summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/default.nix1
-rw-r--r--hosts/surtr/matrix/default.nix107
2 files changed, 54 insertions, 54 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index d30e0cba..711e8bc8 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
146 defaultBitSize = 4096; 146 defaultBitSize = 4096;
147 params = { 147 params = {
148 nginx = {}; 148 nginx = {};
149 matrix-synapse = {};
150 coturn = {}; 149 coturn = {};
151 }; 150 };
152 stateful = true; 151 stateful = true;
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 09b5c125..07c445b7 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib;
6 config = { 6 config = {
7 services.matrix-synapse = { 7 services.matrix-synapse = {
8 enable = true; 8 enable = true;
9 enable_metrics = true;
10 9
11 enable_registration = true; 10 settings = {
12 allow_guest_access = false; 11 enable_metrics = true;
12
13 enable_registration = true;
14 allow_guest_access = false;
15
16 server_name = "synapse.li";
17
18 listeners = [
19 { bind_addresses = ["::1" "127.0.0.1"];
20 port = 8008;
21 resources = [
22 { names = [ "client" "federation" ];
23 compress = false;
24 }
25 ];
26 tls = false;
27 type = "http";
28 x_forwarded = true;
29 }
30 ];
13 31
14 server_name = "synapse.li"; 32 tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
33 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
15 34
16 listeners = [ 35 turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
17 { bind_address = "localhost"; 36 turn_user_lifetime = "1h";
18 port = 8008; 37
19 resources = [ 38 refreshable_access_token_lifetime = "5m";
20 { names = [ "client" "federation" ]; 39 # nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
21 compress = false; 40 refresh_token_lifetime = "1w";
22 } 41 registration_requires_token = true;
23 ];
24 tls = false;
25 type = "http";
26 x_forwarded = true;
27 }
28 ];
29 42
30 tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem"; 43 admin_contact = "mailto:matrix-admin@yggdrasil.li";
31 tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
32 tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
33 44
34 turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"]; 45 url_preview_enabled = true;
35 turn_user_lifetime = "1h"; 46 url_preview_ip_range_blacklist = [
47 "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
48 "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
49 "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
50 "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
51 "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
52 "fec0::/10" "2a03:4000:52:ada::/64"
53 ];
54 url_preview_ip_range_whitelist = [
55 "2a03:4000:52:ada::/128"
56 ];
57
58 max_upload_size = "500M";
59
60 trusted_key_servers = [
61 { server_name = "matrix.org";
62 }
63 { server_name = "vector.im";
64 }
65 ];
66 suppress_key_server_warning = true;
67 };
36 68
37 extraConfigFiles = [ 69 extraConfigFiles = [
38 "/run/credentials/matrix-synapse.service/registration.yaml" 70 "/run/credentials/matrix-synapse.service/registration.yaml"
39 "/run/credentials/matrix-synapse.service/turn-secret.yaml" 71 "/run/credentials/matrix-synapse.service/turn-secret.yaml"
40 (pkgs.writeText "homeserver.yaml" (generators.toYAML {} {
41 "refreshable_access_token_lifetime" = "5m";
42 # "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
43 "refresh_token_lifetime" = "1w";
44 "registration_requires_token" = true;
45
46 "admin_contact" = "mailto:matrix-admin@yggdrasil.li";
47
48 "url_preview_enabled" = true;
49 "url_preview_ip_range_blacklist" = [
50 "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
51 "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
52 "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
53 "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
54 "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
55 "fec0::/10" "2a03:4000:52:ada::/64"
56 ];
57 "url_preview_ip_range_whitelist" = [
58 "2a03:4000:52:ada::/128"
59 ];
60
61 "max_upload_size" = "500M";
62
63 "trusted_key_servers" = [
64 { "server_name" = "matrix.org";
65 }
66 { "server_name" = "vector.im";
67 }
68 ];
69 "suppress_key_server_warning" = true;
70 }))
71 ]; 72 ];
72 }; 73 };
73 sops.secrets."matrix-synapse-registration.yaml" = { 74 sops.secrets."matrix-synapse-registration.yaml" = {