diff --git a/modules/cloud/postgresql/default.nix b/modules/cloud/postgresql/default.nix
index da38e90..8cbaeb3 100644
--- a/modules/cloud/postgresql/default.nix
+++ b/modules/cloud/postgresql/default.nix
@@ -10,7 +10,7 @@ let
   userFromDatabase = databaseName: {
     name = databaseName;
     ensurePermissions = {
-      "DATABASE ${databaseName}" = "ALL PRIVILEGES";
+      "DATABASE \"${databaseName}\"" = "ALL PRIVILEGES";
     };
   };
 in
diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index 6f1abe7..adfd52a 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -18,6 +18,7 @@
     ./gitea.nix
     ./miniflux.nix
     ./writefreely.nix
+    ./synapse.nix
   ];
 
   common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
@@ -104,7 +105,6 @@
 
   # Conduit
   sops.secrets.heisenbridge = { owner = "heisenbridge"; };
-  sops.secrets.matrix-discord-bridge = { mode = "0644"; };
   cloud.conduit.enable = true;
   cloud.conduit.instances = {
     "nkagami" = {
@@ -128,15 +128,6 @@
       appserviceFile = config.sops.secrets.heisenbridge.path;
       homeserver = "https://m.nkagami.me";
     };
-    # services.matrix-appservice-discord = {
-    #   enable = true;
-    #   environmentFile = config.sops.secrets.matrix-discord-bridge.path;
-    #   serviceDependencies = [ "matrix-conduit-dtth.service" ];
-    #   settings.bridge = {
-    #     domain = "dtth.ch";
-    #     homeserverUrl = "https://m.dtth.ch:443";
-    #   };
-    # };
 
     # Navidrome back to the PC
     cloud.traefik.hosts.navidrome = {
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index 1104edd..938d983 100644
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
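Review bot: Quoting the identifier makes hyphenated names such as `matrix-synapse` valid in the generated `GRANT`, but `databaseName` is still spliced into an SQL identifier by Nix string interpolation, so a name containing a double quote would break or alter the statement; since the names come from the module's own `cloud.postgresql.databases` option rather than untrusted input, a comment is enough. I would add above the `ensurePermissions` key: `# Quote the identifier: names like "matrix-synapse" are not valid unquoted SQL identifiers; callers must not pass names containing a double quote.` If I recall correctly, later nixpkgs releases deprecate `ensurePermissions` in favour of `ensureDBOwnership`, so this helper may need reworking on the next channel bump. The surrounding `let` block begins outside the hunk.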
@@ -31,6 +31,9 @@ miniflux:
   pocket-consumer-key: ENC[AES256_GCM,data:NXY9Y8rFlzCVVG3ATUL/u7Sj6Im1RU/D16toUOLcIfKvddBjlu+QddKXWfLKppV1BQZ0,iv:nf3gkm098UhpZOgMbOdyG1FYVcl5G0gxoI6RTsZ1r14=,tag:bMOYwtFwUJ4SFornsWo8ig==,type:str]
   admin-creds: ENC[AES256_GCM,data:cBCwwRZR0B8nH7XLxHVZCThqmnUI6ZHFp3wH9TjdRbBTmySjPqU526ltn3lRQtopgqQ0IOuneTztXJ+wfqmLUABV6xlLBkXD7VX6Mf43RtIDyHL+UC56eIdn3xeawGsIjnta,iv:DOwHUL64ufLS7FbvnJCPxPYwMJF1pMPqjx78vltm9IY=,tag:A2Fpk4rI0/WK0jFtTlGhaA==,type:str]
 writefreely-dtth: ENC[AES256_GCM,data:Q2b3eCr5GLLyBMrGlTUSIuMN/vZXmMZV8T56+t7RjcoHQmEVDKGwPGgka4jf/yO9Nf6TdGB7iiXft+XK3t74XdnzTCTYYVFzFsv49eZDKpTeaR6pKcbesfJYyqOcHIuatQz/orQ1X6Ext9Xf9aBStY4GV6ticLpvdW3GtHzchMPuMm8vY8A8DYNH/kLGb96aHpQ53paKkckeDWcbDyCulUU=,iv:G4TNJ4vY6qo4iOrEBmsf6hHJWAqbl3t8JAyDIZ1lUUg=,tag:HEknuS+MjBBFbkpDEIRUfw==,type:str]
+matrix-synapse-dtth:
+  oidc-config: ENC[AES256_GCM,data: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,iv:5pYzz4QzKHVhHh+YFnerD5Q2S93stqBKILM2sxD23Fc=,tag:V0rVa/nTH3hv77Z8KOQOiw==,type:str]
+  appservice-discord: ENC[AES256_GCM,data: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,iv:PBo7+OSqBGxI7DzUpclcGWEFwTpcNqySRJzqHu7medU=,tag:fi06xru3e92WfqOJxHXd2w==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -64,8 +67,8 @@ sops:
           by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
           hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
           -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-10T13:45:36Z"
-    mac: ENC[AES256_GCM,data:Xz40gmGvm9GQIVSzVnn641Fhebn3zO1BPxtfRhJuIYL88SjItXop5kVjh0M6FSEznBmj+W/ZL8r9RZhKIO8WQZ3oXISjldu9fHK+n6X0QOdILI9rh/Y85J4YoSTvMWfLg+CiO1ECoDJKlrlHFXU7aBMHbI3BImIIFfmKhEJnu3s=,iv:825o5TpSPJhEV5j0XTSvBXasVX9KgjAlcNvYDny/f8I=,tag:Lnu89p+U1lZlDUYY3u/Omw==,type:str]
+    lastmodified: "2023-06-24T15:00:57Z"
+    mac: ENC[AES256_GCM,data:YScpMiCWfnVj9BhFGxcYwZ1+Su/nKiCS4EKTDrxjzQWHn/2nlJm1aOQ8NnP1xOaWj50STCLu32Zb1Gw+9JMejti4d90xit9WP0KpwmiHjPN5NjiM90DUkXD/Oz5BAQ0XKvjYnjrKMo/b+WQjuCzR9DfGNLIAFyPlzbfT/90pH80=,iv:OygOtvtKJ4/0+rt9Y49vgjU4hRpWL4rY8iOP8zIZh5w=,tag:ckjytQvd8h8TGZuob2wqJg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
diff --git a/nki-personal-do/synapse.nix b/nki-personal-do/synapse.nix
new file mode 100644
index 0000000..070aab0
--- /dev/null
+++ b/nki-personal-do/synapse.nix
@@ -0,0 +1,113 @@
+{ pkgs, lib, config, ... }:
+let
+  port = 61001;
+  user = "matrix-synapse";
+  host = "m.dtth.ch";
+  app_services = [
+    config.sops.secrets."matrix-synapse-dtth/appservice-discord".path
+  ];
+in
+{
+  sops.secrets."matrix-synapse-dtth/oidc-config".owner = user;
+  sops.secrets."matrix-synapse-dtth/appservice-discord".owner = user;
+  sops.secrets.matrix-discord-bridge = { mode = "0644"; };
+
+  cloud.postgresql.databases = [ user ];
+  cloud.traefik.hosts.matrix-synapse = {
+    inherit port;
+    filter = "Host(`m.dtth.ch`) && (PathPrefix(`/_matrix`) || PathPrefix(`/_synapse/client`))";
+  };
+  cloud.traefik.hosts.matrix-synapse-delegation = {
+    port = port + 1;
+    filter = "Host(`dtth.ch`) && PathPrefix(`/.well-known/matrix`)";
+  };
+
+  # Synapse instance for DTTH
+  services.matrix-synapse = {
+    enable = true;
+    withJemalloc = true;
+    dataDir = "${config.fileSystems.data.mountPoint}/matrix-synapse-dtth";
+    settings = {
+      server_name = "dtth.ch";
+      enable_registration = false;
+      public_baseurl = "https://${host}/";
+
+      listeners = [{
+        inherit port;
+        x_forwarded = true;
+        tls = false;
+        resources = [
+          { names = [ "client" "federation" ]; compress = false; }
+        ];
+      }];
+      database = {
+        name = "psycopg2";
+        args = {
+          inherit user;
+          database = user;
+          host = "/var/run/postgresql";
+        };
+      };
+      dynamic_thumbnails = true;
+
+      url_preview_enabled = true;
+      url_preview_ip_range_blacklist = [
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "100.64.0.0/10"
+        "192.0.0.0/24"
+        "169.254.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "192.0.2.0/24"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fe80::/10"
+        "fc00::/7"
+        "2001:db8::/32"
+        "ff00::/8"
+        "fec0::/10"
+      ];
+      app_service_config_files = app_services;
+    };
+    extraConfigFiles = [
+      (config.sops.secrets."matrix-synapse-dtth/oidc-config".path)
+    ];
+  };
+
+  services.matrix-appservice-discord = {
+    enable = true;
+    environmentFile = config.sops.secrets.matrix-discord-bridge.path;
+    settings.bridge = {
+      domain = "dtth.ch";
+      homeserverUrl = "https://m.dtth.ch";
+    };
+  };
+
+  services.nginx.virtualHosts.synapse-dtth-wellknown = {
+    listen = [{ addr = "127.0.0.1"; port = port + 1; }];
+    # Check https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md
+    # for the file structure.
+    root = pkgs.symlinkJoin
+      {
+        name = "well-known-files-for-synapse";
+        paths = [
+          (pkgs.writeTextDir ".well-known/matrix/client" (builtins.toJSON {
+            "m.homeserver".base_url = "https://${host}";
+          }))
+          (pkgs.writeTextDir ".well-known/matrix/server" (builtins.toJSON {
+            "m.server" = "${host}:443";
+          }))
+        ];
+      };
+    # Enable CORS from anywhere since we want all clients to find us out
+    extraConfig = ''
+      add_header 'Access-Control-Allow-Origin' "*";
+    '';
+  };
+}
+
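Review bot: `sops.secrets.matrix-discord-bridge = { mode = "0644"; };` makes the bridge's environment file world-readable, so every other local user and service on this host can read whatever credentials it holds (presumably the Discord bot token, since the same path is passed as `environmentFile` to `services.matrix-appservice-discord`). If the NixOS module hands that path to systemd's `EnvironmentFile=`, as I believe it does, the file is read by the service manager before the unit's user switch and the sops default (root-owned, 0400) is enough: `sops.secrets.matrix-discord-bridge = { };`. If the bridge process itself has to open the file, set `owner` to the service's user the way the two `matrix-synapse-dtth/*` secrets already do, rather than widening the mode. Separately, the listener sets `x_forwarded = true` without `bind_addresses`; Synapse defaults that to loopback, but adding `bind_addresses = [ "127.0.0.1" ];` would make explicit that `X-Forwarded-For` is only trusted from the local Traefik hop.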