header Content-Type application/json; ''; - return = "200 '${generators.toJSON {} { - "m.server" = "${cfg.domain}:443"; - }}'"; + return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'"; }; "= /.well-known/matrix/client" = { extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '${generators.toJSON {} { - "m.homeserver".base_url = "https://${cfg.domain}"; - }}'"; + return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'"; }; }; }; @@ -95,7 +94,7 @@ in { }; services.postgresql = { - ensureDatabases = [db]; + ensureDatabases = [ db ]; ensureUsers = [ { name = db; @@ -106,118 +105,134 @@ in { systemd.services.dendrite = { description = "Dendrite Matrix homeserver"; - wantedBy = ["multi-user.target"]; - requires = ["network.target" "postgresql.service"]; - after = ["network.target" "postgresql.service"]; - serviceConfig = let - needsPrivileges = cfg.port < 1024; - capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"]; - in { - Restart = "on-failure"; - ExecStartPre = let - settings = { - version = 2; - global = { - server_name = cfg.domain; - private_key = config.secrets.dendrite-private-key.path; - database = { - connection_string = "postgresql://${db}@/${db}?host=/run/postgresql"; - max_open_conns = 64; - max_idle_connections = 8; - }; - cache = { - max_size_estimated = "1gb"; - max_age = "1h"; - }; - trusted_third_party_id_servers = [ - "matrix.org" - "nixos.org" - "vector.im" - ]; - presence = { - enable_inbound = false; - enable_outbound = false; + wantedBy = [ "multi-user.target" ]; + requires = [ + "network.target" + "postgresql.service" + ]; + after = [ + "network.target" + "postgresql.service" + ]; + serviceConfig = + let + needsPrivileges = cfg.port < 1024; + capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ]; + in + { + Restart = "on-failure"; + ExecStartPre = + let + settings = { + version = 2; + global = { + server_name = cfg.domain; + private_key = config.secrets.dendrite-private-key.path; + database = { + connection_string = "postgresql://${db}@/${db}?host=/run/postgresql"; + max_open_conns = 64; + max_idle_connections = 8; + }; + cache = { + max_size_estimated = "1gb"; + max_age = "1h"; + }; + trusted_third_party_id_servers = [ + "matrix.org" + "nixos.org" + "vector.im" + ]; + presence = { + enable_inbound = false; + enable_outbound = false; + }; + }; + client_api = { + registration_disabled = true; + guests_disabled = true; + registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + }; + media_api = { + base_path = "/var/lib/dendrite/media_store"; + max_file_size_bytes = 0; + dynamic_thumbnails = true; + max_thumbnail_generators = 8; + thumbnail_sizes = [ + { + width = 32; + height = 32; + method = "crop"; + } + { + width = 96; + height = 96; + method = "crop"; + } + { + width = 640; + height = 480; + method = "scale"; + } + ]; + }; + logging = [ + { + type = "std"; + level = "warn"; + } + ]; }; - }; - client_api = { - registration_disabled = true; - guests_disabled = true; - registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; - }; - media_api = { - base_path = "/var/lib/dendrite/media_store"; - max_file_size_bytes = 0; - dynamic_thumbnails = true; - max_thumbnail_generators = 8; - thumbnail_sizes = [ - { - width = 32; - height = 32; - method = "crop"; - } - { - width = 96; - height = 96; - method = "crop"; - } - { - width = 640; - height = 480; - method = "scale"; - } - ]; - }; - logging = [ - { - type = "std"; - level = "warn"; - } + in + concatStringsSep " " [ + (getExe pkgs.envsubst) + "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}" + "-o /run/dendrite/dendrite.yaml" ]; - }; - in - concatStringsSep " " [ - (getExe pkgs.envsubst) - "-i ${(pkgs.formats.yaml {}).generate "dendrite.yaml" settings}" - "-o /run/dendrite/dendrite.yaml" + ExecStart = concatStringsSep " " [ + (getExe' pkgs.dendrite "dendrite") + "--config /run/dendrite/dendrite.yaml" + "--http-bind-address 127.0.0.1:${toString cfg.port}" ]; - ExecStart = concatStringsSep " " [ - (getExe' pkgs.dendrite "dendrite") - "--config /run/dendrite/dendrite.yaml" - "--http-bind-address 127.0.0.1:${toString cfg.port}" - ]; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - EnvironmentFile = config.secrets.dendrite-environment-file.path; - DynamicUser = true; - StateDirectory = "dendrite"; - RuntimeDirectory = "dendrite"; - RuntimeDirectoryMode = "0700"; - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - UMask = "0077"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = !needsPrivileges; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ProtectProc = "noaccess"; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = ["@system-service" "~@privileged"]; - }; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + EnvironmentFile = config.secrets.dendrite-environment-file.path; + DynamicUser = true; + StateDirectory = "dendrite"; + RuntimeDirectory = "dendrite"; + RuntimeDirectoryMode = "0700"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + UMask = "0077"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = !needsPrivileges; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ProtectProc = "noaccess"; + ProcSubset = "pid"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + }; }; }; } -- cgit v1.2.3