infra/nixos/hosts/silver/services/synapse.nix

{config, ...}: let
  httpIntPort = 14030;
  dbIntPort = 14032;
  domHost = "mtx.min.rip"; # TODO: hardcoding
  domDelegate = "min.rip"; # TODO: hardcoding
  dir = "/srv/synapse";
  dirSynapse = "${dir}/synapse";
  dirDb = "${dir}/db";
in {
  services.nginx = {
    virtualHosts.${domHost} = {
      forceSSL = true;
      enableACME = true;

      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString httpIntPort}";
      };
    };
    virtualHosts.${domDelegate} = {
      locations."/.well-known/matrix/client" = {
        return = ''200 '{"m.homeserver": {"base_url": "https://${domHost}:443"}}' '';
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
      locations."/.well-known/matrix/server" = {
        return = ''200 '{"m.server": "${domHost}:443"}' '';
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
        '';
      };
    };
  };

  # Auto-create directories we need
  systemd.tmpfiles.rules = [
    "d ${dir} 0777 root root - -"
    "d ${dirSynapse} 0750 224 224 - -"
    "d ${dirDb} 0750 70 70 - -"
  ];

  virtualisation.oci-containers.containers.synapse-db = {
    image = "docker.io/postgres:12-alpine";
    environment = {
      POSTGRES_USER = "synapse";
      POSTGRES_PASSWORD = "synapse";
      POSTGRES_INITDB_ARGS = "--encoding=UTF-8 --lc-collate=C --lc-ctype=C";
    };
    volumes = [
      "${dirDb}:/var/lib/postgresql/data"
    ];
    ports = ["${toString dbIntPort}:5432/tcp"];
    # extraOptions = [
    #   "--health-cmd" "pg_isready -U \${POSTGRES_USER}"
    #   "--health-interval=5s"
    #   "--health-retries=5"
    # ];
  };

  sops.secrets."svc-synapse-synapse-config" = {
    owner = "matrix-synapse";
    group = "matrix-synapse";
    mode = "0664";
  };

  services.matrix-synapse = {
    enable = true;
    withJemalloc = true;
    dataDir = dirSynapse;

    extraConfigFiles = [config.sops.secrets."svc-synapse-synapse-config".path];
    settings = {
      server_name = domDelegate;
      listeners = [
        {
          bind_addresses = ["127.0.0.1"];
          port = httpIntPort;
          tls = false;
          type = "http";
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = false;
            }
          ];
        }
      ];
      database = {
        name = "psycopg2";
        args = {
          user = "synapse";
          password = "synapse";
          database = "synapse";
          host = "127.0.0.1";
          port = dbIntPort;
        };
      };
      report_stats = false;
    };
  };
}
Initial commit 2024-10-13 15:16:39 -05:00			`{config, ...}: let`
			`httpIntPort = 14030;`
			`dbIntPort = 14032;`
Prepare for refactors 2024-10-17 17:32:14 -05:00			`domHost = "mtx.min.rip"; # TODO: hardcoding`
			`domDelegate = "min.rip"; # TODO: hardcoding`
Initial commit 2024-10-13 15:16:39 -05:00			`dir = "/srv/synapse";`
			`dirSynapse = "${dir}/synapse";`
			`dirDb = "${dir}/db";`
			`in {`
			`services.nginx = {`
			`virtualHosts.${domHost} = {`
Partial rollout of HTTP/3 2024-10-13 18:14:29 -05:00			`forceSSL = true;`
			`enableACME = true;`

Initial commit 2024-10-13 15:16:39 -05:00			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString httpIntPort}";`
			`};`
			`};`
			`virtualHosts.${domDelegate} = {`
			`locations."/.well-known/matrix/client" = {`
			`return = ''200 '{"m.homeserver": {"base_url": "https://${domHost}:443"}}' '';`
			`extraConfig = ''`
			`default_type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`'';`
			`};`
			`locations."/.well-known/matrix/server" = {`
			`return = ''200 '{"m.server": "${domHost}:443"}' '';`
			`extraConfig = ''`
			`default_type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`'';`
			`};`
			`};`
			`};`

			`# Auto-create directories we need`
			`systemd.tmpfiles.rules = [`
			`"d ${dir} 0777 root root - -"`
			`"d ${dirSynapse} 0750 224 224 - -"`
			`"d ${dirDb} 0750 70 70 - -"`
			`];`

			`virtualisation.oci-containers.containers.synapse-db = {`
			`image = "docker.io/postgres:12-alpine";`
			`environment = {`
			`POSTGRES_USER = "synapse";`
			`POSTGRES_PASSWORD = "synapse";`
			`POSTGRES_INITDB_ARGS = "--encoding=UTF-8 --lc-collate=C --lc-ctype=C";`
			`};`
			`volumes = [`
			`"${dirDb}:/var/lib/postgresql/data"`
			`];`
			`ports = ["${toString dbIntPort}:5432/tcp"];`
			`# extraOptions = [`
			`# "--health-cmd" "pg_isready -U \${POSTGRES_USER}"`
			`# "--health-interval=5s"`
			`# "--health-retries=5"`
			`# ];`
			`};`

			`sops.secrets."svc-synapse-synapse-config" = {`
			`owner = "matrix-synapse";`
			`group = "matrix-synapse";`
			`mode = "0664";`
			`};`

			`services.matrix-synapse = {`
			`enable = true;`
			`withJemalloc = true;`
			`dataDir = dirSynapse;`

			`extraConfigFiles = [config.sops.secrets."svc-synapse-synapse-config".path];`
			`settings = {`
			`server_name = domDelegate;`
			`listeners = [`
			`{`
			`bind_addresses = ["127.0.0.1"];`
			`port = httpIntPort;`
			`tls = false;`
			`type = "http";`
			`x_forwarded = true;`
			`resources = [`
			`{`
			`names = ["client" "federation"];`
			`compress = false;`
			`}`
			`];`
			`}`
			`];`
			`database = {`
			`name = "psycopg2";`
			`args = {`
			`user = "synapse";`
			`password = "synapse";`
			`database = "synapse";`
			`host = "127.0.0.1";`
			`port = dbIntPort;`
			`};`
			`};`
			`report_stats = false;`
			`};`
			`};`
			`}`