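# NixOS module: Matrix homeserver (Dendrite) backed by the local PostgreSQL
# instance, with its signing key delivered through agenix + systemd credentials.
#
# Fix: in the original, the `config = { ... };` attribute set was closed right
# after the postgresql block, which left `environment.persistence`,
# `systemd.services.dendrite.after` and `networking.firewall.allowedTCPPorts`
# as siblings of `config` (the module system rejects a module that mixes a
# top-level `config` with other option attributes), and `postgresql` sat
# directly under `config` instead of under `services`. All option definitions
# now live inside `config`, and the PostgreSQL settings are under
# `services.postgresql`.
{
  pkgs,
  config,
  ...
}: let
  # One shared database block for every Dendrite component; all of them reach
  # the local PostgreSQL server over its unix socket (peer authentication, no
  # password in the connection string).
  database_config = {
    connection_string = "postgresql:///dendrite?host=/run/postgresql";
    max_open_conns = 10;
    max_idle_conns = 5;
  };

  # Dendrite terminates TLS itself using the certificate Caddy obtained for
  # tzlil.net.
  # NOTE(review): the dendrite service user must be able to read this directory
  # and the key file, and a rotated key is only picked up once the unit
  # restarts — confirm both on the host.
  caddyCertDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tzlil.net";

  # Decrypted signing key, as placed by agenix at activation time.
  matrixKeyFile = config.age.secrets.matrix.path;
in {
  config = {
    # An earlier services.matrix-synapse setup (listening on [::1]:8008 for the
    # client and federation resources, with ports 80/443 opened) is not used;
    # Dendrite serves federation directly on 8448 instead.
    networking.firewall.allowedTCPPorts = [8448];

    # Dendrite must not start before the database socket exists.
    systemd.services.dendrite.after = ["postgresql.service"];

    # Encrypted signing key: root-only on disk, handed to the unit through
    # `loadCredential` below rather than read from the filesystem by the
    # service itself.
    age.secrets.matrix = {
      file = ../secrets/matrix.age;
      mode = "600";
      owner = "root";
      group = "root";
    };

    # NOTE(review): `services.postgresql.enable` is not set in this module;
    # `ensureUsers`/`ensureDatabases` only take effect if PostgreSQL is enabled
    # elsewhere in the configuration — confirm.
    services.postgresql = {
      ensureDatabases = ["dendrite"];
      ensureUsers = [
        {
          name = "dendrite";
          # NOTE(review): `ensurePermissions` is deprecated on newer NixOS
          # releases in favour of `ensureDBOwnership`; check the release this
          # host tracks before upgrading.
          ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
        }
      ];
    };

    services.dendrite = {
      enable = true;
      tlsCert = "${caddyCertDir}/tzlil.net.crt";
      tlsKey = "${caddyCertDir}/tzlil.net.key";
      # TLS only: no plaintext HTTP listener.
      httpPort = null;
      httpsPort = 8448;
      # systemd exposes the key under $CREDENTIALS_DIRECTORY/private_key.
      loadCredential = ["private_key:${matrixKeyFile}"];
      settings = {
        global = {
          private_key = "$CREDENTIALS_DIRECTORY/private_key";
          # Keep the JetStream store on disk so it survives restarts.
          jetstream.storage_path = "/var/lib/dendrite/";
          dns_cache = {
            enabled = true;
            cache_size = 4096;
            cache_lifetime = "600s";
          };
          presence = {
            enable_inbound = true;
            enable_outbound = true;
          };
          cache.max_size_estimated = "16gb";
        };
        # Notary server trusted for fetching other homeservers' signing keys;
        # the pinned values are matrix.org's published public keys.
        federation_api.key_perspectives = [
          {
            server_name = "matrix.org";
            keys = [
              { key_id = "ed25519:auto"; public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; }
              { key_id = "ed25519:a_RXGa"; public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; }
            ];
          }
        ];
        # Every component uses the same local database.
        app_service_api.database = database_config;
        federation_api.database = database_config;
        key_server.database = database_config;
        media_api.database = database_config;
        mscs.database = database_config;
        room_server.database = database_config;
        sync_api.database = database_config;
        user_api.account_database = database_config;
        user_api.device_database = database_config;
      };
    };

    # No explicit User/Group for the unit: with DynamicUser the service state
    # lives under /var/lib/private and ownership is remapped automatically.
    environment.persistence."/nix/persist".directories = [
      {
        directory = /var/lib/postgresql/${config.services.postgresql.package.psqlSchema};
        user = "postgres";
        group = "postgres";
      }
      {
        directory = /var/lib/private/dendrite;
        user = "root";
        group = "root";
      }
    ];
  };
}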