From 085c563d7538b238e0a180fa0627de27e9ca069d Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 19 Oct 2023 10:42:19 +0000
Subject: [PATCH 1/6] hosts: homes: mousqueton: disable gpg-agent
It doesn't work well in this environment anyway.
---
 hosts/homes/ambroisie@mousqueton/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix
index 9096610..0bd2272 100644
--- a/hosts/homes/ambroisie@mousqueton/default.nix
+++ b/hosts/homes/ambroisie@mousqueton/default.nix
@@ -15,6 +15,8 @@
 programs.git.package = lib.mkForce pkgs.emptyDirectory;
+ services.gpg-agent.enable = lib.mkForce false;
+
 # I use scripts that use the passthrough sequence often on this host
 my.home.tmux.enablePassthrough = true;
 }
From 1425c424899752f4f955a7f2fd1c73711abd9ed5 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 28 Sep 2023 15:28:11 +0000
Subject: [PATCH 2/6] modules: services: matrix: refactor vhost
---
 modules/services/matrix/default.nix | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index c73afed..9acd8c2 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -13,6 +13,7 @@ let
 federationPort = { public = 8448; private = 11338; };
 clientPort = { public = 443; private = 11339; };
 domain = config.networking.domain;
+ matrixDomain = "matrix.${domain}";
 in
 {
 options.my.services.matrix = with lib; {
@@ -52,7 +53,7 @@ in
 settings = {
 server_name = domain;
- public_baseurl = "https://matrix.${domain}";
+ public_baseurl = "https://${matrixDomain}";
 enable_registration = false;
@@ -98,7 +99,7 @@ in
 conf = {
 default_server_config = {
 "m.homeserver" = {
- "base_url" = "https://matrix.${domain}";
+ "base_url" = "https://${matrixDomain}";
 "server_name" = domain;
 };
 "m.identity_server" = {
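Review bot: The added `services.gpg-agent.enable = lib.mkForce false;` carries no in-file rationale, while the neighbouring `my.home.tmux.enablePassthrough` line documents why it is set; once the commit message is out of sight, a reader of this host file cannot tell whether the force is a workaround or a deliberate policy. Suggest a comment above it such as `# gpg-agent does not work well on this host; forced off on purpose` (or the concrete reason, if known) so the `mkForce` is not dropped by accident during a later cleanup.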
@@ -120,7 +121,7 @@ in
 # Those are too complicated to use my wrapper...
 services.nginx.virtualHosts = {
- "matrix.${domain}" = {
+ ${matrixDomain} = {
 onlySSL = true;
 useACMEHost = domain;
@@ -148,9 +149,9 @@ in
 };
 # same as above, but listening on the federation port
- "matrix.${domain}_federation" = {
+ "${matrixDomain}_federation" = {
 onlySSL = true;
- serverName = "matrix.${domain}";
+ serverName = matrixDomain;
 useACMEHost = domain;
 locations."/".return = "404";
@@ -171,7 +172,7 @@ in
 locations."= /.well-known/matrix/server".extraConfig =
 let
- server = { "m.server" = "matrix.${domain}:${toString federationPort.public}"; };
+ server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; };
 in
 ''
 add_header Content-Type application/json;
@@ -181,7 +182,7 @@ in
 locations."= /.well-known/matrix/client".extraConfig =
 let
 client = {
- "m.homeserver" = { "base_url" = "https://matrix.${domain}"; };
+ "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
 "m.identity_server" = { "base_url" = "https://vector.im"; };
 };
 # ACAO required to allow element-web on any URL to request this json file
From 52413dcaf7d937a69002be661b8a6c26443e162c Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 28 Sep 2023 15:53:46 +0000
Subject: [PATCH 3/6] hosts: nixos: porthos: secrets: add matrix sync
---
 .../nixos/porthos/secrets/matrix/sliding-sync-secret.age | 9 +++++++++
 hosts/nixos/porthos/secrets/secrets.nix | 3 +++
 2 files changed, 12 insertions(+)
 create mode 100644 hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age
diff --git a/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age
new file mode 100644
index 0000000..d375a35
--- /dev/null
+++ b/hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age
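Review bot: The new attribute name `${matrixDomain} = {` is written as a bare interpolation while the sibling key added in the next hunk is quoted (`"${matrixDomain}_federation" = {`); both are valid Nix dynamic attributes, but the mixed style makes the pair harder to scan and a bare `${…}` key is easy to misread as a variable assignment. Suggest `"${matrixDomain}" = {` so the two vhost keys look alike. The `services.nginx.virtualHosts` set continues past the hunk.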
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk +HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU +-> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc +JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 +-> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl Date: Thu, 28 Sep 2023 18:42:13 +0200 Subject: [PATCH 4/6] modules: services: matrix: register dummy vhosts This is simply to make use of my infrastructure for port collision detection. --- modules/services/matrix/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 9acd8c2..42c5cda 100644 --- a/modules/services/matrix/default.nix +++ b/modules/services/matrix/default.nix @@ -117,6 +117,15 @@ in }; }; } + # Dummy VHosts for port collision detection + { + subdomain = "matrix-federation"; + port = federationPort.private; + } + { + subdomain = "matrix-client"; + port = clientPort.private; + } ]; # Those are too complicated to use my wrapper... From b4c2cc581b6b79db1961e0aa840fad6d17ee6652 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Sep 2023 15:53:46 +0000 Subject: [PATCH 5/6] modules: services: matrix: add sliding sync --- hosts/nixos/porthos/services.nix | 3 +++ modules/services/matrix/default.nix | 40 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 8487157..d73cdc1 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -64,6 +64,9 @@ in mailConfigFile = secrets."matrix/mail".path; # Only necessary when doing the initial registration secretFile = secrets."matrix/secret".path; + slidingSync = { + secretFile = secrets."matrix/sliding-sync-secret".path; + }; }; miniflux = { enable = true; diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix index 42c5cda..52b60c5 100644 
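Review bot: The two entries added under `# Dummy VHosts for port collision detection` hand `federationPort.private` and `clientPort.private` to `my.services.nginx.virtualHosts`, whose implementation is outside this patch; if that wrapper also emits an nginx server block for each entry, these register `matrix-federation` and `matrix-client` hostnames that proxy straight to the private listeners without the `onlySSL`/federation-specific handling of the hand-written vhosts below. Worth confirming the wrapper can register a port without creating a reachable vhost, or, if the extra hostnames are accepted, saying so in the comment, e.g. `# Dummy VHosts for port collision detection; NOTE the wrapper may also expose these as matrix-federation.<domain> and matrix-client.<domain>`. The `my.services.nginx.virtualHosts` list starts before the hunk.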
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -26,6 +26,21 @@ in
 description = "Shared secret to register users";
 };
+ slidingSync = {
+ port = mkOption {
+ type = types.port;
+ default = 8009;
+ example = 8084;
+ description = "Port used by sliding sync server";
+ };
+
+ secretFile = mkOption {
+ type = types.str;
+ example = "/var/lib/matrix/sliding-sync-secret-file.env";
+ description = "Secret file which contains SYNCV3_SECRET definition";
+ };
+ };
+
 mailConfigFile = mkOption {
 type = types.str;
 example = "/var/lib/matrix/email-config.yaml";
@@ -89,6 +104,17 @@ in
 extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile;
+
+ sliding-sync = {
+ enable = true;
+
+ settings = {
+ SYNCV3_SERVER = "https://${matrixDomain}";
+ SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}";
+ };
+
+ environmentFile = cfg.slidingSync.secretFile;
+ };
 };
 my.services.nginx.virtualHosts = [
@@ -105,6 +131,9 @@ in
 "m.identity_server" = { "base_url" = "https://vector.im"; };
+ "org.matrix.msc3575.proxy" = {
+ "url" = "https://matrix-sync.${domain}";
+ };
 };
 showLabsSettings = true;
 defaultCountryCode = "FR"; # cocorico
@@ -126,6 +155,11 @@ in
 subdomain = "matrix-client";
 port = clientPort.private;
 }
+ # Sliding sync
+ {
+ subdomain = "matrix-sync";
+ inherit (cfg.slidingSync) port;
+ }
 ];
 # Those are too complicated to use my wrapper...
@@ -148,6 +182,11 @@ in
 "/_matrix" = proxyToClientPort;
 "/_synapse/client" = proxyToClientPort;
+
+ # Sliding sync
+ "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+ proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}";
+ };
 };
 listen = [
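Review bot: `SYNCV3_SERVER = "https://${matrixDomain}"` in the `sliding-sync` block sends the proxy's own requests to Synapse out through the public hostname, TLS and nginx, even though the same module routes `/_matrix` to a private client listener via `proxyToClientPort`; that adds a dependency on public DNS and the ACME certificate for an on-host hop and makes the proxy unavailable whenever the edge is. If the private client listener speaks plain HTTP (`proxyToClientPort` is defined outside the hunk, so I cannot confirm), `SYNCV3_SERVER = "http://127.0.0.1:${toString clientPort.private}";` would keep that traffic on loopback. `SYNCV3_BINDADDR` bound to `127.0.0.1` is the right choice and should stay as is. The `services.matrix-synapse` set starts before the hunk.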
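Review bot: The literal `"https://matrix-sync.${domain}"` added under `"org.matrix.msc3575.proxy"` is repeated in the well-known client hunk (`@@ -193,6 +232,7 @@`) and the same subdomain is spelled a third time as `"matrix-sync"` in the vhost hunk (`@@ -126,6 +155,11 @@`), undoing for the new host the consolidation the earlier `matrixDomain` refactor did for the main one. Suggest `syncDomain = "matrix-sync.${domain}";` next to `matrixDomain` in the module's `let` block (outside the hunk) and `"url" = "https://${syncDomain}";` here, so the advertised MSC3575 proxy URL and the vhost that serves it cannot drift apart.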
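Review bot: The dots in the regex location `"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"` are unescaped, so they match any character; harmless for routing today, but `org\\.matrix\\.msc3575` (Nix needs the doubled backslash inside a double-quoted string) states the intent and keeps the pattern from silently matching look-alike paths. Since nginx evaluates regex locations ahead of plain prefix locations, this block does take precedence over the `/_matrix` prefix above as intended, which deserves a comment such as `# regex location: deliberately shadows the /_matrix prefix for the MSC3575 sync path`. The `locations` set starts before the hunk.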
@@ -193,6 +232,7 @@ in
 client = {
 "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
 "m.identity_server" = { "base_url" = "https://vector.im"; };
+ "org.matrix.msc3575.proxy" = { "url" = "https://matrix-sync.${domain}"; };
 };
 # ACAO required to allow element-web on any URL to request this json file
 in
From 5248eb59f8480c3531e8e3775580c7ac8941852a Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 26 Oct 2023 12:27:31 +0000
Subject: [PATCH 6/6] hosts: homes: mousqueton: fix `tmux` 24-bit color
This is based on this answer [1] from Stack Overflow. I'll have to look into what the proper fix would be in general, this is just a band-aid to get it working correctly while SSH-ing from my laptop.
[1]: https://stackoverflow.com/a/41786092
---
 hosts/homes/ambroisie@mousqueton/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix
index 0bd2272..ac73da6 100644
--- a/hosts/homes/ambroisie@mousqueton/default.nix
+++ b/hosts/homes/ambroisie@mousqueton/default.nix
@@ -19,4 +19,9 @@
 # I use scripts that use the passthrough sequence often on this host
 my.home.tmux.enablePassthrough = true;
+
+ programs.tmux.extraConfig = ''
+ # Setup 24-bit color explicitly, as the default terminfo entry does not
+ set-option -sa terminal-overrides ",xterm-256color:Tc"
+ '';
 }
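Review bot: The override `",xterm-256color:Tc"` added in `programs.tmux.extraConfig` only takes effect when the outer `TERM` is exactly `xterm-256color`, so the band-aid stops working as soon as the laptop terminal advertises another name; the commit message flags the change as temporary, but the in-file comment does not. Suggest either the wildcard form `set-option -sa terminal-overrides ",*256col*:Tc"`, which covers every 256-colour terminal name, or extending the comment to `# Setup 24-bit color explicitly for xterm-256color only (band-aid, see commit message)` so the limitation travels with the config.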