Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 77897517f1c68c7dab878e0f66b1ba082c7ca1de / . / modules / common / matrix.nix
blob: 26b2c2672898b10f4a3f31d0d74e714137e4e122 [file] [log] [blame]
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]1{ base, config, lib, pkgs, ... }:
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]2lib.recursiveUpdate {
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]3 services.matrix-synapse = {
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]4 enable = true;
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]5 withJemalloc = true;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]6
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]7 plugins = with config.services.matrix-synapse.package.plugins;
8 [ matrix-synapse-mjolnir-antispam ];
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]9
Skyler Grey1144d002023-05-21 00:17:29 +0200[diff] [blame]10 settings = rec {
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]11 server_name = "clicks.codes";
Skyler Grey1144d002023-05-21 00:17:29 +0200[diff] [blame]12 auto_join_rooms = [ "#general:${server_name}" ];
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]13 enable_registration = true;
14 registration_requires_token = true;
Skyler Greyd18587c2023-10-09 07:25:36 +0000[diff] [blame]15 allow_public_rooms_over_federation = true;
16 allow_device_name_lookup_over_federation = true;
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]17 registration_shared_secret = "!!registration_shared_secret!!";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]18 public_baseurl = "https://matrix-backend.clicks.codes/";
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]19 max_upload_size = "100M";
20 listeners = [{
21 x_forwarded = true;
22 tls = false;
23 resources = [{
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]24 names = [ "client" "federation" ];
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]25 compress = true;
26 }];
Skyler Grey7610ce42023-11-29 19:29:59 +0000[diff] [blame]27 port = 1030;
28 bind_addresses = [ "generic" ];
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]29 }];
30 enable_metrics = true;
31 database.args.database = "synapse";
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]32
33 oidc_providers = [
34 {
35 idp_id = "keycloak";
36 idp_name = "Clicks Keycloak";
37 issuer = "https://login.clicks.codes/realms/master";
38 client_id = "matrix";
39 client_secret = "!!matrix_keycloak_client_secret!!";
40 scopes = [ "openid" "profile" ];
41 user_mapping_provider = {
42 config = {
43 localpart_template = "{{ user.preferred_username }}";
44 display_name_template = "{{ user.name }}";
45 };
46 };
47 backchannel_logout_enabled = true;
48 }
49 ];
50
Skyler Greyd18587c2023-10-09 07:25:36 +0000[diff] [blame]51 log_config = lib.pipe {
52 version = 1;
53 formatters = {
54 precise = {
55 format =
56 "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
57 };
58 };
59 handlers = {
60 console = {
61 class = "logging.StreamHandler";
62 formatter = "precise";
63 };
64 };
65 loggers = { "synapse.storage.SQL" = { level = "WARNING"; }; };
66 root = {
67 level = "ERROR";
68 handlers = [ "console" ];
69 };
70 "disable_existing_loggers" = false;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]71 } [ builtins.toJSON (builtins.toFile "logcfg.yaml") ];
Skyler Greye6a5a912023-11-21 20:19:30 +0000[diff] [blame]72
73 server_notices = {
74 system_mxid_localpart = "system";
75 system_mxid_display_name = "Clicks Administrators";
76 room_name = "Announcements";
77 };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]78 };
Skyler Grey7610ce42023-11-29 19:29:59 +0000[diff] [blame]79
80 sliding-sync = {
81 enable = true;
82 settings = {
83 SYNCV3_SERVER = "https://matrix-backend.clicks.codes";
84 SYNCV3_BINDADDR = "generic:1031";
85 SYNCV3_LOG_LEVEL = "warn";
86 };
87 environmentFile = config.sops.secrets.matrix_sliding_sync_env.path;
88 createDatabase = true;
89 };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]90 };
91
Skyler Greyb64b5e92023-08-20 21:53:37 +0000[diff] [blame]92 networking.firewall.allowedTCPPorts = [ 3478 5349 ];
93 networking.firewall.allowedUDPPorts = [ 3478 5349 ];
94
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]95 services.mjolnir = {
Skyler Grey083b1e32023-11-20 18:48:02 +0000[diff] [blame]96 enable = true;
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]97
98 settings = {
99 autojoinOnlyIfManager = true;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]100 automaticallyRedactForReasons =
101 [ "nsfw" "gore" "spam" "harassment" "hate" ];
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]102 recordIgnoredInvites = true;
103 admin.enableMakeRoomAdminCommand = true;
104 allowNoPrefix = true;
105 protections.wordlist.words = [ ];
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]106 protectedRooms = [ "https://matrix.to/#/#global:clicks.codes" ];
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]107 };
108
109 pantalaimon = {
110 enable = true;
111 username = "system";
112 passwordFile = config.sops.secrets.mjolnir_password.path;
113 options = {
114 ssl = false;
115 listenAddress = "127.0.0.1";
116 };
117 };
118
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]119 homeserverUrl = "http://generic:1030";
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]120
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]121 managementRoom = "#moderation-commands:clicks.codes";
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]122 };
123
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]124 sops.secrets = {
Skyler Grey7610ce42023-11-29 19:29:59 +0000[diff] [blame]125 matrix_sliding_sync_env = {
126 mode = "0600";
127 owner = config.users.users.root.name;
128 group = config.users.users.root.group;
129 sopsFile = ../../secrets/matrix_sliding_sync.env.bin;
130 format = "binary";
131 };
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]132 matrix_keycloak_client_secret = {
133 mode = "0400";
134 owner = config.users.users.matrix-synapse.name;
135 group = config.users.users.matrix-synapse.group;
136 sopsFile = ../../secrets/matrix.json;
137 format = "json";
138 };
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]139 registration_shared_secret = {
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]140 mode = "0400";
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]141 owner = config.users.users.root.name;
Skyler Greybcb46d32023-11-10 20:48:38 +0000[diff] [blame]142 group = config.users.users.root.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]143 sopsFile = ../../secrets/matrix.json;
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]144 format = "json";
145 };
146 matrix_private_key = {
147 mode = "0600";
148 owner = config.users.users.matrix-synapse.name;
149 group = config.users.users.matrix-synapse.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]150 sopsFile = ../../secrets/matrix_private_key.pem;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]151 format = "binary";
Skyler Grey8e32c832023-05-20 22:54:30 +0200[diff] [blame]152 path = config.services.matrix-synapse.settings.signing_key_path;
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]153 };
Skyler Grey083b1e32023-11-20 18:48:02 +0000[diff] [blame]154 mjolnir_password = {
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]155 mode = "0600";
156 owner = config.users.users.mjolnir.name;
157 group = config.users.users.mjolnir.group;
Samuel Shuertf68685d2023-10-28 20:07:56 -0400[diff] [blame]158 sopsFile = ../../secrets/matrix.json;
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]159 format = "json";
Skyler Grey083b1e32023-11-20 18:48:02 +0000[diff] [blame]160 };
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]161 };
Skyler Greyfae88b12023-12-03 12:02:49 +0000[diff] [blame]162
Skyler Grey915067d2023-12-03 13:46:53 +0000[diff] [blame]163 systemd.services.matrix-synapse.requires = [ "postgresql.service" "nginx.service" "keycloak.service" ];
Skyler Greyfae88b12023-12-03 12:02:49 +0000[diff] [blame]164
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]165} (let isDerived = base != null;
166in if isDerived
167# We cannot use mkIf as both sides are evaluated no matter the condition value
168# Given we use base as an attrset, mkIf will error if base is null in here
169then
170 let synapse_cfgfile = config.services.matrix-synapse.configFile;
171 in {
172 scalpel.trafos."synapse.yaml" = {
173 source = toString synapse_cfgfile;
174 matchers."registration_shared_secret".secret =
175 config.sops.secrets.registration_shared_secret.path;
Skyler Grey22428b02023-11-19 13:20:56 +0000[diff] [blame]176 matchers."matrix_keycloak_client_secret".secret =
177 config.sops.secrets.matrix_keycloak_client_secret.path;
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]178 owner = config.users.users.matrix-synapse.name;
179 group = config.users.users.matrix-synapse.group;
180 mode = "0400";
181 };
182
183 systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce
184 (builtins.replaceStrings [ "${synapse_cfgfile}" ]
185 [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
186 "${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}");
187
188 systemd.services.matrix-synapse.preStart = lib.mkForce
189 (builtins.replaceStrings [ "${synapse_cfgfile}" ]
190 [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
191 "${base.config.systemd.services.matrix-synapse.preStart}");
192
193 systemd.services.matrix-synapse.restartTriggers = [ synapse_cfgfile ];
194
195 environment.systemPackages = with lib;
Skyler Grey874a2a82023-06-08 12:29:28 +0200[diff] [blame]196 let
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]197 cfg = config.services.matrix-synapse;
198 registerNewMatrixUser = let
199 isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
200 listener = lib.findFirst (listener:
201 lib.any (resource: lib.any (name: name == "client") resource.names)
202 listener.resources) (lib.last cfg.settings.listeners)
203 cfg.settings.listeners;
204 # FIXME: Handle cases with missing client listener properly,
205 # don't rely on lib.last, this will not work.
Skyler Greya78aa672023-05-20 13:48:18 +0200[diff] [blame]206
Skyler Greyfe1740c2023-10-21 01:24:18 +0000[diff] [blame]207 # add a tail, so that without any bind_addresses we still have a useable address
208 bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
209 listenerProtocol = if listener.tls then "https" else "http";
210 in pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
211 exec ${cfg.package}/bin/register_new_matrix_user \
212 $@ \
213 ${
214 lib.concatMapStringsSep " " (x: "-c ${x}")
215 ([ config.scalpel.trafos."synapse.yaml".destination ]
216 ++ cfg.extraConfigFiles)
217 } \
218 "${listenerProtocol}://${
219 if (isIpv6 bindAddress) then
220 "[${bindAddress}]"
221 else
222 "${bindAddress}"
223 }:${builtins.toString listener.port}/"
224 '';
225 in [ (lib.meta.hiPrio registerNewMatrixUser) ];
226 }
227else
228 { })