forked from pub-solar/infra
teutat3s
a3ce107c73
Reviewed-on: pub-solar/infra#76 Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
252 lines
6.6 KiB
Nix
252 lines
6.6 KiB
Nix
{ flake, config, pkgs, ... }:
|
|
let
|
|
publicDomain = "matrix.pub.solar";
|
|
serverDomain = "pub.solar";
|
|
in {
|
|
age.secrets."matrix-synapse-signing-key" = {
|
|
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
|
|
mode = "400";
|
|
owner = "matrix-synapse";
|
|
};
|
|
|
|
age.secrets."matrix-synapse-secret-config.yaml" = {
|
|
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
|
|
mode = "400";
|
|
owner = "matrix-synapse";
|
|
};
|
|
|
|
services.matrix-synapse = {
|
|
enable = true;
|
|
settings = {
|
|
server_name = serverDomain;
|
|
public_baseurl = "https://${publicDomain}/";
|
|
database = {
|
|
name = "psycopg2";
|
|
args = {
|
|
host = "/run/postgresql";
|
|
cp_max = 10;
|
|
cp_min = 5;
|
|
database = "matrix";
|
|
};
|
|
allow_unsafe_locale = false;
|
|
txn_limit = 0;
|
|
};
|
|
|
|
account_threepid_delegates.msisdn = "";
|
|
alias_creation_rules = [{
|
|
action = "allow";
|
|
alias= "*";
|
|
room_id = "*" ;
|
|
user_id = "*";
|
|
}];
|
|
allow_guest_access = false;
|
|
allow_public_rooms_over_federation = true;
|
|
allow_public_rooms_without_auth = false;
|
|
auto_join_rooms = [
|
|
"#community:${serverDomain}"
|
|
"#general:${serverDomain}"
|
|
];
|
|
|
|
autocreate_auto_join_rooms = true;
|
|
caches.global_factor = 0.5;
|
|
|
|
default_room_version = "10";
|
|
disable_msisdn_registration = true;
|
|
enable_media_repo = true;
|
|
enable_metrics = true;
|
|
enable_registration = false;
|
|
enable_registration_captcha = false;
|
|
enable_registration_without_verification = false;
|
|
enable_room_list_search = true;
|
|
encryption_enabled_by_default_for_room_type = "off";
|
|
event_cache_size = "100K";
|
|
federation_rr_transactions_per_room_per_second = 50;
|
|
forget_rooms_on_leave = true;
|
|
include_profile_data_on_invite = true;
|
|
instance_map = {};
|
|
limit_profile_requests_to_users_who_share_rooms = false;
|
|
|
|
log_config = ./matrix-log-config.yaml;
|
|
|
|
max_spider_size = "10M";
|
|
max_upload_size = "50M";
|
|
media_storage_providers = [];
|
|
|
|
password_config = {
|
|
enabled = false;
|
|
localdb_enabled = false;
|
|
pepper = "";
|
|
};
|
|
|
|
presence.enabled = true;
|
|
push.include_content = false;
|
|
|
|
rc_admin_redaction= {
|
|
burst_count = 50;
|
|
per_second = 1;
|
|
};
|
|
rc_federation= {
|
|
concurrent = 3;
|
|
reject_limit = 50;
|
|
sleep_delay = 500;
|
|
sleep_limit = 10;
|
|
window_size = 1000;
|
|
};
|
|
rc_invites= {
|
|
per_issuer= {
|
|
burst_count = 10;
|
|
per_second = 0.3;
|
|
};
|
|
per_room= {
|
|
burst_count = 10;
|
|
per_second = 0.3;
|
|
};
|
|
per_user= {
|
|
burst_count = 5;
|
|
per_second = 0.003;
|
|
};
|
|
};
|
|
rc_joins= {
|
|
local= {
|
|
burst_count = 10;
|
|
per_second = 0.1;
|
|
};
|
|
remote= {
|
|
burst_count = 10;
|
|
per_second = 0.01;
|
|
};
|
|
};
|
|
rc_login= {
|
|
account= {
|
|
burst_count = 3;
|
|
per_second = 0.17;
|
|
};
|
|
address= {
|
|
burst_count = 3;
|
|
per_second = 0.17;
|
|
};
|
|
failed_attempts= {
|
|
burst_count = 3;
|
|
per_second = 0.17;
|
|
};
|
|
};
|
|
rc_message= {
|
|
burst_count = 10;
|
|
per_second = 0.2;
|
|
};
|
|
rc_registration= {
|
|
burst_count = 3;
|
|
per_second = 0.17;
|
|
};
|
|
redaction_retention_period = "7d";
|
|
redis.enabled = false;
|
|
registration_requires_token = false;
|
|
registrations_require_3pid = ["email"];
|
|
report_stats = false;
|
|
require_auth_for_profile_requests = false;
|
|
room_list_publication_rules = [{
|
|
action = "allow";
|
|
alias = "*";
|
|
room_id = "*";
|
|
user_id = "*";
|
|
}];
|
|
|
|
signing_key_path = "/run/agenix/matrix-synapse-signing-key";
|
|
|
|
stream_writers = {};
|
|
trusted_key_servers = [{ server_name = "matrix.org";}];
|
|
|
|
turn_allow_guests = false;
|
|
turn_uris = [
|
|
"turn:${config.services.coturn.realm}:3478?transport=udp"
|
|
"turn:${config.services.coturn.realm}:3478?transport=tcp"
|
|
];
|
|
turn_user_lifetime = "1h";
|
|
|
|
url_preview_accept_language = [
|
|
"en-US"
|
|
"en"
|
|
];
|
|
url_preview_enabled = true;
|
|
url_preview_ip_range_blacklist = [
|
|
"127.0.0.0/8"
|
|
"10.0.0.0/8"
|
|
"172.16.0.0/12"
|
|
"192.168.0.0/16"
|
|
"100.64.0.0/10"
|
|
"192.0.0.0/24"
|
|
"169.254.0.0/16"
|
|
"192.88.99.0/24"
|
|
"198.18.0.0/15"
|
|
"192.0.2.0/24"
|
|
"198.51.100.0/24"
|
|
"203.0.113.0/24"
|
|
"224.0.0.0/4"
|
|
"::1/128"
|
|
"fe80::/10"
|
|
"fc00::/7"
|
|
"2001:db8::/32"
|
|
"ff00::/8"
|
|
"fec0::/10"
|
|
];
|
|
|
|
user_directory = {
|
|
prefer_local_users = false;
|
|
search_all_users = false;
|
|
};
|
|
user_ips_max_age = "28d";
|
|
|
|
app_service_config_files = [
|
|
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
|
"/var/lib/matrix-appservice-irc/registration.yml"
|
|
# "/matrix-appservice-slack-registration.yaml"
|
|
# "/hookshot-registration.yml"
|
|
# "/matrix-mautrix-signal-registration.yaml"
|
|
# "/matrix-mautrix-telegram-registration.yaml"
|
|
];
|
|
};
|
|
|
|
extraConfigFiles = [
|
|
"/run/agenix/matrix-synapse-secret-config.yaml"
|
|
|
|
# The registration file is automatically generated after starting the
|
|
# appservice for the first time.
|
|
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
|
|
# /var/lib/matrix-synapse/
|
|
# chown matrix-synapse:matrix-synapse \
|
|
# /var/lib/matrix-synapse/telegram-registration.yaml
|
|
"/var/lib/matrix-synapse/telegram-registration.yaml"
|
|
];
|
|
|
|
extras = [
|
|
"oidc"
|
|
"redis"
|
|
];
|
|
|
|
plugins = [
|
|
config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
|
|
];
|
|
};
|
|
|
|
services.restic.backups.matrix-synapse-storagebox = {
|
|
paths = [
|
|
"/var/lib/matrix-synapse"
|
|
"/var/lib/matrix-appservice-irc"
|
|
"/var/lib/mautrix-telegram"
|
|
"/tmp/matrix-synapse-backup.sql"
|
|
];
|
|
timerConfig = {
|
|
OnCalendar = "*-*-* 05:00:00 Etc/UTC";
|
|
};
|
|
initialize = true;
|
|
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
|
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
|
backupPrepareCommand = ''
|
|
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
|
|
'';
|
|
backupCleanupCommand = ''
|
|
rm /tmp/matrix-synapse-backup.sql
|
|
'';
|
|
};
|
|
}
|