Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 624e51101c96aff8ffe856cc47175673d021ba7b / . / modules / matrix.nix
blob: 41c41538132f90f03dd94590bf8916c5380ba2ba [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ base, config, lib, pkgs, ... }:
Skyler Grey19f9fa22023-05-24 17:51:24 +0200[diff] [blame]2lib.recursiveUpdate
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]3{
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]4 services.matrix-synapse = {
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]5 enable = true;
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]6 withJemalloc = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]7
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]8 plugins = with config.services.matrix-synapse.package.plugins; [
9 matrix-synapse-mjolnir-antispam
10 ];
11
Skyler Grey1144d002023-05-21 00:17:29 +0200[diff] [blame]12 settings = rec {
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]13 server_name = "coded.codes";
Skyler Grey1144d002023-05-21 00:17:29 +0200[diff] [blame]14 auto_join_rooms = [ "#general:${server_name}" ];
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]15 enable_registration = true;
16 registration_requires_token = true;
17 registration_shared_secret = "!!registration_shared_secret!!";
18 public_baseurl = "https://matrix-backend.coded.codes/";
19 max_upload_size = "100M";
20 listeners = [{
21 x_forwarded = true;
22 tls = false;
23 resources = [{
24 names = [
25 "client"
26 "federation"
27 ];
28 compress = true;
29 }];
30 port = 4527;
31 }];
32 enable_metrics = true;
33 database.args.database = "synapse";
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]34 };
35 };
36
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]37 services.mjolnir = {
38 enable = true;
39
40 settings = {
41 autojoinOnlyIfManager = true;
42 automaticallyRedactForReasons = [ "nsfw" "gore" "spam" "harassment" "hate" ];
43 recordIgnoredInvites = true;
44 admin.enableMakeRoomAdminCommand = true;
45 allowNoPrefix = true;
46 protections.wordlist.words = [ ];
Skyler Greyaaed7b12023-06-14 22:45:49 +0200[diff] [blame]47 protectedRooms = [ "https://matrix.to/#/#global:coded.codes" ];
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]48 };
49
50 pantalaimon = {
51 enable = true;
52 username = "system";
53 passwordFile = config.sops.secrets.mjolnir_password.path;
54 options = {
55 ssl = false;
56 listenAddress = "127.0.0.1";
57 };
58 };
59
60 homeserverUrl = "http://localhost:4527";
61
62 managementRoom = "#moderation-commands:coded.codes";
63 };
64
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]65 sops.secrets = {
66 registration_shared_secret = {
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]67 mode = "0400";
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]68 owner = config.users.users.root.name;
69 group = config.users.users.nobody.group;
70 sopsFile = ../secrets/matrix.json;
71 format = "json";
72 };
73 matrix_private_key = {
74 mode = "0600";
75 owner = config.users.users.matrix-synapse.name;
76 group = config.users.users.matrix-synapse.group;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]77 sopsFile = ../secrets/matrix_private_key.pem;
78 format = "binary";
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]79 path = config.services.matrix-synapse.settings.signing_key_path;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]80 };
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]81 mjolnir_password = {
82 mode = "0600";
83 owner = config.users.users.mjolnir.name;
84 group = config.users.users.mjolnir.group;
85 sopsFile = ../secrets/matrix.json;
86 format = "json";
87 };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]88 };
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]89}
90 (
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]91 let
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]92 isDerived = base != null;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]93 in
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]94 if isDerived
95 # We cannot use mkIf as both sides are evaluated no matter the condition value
96 # Given we use base as an attrset, mkIf will error if base is null in here
97 then
98 let
99 synapse_cfgfile = config.services.matrix-synapse.configFile;
100 in
101 {
102 scalpel.trafos."synapse.yaml" = {
103 source = toString synapse_cfgfile;
104 matchers."registration_shared_secret".secret =
105 config.sops.secrets.registration_shared_secret.path;
106 owner = config.users.users.matrix-synapse.name;
107 group = config.users.users.matrix-synapse.group;
108 mode = "0400";
109 };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]110
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]111 systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce (
112 builtins.replaceStrings
113 [ "${synapse_cfgfile}" ]
114 [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
115 "${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}"
116 );
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]117
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]118 systemd.services.matrix-synapse.preStart = lib.mkForce (
119 builtins.replaceStrings
120 [ "${synapse_cfgfile}" ]
121 [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
122 "${base.config.systemd.services.matrix-synapse.preStart}"
123 );
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]124
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]125 systemd.services.matrix-synapse.restartTriggers = [ synapse_cfgfile ];
Skyler Greyb3516c22023-05-24 19:17:11 +0200[diff] [blame]126
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]127 environment.systemPackages =
128 with lib; let
129 cfg = config.services.matrix-synapse;
130 registerNewMatrixUser =
131 let
132 isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
133 listener =
134 lib.findFirst
135 (
136 listener: lib.any
137 (
138 resource: lib.any
139 (
140 name: name == "client"
141 )
142 resource.names
143 )
144 listener.resources
145 )
146 (lib.last cfg.settings.listeners)
147 cfg.settings.listeners;
148 # FIXME: Handle cases with missing client listener properly,
149 # don't rely on lib.last, this will not work.
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]150
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]151 # add a tail, so that without any bind_addresses we still have a useable address
152 bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
153 listenerProtocol =
154 if listener.tls
155 then "https"
156 else "http";
157 in
158 pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
159 exec ${cfg.package}/bin/register_new_matrix_user \
160 $@ \
161 ${lib.concatMapStringsSep " " (x: "-c ${x}") ([
162 config.scalpel.trafos."synapse.yaml".destination ] ++ cfg.extraConfigFiles)} \
163 "${listenerProtocol}://${
164 if (isIpv6 bindAddress) then
165 "[${bindAddress}]"
166 else
167 "${bindAddress}"
168 }:${builtins.toString listener.port}/"
169 '';
170 in
171 [ (lib.meta.hiPrio registerNewMatrixUser) ];
172 }
173 else { }
174 )