authorroblabla <robinlambertz+dev@gmail.com>2016-01-08 15:12:00 +0100
committerroblabla <robinlambertz+dev@gmail.com>2016-01-15 15:17:14 +0100
commit7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a (patch)
tree4ef7028f35bccac3ca3969355047a51b3879f43d /nixos
parentc29df5f8a7122fbc9411765156ab42c12baadbbb (diff)
matrix-synapse: init at 0.12.0
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/misc/matrix-synapse-log_config.yaml25
-rw-r--r--nixos/modules/services/misc/matrix-synapse.nix279
4 files changed, 307 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 39ed914994c1..6a3baf98a004 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -245,6 +245,7 @@
       opendkim = 221;
       dspam = 222;
       gale = 223;
+      matrix-synapse = 224;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -467,6 +468,7 @@
       opendkim = 221;
       dspam = 222;
       gale = 223;
+      matrix-synapse = 224;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d9e8c2da5b32..4f125b09afbf 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -214,6 +214,7 @@
   ./services/misc/gpsd.nix
   ./services/misc/ihaskell.nix
   ./services/misc/mathics.nix
+  ./services/misc/matrix-synapse.nix
   ./services/misc/mbpfan.nix
   ./services/misc/mediatomb.nix
   ./services/misc/mesos-master.nix
diff --git a/nixos/modules/services/misc/matrix-synapse-log_config.yaml b/nixos/modules/services/misc/matrix-synapse-log_config.yaml
new file mode 100644
index 000000000000..d85bdd1208f9
--- /dev/null
+++ b/nixos/modules/services/misc/matrix-synapse-log_config.yaml
@@ -0,0 +1,25 @@
+version: 1
+
+# In systemd's journal, loglevel is implicitly stored, so let's omit it
+# from the message text.
+formatters:
+    journal_fmt:
+        format: '%(name)s: [%(request)s] %(message)s'
+
+filters:
+    context:
+        (): synapse.util.logcontext.LoggingContextFilter
+        request: ""
+
+handlers:
+    journal:
+        class: systemd.journal.JournalHandler
+        formatter: journal_fmt
+        filters: [context]
+        SYSLOG_IDENTIFIER: synapse
+
+root:
+    level: INFO
+    handlers: [journal]
+
+disable_existing_loggers: False
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
new file mode 100644
index 000000000000..27c5a38e6b88
--- /dev/null
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -0,0 +1,279 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.matrix-synapse;
+  logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
+  configFile = pkgs.writeText "homeserver.yaml" ''
+tls_certificate_path: "${cfg.tls_certificate_path}"
+tls_private_key_path: "${cfg.tls_private_key_path}"
+tls_dh_params_path: "${cfg.tls_dh_params_path}"
+no_tls: ${if cfg.no_tls then "true" else "false"}
+bind_port: ${toString cfg.bind_port}
+unsecure_port: ${toString cfg.unsecure_port}
+bind_host: "${cfg.bind_host}"
+server_name: "${cfg.server_name}"
+pid_file: "/var/run/matrix-synapse.pid"
+web_client: ${if cfg.web_client then "true" else "false"}
+database: {
+  name: "${cfg.database_type}",
+  args: {
+    ${concatStringsSep ",\n    " (
+      mapAttrsToList (n: v: "\"${n}\": ${v}") cfg.database_args
+    )}
+  }
+}
+log_file: "/var/log/matrix-synapse/homeserver.log"
+log_config: "${logConfigFile}"
+media_store_path: "/var/lib/matrix-synapse/media"
+recaptcha_private_key: "${cfg.recaptcha_private_key}"
+recaptcha_public_key: "${cfg.recaptcha_public_key}"
+enable_registration_captcha: ${if cfg.enable_registration_captcha then "true" else "false"}
+turn_uris: ${if (length cfg.turn_uris) == 0 then "[]" else ("\n" + (concatStringsSep "\n" (map (s: "- " + s) cfg.turn_uris)))}
+turn_shared_secret: "${cfg.turn_shared_secret}"
+enable_registration: ${if cfg.enable_registration then "true" else "false"}
+${optionalString (cfg.registration_shared_secret != "") ''
+registration_shared_secret: "${cfg.registration_shared_secret}"
+''}
+enable_metrics: ${if cfg.enable_metrics then "true" else "false"}
+report_stats: ${if cfg.report_stats then "true" else "false"}
+signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
+perspectives:
+  servers: {
+    ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
+    "${n}": {
+      "verify_keys": {
+        ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
+        "${n}": {
+          "key": "${v}"
+        }'') v)}
+      }
+    '') cfg.servers)}
+    }
+  }
+${cfg.extraConfig}
+'';
+in {
+  options = {
+    services.matrix-synapse = {
+      enable = mkEnableOption "matrix.org synapse";
+      package = mkOption {
+        type = types.package;
+        default = pkgs.matrix-synapse;
+        description = ''
+          Overridable attribute of the matrix synapse server package to use.
+        '';
+      };
+      no_tls = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Don't bind to the https port
+        '';
+      };
+      tls_certificate_path = mkOption {
+        type = types.path;
+        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
+        description = ''
+          PEM encoded X509 certificate for TLS
+        '';
+      };
+      tls_private_key_path = mkOption {
+        type = types.path;
+        default = "/var/lib/matrix-synapse/homeserver.tls.key";
+        description = ''
+          PEM encoded private key for TLS
+        '';
+      };
+      tls_dh_params_path = mkOption {
+        type = types.path;
+        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
+        description = ''
+          PEM dh parameters for ephemeral keys
+        '';
+      };
+      bind_port = mkOption {
+        type = types.int;
+        default = 8448;
+        description = ''
+          The port to listen for HTTPS requests on.
+          For when matrix traffic is sent directly to synapse.
+        '';
+      };
+      unsecure_port = mkOption {
+        type = types.int;
+        default = 8008;
+        description = ''
+          The port to listen for HTTP requests on.
+          For when matrix traffic passes through loadbalancer that unwraps TLS.
+        '';
+      };
+      bind_host = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          Local interface to listen on.
+          The empty string will cause synapse to listen on all interfaces.
+        '';
+      };
+      server_name = mkOption {
+        type = types.str;
+        description = ''
+          The domain name of the server, with optional explicit port.
+          This is used by remote servers to connect to this server,
+          e.g. matrix.org, localhost:8080, etc.
+          This is also the last part of your UserID.
+        '';
+      };
+      web_client = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to serve a web client from the HTTP/HTTPS root resource.
+        '';
+      };
+      database_type = mkOption {
+        type = types.enum [ "sqlite3" "psycopg2" ];
+        default = "sqlite3";
+        description = ''
+          The database engine name. Can be sqlite or psycopg2.
+        '';
+      };
+      database_args = mkOption {
+        type = types.attrs;
+        default = {
+          database = "/var/lib/matrix-synapse/homeserver.db";
+        };
+        description = ''
+          Arguments to pass to the engine.
+        '';
+      };
+      recaptcha_private_key = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          This Home Server's ReCAPTCHA private key.
+        '';
+      };
+      recaptcha_public_key = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          This Home Server's ReCAPTCHA public key.
+        '';
+      };
+      enable_registration_captcha = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enables ReCaptcha checks when registering, preventing signup
+          unless a captcha is answered. Requires a valid ReCaptcha
+          public/private key.
+        '';
+      };
+      turn_uris = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          The public URIs of the TURN server to give to clients
+        '';
+      };
+      turn_shared_secret = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          The shared secret used to compute passwords for the TURN server
+        '';
+      };
+      enable_registration = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable registration for new users.
+        '';
+      };
+      registration_shared_secret = mkOption {
+        type = types.str;
+        default = "";
+        description = ''
+          If set, allows registration by anyone who also has the shared
+          secret, even if registration is otherwise disabled.
+        '';
+      };
+      enable_metrics = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable collection and rendering of performance metrics
+        '';
+      };
+      report_stats = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+        '';
+      };
+      servers = mkOption {
+        type = types.attrs;
+        default = {
+          "matrix.org" = {
+            "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+          };
+        };
+        description = ''
+          The trusted servers to download signing keys from.
+        '';
+      };
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra config options for matrix-synapse.
+        '';
+      };
+      logConfig = mkOption {
+        type = types.lines;
+        default = readFile ./matrix-synapse-log_config.yaml;
+        description = ''
+          A yaml python logging config file
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.extraUsers = [
+      { name = "matrix-synapse";
+        group = "matrix-synapse";
+        home = "/var/lib/matrix-synapse";
+        createHome = true;
+        shell = "${pkgs.bash}/bin/bash";
+        uid = config.ids.uids.matrix-synapse;
+      } ];
+
+    users.extraGroups = [
+      { name = "matrix-synapse";
+        gid = config.ids.gids.matrix-synapse;
+      } ];
+
+    systemd.services.matrix-synapse = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p /var/lib/matrix-synapse
+        chmod 700 /var/lib/matrix-synapse
+        chown -R matrix-synapse:matrix-synapse /var/lib/matrix-synapse
+        ${cfg.package}/bin/homeserver --config-path ${configFile} --generate-keys
+      '';
+      serviceConfig = {
+        Type = "simple";
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        WorkingDirectory = "/var/lib/matrix-synapse";
+        PermissionsStartOnly = true;
+        ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile}";
+      };
+    };
+  };
+}
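Review bot: The secrets interpolated into `configFile` — `recaptcha_private_key`, `turn_shared_secret` and the conditional `registration_shared_secret` line — are written with `pkgs.writeText`, so the rendered homeserver.yaml lands in the Nix store, which is world-readable, and any local user can read those values. At minimum the descriptions of those three options should say so, e.g. `Note: this value is written to the world-readable Nix store as part of the generated homeserver.yaml.`, and the same caveat applies to `extraConfig`. The `report_stats` option has an empty description and should state what is reported and to whom before it is exposed to users. In `preStart`, the `chown -R` runs before `--generate-keys` is executed as root (`PermissionsStartOnly = true`), so files the generator creates are presumably root-owned when the service later starts as `matrix-synapse`; moving the chown after the generate step, or running the generator as the service user, would avoid that.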