Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/surtr/default.nix | 1 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 107 |
2 files changed, 54 insertions, 54 deletions
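--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
       defaultBitSize = 4096;
       params = {
         nginx = {};
-        matrix-synapse = {};
         coturn = {};
       };
       stateful = true;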
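--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib;
   config = {
     services.matrix-synapse = {
       enable = true;
-      enable_metrics = true;
 
-      enable_registration = true;
-      allow_guest_access = false;
+      settings = {
+        enable_metrics = true;
+
+        enable_registration = true;
+        allow_guest_access = false;
+
+        server_name = "synapse.li";
+
+        listeners = [
+          { bind_addresses = ["::1" "127.0.0.1"];
+            port = 8008;
+            resources = [
+              { names = [ "client" "federation" ];
+                compress = false;
+              }
+            ];
+            tls = false;
+            type = "http";
+            x_forwarded = true;
+          }
+        ];
 
-      server_name = "synapse.li";
+        tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
+        tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
 
-      listeners = [
-        { bind_address = "localhost";
-          port = 8008;
-          resources = [
-            { names = [ "client" "federation" ];
-              compress = false;
-            }
-          ];
-          tls = false;
-          type = "http";
-          x_forwarded = true;
-        }
-      ];
+        turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
+        turn_user_lifetime = "1h";
+
+        refreshable_access_token_lifetime = "5m";
+        # nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
+        refresh_token_lifetime = "1w";
+        registration_requires_token = true;
 
-      tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
-      tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
-      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;
+        admin_contact = "mailto:matrix-admin@yggdrasil.li";
 
-      turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"];
-      turn_user_lifetime = "1h";
+        url_preview_enabled = true;
+        url_preview_ip_range_blacklist = [
+          "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+          "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
+          "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
+          "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
+          "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
+          "fec0::/10" "2a03:4000:52:ada::/64"
+        ];
+        url_preview_ip_range_whitelist = [
+          "2a03:4000:52:ada::/128"
+        ];
+
+        max_upload_size = "500M";
+
+        trusted_key_servers = [
+          { server_name = "matrix.org";
+          }
+          { server_name = "vector.im";
+          }
+        ];
+        suppress_key_server_warning = true;
+      };
 
       extraConfigFiles = [
         "/run/credentials/matrix-synapse.service/registration.yaml"
         "/run/credentials/matrix-synapse.service/turn-secret.yaml"
-        (pkgs.writeText "homeserver.yaml" (generators.toYAML {} {
-          "refreshable_access_token_lifetime" = "5m";
-          # "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens
-          "refresh_token_lifetime" = "1w";
-          "registration_requires_token" = true;
-
-          "admin_contact" = "mailto:matrix-admin@yggdrasil.li";
-
-          "url_preview_enabled" = true;
-          "url_preview_ip_range_blacklist" = [
-            "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
-            "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16"
-            "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24"
-            "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128"
-            "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8"
-            "fec0::/10" "2a03:4000:52:ada::/64"
-          ];
-          "url_preview_ip_range_whitelist" = [
-            "2a03:4000:52:ada::/128"
-          ];
-
-          "max_upload_size" = "500M";
-
-          "trusted_key_servers" = [
-            { "server_name" = "matrix.org";
-            }
-            { "server_name" = "vector.im";
-            }
-          ];
-          "suppress_key_server_warning" = true;
-        }))
       ];
     };
     sops.secrets."matrix-synapse-registration.yaml" = {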
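Review bot: `tls_certificate_path` and `tls_private_key_path` (new lines 32–33) are kept inside `settings` although the only listener is declared with `tls = false` behind a forwarding proxy, and the companion hunk in hosts/surtr/default.nix drops the matrix-synapse dhparams together with `tls_dh_params_path`; it is not clear from the hunk whether Synapse still reads those two credential paths, so they should either follow `tls_dh_params_path` out of the file or carry a comment stating why they remain. A second gap is documentation: `enable_registration = true` (new line 13) is only acceptable because `registration_requires_token = true` is set at new line 41, almost thirty lines away, so a comment such as `# open registration is gated by registration_requires_token below` next to `enable_registration` would make that dependency explicit. The enclosing module continues past the hunk, so the service credential wiring that would back these paths is not visible here.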