feat(matrix): enable sliding-sync

Sliding Sync is an implementation of MSC3575 and a prerequisite for
running the new (still beta) Element X clients (Element X iOS and
Element X Android).

https://github.com/matrix-org/sliding-sync
https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md

hosts/nachtigall/apps/matrix/synapse.nix

@@ -15,6 +15,12 @@ in {
     owner = "matrix-synapse";
   };
 
+  age.secrets."matrix-synapse-sliding-sync-secret" = {
+    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
   services.matrix-synapse = {
     enable = true;
     settings = {
@@ -226,6 +232,18 @@ in {
     plugins = [
       config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
     ];
+
+    sliding-sync = {
+      enable = true;
+      settings = {
+        SYNCV3_SERVER = "https://${publicDomain}";
+        SYNCV3_BINDADDR = "127.0.0.1:8011";
+        # The bind addr for Prometheus metrics, which will be accessible at
+        # /metrics at this address
+        SYNCV3_PROM = "127.0.0.1:9100";
+      };
+      environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
+    };
   };
 
   services.restic.backups.matrix-synapse-storagebox = {

hosts/nachtigall/apps/nginx-matrix.nix

@@ -98,6 +98,12 @@ in
           extraConfig = commonHeaders;
         };
 
+        # sliding-sync
+        "/sliding-sync" = {
+          proxyPass = "http://127.0.0.1:8011";
+          extraConfig = commonHeaders;
+        };
+
         "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
           proxyPass = "http://127.0.0.1:8008";
 

secrets/matrix-synapse-sliding-sync-secret.age

@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg ZAytAxSCDBwBmR7gjWbITQsp3XDf2DRR3pj5yncgcDw
+taDoCdUqg9yy0bObDyUSZHE8pUxNqHQMv1nWfDCmAjQ
+-> ssh-ed25519 uYcDNw eGOdA1rVklmAfeZ1KkOIPzpHzesMZNpfLsEw7V0J8AE
+9jdpr/XURp5XK5yRq/EB9tUGMx+4i+tTi7eqhexEo0A
+-> ssh-rsa kFDS0A
+U+m/e7AsVAFvSUHEZn6E/ZQW4h0A/b5Guh1demD5N40P1k3TdOq2L/UbKF3Xu85p
+R48Fg6EB8VnXXaERx1Oifld+hLkClM5vS1xTgRT7x7ghXc+wnirOxRhWq7R1mUD3
+KTWEZ+RYiqz4GXV1PjzVDI2j0rd4a5sCFk238DZyYeJ/sSrrDcUEf15XCb9iPQQQ
+XgV2VqMnkNxswqg2JO5oTno6VWJD+Xj5agOnPnHSIJs4LD60AyepQFQRDTmjgk9l
+e3+Kp2S+nlXE+qGjCPtKhu4CUDDxiN0Ken5SgaOe2UJUnBmZdrk4dfnxaHTpD1Qv
+knDpzklAnGkofqFKxaBpACGNDayqJndoHOIpAhH1xxMpgKp2whHOI+nZox6wNhtZ
+LNdk7/Pm1l9yFYKtNTo/7UKQuJIRQ7BXqM8XXZu+nyDHoSZSOolF3ZQ7PJC+bGpN
+id0uV2JWts6dRAiP0JVot3JND+bbcgBn98kP7rCw3hv9/dAwy4jueUfDOaJS6Xpb
+zvYpurUZxCiVXJ42A4Lt0oVK1W0IxOw/R6goP3xNCRU/UarpPN7CW7+kswL4Doaq
+wdScue8HkHMIjwt1KVBoSFKWQKiPTCZ8PL4ySxaa/Kf1OsZ/x7t5TNKtQsDQ45GK
+3piOdjYvL6noaPjLk0ev23bs4bQyITQXThFMgIij7WA
+-> ssh-ed25519 YFSOsg lZOhoVyzA9a39Ogslpma4Wu9vzx9d05DDB+FTqZzsj8
+XdXtBlFMRUJnB2tFhOpT/TgwVt06ba9v5F9hWho1a3A
+-> ssh-ed25519 iHV63A /LYzVHc7Fh0ZmVzJKbkBF7F6CdZOJ6QLT6vOLeS9tXc
+2M8BXLo+oBG0sdkuIr4jdPOguqH9yPR4riGdGuuyiwA
+-> ssh-ed25519 BVsyTA eV6iYMJAz2AFzjJK9eB4xImnKXsvWawFfvqm59nx2m0
+9uxzMlyGDO38vLFdbMng0pqpQ2AdkYEq/FaajZaVDEU
+-> a-grease \-@wjs :O
+2MFVQpzuIz5l71cLzswjoczEiVEAUnM+Mge943oyo/xl/027wsev15JetLLiUa93
+OzwLMmg5cAhjuKOfaDxZ8AOa
+--- bBFGpIH3XBmtk3VzEkQz0g069LNXWnaWyIZfZ61P+aw
+•k¥ÏZŽªŠ¿“IæÈQšô䈷/	\Ïàócl|µ\„áõã>N1,¯Ÿý—?¹[t~F½Ššýøé´y.cAT0“íH'üvA¹õh²4¢SgÑ0²<>/ñ*8M<38>

secrets/secrets.nix

@@ -44,6 +44,7 @@ in {
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
 
   "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
   "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;