Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
6e96b2b968f2af75219839ed3e2d341c405b0eff
Sovran_SystemsOS/modules/synapse.nix
naturallaw77 6e96b2b968 removed agenix
2026-03-27 20:45:09 -05:00

120 lines
3.6 KiB
Nix
Executable File
Raw Blame History

{ config, pkgs, lib, ... }:
lib.mkIf config.sovran_systemsOS.services.synapse {
services.postgresql = {
ensureDatabases = [ "matrix-synapse" ];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
];
};
systemd.services.matrix-synapse-db-init = {
description = "Generate Matrix Synapse DB password if missing";
wantedBy = [ "multi-user.target" ];
before = [ "matrix-synapse.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ pkgs.pwgen ];
script = ''
SECRET_FILE="/var/lib/matrix-synapse/db-password"
if [ ! -f "$SECRET_FILE" ]; then
mkdir -p /var/lib/matrix-synapse
pwgen -s 32 1 > "$SECRET_FILE"
chown matrix-synapse:matrix-synapse "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
echo "Generated new DB password at $SECRET_FILE"
else
echo "DB password already exists, skipping"
fi
'';
};
systemd.services.matrix-synapse-runtime-config = {
description = "Generate Synapse runtime config from domain files";
before = [ "matrix-synapse.service" ];
after = [ "matrix-synapse-db-init.service" "matrix-synapse-secret-init.service" ];
requiredBy = [ "matrix-synapse.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
unitConfig = {
ConditionPathExists = "/var/lib/domains/matrix";
};
path = [ pkgs.coreutils ];
script = ''
MATRIX=$(cat /var/lib/domains/matrix)
mkdir -p /run/matrix-synapse
cat > /run/matrix-synapse/runtime-config.yaml <<EOF
server_name: "$MATRIX"
public_baseurl: "https://$MATRIX"
registration_shared_secret_path: "/var/lib/matrix-synapse/registration-secret"
EOF
chown matrix-synapse:matrix-synapse /run/matrix-synapse/runtime-config.yaml
chmod 640 /run/matrix-synapse/runtime-config.yaml
'';
};
services.matrix-synapse = {
enable = true;
extraConfigFiles = [
"/run/matrix-synapse/runtime-config.yaml"
];
settings = {
database = {
name = "psycopg2";
args = {
host = "localhost";
database = "matrix-synapse";
user = "matrix-synapse";
};
};
push.include_content = false;
url_preview_enabled = true;
group_unread_count_by_room = false;
encryption_enabled_by_default_for_room_type = "invite";
allow_profile_lookup_over_federation = false;
allow_device_name_lookup_over_federation = false;
url_preview_ip_range_blacklist = [
"10.0.0.0/8" "100.64.0.0/10" "169.254.0.0/16" "172.16.0.0/12"
"192.0.0.0/24" "192.0.2.0/24" "192.168.0.0/16" "192.88.99.0/24"
"198.18.0.0/15" "198.51.100.0/24" "2001:db8::/32" "203.0.113.0/24"
"224.0.0.0/4" "::1/128" "fc00::/7" "fe80::/10" "fec0::/10" "ff00::/8"
];
url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
presence.enabled = true;
enable_registration = false;
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" ]; compress = true; }
{ names = [ "federation" ]; compress = false; }
];
}
];
};
};
systemd.services.matrix-synapse.after = [ "matrix-synapse-secret-init.service" ];
systemd.services.matrix-synapse.wants = [ "matrix-synapse-secret-init.service" ];
sovran_systemsOS.domainRequirements = [
{ name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
];
}
Reference in New Issue View Git Blame Copy Permalink