Diffstat (limited to 'host/Rory-nginx/services/matrix/synapse.nix')
-rwxr-xr-x | host/Rory-nginx/services/matrix/synapse.nix | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/host/Rory-nginx/services/matrix/synapse.nix b/host/Rory-nginx/services/matrix/synapse.nix
new file mode 100755
index 0000000..b69af7a
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/synapse.nix
@@ -0,0 +1,207 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports =
+ [
+ ../../modules/base-server.nix
+ ];
+
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+
+ # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+ settings = {
+ server_name = "rory.gay";
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "60s";
+ max_short_retries = 6;
+ max_short_retry_delay = "10s";
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+ };
+
+ event_cache_size = "30K"; #defaults to 10K
+ caches = {
+ global_factor = 1.0;
+ sync_response_cache_duration = "30m";
+ cache_autotuning = {
+ max_cache_memory_usage = "2048M";
+ target_cache_memory_usage = "1024M";
+ min_cache_ttl = "30m";
+ };
+ };
+
+
+ # Alicia - figure this out later...
+ #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
+ registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "192.168.1.2" "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [ {
+ names = [ "client" "federation" ];
+ compress = true;
+ } ];
+ }
+ ];
+ dynamic_thumbnails = true;
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ url_preview_enabled = true;
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse-rory-gay";
+ #passwordFile = "/run/secrets/matrix-synapse-password";
+ password = "somepassword";
+ database = "matrix-synapse-rory-gay";
+ host = "127.0.0.1";
+ application_name = "matrix-synapse (rory.gay)";
+ cp_min = 5;
+ cp_max = 50;
+ #cp_reconnect_interval = "True";
+ };
+ };
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ ];
+
+ rc_message = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ rc_login = {
+ address = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ account = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ failed_attempts = {
+ per_second = 0.1;
+ burst_count = 3;
+ };
+ };
+ rc_joins = {
+ local = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_joins_per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ rc_invites = {
+ per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_user = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_issuer = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_federation = {
+ window_size = 10;
+ sleep_limit = 1000;
+ sleep_delay = 100;
+ reject_limit = 1000;
+ concurrent = 100;
+ };
+ federation_rr_transactions_per_room_per_second = 1;
+
+ max_image_pixels = "100M";
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ #sentry = {
+ # dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14";
+ #};
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+ };
+
+ plugins = with pkgs.matrix-synapse-plugins; [
+ # Alicia - need to port draupnir...
+ #matrix-synapse-mjolnir-antispam
+# matrix-synapse-pam
+ ];
+# extraConfigFiles = [
+# (pkgs.writeTextFile {
+# name = "matrix-synapse-extra-config.yml";
+# text = ''
+# modules:
+# - module: "pam_auth_provider.PAMAuthProvider"
+# config:
+# create_users: true
+# skip_user_check: false
+# '';
+# })
+# ];
+ };
+
+ systemd.services.matrix-synapse-reg-token = {
+ description = "Random registration token for Synapse.";
+ before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+
+ script = ''
+
+ if [ ! -f "registration_shared_secret.txt" ]
+ then
+ cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
+ else
+ echo Not generating key, key exists;
+ fi'';
+ serviceConfig = {
+ User = "matrix-synapse";
+ Group = "matrix-synapse";
+ WorkingDirectory = "/var/lib/matrix-synapse";
+ };
+ };
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
|
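Review bot: `password = "somepassword";` under `database.args` commits the PostgreSQL credential to the repository, and because `settings` is normally rendered into a config file in the Nix store, it is likely readable by every local user as well. The commented `#passwordFile` line above it suggests this was meant to be temporary. Drop `password` from `settings` and load the `database` section from a file kept outside the store, using the `extraConfigFiles` option that is already sketched further down, e.g. `extraConfigFiles = [ "/run/secrets/<synapse-db-config>.yaml" ];` (placeholder path). Separately, `matrix-synapse-reg-token` sets no `Type`, so `before = ["matrix-synapse.service"]` does not wait for the script to finish, and the secret file is written with the default umask. Add `Type = "oneshot";` to its `serviceConfig` and `umask 077` as the first line of `script`.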