Migrate matrix-synapse away from docker

2021-07-10 14:19:05 +02:00 · 2021-07-10 14:19:05 +02:00 · 3af05052c8
commit 3af05052c8
parent 7051e2e1e3
10 changed files with 202 additions and 0 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -31,6 +31,7 @@
    };
    games.tetris.server = true;
    services = {
+      matrix.enable = true;
      nextcloud.enable = true;
      syncthing.enable = true;
    };
--- a/machines/lasting-integrity/secret.nix
+++ b/machines/lasting-integrity/secret.nix
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -6,6 +6,7 @@
    ./containers
    ./data-access
    ./deluge
+    ./matrix
    ./nextcloud
    ./nginx
    ./syncthing
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@ -0,0 +1,168 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.services.matrix.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.services.matrix.enable {
+    chvp.services.nginx.hosts = [{
+      fqdn = "matrix.vanpetegem.me";
+      options.locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:8448";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-Ssl on;
+            proxy_read_timeout 600;
+            client_max_body_size 10M;
+          '';
+        };
+        "/_slack" = {
+          proxyPass = "http://127.0.0.1:9898";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-Ssl on;
+          '';
+        };
+      };
+    }];
+
+    services = {
+      matrix-synapse = {
+        enable = true;
+        server_name = "vanpetegem.me";
+        public_baseurl = "https://vanpetegem.me";
+        listeners = [{
+          port = 8448;
+          bind_address = "localhost";
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            { names = ["client" "webclient"]; compress = true; }
+            { names = ["federation"]; compress = false; }
+          ];
+        }];
+        url_preview_enabled = true;
+        enable_metrics = false;
+        enable_registration = false;
+        report_stats = false;
+        allow_guest_access = false;
+        app_service_config_files = [
+          config.age.secrets."files/services/matrix-synapse/whatsapp-registration.yml".path
+          config.age.secrets."files/services/matrix-synapse/slack-registration.yml".path
+        ];
+        extraConfigFiles = [
+          config.age.secrets."files/services/matrix-synapse/config.yml".path
+        ];
+        dataDir = "${config.chvp.dataPrefix}/var/lib/matrix-synapse";
+      };
+      postgresql = {
+        enable = true;
+        dataDir = "${config.chvp.dataPrefix}/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+        ensureDatabases = [
+          "matrix-synapse"
+          "matrix_appservice_slack"
+          "mautrix_whatsapp"
+        ];
+        ensureUsers = [
+          {
+            name = "matrix_appservice_slack";
+            ensurePermissions = {
+              "DATABASE matrix_appservice_slack" = "ALL PRIVILEGES";
+            };
+          }
+          {
+            name = "mautrix_whatsapp";
+            ensurePermissions = {
+              "DATABASE mautrix_whatsapp" = "ALL PRIVILEGES";
+            };
+          }
+          {
+            name = "matrix-synapse";
+            ensurePermissions = {
+              "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
+            };
+          }
+        ];
+      };
+    };
+
+    systemd.services = {
+      matrix-appservice-slack = {
+        description = "Matrix <-> Slack bridge";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        requires = [ "postgresql.service" "matrix-synapse.service" ];
+        script = "${pkgs.matrix-appservice-slack}/bin/matrix-appservice-slack --config ${config.age.secrets."files/services/matrix-appservice-slack/config.yml".path} --file ${config.age.secrets."files/services/matrix-appservice-slack/registration.yml".path}";
+        serviceConfig = {
+          User = "matrix_appservice_slack";
+          Group = "matrix_appservice_slack";
+        };
+      };
+      matrix-synapse = {
+        requires = [ "postgresql.service" ];
+      };
+      mautrix-whatsapp = {
+        description = "Matrix <-> WhatsApp bridge";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        requires = [ "postgresql.service" "matrix-synapse.service" ];
+        script = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp --config ${config.age.secrets."files/services/mautrix-whatsapp/config.yml".path}";
+        serviceConfig = {
+          User = "mautrix_whatsapp";
+          Group = "mautrix_whatsapp";
+        };
+      };
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/log/mautrix-whatsapp - mautrix_whatsapp mautrix_whatsapp"
+    ];
+
+    users = {
+      users = {
+        matrix_appservice_slack = {
+          group = "matrix_appservice_slack";
+          isSystemUser = true;
+        };
+        mautrix_whatsapp = {
+          group = "mautrix_whatsapp";
+          isSystemUser = true;
+        };
+      };
+      groups = {
+        matrix_appservice_slack = {};
+        mautrix_whatsapp = {};
+      };
+    };
+
+    age.secrets."files/services/matrix-appservice-slack/config.yml" = {
+      file = ../../../secrets/files/services/matrix-appservice-slack/config.yml.age;
+      owner = "matrix_appservice_slack";
+    };
+    age.secrets."files/services/matrix-appservice-slack/registration.yml" = {
+      file = ../../../secrets/files/services/matrix-appservice-slack/registration.yml.age;
+      owner = "matrix_appservice_slack";
+    };
+    age.secrets."files/services/mautrix-whatsapp/config.yml" = {
+      file = ../../../secrets/files/services/mautrix-whatsapp/config.yml.age;
+      owner = "mautrix_whatsapp";
+    };
+    age.secrets."files/services/mautrix-whatsapp/registration.yml" = {
+      file = ../../../secrets/files/services/mautrix-whatsapp/registration.yml.age;
+      owner = "mautrix_whatsapp";
+    };
+    age.secrets."files/services/matrix-synapse/config.yml" = {
+      file = ../../../secrets/files/services/matrix-synapse/config.yml.age;
+      owner = "matrix-synapse";
+    };
+    age.secrets."files/services/matrix-synapse/slack-registration.yml" = {
+      file = ../../../secrets/files/services/matrix-appservice-slack/registration.yml.age;
+      owner = "matrix-synapse";
+    };
+    age.secrets."files/services/matrix-synapse/whatsapp-registration.yml" = {
+      file = ../../../secrets/files/services/mautrix-whatsapp/registration.yml.age;
+      owner = "matrix-synapse";
+    };
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -46,6 +46,12 @@ in

  "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;

+  "secrets/files/services/matrix-appservice-slack/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/files/services/matrix-appservice-slack/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/files/services/matrix-synapse/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/files/services/mautrix-whatsapp/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/files/services/mautrix-whatsapp/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
+
  "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
  "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
  "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users;
--- a/secrets/files/services/matrix-appservice-slack/config.yml.age
+++ b/secrets/files/services/matrix-appservice-slack/config.yml.age
--- a/secrets/files/services/matrix-appservice-slack/registration.yml.age
+++ b/secrets/files/services/matrix-appservice-slack/registration.yml.age
--- a/secrets/files/services/matrix-synapse/config.yml.age
+++ b/secrets/files/services/matrix-synapse/config.yml.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ 8smxRyefvJCc5vKEGHaepQMT8bow/DNCoM+JLnCCtDc
+Hf32K1yhV4oVnW/oCmAVeIM5cuGWE+Yn7gYI8EmVV/E
+-> ssh-ed25519 s9rb8g rUwHvPZ6imYJGruQEp3CJqVt7QG/9je39cOyGAK6Kgc
+asUG1z+XJgbK5WLFUo1RyUhjbBpfN+4bklzIgnjRCOY
+-> ssh-ed25519 yad4VQ MY6hLbI5APbve6XZQmCSdYiKp2XeqQmE8IkIjq+I3DI
+1ts+jW41Hi+OzMJZka8BhvfpcL3F1fMDoUtqAIEEHU8
+-> M[#DV(x>-grease k!'J+ 8b48w@ IyA8fZS Mm!wBM
+efJSJLAjOg
+--- qH7jsRJxviBS797tKOHqZ+8Dw9TUW77Kxh+FzXe2wrU
+ôÊ˜i¤z`ç/’lK‘¨Ì“ÍX
+ÝÚB‰u$T5*!ø!Öp±p™ì<[¯94ì ôC¾Û'ð2¹JŸÚ¨ž¨
kd‹ˆsGB&L5*†oŒîèY"¥ì˜_é%ûµýüT“£åÆfˆ
ôQ<C3B4>L÷žù¸^@ƒáAÁË· [®2)4l¶‘•ãö ^r&?ˆ¥dÛ.:žÏŠ!rš×(¾è•lNµÁ`5…s¡îõÿ›A’š0
‡‘œ‰j›ÊØï1jMì6§AÅxÿ+›	“kbð4”!n<…»í¸Ÿ®|<7C>pÓª¢::Õ9®R‡Vt%Oh3ÎÖómåƒ™PË8®8«jt %Zˆ-<2D>PªÃúMAŒ,½ð@zó'ühû<68>Ÿ†ä²š`
+j™®MyÃãÙXðóï{³÷"º
¿yóçñ'²<>éûšÕ–Y5dÛ£,J®SÎó±ét×mŸSRã{<7B><ô[Ê“oË
--- a/secrets/files/services/mautrix-whatsapp/config.yml.age
+++ b/secrets/files/services/mautrix-whatsapp/config.yml.age
--- a/secrets/files/services/mautrix-whatsapp/registration.yml.age
+++ b/secrets/files/services/mautrix-whatsapp/registration.yml.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ 86VloTluhamQNdKHRUAxq/vIOIofC3bZ9hWebD7k00A
+2NwKLN+uxE7uk/C9qbP18wnnhxxgaZgO3lEBTyI4hRU
+-> ssh-ed25519 s9rb8g iTwdPsRGqXYX8v7rE1AhYQ3WertuPXeMkIUZyWCYdyQ
+nFtFK8dCYHEOvbGOxOoDFQihPgUJcHs7GEdcKDFdQuA
+-> ssh-ed25519 yad4VQ 40+mwVfKKnI/7Hn6kUZ6b4FzUSsc94muTCsmnbwy6R8
+bN5uXoRq6W69YEqYeHYOOOvhk8YOBeWG/mPC3LTTpOg
+-> "~~w-grease \.L) j)?:q_F ]J_GYI`w
+fmjAIxkdBwk+aehXvYQ3qORkUU835c89sGnKHhJlr0Fh+g962TjT8t6iJUDaG52m
+BTfwzyNDyXlMoeyOcscjVrbSzHTBJ7OakmP4bAfhHAR4zimyfLOhhMl+
+--- DroKHvz6niysIke4xiNwhuiP7OmU3GNd5acA9kcqkik
+?qAÕŒö(JÐ™Q<'Û;Q„ž…þ6KuçÂ€,Ëï³$‰iß«ÁÛü„H(Úª8&³‘ª-7-/,@õF¢ÆpWJ‡PNß=‚Ž¤éN^kEtÒ¥£³<C2A3>"èæ¥Gó‹Ôz¥XDâ*8®^y>Ë{‚Nµ|ùc£%'«·¸{hŒ'À@Ø¢q'ÅÊuØHé £pAÖ>éÜ4Ö½ÄgÍ"«Î‹½Øu‹ßd"@5ƒt¿,—ýèMHŸÐS<:<10>ck>®>Ý¨NPsªØ´kèFÖ<1E>€
+tC3‘Ü|ÛÔ8¢=Q vìù‡Bh;}Ê`;ü~W ÆHÎob*àÑN²Ka¢î¸)ˆdÉ#i<>“õTKK®¿$^žúW~…¯¦¦¼ÄÇbÎöqG~ÅÊ„³)>-höž‘&ÂwH£•–©$Þ<1C>*Î&c“ý<E2809C>Tñ^G<12>Tk—”’z1ÄsÓXçï-Ñ$¾Ì<C2BE>Bx?s¦æYÿù”nLã\dß-°í¡nyw+€©ÏH·èF’ƒ©ú9ñÝ<C3B1>–œp®žNÌËÀ_½ó¿Éw™Ù»<C399>ð