From 57cf518ca2180166b26d4ed9f49f3567347db367 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:28:11 +0000 Subject: [PATCH 1/3] modules: services: matrix: refactor vhost --- modules/services/matrix/default.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index c73afed..9acd8c2 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -13,6 +13,7 @@ let federationPort = { public = 8448; private = 11338; }; clientPort = { public = 443; private = 11339; }; domain = config.networking.domain; + matrixDomain = "matrix.${domain}"; in { options.my.services.matrix = with lib; { @@ -52,7 +53,7 @@ in settings = { server_name = domain; - public_baseurl = "https://matrix.${domain}"; + public_baseurl = "https://${matrixDomain}"; enable_registration = false; @@ -98,7 +99,7 @@ in conf = { default_server_config = { "m.homeserver" = { - "base_url" = "https://matrix.${domain}"; + "base_url" = "https://${matrixDomain}"; "server_name" = domain; }; "m.identity_server" = { @@ -120,7 +121,7 @@ in # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { - "matrix.${domain}" = { + ${matrixDomain} = { onlySSL = true; useACMEHost = domain; @@ -148,9 +149,9 @@ in }; # same as above, but listening on the federation port - "matrix.${domain}_federation" = { + "${matrixDomain}_federation" = { onlySSL = true; - serverName = "matrix.${domain}"; + serverName = matrixDomain; useACMEHost = domain; locations."/".return = "404"; @@ -171,7 +172,7 @@ in locations."= /.well-known/matrix/server".extraConfig = let - server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; }; + server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; }; in '' add_header Content-Type application/json; @@ -181,7 +182,7 @@ in locations."= /.well-known/matrix/client".extraConfig = let client = { - "m.homeserver" = { "base_url" = "https://matrix.${domain}"; }; + "m.homeserver" = { "base_url" = "https://${matrixDomain}"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file From ec6fb2efa7eae09ba7365bb676985881e6129f9f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 2/3] hosts: nixos: porthos: secrets: add matrix sync --- .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++ hosts/nixos/porthos/secrets/secrets.nix | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age new file mode 100644 index 0000000..d375a35 --- /dev/null +++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 3/3] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 33 +++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 863048c..b187833 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..c87b6e4 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -26,6 +26,23 @@ in description = "Shared secret to register users"; }; + slidingSync = { + enable = my.mkDisableOption "sliding sync"; + + port = mkOption { + type = types.port; + default = 8009; + example = 8084; + description = "Port used by sliding sync server"; + }; + + secretFile = mkOption { + type = types.str; + example = "/var/lib/matrix/sliding-sync-secret-file.env"; + description = "Secret file which contains SYNCV3_SECRET definition"; + }; + }; + mailConfigFile = mkOption { type = types.str; example = "/var/lib/matrix/email-config.yaml"; @@ -89,6 +106,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + + sliding-sync = lib.mkIf cfg.slidingSync.enable { + enable = true; + + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${cfg.slidingSync.port}"; + }; + + environmentFile = cfg.slidingSync.secretFile; + }; }; my.services.nginx.virtualHosts = [ @@ -139,6 +167,11 @@ in "/_matrix" = proxyToClientPort; "/_synapse/client" = proxyToClientPort; + + # Sliding sync + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + }; }; listen = [