Add sliding sync proxy for matrix
Sliding sync is a future version of the matrix spec, but the proxy can be
deployed while still allowing us to use a non-proxied version. Sliding
sync allows much faster client load times, etc., as the client no longer
needs to sync everything.
also: rip out commented/disabled coturn code
Change-Id: I9026ed7dcaec961f1bc54469f18f04b68f6e3918
Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/82
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Maddie H <maddie@clicks.codes>
diff --git a/modules/common/matrix.nix b/modules/common/matrix.nix
index d87732f..9a559f7 100644
--- a/modules/common/matrix.nix
+++ b/modules/common/matrix.nix
@@ -24,7 +24,8 @@
names = [ "client" "federation" ];
compress = true;
}];
- port = 4527;
+ port = 1030;
+ bind_addresses = [ "generic" ];
}];
enable_metrics = true;
database.args.database = "synapse";
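Review bot: The new `bind_addresses = [ "generic" ];` moves the client/federation listener off synapse's loopback default onto whatever address `generic` resolves to, and the nginx-routes hunk (`ReverseProxy "generic:1030"`) depends on that; the 403 nginx returns for `/_synapse/admin/` only protects the admin API if port 1030 on that address is unreachable except through nginx. Please confirm `generic` is a host-internal or firewalled address and that neither 1030 nor 1031 (the sliding-sync proxy) is added to `allowedTCPPorts`; if the change is only so nginx can reach synapse on the same host, `bind_addresses = [ "127.0.0.1" ];` keeps the previous exposure. A comment above the line such as `# "generic": host-internal address; only nginx should reach this listener` would also help the next reader. The listener attribute set starts outside the hunk.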
@@ -47,16 +48,6 @@
}
];
- turn_uris = [
-
- /* "turn:turn.clicks.codes:3478?transport=udp"
- "turn:turn.clicks.codes:3478?transport=tcp"
- "turns:turn.clicks.codes:5349?transport=udp"
- "turns:turn.clicks.codes:5349?transport=tcp"
- */
- ]; # Please use matrix.org turn
- # turn_shared_secret = "!!turn_shared_secret!!";
-
log_config = lib.pipe {
version = 1;
formatters = {
@@ -85,6 +76,17 @@
room_name = "Announcements";
};
};
+
+ sliding-sync = {
+ enable = true;
+ settings = {
+ SYNCV3_SERVER = "https://matrix-backend.clicks.codes";
+ SYNCV3_BINDADDR = "generic:1031";
+ SYNCV3_LOG_LEVEL = "warn";
+ };
+ environmentFile = config.sops.secrets.matrix_sliding_sync_env.path;
+ createDatabase = true;
+ };
};
networking.firewall.allowedTCPPorts = [ 3478 5349 ];
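Review bot: `networking.firewall.allowedTCPPorts = [ 3478 5349 ];` is left in place although this commit removes the (already disabled) coturn service, so the TURN ports stay open with nothing intended to listen on them; drop the line (or the two entries) in the same commit so the firewall matches the services actually deployed. The `sliding-sync` block itself is consistent with the synapse listener change, with `SYNCV3_SERVER` pointing at the public nginx host rather than `generic:1030`, which is fine if that round trip through nginx is intended. `SYNCV3_BINDADDR = "generic:1031"` carries the same exposure question as the synapse listener (only nginx should be able to reach it). The enclosing `services.matrix-synapse` attribute set starts outside the hunk.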
@@ -119,31 +121,14 @@
managementRoom = "#moderation-commands:clicks.codes";
};
- services.coturn = {
- enable = false;
-
- use-auth-secret = true;
- # static-auth-secret-file = config.sops.secrets.turn_shared_secret.path;
-
- realm = "turn.clicks.codes";
-
- no-tcp-relay = true;
-
- no-cli = true;
-
- extraConfig = ''
- external-ip=turn.clicks.codes
- '';
- };
-
sops.secrets = {
- #turn_shared_secret = {
- # mode = "0440";
- # owner = "turnserver";
- # group = "matrix-synapse";
- # sopsFile = ../../secrets/matrix.json;
- # format = "json";
- #};
+ matrix_sliding_sync_env = {
+ mode = "0600";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ sopsFile = ../../secrets/matrix_sliding_sync.env.bin;
+ format = "binary";
+ };
matrix_keycloak_client_secret = {
mode = "0400";
owner = config.users.users.matrix-synapse.name;
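Review bot: `mode = "0600";` for `matrix_sliding_sync_env` is the only writable secret mode in this block; the sibling `matrix_keycloak_client_secret` uses `"0400"` and nothing needs to write the decrypted file, so `mode = "0400";` keeps it consistent and read-only. Root ownership is presumably fine because systemd reads an `environmentFile` as root before the service drops privileges — worth stating with a comment such as `# read by systemd as EnvironmentFile; the proxy process itself never opens it` if that is the case. Using `format = "binary"` encrypts the whole env file, so the variable names inside it are not visible in the repo, which is a good choice for a file that presumably carries the proxy's shared secret. The enclosing `sops.secrets` set continues outside the hunk.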
@@ -187,8 +172,6 @@
config.sops.secrets.registration_shared_secret.path;
matchers."matrix_keycloak_client_secret".secret =
config.sops.secrets.matrix_keycloak_client_secret.path;
- # matchers."turn_shared_secret".secret =
- # config.sops.secrets.turn_shared_secret.path;
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
mode = "0400";
diff --git a/modules/common/nginx-routes.nix b/modules/common/nginx-routes.nix
index 8db7de7..865a171 100644
--- a/modules/common/nginx-routes.nix
+++ b/modules/common/nginx-routes.nix
@@ -69,8 +69,10 @@
]))
(Hosts ["matrix-backend.clicks.codes" "matrix-backend.coded.codes"] (Compose [
(Path "/_synapse/admin/" (Status 403))
- (ReverseProxy "127.0.0.1:4527")
+ (ReverseProxy "generic:1030")
]))
+ (Hosts ["matrix-sliding-sync.clicks.codes" "matrix-sliding-sync.coded.codes"]
+ (ReverseProxy "generic:1031"))
];
clicks.nginx.serviceAliases = with helpers.nginx; [
(Aliases "nextcloud.clicks.codes" [
diff --git a/modules/common/nginx/clicks.codes/.well-known/matrix b/modules/common/nginx/clicks.codes/.well-known/matrix
index c7ba524..57b6176 100644
--- a/modules/common/nginx/clicks.codes/.well-known/matrix
+++ b/modules/common/nginx/clicks.codes/.well-known/matrix
@@ -3,5 +3,8 @@
"m.homeserver": {
"base_url": "https://matrix-backend.clicks.codes:443",
"server_name": "clicks.codes"
+ },
+ "org.matrix.msc3575.proxy": {
+ "url": "https://matrix-sliding-sync.clicks.codes"
}
}
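Review bot: The `org.matrix.msc3575.proxy` entry is added only to the clicks.codes well-known file, while the nginx-routes hunk also serves the proxy on `matrix-sliding-sync.coded.codes`; if a `.well-known/matrix` for coded.codes exists (not visible in this diff), it should get the matching `"url": "https://matrix-sliding-sync.coded.codes"` entry, otherwise clients using that server name will not discover the proxy. The JSON itself stays valid: the new object is inserted before the closing brace and the `m.homeserver` block now ends with the required comma.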
diff --git a/secrets/matrix_sliding_sync.env.bin b/secrets/matrix_sliding_sync.env.bin
new file mode 100644
index 0000000..0d4ec01
--- /dev/null
+++ b/secrets/matrix_sliding_sync.env.bin
@@ -0,0 +1,32 @@
+{
+ "data": "ENC[AES256_GCM,data:pE09iGBJTa3DPkRRkD1kqFI4npSTchDxWHir0+YGPUUMp2bdepcVufVZlErF5PIiNiheb0EJRu2wtfPMpNDNzrpgGCY7UhCgEuk26ccU7Q==,iv:FiFiaXfdDMQYE1e0x1LCwxl6ElidipJqa1I8IOs65sE=,tag:ThBAHfsJlaTCOMSnw9qOuw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age15mv77dpnh5762gk5rsw2u79uza4tg8cu6r3nlwjudlzmdqqck3ss6mg9dy",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN2cwMTVLOVgrUWlFSTRQ\naWtQZlA1OThkZ051dmZoN3o2SFN4RDQvYXlnCm1zRlJPZXJ6N3VtYVF3T2VDZ3c1\nQTkrQW13bHlvMmxlM1BScjNRWGR5MEUKLS0tIGlwNjIyZG9vbXJ3S2ZoUXdWaUl6\nUVhoVWhJcUp6YjBlaEpEVlBTdnpxUVkKdULIwFUC3qw/wjBaz2YWsNiaNAFWs2TI\nBwzbzPVhRVtgvWmP84zjoxc7VxYT5mCVvsIkcA7YH9lds3lqfCzB7Q==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1m7k864feyuezllp2hj4edkccn36rthrvfw969j6f0l3c0mhh5emsnfx6pd",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMHkxQnlkVmptNnNqUk1Q\nU3ZEZWNvbDhoMDFSYzVqUk9VWG05MDlkbUY4Ck5JOUF2aHJMSHdqVzF3SVliNkFN\nV2pZVTA1Q0FYOEUxNmxJM0ozNFNTdzAKLS0tIDF4VEU5ZEtoR2pGMklGcXkyS2E2\nZUROa2VNVGhBNUtiK3pVKzNhdzRKaVEKh6wyxRdps+P4Zi8z8tI77moMR/DbE7Gt\noISh0IqgAvJ9ATGPHEHRMZQViMP5Jx1f0UCpNtPRweF6PFNxWyMyRA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1fxxnmkeuqhhct93c43pwkzhuzzq8857s5hye6pgfpku70kjn4ecqtamfqr",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbmlPNGV3YTd2SW5QWXhH\nbVNvbHJxS3djOUxicVJldzVtaHJjNHJkRUNjCmZUVytlbXdPeEtFTXdUdk9qUDhh\nWHR2NjlPWUU0Q2RwQUl6dWxuMVpNZlkKLS0tIHg3Ykx2bzJaVWU0eW11UXNpMnQy\nWDg0UHdYOGdFRU9ya2VNQTVCOEE0bEUKZCSo8O0XlFZdvRyEqYEsWaQX28TQsOmz\nax6CB8PijG0Ovu8+juiRs+mqoIfn2M0wBaaNbtEecU8T52WCQny3vA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1zunqahfz404x7v8x0gs4hv5kq2xlyvqmukhlwvpymj74805jcunq4r7ugv",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQU1jZFdJcGFQSW5iTC9k\najVZS25oU2F3OTZVL0owYVB4MnNlV1l0Nnp3CnFKQkJOZ0JXRmxJK24rU2lRZVEx\nUUM3TWJ0SzZkbTdLTzVSd1BmSWxCMk0KLS0tIFR4ci9HRzRITkJtZGV1WGpqVlhX\na2UwQnZjNnI0SkJWNkU3NXRYcmhvc1EKkIqgtLYisGPhQ+Qt1SWbezurnUPjuNiu\nTWeCjpO1GxgkkyaisjaZ47y7zBDr+yrBZzIDl1yunI3+AJ0ksI8q5w==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-11-29T19:28:44Z",
+ "mac": "ENC[AES256_GCM,data:kEzCOQaAmRkWh6Dtr0SIlneG3rt9jqhhSMEjMxnzeeweFJoJa6ErxRwEev5tJpiBardwME1oUwnnepn5sxD7QCLm1E+0sk0k7s6JQWWldENl+BWETkHwGqHSs5jw0NUTrr9XAe2ex0qh8U0yP50L66t9pWt6U92T8Q6uqugYqNU=,iv:0i3lUpUZGVIw/iRoUb0o1sw20zqAD+rhbgP7z9nAso8=,tag:qLc5pyCqiznhF1syYdGZ7w==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file