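# Dendrite (Matrix homeserver) for tzlil.net: PostgreSQL over a local unix
# socket, the signing key delivered via agenix + systemd credentials, and
# Caddy in front for TLS and the .well-known discovery endpoints.
{ pkgs, config, lib, inputs, ... }: {
  config = {
    # Homeserver signing key. Kept root-only on disk; the dendrite unit
    # (DynamicUser) gets a copy through LoadCredential below rather than
    # reading this path itself.
    age.secrets.matrix = {
      file = "${inputs.self}/secrets/matrix.age";
      mode = "600";
      owner = "root";
      group = "root";
    };

    services.dendrite = let
      # Shared by every dendrite component database. Connects over the unix
      # socket, so no database password is written into the config.
      database_config = {
        connection_string = "postgresql:///dendrite?host=/run/postgresql";
        max_open_conns = 10;
        max_idle_conns = 5;
      };
    in {
      enable = true;
      # Copied into $CREDENTIALS_DIRECTORY when the unit starts.
      # NOTE(review): the TLS cert/key are snapshotted from Caddy's ACME store
      # at start-up, so a certificate renewed by Caddy is not seen by dendrite
      # until the unit restarts. Either add a restart trigger or let Caddy
      # terminate TLS exclusively (see the :8448 note on ExecStart below).
      loadCredential = [
        "private_key:${config.age.secrets.matrix.path}"
        "tlsCert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.crt"
        "tlsKey:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net/tzlil.net.key"
      ];
      # tlsCert = "$CREDENTIALS_DIRECTORY/tlsCert";
      # tlsKey = "$CREDENTIALS_DIRECTORY/tlsKey";
      # httpPort = null;
      # httpsPort = 8448;
      settings = {
        global = {
          server_name = "tzlil.net";
          # Read from the systemd credentials directory, never from the age path.
          private_key = "$CREDENTIALS_DIRECTORY/private_key";
          # preserve across restarts
          jetstream.storage_path = "/var/lib/dendrite/";
          dns_cache = {
            enabled = true;
            cache_size = 4096;
            cache_lifetime = "600s";
          };
          presence = {
            enable_inbound = true;
            enable_outbound = true;
          };
          cache.max_size_estimated = "16gb";
        };
        # Notary servers trusted to vouch for other homeservers' signing keys.
        # The pinned public keys are the trust anchor for federation key
        # lookups; only update them from an authoritative source.
        federation_api.key_perspectives = [
          {
            server_name = "matrix.org";
            keys = [
              {
                key_id = "ed25519:auto";
                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
              }
              {
                key_id = "ed25519:a_RXGa";
                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
              }
            ];
          }
        ];
        # Every component shares the single dendrite database.
        app_service_api.database = database_config;
        federation_api.database = database_config;
        key_server.database = database_config;
        media_api.database = database_config;
        mscs.database = database_config;
        room_server.database = database_config;
        sync_api.database = database_config;
        user_api.account_database = database_config;
        user_api.device_database = database_config;
      };
    };

    # Overrides the module's ExecStart so the TLS material can be taken from
    # $CREDENTIALS_DIRECTORY (systemd expands it when launching the unit).
    # The plain-HTTP listener is bound to loopback only: its sole consumer is
    # the Caddy reverse proxy on this host, and the firewall below does not
    # open 8008, so nothing else is meant to reach it.
    # NOTE(review): dendrite binds :8448 here while Caddy also serves
    # "tzlil.net:8448" below; both cannot hold the same port, so one of the
    # two federation listeners has to be dropped.
    systemd.services.dendrite.serviceConfig.ExecStart = lib.mkForce (lib.strings.concatStringsSep " " [
      "${pkgs.dendrite}/bin/dendrite"
      "--config /run/dendrite/dendrite.yaml"
      "--http-bind-address 127.0.0.1:8008"
      "--https-bind-address :8448"
      "--tls-cert $CREDENTIALS_DIRECTORY/tlsCert"
      "--tls-key $CREDENTIALS_DIRECTORY/tlsKey"
    ]);

    services.postgresql = {
      enable = true;
      # NOTE(review): ensurePermissions has been deprecated in newer nixpkgs in
      # favour of ensureDBOwnership — confirm against the pinned revision.
      ensureUsers = [
        {
          name = "dendrite";
          ensurePermissions = {
            "DATABASE dendrite" = "ALL PRIVILEGES";
          };
        }
      ];
      ensureDatabases = ["dendrite"];
    };

    # not needed if i use /var/lib/private , DynamicUser can remap the permissions for the service
    # systemd.services.dendrite.serviceConfig.User = "dendrite";
    # systemd.services.dendrite.serviceConfig.Group = "dendrite";

    # State that must survive reboots on the impermanent root.
    environment.persistence."/nix/persist".directories = [
      {
        directory = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
        user = "postgres";
        group = "postgres";
      }
      {
        # root-owned on purpose: DynamicUser remaps /var/lib/private for the unit.
        directory = "/var/lib/private/dendrite";
        user = "root";
        group = "root";
      }
    ];

    # The database must be up before dendrite runs its migrations.
    systemd.services.dendrite.after = ["postgresql.service"];

    services.caddy = {
      # for federation
      virtualHosts."tzlil.net:8448".extraConfig = ''
        reverse_proxy /_matrix/* 127.0.0.1:8008
      '';
      # for clients
      # The wildcard CORS header on .well-known is what web clients need for
      # server discovery; only the static discovery documents carry it.
      virtualHosts."tzlil.net".extraConfig = ''
        reverse_proxy /_matrix/* 127.0.0.1:8008
        header /.well-known/matrix/* Content-Type application/json
        header /.well-known/matrix/* Access-Control-Allow-Origin *
        respond /.well-known/matrix/server `{"m.server": "tzlil.net"}`
      '';
    };

    # Only the federation port is exposed; 8008 stays host-local behind Caddy.
    networking.firewall.allowedTCPPorts = [8448];
  };
}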