2 files changed, 54 insertions, 54 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index d30e0cba..711e8bc8 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
      defaultBitSize = 4096;
      params = {
        nginx = {};
-        matrix-synapse = {};
        coturn = {};
      };
      stateful = true;
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 09b5c125..07c445b7 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib;
  config = {
    services.matrix-synapse = {
      enable = true;
-      enable_metrics = true;
-      enable_registration = true;
+      settings = {
-      allow_guest_access = false;
+        enable_metrics = true;
+        enable_registration = true;
+        allow_guest_access = false;
+        server_name = "synapse.li";
+        listeners = [
+          { bind_addresses = ["::1" "127.0.0.1"];
+            port = 8008;
+            resources = [
+              { names = [ "client" "federation" ];
+                compress = false;
+              }
+            ];
+            tls = false;
+            type = "http";
+            x_forwarded = true;
+          }
+        ];
-      server_name = "synapse.li";
+        tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
+        tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
-      listeners = [
+        turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
-        { bind_address = "localhost";
+        turn_user_lifetime = "1h";
-          port = 8008;
-          resources = [
+        refreshable_access_token_lifetime = "5m";
-            { names = [ "client" "federation" ];
+        # nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
-              compress = false;
+        refresh_token_lifetime = "1w";
-            }
+        registration_requires_token = true;
-          ];
-          tls = false;
-          type = "http";
-          x_forwarded = true;
-        }
-      ];
-      tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
+        admin_contact = "mailto:matrix-admin@yggdrasil.li";
-      tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
-      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
-      turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
+        url_preview_enabled = true;
-      turn_user_lifetime = "1h";
+        url_preview_ip_range_blacklist = [
+          "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+          "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
+          "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
+          "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
+          "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
+          "fec0::/10" "2a03:4000:52:ada::/64"
+        ];
+        url_preview_ip_range_whitelist = [
+          "2a03:4000:52:ada::/128"
+        ];
+        max_upload_size = "500M";
+        trusted_key_servers = [
+          { server_name = "matrix.org";
+          }
+          { server_name = "vector.im";
+          }
+        ];
+        suppress_key_server_warning = true;
+      };
      extraConfigFiles = [
        "/run/credentials/matrix-synapse.service/registration.yaml"
        "/run/credentials/matrix-synapse.service/turn-secret.yaml"
-        (pkgs.writeText "homeserver.yaml" (generators.toYAML {} {
-          "refreshable_access_token_lifetime" = "5m";
-          # "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
-          "refresh_token_lifetime" = "1w";
-          "registration_requires_token" = true;
-          "admin_contact" = "mailto:matrix-admin@yggdrasil.li";
-          "url_preview_enabled" = true;
-          "url_preview_ip_range_blacklist" = [
-            "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
-            "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
-            "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
-            "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
-            "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
-            "fec0::/10" "2a03:4000:52:ada::/64"
-          ];
-          "url_preview_ip_range_whitelist" = [
-            "2a03:4000:52:ada::/128"
-          ];
-          "max_upload_size" = "500M";
-          "trusted_key_servers" = [
-            { "server_name" = "matrix.org";
-            }
-            { "server_name" = "vector.im";
-            }
-          ];
-          "suppress_key_server_warning" = true;
-        }))
      ];
    };
    sops.secrets."matrix-synapse-registration.yaml" = {

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index d30e0cba..711e8bc8 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
146	defaultBitSize = 4096;	146	defaultBitSize = 4096;
147	params = {	147	params = {
148	nginx = {};	148	nginx = {};
149	matrix-synapse = {};
150	coturn = {};	149	coturn = {};
151	};	150	};
152	stateful = true;	151	stateful = true;


diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index 09b5c125..07c445b7 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib;
6	config = {	6	config = {
7	services.matrix-synapse = {	7	services.matrix-synapse = {
8	enable = true;	8	enable = true;
9	enable_metrics = true;
10		9
11	enable_registration = true;	10	settings = {
12	allow_guest_access = false;	11	enable_metrics = true;
		12
		13	enable_registration = true;
		14	allow_guest_access = false;
		15
		16	server_name = "synapse.li";
		17
		18	listeners = [
		19	{ bind_addresses = ["::1" "127.0.0.1"];
		20	port = 8008;
		21	resources = [
		22	{ names = [ "client" "federation" ];
		23	compress = false;
		24	}
		25	];
		26	tls = false;
		27	type = "http";
		28	x_forwarded = true;
		29	}
		30	];
13		31
14	server_name = "synapse.li";	32	tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
		33	tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
15		34
16	listeners = [	35	turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
17	{ bind_address = "localhost";	36	turn_user_lifetime = "1h";
18	port = 8008;	37
19	resources = [	38	refreshable_access_token_lifetime = "5m";
20	{ names = [ "client" "federation" ];	39	# nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
21	compress = false;	40	refresh_token_lifetime = "1w";
22	}	41	registration_requires_token = true;
23	];
24	tls = false;
25	type = "http";
26	x_forwarded = true;
27	}
28	];
29		42
30	tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";	43	admin_contact = "mailto:matrix-admin@yggdrasil.li";
31	tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
32	tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
33		44
34	turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];	45	url_preview_enabled = true;
35	turn_user_lifetime = "1h";	46	url_preview_ip_range_blacklist = [
		47	"127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
		48	"100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
		49	"192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
		50	"198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
		51	"fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
		52	"fec0::/10" "2a03:4000:52:ada::/64"
		53	];
		54	url_preview_ip_range_whitelist = [
		55	"2a03:4000:52:ada::/128"
		56	];
		57
		58	max_upload_size = "500M";
		59
		60	trusted_key_servers = [
		61	{ server_name = "matrix.org";
		62	}
		63	{ server_name = "vector.im";
		64	}
		65	];
		66	suppress_key_server_warning = true;
		67	};
36		68
37	extraConfigFiles = [	69	extraConfigFiles = [
38	"/run/credentials/matrix-synapse.service/registration.yaml"	70	"/run/credentials/matrix-synapse.service/registration.yaml"
39	"/run/credentials/matrix-synapse.service/turn-secret.yaml"	71	"/run/credentials/matrix-synapse.service/turn-secret.yaml"
40	(pkgs.writeText "homeserver.yaml" (generators.toYAML {} {
41	"refreshable_access_token_lifetime" = "5m";
42	# "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
43	"refresh_token_lifetime" = "1w";
44	"registration_requires_token" = true;
45
46	"admin_contact" = "mailto:matrix-admin@yggdrasil.li";
47
48	"url_preview_enabled" = true;
49	"url_preview_ip_range_blacklist" = [
50	"127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
51	"100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
52	"192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
53	"198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
54	"fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
55	"fec0::/10" "2a03:4000:52:ada::/64"
56	];
57	"url_preview_ip_range_whitelist" = [
58	"2a03:4000:52:ada::/128"
59	];
60
61	"max_upload_size" = "500M";
62
63	"trusted_key_servers" = [
64	{ "server_name" = "matrix.org";
65	}
66	{ "server_name" = "vector.im";
67	}
68	];
69	"suppress_key_server_warning" = true;
70	}))
71	];	72	];
72	};	73	};
73	sops.secrets."matrix-synapse-registration.yaml" = {	74	sops.secrets."matrix-synapse-registration.yaml" = {