From 14fa3fdec2cba2353c8cbf377d32dd298349c950 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 16 Dec 2023 13:53:34 +0100
Subject: [PATCH 1/4] feat(matrix): enable sliding-sync

Sliding Sync is an implementation of MSC3575 and a prerequisite for running the new (still beta) Element X clients (Element X iOS and Element X Android).

https://github.com/matrix-org/sliding-sync
https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
---
 hosts/nachtigall/apps/matrix/synapse.nix | 18 ++++++++++++
 hosts/nachtigall/apps/nginx-matrix.nix | 6 ++++
 .../matrix-synapse-sliding-sync-secret.age | 28 +++++++++++++++++++
 secrets/secrets.nix | 1 +
 4 files changed, 53 insertions(+)
 create mode 100644 secrets/matrix-synapse-sliding-sync-secret.age

diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix
index 050cad2c..1c76e1da 100644
--- a/hosts/nachtigall/apps/matrix/synapse.nix
+++ b/hosts/nachtigall/apps/matrix/synapse.nix
@@ -15,6 +15,12 @@ in {
 owner = "matrix-synapse";
 };
 
+ age.secrets."matrix-synapse-sliding-sync-secret" = {
+ file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
+ mode = "400";
+ owner = "matrix-synapse";
+ };
+
 services.matrix-synapse = {
 enable = true;
 settings = {
@@ -226,6 +232,18 @@ in {
 plugins = [
 config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
 ];
+
+ sliding-sync = {
+ enable = true;
+ settings = {
+ SYNCV3_SERVER = "https://${publicDomain}";
+ SYNCV3_BINDADDR = "127.0.0.1:8011";
+ # The bind addr for Prometheus metrics, which will be accessible at
+ # /metrics at this address
+ SYNCV3_PROM = "127.0.0.1:9100";
+ };
+ environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
+ };
 };
 
 services.restic.backups.matrix-synapse-storagebox = {
diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix
index ef4ee28c..afeb9c46 100644
--- a/hosts/nachtigall/apps/nginx-matrix.nix
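Review bot: `SYNCV3_PROM = "127.0.0.1:9100"` in the sliding-sync block reuses the port the Prometheus node exporter listens on by default, so if this host also runs `services.prometheus.exporters.node` on its default port the two units will contend for the same bind; that is inferred from the port number alone, since no exporter configuration is visible in this diff. Keeping the endpoint on loopback is the right call, because the `/metrics` endpoint carries no authentication of its own, as is usual for Prometheus targets, and should only be reachable by the local scraper. Choosing a port that is known to be free and recording the reason avoids a silent collision later, e.g. `# Loopback only: /metrics is unauthenticated; port picked to not clash with node_exporter (9100)` above `SYNCV3_PROM = "127.0.0.1:<free port>";` (placeholder, pick a free one). The enclosing `services.matrix-synapse` attribute set starts outside the hunk.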
+++ b/hosts/nachtigall/apps/nginx-matrix.nix
@@ -98,6 +98,12 @@ in
 extraConfig = commonHeaders;
 };
 
+ # sliding-sync
+ "/sliding-sync" = {
+ proxyPass = "http://127.0.0.1:8011";
+ extraConfig = commonHeaders;
+ };
+
 "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
 proxyPass = "http://127.0.0.1:8008";
diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age
new file mode 100644
index 00000000..87c6fb19
--- /dev/null
+++ b/secrets/matrix-synapse-sliding-sync-secret.age
@@ -0,0 +1,28 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg ZAytAxSCDBwBmR7gjWbITQsp3XDf2DRR3pj5yncgcDw +taDoCdUqg9yy0bObDyUSZHE8pUxNqHQMv1nWfDCmAjQ +-> ssh-ed25519 uYcDNw eGOdA1rVklmAfeZ1KkOIPzpHzesMZNpfLsEw7V0J8AE +9jdpr/XURp5XK5yRq/EB9tUGMx+4i+tTi7eqhexEo0A +-> ssh-rsa kFDS0A +U+m/e7AsVAFvSUHEZn6E/ZQW4h0A/b5Guh1demD5N40P1k3TdOq2L/UbKF3Xu85p +R48Fg6EB8VnXXaERx1Oifld+hLkClM5vS1xTgRT7x7ghXc+wnirOxRhWq7R1mUD3 +KTWEZ+RYiqz4GXV1PjzVDI2j0rd4a5sCFk238DZyYeJ/sSrrDcUEf15XCb9iPQQQ +XgV2VqMnkNxswqg2JO5oTno6VWJD+Xj5agOnPnHSIJs4LD60AyepQFQRDTmjgk9l +e3+Kp2S+nlXE+qGjCPtKhu4CUDDxiN0Ken5SgaOe2UJUnBmZdrk4dfnxaHTpD1Qv +knDpzklAnGkofqFKxaBpACGNDayqJndoHOIpAhH1xxMpgKp2whHOI+nZox6wNhtZ +LNdk7/Pm1l9yFYKtNTo/7UKQuJIRQ7BXqM8XXZu+nyDHoSZSOolF3ZQ7PJC+bGpN +id0uV2JWts6dRAiP0JVot3JND+bbcgBn98kP7rCw3hv9/dAwy4jueUfDOaJS6Xpb +zvYpurUZxCiVXJ42A4Lt0oVK1W0IxOw/R6goP3xNCRU/UarpPN7CW7+kswL4Doaq +wdScue8HkHMIjwt1KVBoSFKWQKiPTCZ8PL4ySxaa/Kf1OsZ/x7t5TNKtQsDQ45GK +3piOdjYvL6noaPjLk0ev23bs4bQyITQXThFMgIij7WA +-> ssh-ed25519 YFSOsg lZOhoVyzA9a39Ogslpma4Wu9vzx9d05DDB+FTqZzsj8 +XdXtBlFMRUJnB2tFhOpT/TgwVt06ba9v5F9hWho1a3A +-> ssh-ed25519 iHV63A /LYzVHc7Fh0ZmVzJKbkBF7F6CdZOJ6QLT6vOLeS9tXc +2M8BXLo+oBG0sdkuIr4jdPOguqH9yPR4riGdGuuyiwA +-> ssh-ed25519 BVsyTA eV6iYMJAz2AFzjJK9eB4xImnKXsvWawFfvqm59nx2m0 +9uxzMlyGDO38vLFdbMng0pqpQ2AdkYEq/FaajZaVDEU +-> a-grease \-@wjs :O +2MFVQpzuIz5l71cLzswjoczEiVEAUnM+Mge943oyo/xl/027wsev15JetLLiUa93 +OzwLMmg5cAhjuKOfaDxZ8AOa +--- bBFGpIH3XBmtk3VzEkQz0g069LNXWnaWyIZfZ61P+aw +kZIQ䈷/ \cl|\>N1,?[t~Fy.cAT0H'vAh4Sg0 /*8M \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 712839d8..21e7a522 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -44,6 +44,7 @@ in {
 "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
 "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
 "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
+ "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
 "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
 "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;

From a56f8d2a00ef5b6f8bef50c2652e302881402222 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 16 Dec 2023 14:33:20 +0100
Subject: [PATCH 2/4] fix: add missing SYNCV3_SECRET env var

---
 .../matrix-synapse-sliding-sync-secret.age | 51 +++++++++---------
 1 file changed, 25 insertions(+), 26 deletions(-)

diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age
index 87c6fb19..966eb280 100644
--- a/secrets/matrix-synapse-sliding-sync-secret.age
+++ b/secrets/matrix-synapse-sliding-sync-secret.age
@@ -1,28 +1,27 @@ age-encryption.org/v1 --> ssh-ed25519 iDKjwg ZAytAxSCDBwBmR7gjWbITQsp3XDf2DRR3pj5yncgcDw -taDoCdUqg9yy0bObDyUSZHE8pUxNqHQMv1nWfDCmAjQ --> ssh-ed25519 uYcDNw eGOdA1rVklmAfeZ1KkOIPzpHzesMZNpfLsEw7V0J8AE -9jdpr/XURp5XK5yRq/EB9tUGMx+4i+tTi7eqhexEo0A +-> ssh-ed25519 iDKjwg O7ax7BWOp2BEKA9i4WAmI0hsGoRjSzfAbMb4eRLdoRM +LlddBgKAoFe7qKvq7ixIphiWiO1JzKSyLJ6PSmUd2xA +-> ssh-ed25519 uYcDNw 5gN/+TZa94jPsMsrwXlrb1U8alMnCJq5/EIegIus0SI +NUTWQw6WCZTpKK4EFBL1lxSSnI9WEAb1MB7iFiezDFg -> ssh-rsa kFDS0A -U+m/e7AsVAFvSUHEZn6E/ZQW4h0A/b5Guh1demD5N40P1k3TdOq2L/UbKF3Xu85p -R48Fg6EB8VnXXaERx1Oifld+hLkClM5vS1xTgRT7x7ghXc+wnirOxRhWq7R1mUD3 -KTWEZ+RYiqz4GXV1PjzVDI2j0rd4a5sCFk238DZyYeJ/sSrrDcUEf15XCb9iPQQQ -XgV2VqMnkNxswqg2JO5oTno6VWJD+Xj5agOnPnHSIJs4LD60AyepQFQRDTmjgk9l -e3+Kp2S+nlXE+qGjCPtKhu4CUDDxiN0Ken5SgaOe2UJUnBmZdrk4dfnxaHTpD1Qv -knDpzklAnGkofqFKxaBpACGNDayqJndoHOIpAhH1xxMpgKp2whHOI+nZox6wNhtZ -LNdk7/Pm1l9yFYKtNTo/7UKQuJIRQ7BXqM8XXZu+nyDHoSZSOolF3ZQ7PJC+bGpN -id0uV2JWts6dRAiP0JVot3JND+bbcgBn98kP7rCw3hv9/dAwy4jueUfDOaJS6Xpb -zvYpurUZxCiVXJ42A4Lt0oVK1W0IxOw/R6goP3xNCRU/UarpPN7CW7+kswL4Doaq -wdScue8HkHMIjwt1KVBoSFKWQKiPTCZ8PL4ySxaa/Kf1OsZ/x7t5TNKtQsDQ45GK -3piOdjYvL6noaPjLk0ev23bs4bQyITQXThFMgIij7WA --> ssh-ed25519 YFSOsg lZOhoVyzA9a39Ogslpma4Wu9vzx9d05DDB+FTqZzsj8 -XdXtBlFMRUJnB2tFhOpT/TgwVt06ba9v5F9hWho1a3A --> ssh-ed25519 iHV63A /LYzVHc7Fh0ZmVzJKbkBF7F6CdZOJ6QLT6vOLeS9tXc -2M8BXLo+oBG0sdkuIr4jdPOguqH9yPR4riGdGuuyiwA --> ssh-ed25519 BVsyTA eV6iYMJAz2AFzjJK9eB4xImnKXsvWawFfvqm59nx2m0 -9uxzMlyGDO38vLFdbMng0pqpQ2AdkYEq/FaajZaVDEU --> a-grease \-@wjs :O -2MFVQpzuIz5l71cLzswjoczEiVEAUnM+Mge943oyo/xl/027wsev15JetLLiUa93 -OzwLMmg5cAhjuKOfaDxZ8AOa ---- bBFGpIH3XBmtk3VzEkQz0g069LNXWnaWyIZfZ61P+aw -kZIQ䈷/ \cl|\>N1,?[t~Fy.cAT0H'vAh4Sg0 /*8M \ No newline at end of file +mXTGOqDXWJSVo58aok+GC2v7Xm/lL/QUrA9H4Ywfz1ksK2O1vZFmmrj9YOGMwtz3 +KodmEn8339Oyz0Tw2lSDMJb22OZPxs2q1tYQ33tvj1OXVQygzW1q/RfTPXFtTCVo +alKl2Dbr8esFN+Cfpdh4zHJFab73m6FUDGF2k4O5Gos8eOUiUx1O8WPMDtKgwTqM 
+Wtbnk0iBiTdgjwdFjkdMnx1bxGxa4pEtqtBdw9UiLwPKoPWJzHg7F9uIWH8L0FkQ +ml7K+pjZMzwWdJwuaLpIB3yCTDiSF4j9Wr74sXjUGQ/atGesIImIGnXEyZ0v6RI2 +uRP4gx4zA9eoYcIWpuitgx9VKDwwJjcAyhffbZvTYF2ogtnWtCBIlY5jAtIV5l9I +x0k/FMfq0hGvXOJb976zsW83ZaXVPFpUEV75mweVAUbsnRmML1kyYKAFWF58hSoa +aEmij9hDvPIoQn2f6OTCtWXSJBtJjhxr4uvbKfrvhQojol91cU0w+fDe5rsZzhMk +CksD3JM+OmCpguvl+4jANxPVY58avIjZArOn/UVyM0LLuKFLfRzqpBup6ifv3Wpk +gplElrdz4iGHoEnceCGVJXcxXVbMfB4cr8I5BMK65TgN0pkl+VG6vY/TvgUl5a1C +VjLQxIVg3hEy8mRvIGjjo0R2E8qTkcMn5Bz5mjFJeXI +-> ssh-ed25519 YFSOsg nvVCR2LV8DHU+hIQa19uX9pEhA+NQxMkmBUMDktKOGU +Q9qhrcOeEA3myMqZbptbsWCS9hbm67pF5qO3jARN/bs +-> ssh-ed25519 iHV63A +Pca506lCnqn/+2e3lKVzlLcsa63EgngYry54yiAxA0 +hyZZUoRuYjJvhznZBAkRRjq2x6jZvJX0sfj+jigX39c +-> ssh-ed25519 BVsyTA hza+5wLH7L3VyXIwBK/sq5UNR6SC3EnKxQ3ucrVPwXc +BAXKAf2gdMT29ZXEAeq0B54ojrGa9LwfhBK91v68yis +-> !By"-grease +7r6wODXXipdv7nXJ+K653PLYdKOLF1pEvCWeKk8/q49s5ScMqZpGVA +--- zNjNg84OVHL/CbJyutcBz6eWD+71peLb7weZ/EjQaic +r!?RUoE~W>_t=*7t=QԹ[`@B۝jedܰ qo^PN{H^jBh:PP&♗mܯt \ No newline at end of file From 768d4c78bc28c4f422cb011c295f1a2cb570bcca Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 16 Dec 2023 14:48:08 +0100 Subject: [PATCH 3/4] fix: use nginx locations recommended by upstream https://github.com/matrix-org/sliding-sync#same-hostname --- hosts/nachtigall/apps/nginx-matrix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index afeb9c46..5d5217d9 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -99,7 +99,7 @@ in }; # sliding-sync - "/sliding-sync" = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { proxyPass = "http://127.0.0.1:8011"; extraConfig = commonHeaders; }; From a310b414f7a8d6376b64148f205bf3a0a365258d Mon Sep 17 00:00:00 2001 
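Review bot: The new `"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"` location overlaps the existing `"~* ^(/_matrix|/_synapse/client|/_synapse/oidc)"` location for the MSC3575 sync path, and nginx hands a request to the first regex location in the order they are emitted; the NixOS nginx module emits same-priority locations in attribute-name order, so the sliding-sync entry only wins today because `~ ^/(client/` happens to sort before `~* ^(/_matrix`, which nothing in the file states. Setting the location's `priority` option to a value below the default 1000 makes the ordering explicit, so the sync endpoint keeps reaching the proxy on 127.0.0.1:8011 even if the other location is renamed or another regex is added. The unescaped dots in `org.matrix.msc3575` are regex wildcards as written; `org\.matrix\.msc3575` would match only the literal path, though it is harmless here because the upstream catch-all would take the same request anyway. The vhost's `locations` set starts and ends outside the hunk.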
From: teutat3s
Date: Sat, 16 Dec 2023 14:57:36 +0100
Subject: [PATCH 4/4] fix: update well-known for sliding-sync

---
 hosts/nachtigall/apps/nginx-matrix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix
index 5d5217d9..5dd3c485 100644
--- a/hosts/nachtigall/apps/nginx-matrix.nix
+++ b/hosts/nachtigall/apps/nginx-matrix.nix
@@ -9,7 +9,7 @@ let
 wellKnownClient = domain: {
 "m.homeserver".base_url = "https://matrix.${domain}";
 "m.identity_server".base_url = "https://matrix.${domain}";
- "org.matrix.msc3575.proxy".url = "https://matrix.${domain}/sliding-sync";
+ "org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
 "im.vector.riot.e2ee".default = true;
 "io.element.e2ee" = {
 default = true;