From a65eb5d9197bc36bd95a58158347c110e4e864b2 Mon Sep 17 00:00:00 2001
From: tzlil
Date: Fri, 21 Apr 2023 16:39:58 +0300
Subject: working on matrix
---
 hosts/vps/hydrus.nix | 2 +-
 hosts/vps/matrix.nix | 132 +++++++++++++++++++++++++++++++++++++++++++++------
 secrets/matrix.age | Bin 0 -> 533 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 119 insertions(+), 16 deletions(-)
 create mode 100644 secrets/matrix.age
diff --git a/hosts/vps/hydrus.nix b/hosts/vps/hydrus.nix
index 2fe988e..6727ed7 100644
--- a/hosts/vps/hydrus.nix
+++ b/hosts/vps/hydrus.nix
@@ -25,7 +25,7 @@
 RestartSec = "5s";
 };
 };
-
+
 systemd.services.hydrus = {
 description = "Hydrus";
 wantedBy = [ "multi-user.target" "Xvnc.service" ];
diff --git a/hosts/vps/matrix.nix b/hosts/vps/matrix.nix
index 2d606b0..26095e1 100644
--- a/hosts/vps/matrix.nix
+++ b/hosts/vps/matrix.nix
@@ -4,25 +4,127 @@
 ...
 }: {
 config = {
- services.matrix-synapse = {
+ # services.matrix-synapse = {
+ # enable = true;
+ # settings.server_name = config.networking.domain;
+ # settings.listeners = [
+ # {
+ # port = 8008;
+ # bind_addresses = ["::1"];
+ # type = "http";
+ # tls = false;
+ # x_forwarded = true;
+ # resources = [
+ # {
+ # names = ["client" "federation"];
+ # compress = true;
+ # }
+ # ];
+ # }
+ # ];
+ # };
+ # networking.firewall.allowedTCPPorts = [80 443];
+
+ age.secrets = {
+ matrix = {
+ file = ../secrets/matrix.age;
+ mode = "600";
+ owner = "root";
+ group = "root";
+ };
+ };
+
+ services.dendrite = let
+ database_config = {
+ connection_string = "postgresql:///dendrite?host=/run/postgresql";
+ max_open_conns = 10;
+ max_idle_conns = 5;
+ }; in {
 enable = true;
- settings.server_name = config.networking.domain;
- settings.listeners = [
+
+ tlsCert = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt";
+ tlsKey = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key";
+
+ httpPort = null;
+ httpsPort = 8448;
+
+ loadCredential = ["private_key:${config.age.secrets.matrix.path}"];
+
+ settings = {
+ global = {
+ private_key = "$CREDENTIALS_DIRECTORY/private_key";
+
+ # preserve across restarts
+ jetstream.storage_path = "/var/lib/dendrite/";
+
+ dns_cache = {
+ enabled = true;
+ cache_size = 4096;
+ cache_lifetime = "600s";
+ };
+
+ presence = {
+ enable_inbound = true;
+ enable_outbound = true;
+ };
+
+ cache.max_size_estimated = "16gb";
+ };
+ federation_api.key_perspectives = [
+ {
+ server_name = "matrix.org";
+ keys = [
+ { key_id = "ed25519:auto"; public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; }
+ { key_id = "ed25519:a_RXGa"; public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; }
+ ];
+ }
+ ];
+
+ app_service_api.database = database_config;
+ federation_api.database = database_config;
+ key_server.database = database_config;
+ media_api.database = database_config;
+ mscs.database = database_config;
+ room_server.database = database_config;
+ sync_api.database = database_config;
+ user_api.account_database = database_config;
+ user_api.device_database = database_config;
+ };
+ };
+
+ postgresql = {
+ ensureUsers = [
 {
- port = 8008;
- bind_addresses = ["::1"];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = ["client" "federation"];
- compress = true;
- }
- ];
+ name = "dendrite";
+ ensurePermissions = {
+ "DATABASE dendrite" = "ALL PRIVILEGES";
+ };
 }
 ];
+
+ ensureDatabases = [ "dendrite" ];
 };
- networking.firewall.allowedTCPPorts = [80 443];
 };
+
+ # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service
+ # systemd.services.dendrite.serviceConfig.User = "dendrite";
+ # systemd.services.dendrite.serviceConfig.Group = "dendrite";
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = /var/lib/postgresql/${config.services.postgresql.package.psqlSchema};
+ user = "postgres";
+ group = "postgres";
+ }
+
+ {
+ directory = /var/lib/private/dendrite;
+ user = "root";
+ group = "root";
+ }
+ ];
+
+ systemd.services.dendrite.after = [ "postgresql.service" ];
+
+ networking.firewall.allowedTCPPorts = [8448];
+
 }
diff --git a/secrets/matrix.age b/secrets/matrix.age
new file mode 100644
index 0000000..80f357f
Binary files /dev/null and b/secrets/matrix.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ac101d3..57045f6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,4 +7,5 @@ let
 systems = [vm vps laptop];
 in {
 "id_ed25519.age".publicKeys = [tzlil] ++ systems;
+ "matrix.age".publicKeys = [tzlil vps];
 }
-- cgit 1.4.1
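Review bot: The new `tlsCert`/`tlsKey` lines in the `services.dendrite` block point the homeserver straight at Caddy's ACME private key under `/var/lib/caddy/.local/share/caddy/certificates/...`, and nothing in the hunk shows how a DynamicUser service (the commented-out `serviceConfig.User`/`Group` lines suggest that is the intent) gets read access to that file; if such access is granted, a compromise of the Dendrite process also exposes the site's TLS private key, and the in-memory key presumably goes stale after Caddy renews the certificate until the service is restarted. The removed Synapse configuration already terminated TLS in front of the server (`bind_addresses = ["::1"]`, `x_forwarded = true`), so the lower-risk shape is to keep TLS in Caddy, expose Dendrite on a proxied `httpPort` with `httpsPort = null`, and drop the two hard-coded certificate paths, which also removes the literal `tzlil.net` where the old config used `config.networking.domain`. If Dendrite must serve 8448 with its own TLS, hand the key over the same way the signing key is handed over, via `loadCredential`, rather than widening permissions on Caddy's certificate directory. The `age.secrets.matrix` entry with `mode = "600"` plus `loadCredential` and `$CREDENTIALS_DIRECTORY/private_key` is the right pattern for the signing key; the same care should apply to the TLS key.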