Enable dtth synapse

modules/cloud/postgresql/default.nix

@@ -10,7 +10,7 @@ let
   userFromDatabase = databaseName: {
     name = databaseName;
     ensurePermissions = {
-      "DATABASE ${databaseName}" = "ALL PRIVILEGES";
+      "DATABASE \"${databaseName}\"" = "ALL PRIVILEGES";
     };
   };
 in

nki-personal-do/configuration.nix

@@ -18,6 +18,7 @@
     ./gitea.nix
     ./miniflux.nix
     ./writefreely.nix
+    ./synapse.nix
   ];
 
   common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
@@ -104,7 +105,6 @@
 
   # Conduit
   sops.secrets.heisenbridge = { owner = "heisenbridge"; };
-  sops.secrets.matrix-discord-bridge = { mode = "0644"; };
   cloud.conduit.enable = true;
   cloud.conduit.instances = {
     "nkagami" = {
@@ -128,15 +128,6 @@
     appserviceFile = config.sops.secrets.heisenbridge.path;
     homeserver = "https://m.nkagami.me";
   };
-  # services.matrix-appservice-discord = {
-  #   enable = true;
-  #   environmentFile = config.sops.secrets.matrix-discord-bridge.path;
-  #   serviceDependencies = [ "matrix-conduit-dtth.service" ];
-  #   settings.bridge = {
-  #     domain = "dtth.ch";
-  #     homeserverUrl = "https://m.dtth.ch:443";
-  #   };
-  # };
 
   # Navidrome back to the PC
   cloud.traefik.hosts.navidrome = {

nki-personal-do/secrets/secrets.yaml

@@ -31,6 +31,9 @@ miniflux:
     pocket-consumer-key: ENC[AES256_GCM,data:NXY9Y8rFlzCVVG3ATUL/u7Sj6Im1RU/D16toUOLcIfKvddBjlu+QddKXWfLKppV1BQZ0,iv:nf3gkm098UhpZOgMbOdyG1FYVcl5G0gxoI6RTsZ1r14=,tag:bMOYwtFwUJ4SFornsWo8ig==,type:str]
     admin-creds: ENC[AES256_GCM,data:cBCwwRZR0B8nH7XLxHVZCThqmnUI6ZHFp3wH9TjdRbBTmySjPqU526ltn3lRQtopgqQ0IOuneTztXJ+wfqmLUABV6xlLBkXD7VX6Mf43RtIDyHL+UC56eIdn3xeawGsIjnta,iv:DOwHUL64ufLS7FbvnJCPxPYwMJF1pMPqjx78vltm9IY=,tag:A2Fpk4rI0/WK0jFtTlGhaA==,type:str]
 writefreely-dtth: ENC[AES256_GCM,data:Q2b3eCr5GLLyBMrGlTUSIuMN/vZXmMZV8T56+t7RjcoHQmEVDKGwPGgka4jf/yO9Nf6TdGB7iiXft+XK3t74XdnzTCTYYVFzFsv49eZDKpTeaR6pKcbesfJYyqOcHIuatQz/orQ1X6Ext9Xf9aBStY4GV6ticLpvdW3GtHzchMPuMm8vY8A8DYNH/kLGb96aHpQ53paKkckeDWcbDyCulUU=,iv:G4TNJ4vY6qo4iOrEBmsf6hHJWAqbl3t8JAyDIZ1lUUg=,tag:HEknuS+MjBBFbkpDEIRUfw==,type:str]
+matrix-synapse-dtth:
+    oidc-config: ENC[AES256_GCM,data:06lv5ejqnQ1jBAhCBxXY3nNulXFnDt/S2ycma9+hlG6mSMGfRfIcfDZfKOfUUuV2uMI7ix4r0QdM3351VucvnWCZZlXz5YpVgNg1YZDvtSQxe3SJqKj/y3u+nYbPPIRgACiFpiajBeEvS/evIT8+Ty3myDVPHovYkuCb0U1eD3/xGK38lx6+H3Cjk3LyszMg1EwXdkDjbcDVYDhSEelkB9rWXH1vw5qNZOzGgIoYEe6ppMmPZjpUM9jyounuF/+FzLbkWz6YvY4zWD5fND5fFdT4AA1e1jzCLQIsaVZ8N6co5lwzfBfydLosEy+h/COv1wzvfXiEjNi4f+2Ol7kSu4+G3u3V6EcqTyVjj38oTLaAx1cG9pnPmAc/zTUCmepITAWysvuzIVd8gwde1CheANLp1WnQrAAKJiHv/6bxPoi0ROu0BpQqupU9XUcTXRysuTjBH5/ABjlvk8lTiFi8Ryt7KzC23kPWf541B8BO/yfpmq8mheMz1AYm+fkTZOqKgkfm4NStN58oiYn6NEyWpuaAx7DEUgO/MIrIKXfTzGCT++33Cnr41fLSqWgqIUhBxd9P1s3cYk942UxC2VdKf1qq6IGZK4iq8T1FUoXqmTnjEfwvTm2hDkZqwEdvkKZUolKvnsZL44KRBow/LMGGsDDFoOMsMT9MqE2fBGOudTnHncs3I/T7eEDnHH+z+60Axo6mKGwmaHRHeqeiV4OIrPmM5X8uUIWvKoNsY3UvL/VgKA2Zh7wm8irB0rgcaKDW6QMmJIxqd3RK9WwmOT4hPy/SC5nm1ZRlag/f+H6q+WOtEaK+,iv:5pYzz4QzKHVhHh+YFnerD5Q2S93stqBKILM2sxD23Fc=,tag:V0rVa/nTH3hv77Z8KOQOiw==,type:str]
+    appservice-discord: ENC[AES256_GCM,data:lAAEa6ltXi29+POrG87bMAvv8du3DiGYl8f7npqW0ga3YgrvofgYnC8QJUyznIQ3Ye9yWxzjzaClu7viFgkN0yIXlpENIOcSTrdlMgg5mdJ8f9elltp/VPiwVimubPa8QnpLNRy/NAEVpDFygw9VOM+Fu203M/pofK0qX6NfO9PeQGma1iKQeMKrV/6RwjF+70rnTMEhO0PCyTl2PEwZiDtkxgI7Yyl37p8bUuJ4YZ5MhZN94lODb+toPaN29BZT4q23VrJmxiW3VEeJj+tEmx4X+KeCO5AArtPl9YOkoRt/uSRKljsf109AIiclRj0wITqOx/QL2qntFuAidxTm8MoJQ6eoq/bwQp/BUpPubIMeY+z2b8XIgZGZSPZMdaObvaqDFdMLq7GW61GxYKFgNxHYA4uhndbE5VDNkcFkw4FEC5x40fwqGaunmqvAdb3p4I9EhlQ28e5S+hX1FFrMHjsJWlnjSySDRjCodJMtep19J+qVVgyf5A==,iv:PBo7+OSqBGxI7DzUpclcGWEFwTpcNqySRJzqHu7medU=,tag:fi06xru3e92WfqOJxHXd2w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -64,8 +67,8 @@ sops:
             by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
             hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-10T13:45:36Z"
-    mac: ENC[AES256_GCM,data:Xz40gmGvm9GQIVSzVnn641Fhebn3zO1BPxtfRhJuIYL88SjItXop5kVjh0M6FSEznBmj+W/ZL8r9RZhKIO8WQZ3oXISjldu9fHK+n6X0QOdILI9rh/Y85J4YoSTvMWfLg+CiO1ECoDJKlrlHFXU7aBMHbI3BImIIFfmKhEJnu3s=,iv:825o5TpSPJhEV5j0XTSvBXasVX9KgjAlcNvYDny/f8I=,tag:Lnu89p+U1lZlDUYY3u/Omw==,type:str]
+    lastmodified: "2023-06-24T15:00:57Z"
+    mac: ENC[AES256_GCM,data:YScpMiCWfnVj9BhFGxcYwZ1+Su/nKiCS4EKTDrxjzQWHn/2nlJm1aOQ8NnP1xOaWj50STCLu32Zb1Gw+9JMejti4d90xit9WP0KpwmiHjPN5NjiM90DUkXD/Oz5BAQ0XKvjYnjrKMo/b+WQjuCzR9DfGNLIAFyPlzbfT/90pH80=,iv:OygOtvtKJ4/0+rt9Y49vgjU4hRpWL4rY8iOP8zIZh5w=,tag:ckjytQvd8h8TGZuob2wqJg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

nki-personal-do/synapse.nix

@@ -0,0 +1,113 @@
+{ pkgs, lib, config, ... }:
+let
+  port = 61001;
+  user = "matrix-synapse";
+  host = "m.dtth.ch";
+  app_services = [
+    config.sops.secrets."matrix-synapse-dtth/appservice-discord".path
+  ];
+in
+{
+  sops.secrets."matrix-synapse-dtth/oidc-config".owner = user;
+  sops.secrets."matrix-synapse-dtth/appservice-discord".owner = user;
+  sops.secrets.matrix-discord-bridge = { mode = "0644"; };
+
+  cloud.postgresql.databases = [ user ];
+  cloud.traefik.hosts.matrix-synapse = {
+    inherit port;
+    filter = "Host(`m.dtth.ch`) && (PathPrefix(`/_matrix`) || PathPrefix(`/_synapse/client`))";
+  };
+  cloud.traefik.hosts.matrix-synapse-delegation = {
+    port = port + 1;
+    filter = "Host(`dtth.ch`) && PathPrefix(`/.well-known/matrix`)";
+  };
+
+  # Synapse instance for DTTH
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+    dataDir = "${config.fileSystems.data.mountPoint}/matrix-synapse-dtth";
+    settings = {
+      server_name = "dtth.ch";
+      enable_registration = false;
+      public_baseurl = "https://${host}/";
+
+      listeners = [{
+        inherit port;
+        x_forwarded = true;
+        tls = false;
+        resources = [
+          { names = [ "client" "federation" ]; compress = false; }
+        ];
+      }];
+      database = {
+        name = "psycopg2";
+        args = {
+          inherit user;
+          database = user;
+          host = "/var/run/postgresql";
+        };
+      };
+      dynamic_thumbnails = true;
+
+      url_preview_enabled = true;
+      url_preview_ip_range_blacklist = [
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "100.64.0.0/10"
+        "192.0.0.0/24"
+        "169.254.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "192.0.2.0/24"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fe80::/10"
+        "fc00::/7"
+        "2001:db8::/32"
+        "ff00::/8"
+        "fec0::/10"
+      ];
+      app_service_config_files = app_services;
+    };
+    extraConfigFiles = [
+      (config.sops.secrets."matrix-synapse-dtth/oidc-config".path)
+    ];
+  };
+
+  services.matrix-appservice-discord = {
+    enable = true;
+    environmentFile = config.sops.secrets.matrix-discord-bridge.path;
+    settings.bridge = {
+      domain = "dtth.ch";
+      homeserverUrl = "https://m.dtth.ch";
+    };
+  };
+
+  services.nginx.virtualHosts.synapse-dtth-wellknown = {
+    listen = [{ addr = "127.0.0.1"; port = port + 1; }];
+    # Check https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md
+    # for the file structure.
+    root = pkgs.symlinkJoin
+      {
+        name = "well-known-files-for-synapse";
+        paths = [
+          (pkgs.writeTextDir ".well-known/matrix/client" (builtins.toJSON {
+            "m.homeserver".base_url = "https://${host}";
+          }))
+          (pkgs.writeTextDir ".well-known/matrix/server" (builtins.toJSON {
+            "m.server" = "${host}:443";
+          }))
+        ];
+      };
+    # Enable CORS from anywhere since we want all clients to find us out
+    extraConfig = ''
+      add_header 'Access-Control-Allow-Origin' "*";
+    '';
+  };
+}
+