+1

machines/fovps/services/caddy/default.nix

reviewed

··· 53 53 54 54 }; 55 55 networking.firewall.allowedTCPPorts = [ 80 443 ]; 56 56 + networking.firewall.allowedUDPPorts = [ 80 443 ]; 56 57 }

+1

machines/fovps/services/default.nix

reviewed

··· 5 5 ./caddy 6 6 ./cloudlog.nix 7 7 ./minecraft.nix 8 8 + ./synapse.nix 8 9 ]; 9 10 }

+93

machines/fovps/services/synapse.nix

reviewed

··· 1 1 + { config, pkgs, lib, ... }: 2 2 + 3 3 + with builtins; 4 4 + let 5 5 + domain = "eeep.ee"; 6 6 + synapsePort = 8008; # todo: unix socket maybe? 7 7 + slidingPort = 8009; 8 8 + 9 9 + synapse = config.services.matrix-synapse; 10 10 + synapseUnit = config.systemd.services.matrix-synapse.serviceConfig; 11 11 + in 12 12 + { 13 13 + services.matrix-synapse.enable = true; 14 14 + services.matrix-synapse.withJemalloc = true; # hell why not 15 15 + 16 16 + services.matrix-synapse.settings.server_name = domain; 17 17 + services.matrix-synapse.settings.enableRegistrationScript = true; 18 18 + 19 19 + # automatically created 20 20 + services.matrix-synapse.settings.registration_shared_secret_path = "${synapse.dataDir}/.env.synapse-reg"; 21 21 + 22 22 + #services.coturn = { 23 23 + # enable = true; 24 24 + # use-auth-secret = true; 25 25 + # static-auth-secret-file = ""; 26 26 + #}; 27 27 + 28 28 + services.matrix-synapse.settings.database.name = "psycopg2"; 29 29 + services.postgresql = let args = synapse.settings.database.args; in { 30 30 + enable = true; 31 31 + initdbArgs = [ "--locale=C" "--encoding=UTF8" ]; 32 32 + ensureDatabases = [ args.database ]; 33 33 + ensureUsers = [ { name = args.user; ensureDBOwnership = true; } ]; 34 34 + }; 35 35 + 36 36 + services.matrix-sliding-sync = { 37 37 + enable = true; 38 38 + createDatabase = true; 39 39 + settings = { 40 40 + SYNCV3_SERVER = "https://localhost:${toString synapsePort}"; 41 41 + SYNCV3_BINDADDR = "127.0.0.1:${toString slidingPort}"; 42 42 + }; 43 43 + # https://stackoverflow.com/questions/42835750/systemd-script-environment-file-updated-by-execstartpre 44 44 + environmentFile = "${synapseUnit.WorkingDirectory}/.env.sliding-sync"; 45 45 + }; 46 46 + systemd.services.matrix-sliding-sync = rec { 47 47 + preStart = let 48 48 + envFile = config.services.matrix-sliding-sync.environmentFile; 49 49 + in '' 50 50 + if ! [ -f "${envFile}" ]; then 51 51 + echo -n 'SYNCV3_SECRET=' > ${envFile} 52 52 + ${pkgs.openssl}/bin/openssl rand -hex 64 >> ${envFile} 53 53 + fi 54 54 + ''; 55 55 + serviceConfig = { 56 56 + DynamicUser = lib.mkForce false; 57 57 + User = synapseUnit.User; 58 58 + Group = synapseUnit.Group; 59 59 + WorkingDirectory = lib.mkForce synapseUnit.WorkingDirectory; 60 60 + StateDirectory = lib.mkForce ""; 61 61 + EnvironmentFile = lib.mkForce "-${config.services.matrix-sliding-sync.environmentFile}"; 62 62 + }; 63 63 + }; 64 64 + 65 65 + services.matrix-synapse.settings.listeners = [ 66 66 + { 67 67 + bind_addresses = [ "127.0.0.1" ]; 68 68 + port = synapsePort; 69 69 + resources = [ 70 70 + { 71 71 + compress = false; 72 72 + names = [ "client" "federation" ]; 73 73 + } 74 74 + ]; 75 75 + tls = false; 76 76 + type = "http"; 77 77 + x_forwarded = true; 78 78 + } 79 79 + ]; 80 80 + services.caddy.enable = true; 81 81 + services.caddy.virtualHosts."${domain}".extraConfig = '' 82 82 + reverse_proxy /_matrix/* localhost:${toString synapsePort} 83 83 + reverse_proxy /_synapse/client/* localhost:${toString synapsePort} 84 84 + 85 85 + reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync localhost:${toString slidingPort} 86 86 + ''; 87 87 + services.caddy.virtualHosts."https://${domain}:8448".extraConfig = '' 88 88 + reverse_proxy /_matrix/* localhost:${toString synapsePort} 89 89 + respond / "Balls" 200 90 90 + ''; 91 91 + networking.firewall.allowedTCPPorts = [ 8448 ]; 92 92 + networking.firewall.allowedUDPPorts = [ 8448 ]; 93 93 + }