nixos/chatterbox: Add Matrix sliding sync proxy

Also fix nginx upstream definitions

lib/constants.nix

@@ -1,4 +1,13 @@
 { lib }: rec {
+  ids = {
+    uids = {
+      matrix-syncv3 = 400;
+    };
+    gids = {
+      matrix-syncv3 = 400;
+    };
+  };
+
   nginx = {
     proxyHeaders = ''
       # Setting any proxy_header in a child (e.g. location) will nuke the parents...

nixos/boxes/colony/vms/shill/containers/chatterbox.nix

@@ -22,7 +22,7 @@ in
 
     configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
     let
-      inherit (lib) mkMerge mkIf;
+      inherit (lib) mkMerge mkIf mkForce;
       inherit (lib.my) networkdAssignment;
     in
     {
@@ -43,16 +43,41 @@ in
                   owner = "matrix-synapse";
                   group = "matrix-synapse";
                 };
+                "chatterbox/syncv3.env" = {
+                  owner = "matrix-syncv3";
+                  group = "matrix-syncv3";
+                };
               };
             };
 
             firewall = {
-              tcp.allowed = [ 19999 8008 ];
+              tcp.allowed = [ 19999 8008 8009 ];
+            };
+          };
+
+          users = with lib.my.c.ids; {
+            users = {
+              matrix-syncv3 = {
+                isSystemUser = true;
+                uid = uids.matrix-syncv3;
+                group = "matrix-syncv3";
+              };
+            };
+            groups = {
+              matrix-syncv3.gid = gids.matrix-syncv3;
             };
           };
 
           systemd = {
             network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+            services = {
+              matrix-sliding-sync.serviceConfig = {
+                # Needs to be able to read its secrets
+                DynamicUser = mkForce false;
+                User = "matrix-syncv3";
+                Group = "matrix-syncv3";
+              };
+            };
           };
 
           services = {
@@ -142,6 +167,16 @@ in
                   "/var/lib/heisenbridge/registration.yml"
                 ];
               };
+
+              sliding-sync = {
+                enable = true;
+                createDatabase = false;
+                environmentFile = config.age.secrets."chatterbox/syncv3.env".path;
+                settings = {
+                  SYNCV3_BINDADDR = "[::]:8009";
+                  SYNCV3_SERVER = "http://localhost:8008";
+                };
+              };
             };
 
             heisenbridge = {

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -4,6 +4,7 @@ let
   inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
   inherit (lib.my.c) pubDomain;
   inherit (lib.my.c.nginx) proxyHeaders;
+  inherit (config.networking) domain;
 
   dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
   dualStackListen = ll: flatten (map dualStackListen' ll);
@@ -34,6 +35,7 @@ let
       # For clients
       (mkWellKnown "matrix/client" (toJSON {
         "m.homeserver".base_url = "https://matrix.nul.ie";
+        "org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
       }))
     ];
   };
@@ -121,7 +123,7 @@ in
             "~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
             "~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
               {
-                proxyPass = "http://$behost.${config.networking.pubDomain}:19999/$ndpath$is_args$args";
+                proxyPass = "http://$behost.${domain}:19999/$ndpath$is_args$args";
                 extraConfig = ''
                   proxy_pass_request_headers on;
                   ${proxyHeaders}
@@ -143,7 +145,7 @@ in
 
       "pass.${pubDomain}" =
       let
-        upstream = "http://vaultwarden-ctr.${config.networking.pubDomain}";
+        upstream = "http://vaultwarden-ctr.${domain}";
       in
       {
         locations = {
@@ -173,13 +175,17 @@ in
         ];
         locations = mkMerge [
           {
-            "/".proxyPass = "http://chatterbox-ctr.${config.networking.pubDomain}:8008";
+            "/".proxyPass = "http://chatterbox-ctr.${domain}:8008";
             "= /".return = "301 https://element.${pubDomain}";
           }
           wellKnown
         ];
         useACMEHost = pubDomain;
       };
+      "matrix-syncv3.${pubDomain}" = {
+        locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
+        useACMEHost = pubDomain;
+      };
 
       "element.${pubDomain}" =
       let
@@ -233,7 +239,7 @@ in
         {
           locations."/" = mkMerge [
             {
-              proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9091";
+              proxyPass = "http://jackflix-ctr.${domain}:9091";
             }
             (ssoLoc "generic")
           ];
@@ -246,7 +252,7 @@ in
         {
           locations."/" = mkMerge [
             {
-              proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:9117";
+              proxyPass = "http://jackflix-ctr.${domain}:9117";
             }
             (ssoLoc "generic")
           ];
@@ -258,7 +264,7 @@ in
         {
           locations."/" = mkMerge [
             {
-              proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:7878";
+              proxyPass = "http://jackflix-ctr.${domain}:7878";
               proxyWebsockets = true;
               extraConfig = proxyHeaders;
             }
@@ -272,7 +278,7 @@ in
         {
           locations."/" = mkMerge [
             {
-              proxyPass = "http://jackflix-ctr.${config.networking.pubDomain}:8989";
+              proxyPass = "http://jackflix-ctr.${domain}:8989";
               proxyWebsockets = true;
               extraConfig = proxyHeaders;
             }
@@ -285,7 +291,7 @@ in
 
       "jackflix.${pubDomain}" =
       let
-        upstream = "http://jackflix-ctr.${config.networking.pubDomain}:8096";
+        upstream = "http://jackflix-ctr.${domain}:8096";
       in
       {
         extraConfig = ''
@@ -335,17 +341,17 @@ in
             "/".tryFiles = "$uri @proxy";
 
             "^~ /api/v1/streaming" = {
-              proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55000";
+              proxyPass = "http://toot-ctr.${domain}:55000";
               proxyWebsockets = true;
               extraConfig = ''
                 ${proxyHeaders}
                 proxy_set_header Proxy "";
 
-                add_header Strict-Transport-Security "max-age=63072000; includeSubpubDomains";
+                add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
               '';
             };
             "@proxy" = {
-              proxyPass = "http://toot-ctr.${config.networking.pubDomain}:55001";
+              proxyPass = "http://toot-ctr.${domain}:55001";
               proxyWebsockets = true;
               extraConfig = ''
                 ${proxyHeaders}
@@ -366,7 +372,7 @@ in
 
       "share.${pubDomain}" = {
         locations."/" = {
-          proxyPass = "http://object-ctr.${config.networking.pubDomain}:9090";
+          proxyPass = "http://object-ctr.${domain}:9090";
           proxyWebsockets = true;
           extraConfig = proxyHeaders;
         };
@@ -388,7 +394,7 @@ in
 
     minio =
     let
-      host = "object-ctr.${config.networking.pubDomain}";
+      host = "object-ctr.${domain}";
       s3Upstream = "http://${host}:9000";
       extraConfig = ''
         chunked_transfer_encoding off;
@@ -443,7 +449,7 @@ in
 
     defaultsFor = mapAttrs (n: _: {
       onlySSL = mkDefault true;
-      useACMEHost = mkDefault "${config.networking.pubDomain}";
+      useACMEHost = mkDefault "${domain}";
       kTLS = mkDefault true;
       http2 = mkDefault true;
     });

secrets/chatterbox/syncv3.env.age

@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpCM2U2USBYUTlr
+Mm1ubFFPTHhhb3NERHJPaXoxamt5bUtqQmRkUTFGZCsvaUtyZGdrCmVNUEtrSTVQ
+MkdHWnd1OTNSN3lOaFdrdWsxUHM2S0VZVlNRWGt4R0FyZ0UKLT4gWDI1NTE5IFNZ
+QUhpVU04WWpEZThEaE82WDJvT3NVVWxNRVFEZjluVW8rbGhOQ0Rua0kKOWlZYlFh
+RjduNDAwS0NJa0lPNmx6dmIvdmFtcXJyaG5FQ2hVU01qby9sTQotPiBVJjEhLWdy
+ZWFzZSBOYyllZE4KV0lYMmErd3RvUWp1UVRvdlpKTUZWWlJHK1laN2FoZGh2aVlM
+dTdLbWZsVkozVTBwb2JyeGpFMy9FcjR0eDhxQQpUL05uT2ZSUytNV01wMjFYRWZL
+NTRkSmlkcUl4LzJYTDQwMm43cVJVeTdkY0dxdkI1ZjA3Z2NoU3NBCi0tLSB4Y3lV
+UVphTEtIWFhVQ1h4MUZzNDYzSEhDUFpMcE1ZdFNtd1A2Rk5lMUhRCp/F11nGICQA
+L5uInKKk8jVGzpG93U4Kz3zut6jGF/is4cVuvkRHZLKiUVC4kILirdinnbxlJY2Y
+Gkpef0zthmNhfFhsgjj5Tmxyiu1L+6GkY0z2GlKR8uRUG4bXsDQzDkZQm8Wcmrrt
+9lG04SI0Dj7Gc2HJEwjl7ZPBi9qnFU49on+/Y5DIpzTllgE7luduFLjLM2Q+kNGK
+cU8cF+gvrpyAFytiUZ3jhATtXsqC0dzsugjj8pmT1WQzZd6iqVJ84G2pMg+boVyn
+aVLGrcn3qOnIIJLKrYEjyxSYMGs=
+-----END AGE ENCRYPTED FILE-----