Blame - modules/matrix.nix - Infra/NixFiles

blob: 967e9d9bfee87badd1b06068023a0381078af3ab [file] [log] [blame]

Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	1	{ base, config, lib, pkgs, ... }:
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	2	{
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	3	services.matrix-synapse = {
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	4	enable = true;
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	5	withJemalloc = true;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	6
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	7	settings = {
				8	server_name = "coded.codes";
				9	enable_registration = true;
				10	registration_requires_token = true;
				11	registration_shared_secret = "!!registration_shared_secret!!";
				12	public_baseurl = "https://matrix-backend.coded.codes/";
				13	max_upload_size = "100M";
				14	listeners = [{
				15	x_forwarded = true;
				16	tls = false;
				17	resources = [{
				18	names = [
				19	"client"
				20	"federation"
				21	];
				22	compress = true;
				23	}];
				24	port = 4527;
				25	}];
				26	enable_metrics = true;
				27	database.args.database = "synapse";
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	28	};
				29	};
				30
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	31	sops.secrets = {
				32	registration_shared_secret = {
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	33	mode = "0400";
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	34	owner = config.users.users.root.name;
				35	group = config.users.users.nobody.group;
				36	sopsFile = ../secrets/matrix.json;
				37	format = "json";
				38	};
				39	matrix_private_key = {
				40	mode = "0600";
				41	owner = config.users.users.matrix-synapse.name;
				42	group = config.users.users.matrix-synapse.group;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	43	sopsFile = ../secrets/matrix_private_key.pem;
				44	format = "binary";
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	45	path = config.services.matrix-synapse.settings.signing_key_path;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	46	};
				47	};
				48	} // (
				49	let
				50	isDerived = base != null;
				51	in
				52	if isDerived
				53	# We cannot use mkIf as both sides are evaluated no matter the condition value
				54	# Given we use base as an attrset, mkIf will error if base is null in here
				55	then
				56	let
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	57	synapse_cfgfile = config.services.matrix-synapse.configFile;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	58	in
				59	{
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	60	scalpel.trafos."synapse.yaml" = {
				61	source = toString synapse_cfgfile;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	62	matchers."registration_shared_secret".secret =
				63	config.sops.secrets.registration_shared_secret.path;
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	64	owner = config.users.users.matrix-synapse.name;
				65	group = config.users.users.matrix-synapse.group;
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	66	mode = "0400";
				67	};
				68
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	69	systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce (
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	70	builtins.replaceStrings
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	71	[ "${synapse_cfgfile}" ]
				72	[ "${config.scalpel.trafos."synapse.yaml".destination}" ]
				73	"${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}"
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	74	);
Skyler Grey	8e32c83	2023-05-20 22:54:30 +0200	[diff] [blame^]	75
				76	systemd.services.matrix-synapse.preStart = lib.mkForce (
				77	builtins.replaceStrings
				78	[ "${synapse_cfgfile}" ]
				79	[ "${config.scalpel.trafos."synapse.yaml".destination}" ]
				80	"${base.config.systemd.services.matrix-synapse.preStart}"
				81	);
				82
				83	environment.systemPackages =
				84	with lib; let
				85	cfg = config.services.matrix-synapse;
				86	registerNewMatrixUser =
				87	let
				88	isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
				89	listener =
				90	lib.findFirst
				91	(
				92	listener: lib.any
				93	(
				94	resource: lib.any
				95	(
				96	name: name == "client"
				97	)
				98	resource.names
				99	)
				100	listener.resources
				101	)
				102	(lib.last cfg.settings.listeners)
				103	cfg.settings.listeners;
				104	# FIXME: Handle cases with missing client listener properly,
				105	# don't rely on lib.last, this will not work.
				106
				107	# add a tail, so that without any bind_addresses we still have a useable address
				108	bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
				109	listenerProtocol =
				110	if listener.tls
				111	then "https"
				112	else "http";
				113	in
				114	pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
				115	exec ${cfg.package}/bin/register_new_matrix_user \
				116	$@ \
				117	${lib.concatMapStringsSep " " (x: "-c ${x}") ([
				118	config.scalpel.trafos."synapse.yaml".destination ] ++ cfg.extraConfigFiles)} \
				119	"${listenerProtocol}://${
				120	if (isIpv6 bindAddress) then
				121	"[${bindAddress}]"
				122	else
				123	"${bindAddress}"
				124	}:${builtins.toString listener.port}/"
				125	'';
				126	in
				127	[ (lib.meta.hiPrio registerNewMatrixUser) ];
Skyler Grey	a78aa67	2023-05-20 13:48:18 +0200	[diff] [blame]	128	}
				129	else { }
				130	)