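# Dendrite (Matrix homeserver) with its secrets kept out of the Nix store.
#
# Arguments:
#   base   - a previously evaluated configuration (used as an attrset) or null;
#            when non-null, the second half of this module derives the scalpel
#            trafo from base's dendrite unit.
#   config, lib, pkgs - the usual NixOS module arguments.
{ base, config, lib, pkgs, ... }:
let
  # Connection string for one of dendrite's per-component databases.
  # `!!dendrite_db_password!!` is a placeholder, not the password: the
  # dendrite.yaml NixOS generates from `settings` is rewritten by the scalpel
  # trafo below, which swaps the placeholder for the content of the sops
  # secret. That keeps the real value out of the world-readable store path.
  # NOTE(review): sslmode=disable is only acceptable while the connection
  # stays on loopback — confirm postgresql is not exposed beyond localhost.
  postgresUrlFor = service:
    "postgres://dendrite:!!dendrite_db_password!!@localhost:${toString config.services.postgresql.port}/dendrite_${service}?sslmode=disable";
in
# recursiveUpdate rather than `//`: both halves define
# systemd.services.dendrite.serviceConfig, and a shallow `//` would replace
# the whole `systemd` attribute from the first half — dropping the
# DynamicUser/User/Group overrides — whenever the derived half is non-empty.
lib.recursiveUpdate
  {
    services.dendrite = {
      enable = true;
      httpPort = 4527;
      settings = {
        global = {
          server_name = "coded.codes";
          # Only the path of the sops-managed key is written into the
          # generated config.
          private_key = config.sops.secrets.matrix_private_key.path;
        };
        user_api = {
          account_database.connection_string = postgresUrlFor "account_database";
          device_database.connection_string = postgresUrlFor "device_database";
        };
        sync_api = {
          search.enable = true;
          database.connection_string = postgresUrlFor "sync_api";
        };
        room_server.database.connection_string = postgresUrlFor "room_server";
        mscs.database.connection_string = postgresUrlFor "mscs";
        media_api.database.connection_string = postgresUrlFor "media_api";
        key_server.database.connection_string = postgresUrlFor "key_server";
        federation_api.database.connection_string = postgresUrlFor "federation_api";
        app_service_api.database.connection_string = postgresUrlFor "app_service_api";

        # Placeholder, substituted by the scalpel trafo below
        # (matchers."registration_shared_secret").
        client_api.registration_shared_secret = "!!registration_shared_secret!!";
      };
    };

    # Static service account. The unit's DynamicUser is forced off below so
    # the process runs as a fixed uid/gid that the private key secret and the
    # rewritten config can be owned by (both are 0400 for this user).
    users.users.dendrite = {
      isSystemUser = true;
      createHome = true;
      home = config.systemd.services.dendrite.serviceConfig.WorkingDirectory;
      group = "clicks";
      # NOTE(review): an interactive login shell is more than the unit needs
      # and nothing on this page depends on it — confirm before switching to
      # a nologin shell.
      shell = pkgs.bashInteractive;
    };

    systemd.services.dendrite.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = lib.mkForce config.users.users.dendrite.name;
      Group = lib.mkForce config.users.users.dendrite.group;
    };

    sops.secrets =
      let
        # Secrets referenced only from the scalpel trafo, so they stay
        # root-owned and unreadable by the dendrite user itself.
        trafoSecret = name: {
          inherit name;
          value = {
            mode = "0400";
            owner = config.users.users.root.name;
            group = config.users.users.nobody.group;
            sopsFile = ../secrets/matrix.json;
            format = "json";
          };
        };
      in
      builtins.listToAttrs (map trafoSecret [ "registration_shared_secret" ])
      // {
        # Read by dendrite directly (global.private_key), hence owned by the
        # service user.
        matrix_private_key = {
          mode = "0400";
          owner = config.users.users.dendrite.name;
          group = config.users.users.dendrite.group;
          sopsFile = ../secrets/matrix_private_key.pem;
          format = "binary";
        };
      };
  }
  (
    let
      isDerived = base != null;
    in
    if isDerived
    # mkIf cannot be used here: both of its branches are evaluated regardless
    # of the condition, and the `then` branch dereferences `base`, which
    # errors when base is null.
    then
      let
        ExecStartPre = "${base.config.systemd.services.dendrite.serviceConfig.ExecStartPre}";
        # The base unit's ExecStartPre names the generated config as
        # `-i <path>`; that path becomes the trafo's source. Fail with a
        # message that shows the command rather than the bare "value is null"
        # builtins.head would raise when the pattern does not match.
        cfgMatch = builtins.match ".*-i ([^[:space:]]+).*" "${ExecStartPre}";
        dendrite_cfgfile =
          if cfgMatch == null
          then throw "dendrite: no `-i <config>` argument found in ExecStartPre: ${ExecStartPre}"
          else builtins.head cfgMatch;
      in
      {
        # Rewrite the generated config, replacing the `!!...!!` placeholders
        # with the secret values, into a file only the dendrite user can read.
        scalpel.trafos."dendrite.yaml" = {
          source = dendrite_cfgfile;
          matchers."dendrite_db_password".secret =
            config.sops.secrets.dendrite_db_password.path; # Defined in postgres.nix
          matchers."registration_shared_secret".secret =
            config.sops.secrets.registration_shared_secret.path;
          owner = config.users.users.dendrite.name;
          group = config.users.users.dendrite.group;
          mode = "0400";
        };

        # Point the unit at the rewritten config instead of the store path.
        systemd.services.dendrite.serviceConfig.ExecStartPre = lib.mkForce (
          builtins.replaceStrings
            [ "${dendrite_cfgfile}" ]
            [ "${config.scalpel.trafos."dendrite.yaml".destination}" ]
            "${ExecStartPre}"
        );
      }
    else { }
  )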