chn/nixos
1
0
Fork 0
mirror of https://github.com/CHN-beta/nixos.git synced 2026-01-12 04:39:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

modules.services.synapse: remove sliding

Browse Source
This commit is contained in:
陈浩南
2024-11-07 12:45:52 +08:00
parent fc44aba8d4
commit 9da408acbc
3 changed files with 152 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
devices/vps7/default.nix
View File

@@ -40,7 +40,7 @@ inputs:
synapse.instances =
{
synapse.matrixHostname = "synapse.chn.moe";
matrix = { port = 8009; redisPort = 6380; slidingSyncPort = 9001; };
matrix = { port = 8009; redisPort = 6380; };
};
vaultwarden.enable = true;
beesd.instances.root = { device = "/"; hashTableSizeMB = 512; };

2
devices/vps7/secrets.yaml
View File

@@ -39,14 +39,12 @@ synapse:
macaroon: ENC[AES256_GCM,data:2/8GuF/a+ocVtLN0PU17JDvXw/RoXX/CXFHPlI9THl5bY8lBm6tEawijnOKVoFLovfU=,iv:GPAr3ZjqLf9ixevsZoQgs4cPkv0VL4WJoFfQZOdThlw=,tag:HRt/igDEfUJ3K39mG7b9Fg==,type:str]
form: ENC[AES256_GCM,data:Z9cYL9ibRWmOhAYtB269n0cWZSvL4zGgc03ZRag0m8cz2j0god/Fn/w6kx3cyGK1C70=,iv:Yst6WSV63IvbMF5nnicIoBj77eSwVMnAHtHrKo2UcDk=,tag:4qf6F2rdctcCf4J9vECvYg==,type:str]
signing-key: ENC[AES256_GCM,data:BbPJiNcVTqMAL2XG3K3CIbsb8EM4r8ct/WxPK10FHRwAnqChKy3CAviYU9gewO/tNZXHvUYUAUbPww==,iv:IZB/40EE3DIxAqagdH/a4kcSmiec5l24XLCQKCQNaRo=,tag:/1t0WAPBYmYrPTx4V4wgkw==,type:str]
sliding-sync: ENC[AES256_GCM,data:POXExkTRRhXin4lD4MA61xsuzYXCT6U7QtQWtNnEb6kUWRrAvS9mqk+JTBn3onCzf2Azhi3WQOY/t+OiQFXI1w==,iv:GJfJSGb6t/q9KdVCr0dVVcD+e0yZUQzrJrtuhOlYJIE=,tag:ovd1ZXRkk7VoNo8KoYDViA==,type:str]
matrix:
coturn: ENC[AES256_GCM,data:MwZKkYMefshuk46Cne4wn9ooFH8RCDbrxp+MbLJWli9iPHuzJJzUuQNU9EDL0aNbzyYEMt/7DErw42z6KrpGww==,iv:u/SVVTgfJO2FakiYU+uLHXjA4tHU/W6ASsR3S31+pWs=,tag:VTeKNOKwm2bsiZAOVXeBOQ==,type:str]
registration: ENC[AES256_GCM,data:+pA61vTg12lYUyXjLrHSY7y/ExfTQffLlGUI4HBOSFFPTck7bu68FrCaHOIBTtEMfjU=,iv:Ex/phkBZxglG8HiRz+m7h2HNanpq2Pxwbm08vdM3xFc=,tag:mM3YEa70FnCeYIUthK4TeA==,type:str]
macaroon: ENC[AES256_GCM,data:/+RaayKiPPpVV7OWWdaSkSSRHMjb8d58lZcpvltN9cYkN1btvMViEgdLSlfqzRRlPUE=,iv:pg9GXgNsrVWKlUAiCKZ2pYXugRH6MsBIMpHKoYWYLik=,tag:/mj5Ak7XAX/FH7sNPEVALw==,type:str]
form: ENC[AES256_GCM,data:7HF7HMUH1BTJgXXP6cpUiVj0jCwGW57bx9wKTJu7PnRsNuAam/+nKX7Zfg7WD+gSBlA=,iv:SYeUsuFVgAA6U6STCtKT5c5E8Kglh3x7hy6+Op4n0W8=,tag:eICmHTwwn0KcgNhdDGnusA==,type:str]
signing-key: ENC[AES256_GCM,data:hzxxDbGp1L09O7+ueUSa5lJOY/QvF2zvHdpueEHjaPQEToQt9mr2loeTQHC7ObTegfLb9UHrI1jn4A==,iv:KngfahwYZZmDQ5LeOUPWptTMGAC8TZm1G0FWcrwCwsw=,tag:U9pW6/boBIpiswn67Ezrfw==,type:str]
sliding-sync: ENC[AES256_GCM,data:BeA6g98IWDP6hnLFI77QqG6esDwB6j3OPzAv3eJxWoTajAsByHSgSYP1vHN5Iok6IgvSSmkf0/HiOJy1Ca8IIA==,iv:ca+t/rYwc/fAVUcz0JTmrRQCOcbDNscbnE8BpHkx/OE=,tag:eEfhUChUt4kRnO82XqRY4g==,type:str]
vaultwarden:
#ENC[AES256_GCM,data:yFDD8GHjZWHN/Yh53DseevKAhDVwrHX60e8sGZnF4BUsUuPA/4S2PRzj7CtlpFzUH3kb0i+HkLKRvbchg93U3as=,iv:JGG7daEKs0oMKTNVi9GS7PrXn/8rFtVkHknACsEQR+g=,tag:RSN6fojLsI4dcuPu2eTiWA==,type:comment]
admin_token: ENC[AES256_GCM,data:OpjREmxJSRj+aGVoP8KKRE7ClNqRtaV8va4WLVmpl1AO6D0q/GapJvhORHQb5s5ZjIAgvWTz1w+fh050Q9sPwRsNUke3FIcyeNy7k0PHgnnVIdxnU1Vn9KMz/SovjQ0/qEQ7tArvW/EXtKfwnP9lsz9m94VBvA==,iv:9AvDqMa2PeQOSrP2th3YBgA2RxPl3oKZTyUzi/yjRTM=,tag:HYFTQDgWvBsHQk8IZxWkfw==,type:str]

368
modules/services/synapse.nix
View File

@@ -8,18 +8,12 @@ inputs:
autoStart = mkOption { type = types.bool; default = true; };
port = mkOption { type = types.ints.unsigned; default = 8008; };
redisPort = mkOption { type = types.ints.unsigned; default = 6379; };
slidingSyncPort = mkOption { type = types.ints.unsigned; default = 9000; };
hostname = mkOption
{
type = types.nonEmptyStr;
default = "${submoduleInputs.config._module.args.name}.chn.moe";
};
matrixHostname = mkOption { type = types.nonEmptyStr; default = "chn.moe"; };
slidingSyncHostname = mkOption
{
type = types.nonEmptyStr;
default = "syncv3.${submoduleInputs.config.hostname}";
};
# , synapse_homeserver --config-path homeserver.yaml --generate-config --report-stats=yes --server-name xxx
};}));
default = {};
@@ -50,263 +44,203 @@ inputs:
systemd = mkMerge (map
(instance: let workdir = "/var/lib/synapse/${instance.name}"; in
{
services =
{
"synapse-${instance.name}" =
let
package = inputs.pkgs.matrix-synapse.override
{ extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
homeserver = "${package}/bin/synapse_homeserver";
in
{
description = "synapse-${instance.name}";
enable = instance.value.autoStart;
after = [ "network-online.target" "postgresql.service" ];
requires = [ "network-online.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
Type = "notify";
User = "synapse-${instance.name}";
Group = "synapse-${instance.name}";
WorkingDirectory = workdir;
ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
UMask = "0077";
CapabilityBoundingSet = [ "" ];
# hardening
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workdir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
};
};
"synapse-sliding-sync-${instance.name}" =
services."synapse-${instance.name}" =
let
package = inputs.pkgs.matrix-synapse.override
{ extras = [ "url-preview" "postgres" "redis" ]; plugins = []; };
config = inputs.config.sops.templates."synapse/${instance.name}/config.yaml".path;
homeserver = "${package}/bin/synapse_homeserver";
in
{
after = [ "synapse-${instance.name}.service" ];
wants = [ "synapse-${instance.name}.service" ];
description = "synapse-${instance.name}";
enable = instance.value.autoStart;
after = [ "network-online.target" "postgresql.service" ];
requires = [ "network-online.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
ExecStart = "${homeserver} --config-path ${config} --keys-directory ${workdir}";
Type = "notify";
User = "synapse-${instance.name}";
Group = "synapse-${instance.name}";
EnvironmentFile = inputs.config.sops.templates."synapse/${instance.name}-sliding-sync/env".path;
ExecStart = inputs.lib.getExe inputs.pkgs.matrix-sliding-sync;
WorkingDirectory = workdir + "-sliding-sync";
WorkingDirectory = workdir;
ExecReload = "${inputs.pkgs.util-linux}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
RestartSec = "1s";
UMask = "0077";
CapabilityBoundingSet = [ "" ];
# hardening
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workdir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
};
};
};
tmpfiles.rules =
[
"d /var/lib/synapse 0755 root root"
"d ${workdir} 0700 synapse-${instance.name} synapse-${instance.name}"
"Z ${workdir} - synapse-${instance.name} synapse-${instance.name}"
"d ${workdir}-sliding-sync 0700 synapse-${instance.name} synapse-${instance.name}"
"Z ${workdir}-sliding-sync - synapse-${instance.name} synapse-${instance.name}"
];
})
(attrsToList synapse.instances));
sops = mkMerge (map
(instance:
{
templates =
templates."synapse/${instance.name}/config.yaml" =
{
"synapse/${instance.name}/config.yaml" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
in builtins.readFile ((inputs.pkgs.formats.yaml {}).generate "${instance.name}.yaml"
{
server_name = instance.value.matrixHostname;
public_baseurl = "https://${instance.value.hostname}/";
listeners =
[{
bind_addresses = [ "127.0.0.1" ];
inherit (instance.value) port;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database =
{
server_name = instance.value.matrixHostname;
public_baseurl = "https://${instance.value.hostname}/";
listeners =
[{
bind_addresses = [ "127.0.0.1" ];
inherit (instance.value) port;
resources = [{ names = [ "client" "federation" ]; compress = false; }];
tls = false;
type = "http";
x_forwarded = true;
}];
database =
name = "psycopg2";
args =
{
name = "psycopg2";
args =
{
user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
host = "127.0.0.1";
port = "5432";
};
allow_unsafe_locale = true;
user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
password = placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
database = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
host = "127.0.0.1";
port = "5432";
};
redis =
{
enabled = true;
port = instance.value.redisPort;
password = placeholder."redis/synapse-${instance.name}";
};
turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
registration_shared_secret = placeholder."synapse/${instance.name}/registration";
macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
form_secret = placeholder."synapse/${instance.name}/form";
signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
email =
{
smtp_host = "mail.chn.moe";
smtp_port = 25;
smtp_user = "bot@chn.moe";
smtp_pass = placeholder."mail/bot";
require_transport_security = true;
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
app_name = "Haonan Chen's synapse";
};
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
registration_requires_token = true;
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
extra_well_known_client_content."org.matrix.msc3575.proxy".url =
"https://${instance.value.slidingSyncHostname}";
report_stats = true;
trusted_key_servers =
[{
server_name = "matrix.org";
verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
}];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
{
version = 1;
formatters.precise.format =
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
root = { level = "INFO"; handlers = [ "console" ]; };
disable_existing_loggers = true;
};
pid_file = "/run/synapse-${instance.name}.pid";
media_store_path = "/var/lib/synapse/${instance.name}/media_store";
presence.enabled = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist =
[
"10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
"192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
"203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
];
max_image_pixels = "32M";
dynamic_thumbnails = false;
});
};
"synapse/${instance.name}-sliding-sync/env" =
{
owner = "synapse-${instance.name}";
group = "synapse-${instance.name}";
content =
let
inherit (inputs.config.sops) placeholder;
pgString = "postgresql://"
+ "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"
+ ":${placeholder."postgresql/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}"}"
+ "@127.0.0.1:5432"
+ "/synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync"
+ "?sslmode=disable";
in
''
SYNCV3_SERVER=https://${instance.value.hostname}
SYNCV3_DB=${pgString}
SYNCV3_SECRET=${placeholder."synapse/${instance.name}/sliding-sync"}
SYNCV3_BINDADDR=127.0.0.1:${toString instance.value.slidingSyncPort}
'';
};
allow_unsafe_locale = true;
};
redis =
{
enabled = true;
port = instance.value.redisPort;
password = placeholder."redis/synapse-${instance.name}";
};
turn_shared_secret = placeholder."synapse/${instance.name}/coturn";
registration_shared_secret = placeholder."synapse/${instance.name}/registration";
macaroon_secret_key = placeholder."synapse/${instance.name}/macaroon";
form_secret = placeholder."synapse/${instance.name}/form";
signing_key_path = inputs.config.sops.secrets."synapse/${instance.name}/signing-key".path;
email =
{
smtp_host = "mail.chn.moe";
smtp_port = 25;
smtp_user = "bot@chn.moe";
smtp_pass = placeholder."mail/bot";
require_transport_security = true;
notif_from = "Your Friendly %(app)s homeserver <bot@chn.moe>";
app_name = "Haonan Chen's synapse";
};
admin_contact = "mailto:chn@chn.moe";
enable_registration = true;
registrations_require_3pid = [ "email" ];
registration_requires_token = true;
turn_uris = [ "turns:coturn.chn.moe" "turn:coturn.chn.moe" ];
max_upload_size = "1024M";
web_client_location = "https://element.chn.moe/";
report_stats = true;
trusted_key_servers =
[{
server_name = "matrix.org";
verify_keys."ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
}];
suppress_key_server_warning = true;
log_config = (inputs.pkgs.formats.yaml {}).generate "log.yaml"
{
version = 1;
formatters.precise.format =
"%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
handlers.console = { class = "logging.StreamHandler"; formatter = "precise"; };
root = { level = "INFO"; handlers = [ "console" ]; };
disable_existing_loggers = true;
};
pid_file = "/run/synapse-${instance.name}.pid";
media_store_path = "/var/lib/synapse/${instance.name}/media_store";
presence.enabled = true;
url_preview_enabled = true;
url_preview_ip_range_blacklist =
[
"10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24"
"192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32"
"203.0.113.0/24" "224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
];
max_image_pixels = "32M";
dynamic_thumbnails = false;
});
};
secrets = (listToAttrs (map
(secret: { name = "synapse/${instance.name}/${secret}"; value = {}; })
[ "coturn" "registration" "macaroon" "form" "sliding-sync" ]))
[ "coturn" "registration" "macaroon" "form" ]))
// { "synapse/${instance.name}/signing-key".owner = "synapse-${instance.name}"; }
// { "mail/bot" = {}; };
})
(attrsToList synapse.instances));
nixos.services =
{
postgresql.instances = listToAttrs (concatLists (map
postgresql.instances = listToAttrs (map
(instance:
[
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
}
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}_sliding_sync";
value.user = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
}
])
(attrsToList synapse.instances)));
{
name = "synapse_${replaceStrings [ "-" ] [ "_" ] instance.name}";
value.initializeFlags = { TEMPLATE = "template0"; LC_CTYPE = "C"; LC_COLLATE = "C"; };
})
(attrsToList synapse.instances));
redis.instances = listToAttrs (map
(instance: { name = "synapse-${instance.name}"; value.port = instance.value.redisPort; })
(attrsToList synapse.instances));
nginx =
{
enable = mkIf (synapse.instances != {}) true;
https = listToAttrs (concatLists (map
https = listToAttrs (map
(instance: with instance.value;
[
{
name = hostname;
value.location =
{
name = hostname;
value.location =
"/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
"/.well-known/matrix/server".static =
{
"/".proxy = { upstream = "http://127.0.0.1:${toString port}"; websocket = true; };
"/.well-known/matrix/server".static =
root = builtins.toString (inputs.pkgs.writeTextFile
{
root = builtins.toString (inputs.pkgs.writeTextFile
name = "server";
text = builtins.toJSON
{
name = "server";
text = builtins.toJSON
{
"m.server" = "${hostname}:443";
};
destination = "/.well-known/matrix/server";
});
};
"m.server" = "${hostname}:443";
};
destination = "/.well-known/matrix/server";
});
};
}
{
name = slidingSyncHostname;
value.location."/".proxy =
{ upstream = "http://127.0.0.1:${toString slidingSyncPort}"; websocket = true; };
}
])
(attrsToList synapse.instances)));
};
})
(attrsToList synapse.instances));
};
};
};