commit f68685dc7059e31dcd58135137f601cbd881c30a
author Samuel Shuert <coded@clicks.codes> Sat Oct 28 20:07:56 2023 -0400
committer Skyler Grey <minion@clicks.codes> Thu Nov 16 22:53:33 2023 +0000
tree abc11f485cd945c6539adb2e8b4867b6565a4f1b
parent 8faa2562e0499d7aa68b7a4c2c9e6ad11353567e

Move all flakes into modules/ and sep't, create deploy script for a1d2

Change-Id: Ie4d50fb8f16da193195beb139922a366b72b0b0a

modules/common/matrix.nix

diff --git a/modules/common/matrix.nix b/modules/common/matrix.nix
new file mode 100644
index 0000000..c71ba37
--- /dev/null
+++ b/modules/common/matrix.nix
@@ -0,0 +1,208 @@
+{ base, config, lib, pkgs, ... }:
+lib.recursiveUpdate {
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+
+    plugins = with config.services.matrix-synapse.package.plugins;
+      [ matrix-synapse-mjolnir-antispam ];
+
+    settings = rec {
+      server_name = "coded.codes";
+      auto_join_rooms = [ "#general:${server_name}" ];
+      enable_registration = true;
+      registration_requires_token = true;
+      allow_public_rooms_over_federation = true;
+      allow_device_name_lookup_over_federation = true;
+      registration_shared_secret = "!!registration_shared_secret!!";
+      public_baseurl = "https://matrix-backend.coded.codes/";
+      max_upload_size = "100M";
+      listeners = [{
+        x_forwarded = true;
+        tls = false;
+        resources = [{
+          names = [ "client" "federation" ];
+          compress = true;
+        }];
+        port = 4527;
+      }];
+      enable_metrics = true;
+      database.args.database = "synapse";
+      turn_uris = [
+
+        /* "turn:turn.coded.codes:3478?transport=udp"
+           "turn:turn.coded.codes:3478?transport=tcp"
+           "turns:turn.coded.codes:5349?transport=udp"
+           "turns:turn.coded.codes:5349?transport=tcp"
+        */
+      ]; # Please use matrix.org turn
+      # turn_shared_secret = "!!turn_shared_secret!!";
+
+      log_config = lib.pipe {
+        version = 1;
+        formatters = {
+          precise = {
+            format =
+              "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
+          };
+        };
+        handlers = {
+          console = {
+            class = "logging.StreamHandler";
+            formatter = "precise";
+          };
+        };
+        loggers = { "synapse.storage.SQL" = { level = "WARNING"; }; };
+        root = {
+          level = "ERROR";
+          handlers = [ "console" ];
+        };
+        "disable_existing_loggers" = false;
+      } [ builtins.toJSON (builtins.toFile "logcfg.yaml") ];
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 3478 5349 ];
+  networking.firewall.allowedUDPPorts = [ 3478 5349 ];
+
+  services.mjolnir = {
+    enable = true;
+
+    settings = {
+      autojoinOnlyIfManager = true;
+      automaticallyRedactForReasons =
+        [ "nsfw" "gore" "spam" "harassment" "hate" ];
+      recordIgnoredInvites = true;
+      admin.enableMakeRoomAdminCommand = true;
+      allowNoPrefix = true;
+      protections.wordlist.words = [ ];
+      protectedRooms = [ "https://matrix.to/#/#global:coded.codes" ];
+    };
+
+    pantalaimon = {
+      enable = true;
+      username = "system";
+      passwordFile = config.sops.secrets.mjolnir_password.path;
+      options = {
+        ssl = false;
+        listenAddress = "127.0.0.1";
+      };
+    };
+
+    homeserverUrl = "http://localhost:4527";
+
+    managementRoom = "#moderation-commands:coded.codes";
+  };
+
+  services.coturn = {
+    enable = false;
+
+    use-auth-secret = true;
+    # static-auth-secret-file = config.sops.secrets.turn_shared_secret.path;
+
+    realm = "turn.coded.codes";
+
+    no-tcp-relay = true;
+
+    no-cli = true;
+
+    extraConfig = ''
+      external-ip=turn.coded.codes
+    '';
+  };
+
+  sops.secrets = {
+    #turn_shared_secret = {
+    #  mode = "0440";
+    #  owner = "turnserver";
+    #  group = "matrix-synapse";
+    #  sopsFile = ../../secrets/matrix.json;
+    #  format = "json";
+    #};
+    registration_shared_secret = {
+      mode = "0400";
+      owner = config.users.users.root.name;
+      group = config.users.users.root.group;
+      sopsFile = ../../secrets/matrix.json;
+      format = "json";
+    };
+    matrix_private_key = {
+      mode = "0600";
+      owner = config.users.users.matrix-synapse.name;
+      group = config.users.users.matrix-synapse.group;
+      sopsFile = ../../secrets/matrix_private_key.pem;
+      format = "binary";
+      path = config.services.matrix-synapse.settings.signing_key_path;
+    };
+    mjolnir_password = {
+      mode = "0600";
+      owner = config.users.users.mjolnir.name;
+      group = config.users.users.mjolnir.group;
+      sopsFile = ../../secrets/matrix.json;
+      format = "json";
+    };
+  };
+} (let isDerived = base != null;
+in if isDerived
+# We cannot use mkIf as both sides are evaluated no matter the condition value
+# Given we use base as an attrset, mkIf will error if base is null in here
+then
+  let synapse_cfgfile = config.services.matrix-synapse.configFile;
+  in {
+    scalpel.trafos."synapse.yaml" = {
+      source = toString synapse_cfgfile;
+      matchers."registration_shared_secret".secret =
+        config.sops.secrets.registration_shared_secret.path;
+      # matchers."turn_shared_secret".secret =
+      #   config.sops.secrets.turn_shared_secret.path;
+      owner = config.users.users.matrix-synapse.name;
+      group = config.users.users.matrix-synapse.group;
+      mode = "0400";
+    };
+
+    systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce
+      (builtins.replaceStrings [ "${synapse_cfgfile}" ]
+        [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
+        "${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}");
+
+    systemd.services.matrix-synapse.preStart = lib.mkForce
+      (builtins.replaceStrings [ "${synapse_cfgfile}" ]
+        [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
+        "${base.config.systemd.services.matrix-synapse.preStart}");
+
+    systemd.services.matrix-synapse.restartTriggers = [ synapse_cfgfile ];
+
+    environment.systemPackages = with lib;
+      let
+        cfg = config.services.matrix-synapse;
+        registerNewMatrixUser = let
+          isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
+          listener = lib.findFirst (listener:
+            lib.any (resource: lib.any (name: name == "client") resource.names)
+            listener.resources) (lib.last cfg.settings.listeners)
+            cfg.settings.listeners;
+          # FIXME: Handle cases with missing client listener properly,
+          # don't rely on lib.last, this will not work.
+
+          # add a tail, so that without any bind_addresses we still have a useable address
+          bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
+          listenerProtocol = if listener.tls then "https" else "http";
+        in pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
+          exec ${cfg.package}/bin/register_new_matrix_user \
+            $@ \
+            ${
+              lib.concatMapStringsSep " " (x: "-c ${x}")
+              ([ config.scalpel.trafos."synapse.yaml".destination ]
+                ++ cfg.extraConfigFiles)
+            } \
+            "${listenerProtocol}://${
+              if (isIpv6 bindAddress) then
+                "[${bindAddress}]"
+              else
+                "${bindAddress}"
+            }:${builtins.toString listener.port}/"
+        '';
+      in [ (lib.meta.hiPrio registerNewMatrixUser) ];
+  }
+else
+  { })