From e278715249e4da50d24c546d6d4045178b48c73f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 9 Mar 2022 19:23:00 +0100
Subject: bump
---
 flake.lock | 18 +++---
 hosts/surtr/default.nix | 1 -
 hosts/surtr/matrix/default.nix | 107 +++++++++++++++++++++--------------------
 3 files changed, 63 insertions(+), 63 deletions(-)
diff --git a/flake.lock b/flake.lock
index a6270724..b1e62113 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,11 +46,11 @@
 ]
 },
 "locked": {
- "lastModified": 1645970334,
- "narHash": "sha256-6nn4YF9bPtkxkB7bM6yJO3m//p3sGilxNQFjm1epLEM=",
+ "lastModified": 1646559628,
+ "narHash": "sha256-WDoqxH/IPTV8CkI15wwzvXYgXq9UPr8xd8WKziuaynw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "ea85f4b1fdf3f25cf97dc49f4a9ec4eafda2ea25",
+ "rev": "afe96e7433c513bf82375d41473c57d1f66b4e68",
 "type": "github"
 },
 "original": {
@@ -62,11 +62,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1646135945,
- "narHash": "sha256-AjOuxMoIEHI6fSck5Ew6UKW2urIgrIEIcAHOvXjkBA4=",
+ "lastModified": 1646849019,
+ "narHash": "sha256-HDdVmjkHQFIxYGZST7jFEueWdx/dXIY1bQP+dsVXS/M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e3c78ec446db310c01504dca6cb7ee4cba0f8a7d",
+ "rev": "60e275ec4148969d0832f27ea2e138a914b8da12",
 "type": "github"
 },
 "original": {
@@ -91,11 +91,11 @@
 ]
 },
 "locked": {
- "lastModified": 1645891244,
- "narHash": "sha256-Pu3a97Zn0PpWi/prTyD9TulCmxyeVnlqofor+yScRD8=",
+ "lastModified": 1646696263,
+ "narHash": "sha256-a+6WgDoU2fd4bbSFMqK67i/ZTPzia29otmyeODa1uDU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "afb0d686dced029ea720c466f693c12ebfd4107b",
+ "rev": "4e21493d34f7485a568e05b9cbefa11fe047ecd3",
 "type": "github"
 },
 "original": {
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index d30e0cba..711e8bc8 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -146,7 +146,6 @@
 defaultBitSize = 4096;
 params = {
 nginx = {};
- matrix-synapse = {};
 coturn = {};
 };
 stateful = true; 
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 09b5c125..07c445b7 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -6,68 +6,69 @@ with lib; config = { services.matrix-synapse = { enable = true; - enable_metrics = true; - enable_registration = true; - allow_guest_access = false; + settings = { + enable_metrics = true; + + enable_registration = true; + allow_guest_access = false; + + server_name = "synapse.li"; + + listeners = [ + { bind_addresses = ["::1" "127.0.0.1"]; + port = 8008; + resources = [ + { names = [ "client" "federation" ]; + compress = false; + } + ]; + tls = false; + type = "http"; + x_forwarded = true; + } + ]; - server_name = "synapse.li"; + tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem"; + tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem"; - listeners = [ - { bind_address = "localhost"; - port = 8008; - resources = [ - { names = [ "client" "federation" ]; - compress = false; - } - ]; - tls = false; - type = "http"; - x_forwarded = true; - } - ]; + turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"]; + turn_user_lifetime = "1h"; + + refreshable_access_token_lifetime = "5m"; + # nonrefreshable_access_token_lifetime = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens + refresh_token_lifetime = "1w"; + registration_requires_token = true; - tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem"; - tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem"; - tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path; + admin_contact = "mailto:matrix-admin@yggdrasil.li"; - turn_uris = ["turn:turn.synapse.li?transport=udp" "turn:turn.synapse.li?transport=tcp"]; - turn_user_lifetime = "1h"; + url_preview_enabled = true; + url_preview_ip_range_blacklist = [ + "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" + "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16" + "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24" + "198.51.100.0/24" "203.0.113.0/24" 
"224.0.0.0/4" "::1/128" + "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8" + "fec0::/10" "2a03:4000:52:ada::/64" + ]; + url_preview_ip_range_whitelist = [ + "2a03:4000:52:ada::/128" + ]; + + max_upload_size = "500M"; + + trusted_key_servers = [ + { server_name = "matrix.org"; + } + { server_name = "vector.im"; + } + ]; + suppress_key_server_warning = true; + }; extraConfigFiles = [ "/run/credentials/matrix-synapse.service/registration.yaml" "/run/credentials/matrix-synapse.service/turn-secret.yaml" - (pkgs.writeText "homeserver.yaml" (generators.toYAML {} { - "refreshable_access_token_lifetime" = "5m"; - # "nonrefreshable_access_token_lifetime" = "1w"; # TODO: uncomment once all (relevant) clients have support for refreshable tokens - "refresh_token_lifetime" = "1w"; - "registration_requires_token" = true; - - "admin_contact" = "mailto:matrix-admin@yggdrasil.li"; - - "url_preview_enabled" = true; - "url_preview_ip_range_blacklist" = [ - "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" - "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16" - "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24" - "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128" - "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8" - "fec0::/10" "2a03:4000:52:ada::/64" - ]; - "url_preview_ip_range_whitelist" = [ - "2a03:4000:52:ada::/128" - ]; - - "max_upload_size" = "500M"; - - "trusted_key_servers" = [ - { "server_name" = "matrix.org"; - } - { "server_name" = "vector.im"; - } - ]; - "suppress_key_server_warning" = true; - })) ]; }; sops.secrets."matrix-synapse-registration.yaml" = { -- cgit v1.2.3
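Review bot: The `url_preview_ip_range_blacklist` added under `settings` replaces Synapse's built-in default rather than extending it, so the hand-copied entries will not follow upstream additions, and the one site-specific range `2a03:4000:52:ada::/64` is only applied to URL previews — as far as I recall from Synapse's config docs, the general `ip_range_blacklist`, which governs federation and other outbound requests, is left at its default here, so that /64 is not blocked on those paths. Consider setting `ip_range_blacklist` to the same list beside the preview options, and recording the intent with a comment such as `# mirrors synapse's default blacklist plus the host's own /64; keep in sync with upstream`. Two other changes in this hunk are silent for a commit titled "bump": the listener moves from `bind_address = "localhost"` to `bind_addresses = ["::1" "127.0.0.1"]`, and `tls_dh_params_path` disappears while `tls_certificate_path`/`tls_private_key_path` are kept for a listener that has `tls = false`; a one-line comment on each stating why would save the next reader a bisect. The enclosing `config = {` attribute set continues past the end of the hunk.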