NixOS-Config/nixos/server/synapse.nix

97 lines
2.7 KiB
Nix

{pkgs, config, ...}: {
services = let
secrets = import ../modules/secrets.nix;
in {
# Synapse Matrix server
matrix-synapse = with config.services.coturn; {
enable = true;
settings = {
server_name = "${secrets.jimDomain}";
public_baseurl = "https://matrix.${secrets.jimDomain}";
suppress_key_server_warning = true;
# Set the network config
listeners = [{
# Client config
port = 8008;
bind_addresses = [ "::" "0.0.0.0" ];
resources = [ { compress = false; names = [ "client" "federation" ]; } ];
type = "http";
tls = false;
x_forwarded = true;
}];
# Enable smtp for password resets
email = {
notif_from = "Jimbo's Matrix <noreply@${secrets.jimDomain}>";
smtp_host = "mx.${secrets.jimDomain}";
smtp_user = "noreply@${secrets.jimDomain}";
smtp_pass = secrets.noreplyPassword;
enable_tls = true;
smtp_port = 587;
require_transport_security = true;
};
# Disable registration without email
registrations_require_3pid = [ "email" ];
# Allow only this range of emails
allowed_local_3pids = [{
medium = "email";
pattern = "^[^@]+@jimbosfiles\\.com$";
}];
# Set the type of database
database.name = "sqlite3";
# Allow account registration
enable_registration = true;
# General settings
url_preview_enabled = true;
max_upload_size = "50M";
report_stats = false;
# Turn settings
turn_uris = [
"turn:turn.${secrets.jimDomain}:3478?transport=udp"
"turn:turn.${secrets.jimDomain}:3478?transport=tcp"
];
turn_shared_secret = static-auth-secret;
turn_user_lifetime = "1h";
# Ratelimiting
burst_count = 15;
};
};
# Sliding sync proxy for Matrix
matrix-sliding-sync = let
matrixSecretFile = pkgs.writeText "matrixsecret" ''
SYNCV3_SECRET=${secrets.matrixSecret}
'';
in {
enable = true;
settings = {
SYNCV3_SERVER = "https://matrix.${secrets.jimDomain}";
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
environmentFile = "${matrixSecretFile}";
};
# Coturn for VC
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret = "will be world readable for local users :(";
realm = "turn.${secrets.jimDomain}";
cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem";
};
};
}