nixos: Initial Synapse

nixos/boxes/colony/vms/shill/containers/chatterbox.nix

@@ -15,7 +15,7 @@
       };
     };
 
-    configuration = { lib, pkgs, config, assignments, ... }:
+    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
     let
       inherit (lib) mkMerge mkIf;
       inherit (lib.my) networkdAssignment;
@@ -28,8 +28,11 @@
             server.enable = true;
 
             secrets = {
-              #key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkly/tnPmoX05lDjEpQOkllPqYA0PY92pOKqvx8Po02";
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1ajgIF5V14bf9Zol567k2ieeg1zEd1vJ6gXkydE5UT";
-              files."synapse.yaml" = {};
+              files."synapse.yaml" = {
+                owner = "matrix-synapse";
+                group = "matrix-synapse";
+              };
             };
 
             firewall = {
@@ -42,13 +45,80 @@
           };
 
           services = {
-            #matrix-synapse = {
+            matrix-synapse = {
-            #  enable = true;
+              enable = true;
-            #  withJemalloc = true;
+              withJemalloc = true;
-            #  settings = {
 
-            #  };
+              extraConfigFiles = [ config.age.secrets."synapse.yaml".path ];
-            #};
+              settings = {
+                server_name = "nul.ie";
+                public_baseurl = "https://matrix.nul.ie";
+                admin_contact = "dev@nul.ie";
+                prescence.enabled = true;
+
+                listeners = [
+                  {
+                    port = 8008;
+                    type = "http";
+                    tls = false;
+                    x_forwarded = true;
+                    resources = [
+                      {
+                        compress = false;
+                        names = [ "client" "federation" ];
+                      }
+                    ];
+                  }
+                  {
+                    port = 9000;
+                    bind_addresses = [ "127.0.0.1" "::1" ];
+                    type = "manhole";
+
+                    # The NixOS module has defaults for these that we need to override since they don't make sense here
+                    tls = false;
+                    resources = [];
+                  }
+                ];
+                # Even public options must be in the secret file because options are only merged at the top level.
+                # Let's just override the defaults in the base config to keep Nix happy
+                database = {
+                  name = "sqlite3";
+                  args.database = "/dev/null";
+                };
+
+                #media_store_path = "/var/lib/synapse-media";
+                max_upload_size = "1024M";
+                dynamic_thumbnails = true;
+                url_preview_enabled = true;
+                url_preview_ip_range_blacklist = [
+                  "127.0.0.0/8"
+                  "10.0.0.0/8"
+                  "172.16.0.0/12"
+                  "192.168.0.0/16"
+                  "100.64.0.0/10"
+                  "192.0.0.0/24"
+                  "169.254.0.0/16"
+                  "192.88.99.0/24"
+                  "198.18.0.0/15"
+                  "192.0.2.0/24"
+                  "198.51.100.0/24"
+                  "203.0.113.0/24"
+                  "224.0.0.0/4"
+                  "::1/128"
+                  "fe80::/10"
+                  "fc00::/7"
+                  "2001:db8::/32"
+                  "ff00::/8"
+                  "fec0::/10"
+                ] ++ (with lib.my.colony.prefixes; [ all.v4 all.v6 ]);
+                url_preview_ip_range_whitelist =
+                  with allAssignments.middleman.internal;
+                  [ ipv4.address ipv6.address ];
+
+                enable_registration = false;
+                allow_guest_access = false;
+              };
+            };
           };
         }
         (mkIf config.my.build.isDevVM {

nixos/boxes/colony/vms/shill/containers/colony-psql.nix

@@ -6,6 +6,7 @@
     assignments = {
       internal = {
         name = "colony-psql-ctr";
+        altNames = [ "colony-psql" ];
         domain = lib.my.colony.domain;
         ipv4.address = "${lib.my.colony.start.ctrs.v4}4";
         ipv6 = {
@@ -45,6 +46,11 @@
               package = pkgs.postgresql_14;
               enable = true;
               enableTCPIP = true;
+
+              authentication = with lib.my.colony.prefixes; ''
+                host all all ${all.v4} md5
+                host all all ${all.v6} md5
+              '';
               ensureUsers = [
                 {
                   name = "root";

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -3,5 +3,6 @@
     ./middleman
     ./vaultwarden.nix
     ./colony-psql.nix
+    ./chatterbox.nix
   ];
 }

nixos/boxes/colony/vms/shill/default.nix

@@ -104,6 +104,7 @@
                 middleman = {};
                 vaultwarden = {};
                 colony-psql = {};
+                chatterbox = {};
               };
             };
           }

nixos/modules/tmproot.nix

@@ -245,6 +245,15 @@ in
           }
         ];
       })
+      (mkIf config.services.matrix-synapse.enable {
+        my.tmproot.persistence.config.directories = [
+          {
+            directory = config.services.matrix-synapse.dataDir;
+            user = "matrix-synapse";
+            group = "matrix-synapse";
+          }
+        ];
+      })
       (mkIf config.my.build.isDevVM {
         fileSystems = mkVMOverride {
           # Hijack the "root" device for persistence in the VM

secrets/synapse.yaml.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 FAIX7A 65LI0Fvoezo5osErygJNYp5d8LhvABZpD5SjjBlvCBc
+-> ssh-ed25519 FAIX7A 1P9UO3/Yn0osO1W4zxm6SgkJwGYaqyYGU38QpNtN3nM
-jsez8jYQjFgR66hJtj3NfD+ugkfuc5CQ2PpLatOstMY
+GZcsY52UYsuJUEAFL4j4kxV2A2D4iS4JQE9iOSZHMn4
--> X25519 JpPee9xg9YoHwwUk8OCYuZQJdq0yYhsJtUFHwumHvSc
+-> X25519 inCZutigxecNFFhLn6+PNTHdwn3VLnR7TIeEF1ROpRU
-MZUCvUjHCS65dBvT/7eNtT+cydIAqa7BAXGBJrP1/Yg
+43LkgwpJozQXBU+mBnj9QW2u6Ay2LOprYI5Al2v6LNk
--> j-grease `YENpG`_
+-> 3Y-grease
-7kJXScC89DIP3niPa5sEf8rQQfXCTztTrAyhq8fv/eIFUhWqE1P7TebzPCuE6XeA
+6Fn9H5/BnHQhLEhAYCJ/sJ2h9/29Bvt9BTEuWF6M071W9YG+g1CLgApN3dW4pFkl
-p0WTNfd0xsZJ7d+PIK/HLhPFRS2wKaYfHXXCYtJsFK/tbRz522f9O/YH
+oTeaF9xeMPv/wdBWRyZjbg
---- EI8mVA7L/VX9EBG3hvME3sznKAVacRjqRFbcGDhvhSM
+--- TCIr5y4Z9uWZexDP4jb1o2k/h6rd/7O2UHjPxNaTjm0
-Ù;ó§'ÖÉ<C396>K}9D,h€<11>:l<><‹‘h“1DØæTEæ»ÿT3VÕ|u<>l4X­™”_ÍXÍE\÷u! B2téZ¯Òu‘b5¿»ˆ‘h
;«
+xÃf«ƒÀµ9dgÏhò•Ô`N¶;¡fÖr`¯úê÷†$¬ý¢Óû˜ÑŸO¡Pí™;€€º¶抑ùíÌâùAÙtꩱòil´TKã%…<><E280A6>ÙM•ñÊ:ùˆÈŽÏ/Öû'´”5-³«xELÚäly@÷Á	ÈNÃH/¯cby0kµ„UU´S镨Œ„"|ÖßAëƒ=ö*î¡Û²zÀ.

secrets/user-passwd.txt.age

@@ -1,21 +1,21 @@
 age-encryption.org/v1
--> ssh-ed25519 SKXJUw CsKtHFHS/9MNiNGT/O+bxx+btotr9riXwJWgHAplcXQ
+-> ssh-ed25519 FAIX7A PkWyLLijQZgNyFSvjEcWkYTYIyOpbxsu69hczCKx1g4
-W6kL/S4y1aFstYGOIhrwJfXx2uhswH3uSdyJzRCAtHM
+qGruVJb5SjTNm6EhRMbaO+aZc8hXQdU9jcfRN4CVAC8
--> ssh-ed25519 wbGjmA 7em05wqUq9PA9CZ9MlnNSxdeknvN0lrS0yYxUTtGawE
+-> ssh-ed25519 SKXJUw JIFQcXOdHl/9uLcvmriKLBmtXEHKrKUII99KgOkqPFI
-TyAI9Pu0DJodhdT5sBodIaBxPg3VBmXcq18IIHtFs3I
+ODO2TuI3VYWcPJnwAmpQi38a8CXV0C6pAFwd5otrh+w
--> ssh-ed25519 B9K/XQ ZAVd8XBFPOJ6hC2WunnkGmEifYOHcUhYQIi4gvsLajc
+-> ssh-ed25519 wbGjmA rZm8T6+N1cw3vpXrtrAIufUdjTpzu8wXLsERZAjVwHQ
-5hPdqVBWi9OtqQPyq4gz4CX6vVpuLGQURufTCnDNYgM
+MdfU6LwTZpiBEJwVvsY+BPUmN+955Ty1Xc6c0PfwH+o
--> ssh-ed25519 H162lQ wKj8wzesVAOzm5o4VB9NEBSr+xlr0VjR/A48NL+6uls
+-> ssh-ed25519 B9K/XQ XQiWYiYiEcVrrcjkel5TDwZSxIommrxk1cVNvDoiFSo
-lpmijvrflnMeVT6R2YcUmLFljFxZsTeVziErcQ7GKuk
+EE7VDprouGZ/MpNFPjhh7TSr1jzr0ZeIOmmO3G6JAeU
--> ssh-ed25519 b6YMqg ykVDRMnyBsh6+HN/A/5lT3K36wgJZggIcjlsPSc3byM
+-> ssh-ed25519 H162lQ ce5lAulJBRSzeCKnJBNuSy1HE1R5TG20Wdx5kavPNTg
-HF5qzv2Lf2s87OHi/0++shAjF4+xr5NAHL/9lncMHRU
+BPXI69PEmSP0BmO3f8MAPqGyBR29hts798DbevMUATg
--> ssh-ed25519 Lqn0Yw 4+F3gxpsI9QnbCHWpLz29CUj3RAeXSH7PHkuFw3E7T8
+-> ssh-ed25519 b6YMqg w0JygLSUv/Y5j1zWlUY5zoeTwX3s+URX1yJxc99rg1Y
-yzZAylZ7QAV7ufljd4VEBys8sNd8JodWqN5f0JzRI/g
+01VfQiWgldlCBNPTBoudyKVpXXfVbrXhaVMq+MBFhVM
--> X25519 YMeCBP/yDOGPs04ihx7NkZSpqEotUHKs3yMRkg9JWAI
+-> ssh-ed25519 Lqn0Yw TWRasWvKcfxukcFX95KJ6QnRwNfJSF/RCz40IrsfSGY
-Li1FOGm6NIAPGVQRj3HYiyKiR/ZSk35vnOK/ia59IQU
+/CSufoexTjNSVK225VjCD3pm/z2gK6Moud7fST9tjuc
--> tjxC(g-grease
+-> X25519 bFnUlqUCBjMxEPrBiMpOeQTqR4qpmBQhMzIvtLKuHUk
-817wn107V7X7yjCXvKBMt/55PWcEYdm6ZDOdoZC5A3s+iRFVpLvGmxlkEVxQCqsA
+PEYj+yEbPfUWDKRTsYMUPUcM+i3KZ0Zu0YQ4JE3zFEE
-K4WG/Ye5PC/raEjsS8/6AqHs4E+JSfuZjm47fVclbu3kp8Yu3BaLEa9glucxBQbc
+-> T-grease NFmx4<h Dqu[ eL! o!=j{Ly
-X0A
++LGjt+Z9HFtj3TJDY1Y41Q
---- C/lfT3RLOrCR2mOv6Q0aDyEVUrq4GzdVpHhj7Ly2ov4
+--- 4QYQUgsOOGqXgYQ+PxShmUhezpwPXOEIKcEIfcFAFdk
-§&„Ǩ<C387>äò<C3A4><C3B2>q)È	Whº<68>ÀŠŸ&3œ‚M}]R§E<C2A7>e%ÝtXýˆˆŒ*X˜l
ï¹0­hûl[@ö]8'G><3E>ÊpþeSf°Ý™™®ÀóPËÃÛJYÛ”Fª¸Lz¿¨1ñ¨?<3F>ƒ»¬"ݲ­Üÿε•)àœG¡ÀËêª_ºÐÜõí
+€sÞ‚Ê=_ØnwzœÏߚ؉+5~¸ë›äTãGãË-}R‰hOv˜†[Tr°sH<÷@»£ŠªÄ¨Í²°ì•zÀèW¸QaÝšô§údTŠœØ@vœoBÛ¦¦ÜO•âMÙ“Çd(hX帼¶m÷v᥆X£-Qpä*¤u‰y<E280B0>S⻓c1ˆ3³ÐÆë

secrets/vaultwarden.env.age

@@ -1,12 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 Lqn0Yw 527NE0GoR6SQTwb1hmgpxn4APXMb2oW3/VNjjbwtnx8
+-> ssh-ed25519 Lqn0Yw COtpnkiIOsiZ6sI7GpZW6DSrMdP+V8SFm+G6VSx6Tlg
-9jWxt9FYx8G4pyPVtU8mp33QuurzQHI4Npt+79ej2qU
+foNXyNZ/u5RVNdijDQr0mGn5BQaPDhOqLhD9gxEP5e4
--> X25519 wW5ClCuDyZvFJOA/aeitGr5yr29DOdULnUlPRz1sDk0
+-> X25519 xbW4hHBb8lJ9fIwnRsfBpTmLGO74ZBkwmdXpWQ1H9CA
-db70JP2sIH3T8NsMHqnTCGNE1tY7PyjGKOKmzNE632Q
+ucFk4TvPIxiQNyuNgQ/dHKy+p9LvePmwWLYd2e60AT0
--> zGd-grease * _!K!a] 3C\vn
+-> "d-grease
-sOkK0VjY4v3j6XcG
+7zl7veXnoG49diEebRbI1ok+U0CMgjo7AQK8rsCsOa4tDR8L460m4CfSOSEMEqzK
---- CHljgmb9kcrECrIM2Ve+Wp5AkGWeIQb0Bhh9sgEtD5U
+QjEjuxC9NY0liwnNsRLNWccKxa3V1LQLL68RhA
-K=ÖX÷K9	¸,¬q†ËjžŸÚ)=G›¹au{N
VœÐé‰,<2C>«2N$€wþ‡
+--- exAOdELiQNGSJcweG5qVkiX4SLNMq8x9uNyp77pCrWA
-×kzO¸@‡‘¸#É
FµøÇ<C3B8>
+B·;Ö	ØiAîöo,ULbñ(ÂG«eÛa?HÄØ‹åƉÆ f¸«ÔhzàÛë+«š^¯¿”²°iŒj0Ô%ΫKìÄ<C3AC>¸Íö3<>azsðU]ô§LŒ!Y×ÇD>v|â'W!!¥ÍêKÕ'
- ¾ÕÛÌ»CF­Åâ3ã³PzNG,3Pw]-VÊžo«Ôžm„zÉ
-ó¯<EFBFBD>ð²e