mas: move to module, add secrets for prod

teutat3s 2024-10-30 17:57:33 +01:00
parent 4434a90136
commit 9d9bcf9a15
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
6 changed files with 135 additions and 104 deletions


@ -82,28 +82,39 @@
owner = "matrix-synapse"; owner = "matrix-synapse";
}; };
pub-solar-os.matrix-synapse = { age.secrets."matrix-authentication-service-secret-config.yml" = {
enable = true; file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
sliding-sync.enable = true; mode = "400";
signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; owner = "matrix-authentication-service";
extra-config-files = [ };
config.age.secrets."matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the pub-solar-os.matrix = {
# appservice for the first time. enable = true;
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \ synapse = {
# /var/lib/matrix-synapse/ sliding-sync.enable = true;
# chown matrix-synapse:matrix-synapse \ signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
# /var/lib/matrix-synapse/telegram-registration.yaml extra-config-files = [
"/var/lib/matrix-synapse/telegram-registration.yaml" config.age.secrets."matrix-synapse-secret-config.yaml".path
];
app-service-config-files = [ # The registration file is automatically generated after starting the
"/var/lib/matrix-synapse/telegram-registration.yaml" # appservice for the first time.
"/var/lib/matrix-appservice-irc/registration.yml" # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# "/matrix-appservice-slack-registration.yaml" # /var/lib/matrix-synapse/
# "/hookshot-registration.yml" # chown matrix-synapse:matrix-synapse \
# "/matrix-mautrix-signal-registration.yaml" # /var/lib/matrix-synapse/telegram-registration.yaml
# "/matrix-mautrix-telegram-registration.yaml" "/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
};
matrix-authentication-service.extra-config-files = [
config.age.secrets."matrix-authentication-service-secret-config.yml".path
]; ];
}; };
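Review bot: Setting `pub-solar-os.matrix.enable = true` on this host now also starts matrix-authentication-service, because the module's `services.matrix-authentication-service = { enable = true; … }` block (visible in the module hunk) sits directly under `lib.mkIf config.pub-solar-os.matrix.enable` with no separate switch; before this commit the host ran synapse only. If bringing MAS up here is intended that is fine, but a host-level opt-in would make the rollout explicit and keep a synapse-only deployment possible: declare `matrix-authentication-service.enable = lib.mkEnableOption "matrix-authentication-service";` in the module, wrap the service block as `services.matrix-authentication-service = lib.mkIf config.pub-solar-os.matrix.matrix-authentication-service.enable { … };`, and set it to true here next to `extra-config-files`. The enclosing attribute set begins before the hunk.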


@ -9,10 +9,12 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./backups.nix ./backups.nix
"${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
"${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix" "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
]; ];
disabledModules = [ disabledModules = [
"services/matrix/matrix-authentication-service.nix "
"services/web-apps/mastodon.nix" "services/web-apps/mastodon.nix"
]; ];
} }
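Review bot: The new `disabledModules` entry `"services/matrix/matrix-authentication-service.nix "` has a trailing space inside the string as rendered, so it will not match the nixpkgs module path and the upstream module is not actually disabled; if the pinned nixpkgs already ships that module, it and the fork's copy would both declare the same options and evaluation would fail. Drop the space: `"services/matrix/matrix-authentication-service.nix"`. The import path on the line above has a doubled slash (`services//matrix/`); it still resolves, but is worth normalising to `"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"`. The `imports` list starts before the hunk.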


@ -42,72 +42,28 @@
owner = "matrix-authentication-service"; owner = "matrix-authentication-service";
}; };
pub-solar-os.matrix-synapse = { pub-solar-os.matrix = {
enable = true; enable = true;
extra-config-files = [ synapse = {
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path extra-config-files = [
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the # The registration file is automatically generated after starting the
# appservice for the first time. # appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \ # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/ # /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \ # chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml # /var/lib/matrix-synapse/telegram-registration.yaml
#"/var/lib/matrix-synapse/telegram-registration.yaml" #"/var/lib/matrix-synapse/telegram-registration.yaml"
]; ];
app-service-config-files = [ app-service-config-files = [
"/var/lib/matrix-appservice-irc/registration.yml" "/var/lib/matrix-appservice-irc/registration.yml"
#"/var/lib/matrix-synapse/telegram-registration.yaml" #"/var/lib/matrix-synapse/telegram-registration.yaml"
]; ];
}; };
matrix-authentication-service.extra-config-files = [
services.matrix-authentication-service = {
enable = true;
createDatabase = true;
extraConfigFiles = [
config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path
]; ];
settings = {
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
http.listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets";
}
];
binds = [
{
host = "0.0.0.0";
port = 8090;
}
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "0.0.0.0";
port = 8081;
}
];
proxy_protocol = false;
}
];
passwords.enabled = false;
};
}; };
services.openssh.openFirewall = true; services.openssh.openFirewall = true;


@ -10,33 +10,46 @@ let
serverDomain = "${config.pub-solar-os.networking.domain}"; serverDomain = "${config.pub-solar-os.networking.domain}";
in in
{ {
options.pub-solar-os.matrix-synapse = { options.pub-solar-os = {
enable = lib.mkEnableOption "Enable matrix-synapse to run on the node"; matrix = {
enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node";
app-service-config-files = lib.mkOption { synapse = {
description = "List of app service config files"; app-service-config-files = lib.mkOption {
type = lib.types.listOf lib.types.str; description = "List of app service config files";
default = [ ]; type = lib.types.listOf lib.types.str;
}; default = [ ];
};
extra-config-files = lib.mkOption { extra-config-files = lib.mkOption {
description = "List of extra synapse config files"; description = "List of extra synapse config files";
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
}; };
signing_key_path = lib.mkOption { signing_key_path = lib.mkOption {
description = "Path to file containing the signing key"; description = "Path to file containing the signing key";
type = lib.types.str; type = lib.types.str;
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
}; };
sliding-sync.enable = lib.mkEnableOption {
description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; sliding-sync.enable = lib.mkEnableOption {
default = false; description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
default = false;
};
};
matrix-authentication-service = {
extra-config-files = lib.mkOption {
description = "List of extra mas config files";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
}; };
}; };
config = lib.mkIf config.pub-solar-os.matrix-synapse.enable { config = lib.mkIf config.pub-solar-os.matrix.enable {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
@ -265,6 +278,54 @@ in
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
}; };
services.matrix-authentication-service = {
enable = true;
createDatabase = true;
extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files;
settings = {
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
http.listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets";
}
];
binds = [
{
host = "0.0.0.0";
port = 8090;
}
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "0.0.0.0";
port = 8081;
}
];
proxy_protocol = false;
}
];
passwords.enabled = false;
};
};
services.matrix-sliding-sync = { services.matrix-sliding-sync = {
enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable; enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable;
settings = { settings = {
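Review bot: `enable = config.pub-solar-os.matrix-synapse.sliding-sync.enable;` in the unchanged context at the end of the second hunk still reads the old option path, but this commit moves the declarations to `options.pub-solar-os.matrix.synapse`, so `config.pub-solar-os.matrix-synapse` is no longer declared and evaluation should fail with a missing-attribute error as soon as a host enables the module (both host configs in this commit do). Change it to `enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;` and check the rest of the file, which this view does not show, for other `pub-solar-os.matrix-synapse` references. Separately, `sliding-sync.enable = lib.mkEnableOption { description = …; default = false; }` passes an attribute set where `lib.mkEnableOption` takes a name string; it is carried over unchanged and only bites when the description is rendered, but `lib.mkOption { type = lib.types.bool; default = false; description = …; }` is the correct form. The `services.matrix-sliding-sync` block continues past the hunk.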


@ -68,6 +68,7 @@ in
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
"staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
"staging-matrix-authentication-service-secret-config.yml.age".publicKeys = "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =