-rw-r--r--flake.lock18
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--hosts/surtr/matrix/default.nix107
3 files changed, 63 insertions, 63 deletions
diff --git a/flake.lock b/flake.lock
index a6270724..b1e62113 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,11 +46,11 @@
46 ] 46 ]
47 }, 47 },
48 "locked": { 48 "locked": {
49 "lastModified": 1645970334, 49 "lastModified": 1646559628,
50 "narHash": "sha256-6nn4YF9bPtkxkB7bM6yJO3m//p3sGilxNQFjm1epLEM=", 50 "narHash": "sha256-WDoqxH/IPTV8CkI15wwzvXYgXq9UPr8xd8WKziuaynw=",
51 "owner": "nix-community", 51 "owner": "nix-community",
52 "repo": "home-manager", 52 "repo": "home-manager",
53 "rev": "ea85f4b1fdf3f25cf97dc49f4a9ec4eafda2ea25", 53 "rev": "afe96e7433c513bf82375d41473c57d1f66b4e68",
54 "type": "github" 54 "type": "github"
55 }, 55 },
56 "original": { 56 "original": {
@@ -62,11 +62,11 @@
62 }, 62 },
63 "nixpkgs": { 63 "nixpkgs": {
64 "locked": { 64 "locked": {
65 "lastModified": 1646135945, 65 "lastModified": 1646849019,
66 "narHash": "sha256-AjOuxMoIEHI6fSck5Ew6UKW2urIgrIEIcAHOvXjkBA4=", 66 "narHash": "sha256-HDdVmjkHQFIxYGZST7jFEueWdx/dXIY1bQP+dsVXS/M=",
67 "owner": "NixOS", 67 "owner": "NixOS",
68 "repo": "nixpkgs", 68 "repo": "nixpkgs",
69 "rev": "e3c78ec446db310c01504dca6cb7ee4cba0f8a7d", 69 "rev": "60e275ec4148969d0832f27ea2e138a914b8da12",
70 "type": "github" 70 "type": "github"
71 }, 71 },
72 "original": { 72 "original": {
@@ -91,11 +91,11 @@
91 ] 91 ]
92 }, 92 },
93 "locked": { 93 "locked": {
94 "lastModified": 1645891244, 94 "lastModified": 1646696263,
95 "narHash": "sha256-Pu3a97Zn0PpWi/prTyD9TulCmxyeVnlqofor+yScRD8=", 95 "narHash": "sha256-a+6WgDoU2fd4bbSFMqK67i/ZTPzia29otmyeODa1uDU=",
96 "owner": "Mic92", 96 "owner": "Mic92",
97 "repo": "sops-nix", 97 "repo": "sops-nix",
98 "rev": "afb0d686dced029ea720c466f693c12ebfd4107b", 98 "rev": "4e21493d34f7485a568e05b9cbefa11fe047ecd3",
99 "type": "github" 99 "type": "github"
100 }, 100 },
101 "original": { 101 "original": {
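--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
 defaultBitSize = 4096;
 params = {
 nginx = {};
-matrix-synapse = {};
 coturn = {};
 };
 stateful = true;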
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 09b5c125..07c445b7 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib;
6 config = { 6 config = {
7 services.matrix-synapse = { 7 services.matrix-synapse = {
8 enable = true; 8 enable = true;
9 enable_metrics = true;
10 9
11 enable_registration = true; 10 settings = {
12 allow_guest_access = false; 11 enable_metrics = true;
12
13 enable_registration = true;
14 allow_guest_access = false;
15
16 server_name = "synapse.li";
17
18 listeners = [
19 { bind_addresses = ["::1" "127.0.0.1"];
20 port = 8008;
21 resources = [
22 { names = [ "client" "federation" ];
23 compress = false;
24 }
25 ];
26 tls = false;
27 type = "http";
28 x_forwarded = true;
29 }
30 ];
13 31
14 server_name = "synapse.li"; 32 tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
33 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
15 34
16 listeners = [ 35 turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
17 { bind_address = "localhost"; 36 turn_user_lifetime = "1h";
18 port = 8008; 37
19 resources = [ 38 refreshable_access_token_lifetime = "5m";
20 { names = [ "client" "federation" ]; 39 # nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
21 compress = false; 40 refresh_token_lifetime = "1w";
22 } 41 registration_requires_token = true;
23 ];
24 tls = false;
25 type = "http";
26 x_forwarded = true;
27 }
28 ];
29 42
30 tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem"; 43 admin_contact = "mailto:matrix-admin@yggdrasil.li";
31 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
32 tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
33 44
34 turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"]; 45 url_preview_enabled = true;
35 turn_user_lifetime = "1h"; 46 url_preview_ip_range_blacklist = [
47 "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
48 "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
49 "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
50 "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
51 "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
52 "fec0::/10" "2a03:4000:52:ada::/64"
53 ];
54 url_preview_ip_range_whitelist = [
55 "2a03:4000:52:ada::/128"
56 ];
57
58 max_upload_size = "500M";
59
60 trusted_key_servers = [
61 { server_name = "matrix.org";
62 }
63 { server_name = "vector.im";
64 }
65 ];
66 suppress_key_server_warning = true;
67 };
36 68
37 extraConfigFiles = [ 69 extraConfigFiles = [
38 "/run/credentials/matrix-synapse.service/registration.yaml" 70 "/run/credentials/matrix-synapse.service/registration.yaml"
39 "/run/credentials/matrix-synapse.service/turn-secret.yaml" 71 "/run/credentials/matrix-synapse.service/turn-secret.yaml"
40 (pkgs.writeText "homeserver.yaml" (generators.toYAML {} {
41 "refreshable_access_token_lifetime" = "5m";
42 # "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
43 "refresh_token_lifetime" = "1w";
44 "registration_requires_token" = true;
45
46 "admin_contact" = "mailto:matrix-admin@yggdrasil.li";
47
48 "url_preview_enabled" = true;
49 "url_preview_ip_range_blacklist" = [
50 "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
51 "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
52 "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
53 "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
54 "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
55 "fec0::/10" "2a03:4000:52:ada::/64"
56 ];
57 "url_preview_ip_range_whitelist" = [
58 "2a03:4000:52:ada::/128"
59 ];
60
61 "max_upload_size" = "500M";
62
63 "trusted_key_servers" = [
64 { "server_name" = "matrix.org";
65 }
66 { "server_name" = "vector.im";
67 }
68 ];
69 "suppress_key_server_warning" = true;
70 }))
71 ]; 72 ];
72 }; 73 };
73 sops.secrets."matrix-synapse-registration.yaml" = { 74 sops.secrets."matrix-synapse-registration.yaml" = {
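Review bot: `tls_certificate_path` and `tls_private_key_path` (new lines 32–33) are kept while `tls_dh_params_path` is dropped and the only listener in the new `listeners` block has `tls = false`, so nothing in this file terminates TLS with those files; a one-line comment stating why the certificate paths remain (for example `# TLS is terminated by the reverse proxy; cert paths kept because Synapse still reads them at start-up — confirm`) would make the intent clear, or they can go together with the dhparams entry that hosts/surtr/default.nix removes. If `tls_dh_params_path` was removed because the Synapse pinned in flake.lock no longer honours it, saying so in the same comment avoids a later attempt to reinstate it. The `url_preview_ip_range_whitelist` entry `2a03:4000:52:ada::/128` carves a single address out of the `/64` that the blacklist adds to Synapse's default private-range list; presumably it is this host's own public address, and a short comment naming what it is for would let a reviewer confirm the previewer is meant to reach only that host and not the rest of the `/64`. The `config = {` attribute set opens at new line 6 inside the hunk but continues past new line 74, outside it.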