Commit 179ab757b0d3bf6d9079e70342b5e1aaef125214 - nixrc

containers(matrix): fix dendrite Tony Olagbaiye a month ago

5 changed file(s) with 91 addition(s) and 60 deletion(s). Raw diff Collapse all Expand all

+43

-30

containers/matrix.nix less more

3	3	hostAddress = "10.7.0.1";
4	4	localAddress = "10.7.0.2";
5	5	in {
6		services.postgresql = let
7		databases = [
8		"naffka"
9		"appservice"
10		"federationsender"
11		"keyserver"
12		"mediaapi"
13		"mscs"
14		"roomserver"
15		"signingkeyserver"
16		"syncapi"
17		"userapi-accounts"
18		"userapi-devices"
19		];
20		in {
	6	services.postgresql = {
21	7	enable = true;
22		ensureUsers = map (x: {
	8	ensureUsers = [{
23	9	name = "dendrite";
24		ensurePermissions."DATABASE \"dendrite-${x}\"" = "ALL PRIVILEGES";
25		}) databases;
26		ensureDatabases = map (x: "dendrite-${x}") databases;
	10	ensurePermissions."DATABASE \"dendrite\"" = "ALL PRIVILEGES";
	11	}];
	12	ensureDatabases = [ "dendrite" ];
27	13	};
28	14
29	15	containers.matrix =

39	25	{
40	26	#environment.memoryAllocator.provider = "jemalloc";
41	27
42		environment.systemPackages = with pkgs; [ screen ];
	28	nixpkgs = { inherit pkgs; };
	29
	30	environment.systemPackages = with pkgs; [ screen jq vim ipfs ipfscat ];
	31	environment.variables = {
	32	IPFS_PATH = "/var/lib/ipfs";
	33	};
	34
43	35	services.matrix-dendrite = rec {
44	36	enable = true;
45	37	generatePrivateKey = true;
46	38	generateTls = false;
47	39	httpPort = 8008;
	40	httpsPort = 8448;
48	41	settings = let
49	42	mkDb = with {
50		authority = "dendrite";
	43	login = "dendrite";
51	44	hostname = hostAddress;
52		}; name: "postgresql://${authority}@${hostname}/dendrite-${name}?sslmode=disable";
	45	database = "dendrite";
	46	args = "sslmode=disable";
	47	}; name: "postgresql://${login}@${hostname}/${database}?${args}";
53	48	in {
54	49	global.server_name = "${usr.secrets.domains.srvc}";
55	50	global.disable_federation = false;

63	58	mscs.database.connection_string = mkDb "mscs";
64	59	room_server.database.connection_string = mkDb "roomserver";
65	60	signing_key_server.database.connection_string = mkDb "signingkeyserver";
	61	signing_key_server.prefer_direct_fetch = false;
	62	signing_key_server.key_perspectives = [{
	63	server_name = "matrix.org";
	64	keys = [{
	65	key_id = "ed25519:auto";
	66	public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
	67	} {
	68	key_id = "ed25519:a_RXGa";
	69	public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
	70	}];
	71	}];
66	72	sync_api.database.connection_string = mkDb "syncapi";
	73	sync_api.real_ip_header = "X-Real-IP";
67	74	user_api.account_database.connection_string = mkDb "userapi-accounts";
68	75	user_api.device_database.connection_string = mkDb "userapi-devices";
69	76	client_api = {

71	78	inherit (usr.secrets.matrix.synapse) registration_shared_secret;
72	79	};
73	80	mscs.mscs = [ "msc2946" ];
	81	logging = [{
	82	type = "file";
	83	level = "debug";
	84	params.path = "/var/lib/matrix-dendrite/log";
	85	}];
74	86	};
75	87	tlsCert = "/var/lib/acme/${usr.secrets.domains.srvc}/fullchain.pem";
76	88	tlsKey = "/var/lib/acme/${usr.secrets.domains.srvc}/key.pem";

79	91	services.nginx.enable = true;
80	92	services.nginx.virtualHosts.wellknown-matrix = {
81	93	locations = {
82		#"/.well-known/matrix/server".extraConfig = ''
83		# return 200 '{ "m.server": "${cfg.nginxVhost}:443" }';
84		#'';
85		#"/.well-known/matrix/client".extraConfig = ''
86		# return 200 '{ "m.homeserver": { "base_url": "https://${cfg.nginxVhost}" } }';
87		#'';
88		#"/_matrix".proxyPass = "http://localhost:8008";
89	94	"/server".extraConfig = ''
90		return 200 '{ "m.server": "${usr.secrets.domains.srvc}:443" }';
	95	return 200 '{ "m.server": "m.${usr.secrets.domains.srvc}:443" }';
91	96	'';
92	97	"/client".extraConfig = ''
93	98	return 200 '{ "m.homeserver": { "base_url": "https://m.${usr.secrets.domains.srvc}" } }';

126	131	hostPath = "/var/lib/acme";
127	132	isReadOnly = true;
128	133	};
	134	"/var/lib/ipfs" = {
	135	hostPath = "/var/lib/ipfs";
	136	isReadOnly = true;
	137	};
	138	"/run/ipfs.sock" = {
	139	hostPath = "/run/ipfs.sock";
	140	isReadOnly = false;
	141	};
129	142	};
130	143	};
131	144	}

-3

flake.lock less more

258	258	"dendrite": {
259	259	"flake": false,
260	260	"locked": {
261		"lastModified": 1613643494,
262		"narHash": "sha256-CXkPJqiHcFVWUPAHU4S+8/qVDqI8awrNH8J+dfAX2UM=",
	261	"lastModified": 1615227388,
	262	"narHash": "sha256-96EurIxPgAdzDdccxy6HtHtjCKztHFw30Y9qKCjoGeg=",
263	263	"owner": "matrix-org",
264	264	"repo": "dendrite",
265		"rev": "3069079e37510dbda59b2b272ce133ef81832d7b",
	265	"rev": "3c419be6af2938170d2c04f56d8616c0129ca673",
266	266	"type": "github"
267	267	},
268	268	"original": {

-1

hosts/zeta/default.nix less more

143	143	host all all 127.0.0.1/32 md5
144	144	host all all ::1/128 md5
145	145	host ${mastodon.name} ${mastodon.user} ${config.containers.mastodon.localAddress}/24 trust
146		host all dendrite ${config.containers.matrix.localAddress}/24 trust
	146	host dendrite dendrite ${config.containers.matrix.localAddress}/24 trust
147	147	'');
148	148	services.openssh.enable = true;
149	149	services.openssh.forwardX11 = true;

-1

pkgs/servers/dendrite/default.nix less more

5	5
6	6	src = withSources.dendrite;
7	7
8		vendorSha256 = "NnSxqjY5HcSnxWbn9OAperNhysMZbpaOVlR5EHfzPNA=";
	8	vendorSha256 = "CDCgp693pM+83ATPzmE35utYvQPb5sFal0xN5oasKSg=";
9	9
10	10	passthru.config = "${src}/dendrite-config.yaml";
11	11	}

+43

-25

profiles/networking/traefik/default.nix less more

100	100	entryPoints = [ "https" ];
101	101	tls.domains = [{ main = "tw.${domains.srvc}"; }];
102	102	};
103		dendrite = {
104		entryPoints = [ "dendrite" ];
105		rule = "PathPrefix(`/_matrix`)";
	103	dendrite-http = {
	104	entryPoints = [ "http" ];
	105	rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`)) && PathPrefix(`/_matrix`)";
106	106	service = "dendrite";
107		};
108		dendrite-http = dendrite // {
109		entryPoints = [ "http" ];
110		rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`)) && PathPrefix(`/_matrix`)";
111	107	};
112	108	dendrite-https = dendrite-http // {
113	109	entryPoints = [ "https" ];

116	112	{ main = "m.${domains.srvc}"; }
117	113	];
118	114	};
119		dendrite-tls = dendrite // {
120		entryPoints = [ "dendrite-tls" ];
121		tls.domains = [{ main = "${domains.srvc}"; }];
122		};
123		dendrite-wellknown = dendrite // {
124		rule = "PathPrefix(`/.well-known/matrix`)";
	115	dendrite-http-wellknown = dendrite-http // {
	116	rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`) \|\| Host(`${domains.srvc}`)) && PathPrefix(`/.well-known/matrix`)";
125	117	service = "dendrite-wellknown";
126	118	middlewares = [ "matrix-wellknown" ];
127	119	};
128		dendrite-http-wellknown = dendrite-http // {
129		rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`)) && PathPrefix(`/.well-known/matrix`)";
	120	dendrite-https-wellknown = dendrite-https // {
	121	rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`) \|\| Host(`${domains.srvc}`)) && PathPrefix(`/.well-known/matrix`)";
130	122	service = "dendrite-wellknown";
131	123	middlewares = [ "matrix-wellknown" ];
132		};
133		dendrite-https-wellknown = dendrite-https // {
134		rule = "(Host(`matrix.${domains.srvc}`) \|\| Host(`m.${domains.srvc}`)) && PathPrefix(`/.well-known/matrix`)";
135		service = "dendrite-wellknown";
136		middlewares = [ "matrix-wellknown" ];
137		};
138		dendrite-tls-wellknown = dendrite-wellknown // {
139		entryPoints = [ "dendrite-tls" ];
140		tls.domains = [{ main = "${domains.srvc}"; }];
141	124	};
142	125	certauth = {
143	126	entryPoints = [ "http" "https" ];

668	651	rule = "HostSNI(`*`)";
669	652	service = "klaus";
670	653	};
	654	dendrite = {
	655	entryPoints = [ "dendrite" ];
	656	rule = "HostSNI(`*`)";
	657	service = "dendrite";
	658	};
	659	dendrite-tls = {
	660	entryPoints = [ "dendrite-tls" ];
	661	rule = "HostSNI(`*`)";
	662	service = "dendrite-tls";
	663	};
671	664	transmission-dht-tcp = {
672	665	entryPoints = [ "transmission-dht-tcp" ];
673	666	rule = "HostSNI(`*`)";

713	706	];
714	707	terminationDelay = 100;
715	708	};
	709	#dendrite.loadBalancer = {
	710	# servers = [
	711	# { address = "10.7.0.2:8008"; }
	712	# ];
	713	# terminationDelay = 100;
	714	#};
	715	#dendrite-tls.loadBalancer = {
	716	# servers = [
	717	# { address = "10.7.0.2:8448"; }
	718	# ];
	719	# terminationDelay = 100;
	720	#};
716	721	transmission-dht.loadBalancer = {
717	722	servers = [
718	723	{ address = "10.11.0.2:51413"; }

922	927	};
923	928
924	929	accessLog = {
925		filePath = "/var/log/access";
	930	filePath = "/var/log/traefik/access.json";
926	931	format = "json";
	932	fields.headers.defaultMode = "keep";
927	933	bufferingSize = 100;
928	934	};
	935	};
	936	};
	937
	938	services.logrotate = {
	939	enable = true;
	940	paths.traefik = {
	941	enable = true;
	942	path = "/var/log/traefik/access.*";
	943	user = config.systemd.services.traefik.serviceConfig.User;
	944	group = config.systemd.services.traefik.serviceConfig.Group;
	945	frequency = "daily";
	946	keep = 16;
929	947	};
930	948	};
931	949	}