diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 3f0bcc4..9448569 100755..100644
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -18,13 +18,15 @@
../../modules/users/Alice.nix
./services/postgres.nix
- ./services/matrix/root.nix
./services/nginx/nginx.nix
#./services/jitsi.nix
./services/cgit.nix
- #./services/ollama.nix
+ ./services/ollama.nix
+ ./services/deluge.nix
./services/prometheus.nix
];
+
+ boot.loader.grub.devices = [ "/dev/vda" ];
users.groups.ocp = { };
networking = {
hostName = "Rory-nginx";
@@ -51,27 +53,25 @@
enableIPv6 = false;
};
enableIPv6 = lib.mkForce false;
- nameservers = lib.mkOverride [ "192.168.1.1" ];
+ nameservers = lib.mkForce [ "192.168.1.1" ];
};
-# environment.etc."resolv.conf" = lib.mkOverride {
-# text = ''
-# nameserver 192.168.1.1
-# '';
-# };
-
monitoring = {
monitorAll = true;
localPrometheus = true;
exposePrometheus = true;
localGrafana = true;
exposeGrafana = true;
- nginxHost = "monitoring.rory.gay";
+ nginxHost = "monitoring.old.rory.gay";
nginxSsl = true;
};
- nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-
+ nixpkgs.config.permittedInsecurePackages = [
+ "olm-3.2.16"
+ "dotnet-runtime-wrapped-7.0.20"
+ "dotnet-runtime-7.0.20"
+ "dotnet-sdk-7.0.20"
+ ];
services.irqbalance.enable = true;
environment.memoryAllocator.provider = "jemalloc";
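Review bot: The three new `dotnet-*-7.0.20` entries in `nixpkgs.config.permittedInsecurePackages` whitelist an end-of-life .NET runtime host-wide, but nothing records which package needs it or when the exception can be dropped. Allow-lists like this outlive their reason, so each entry should carry it, e.g. `"dotnet-sdk-7.0.20" # EOL: still required by <package>; remove once it builds on a supported SDK`. The dependent is not visible in this diff, so name it explicitly; the same applies to the pre-existing `olm-3.2.16` entry.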
@@ -81,23 +81,17 @@
# conduit = grapevine;
#};
- containers."matrixunittests" = import ./services/containers/matrixunittests/container.nix { inherit pkgs lib grapevine; };
-
- containers."matrixunittests-conduit" = import ./services/containers/matrixunittests-conduit/container.nix {
- inherit pkgs lib;
- conduit = conduit;
+ containers."matrixunittests" = import ./services/containers/matrixunittests/container.nix {
+ inherit pkgs lib grapevine;
};
-
- services.pgadmin = {
- enable = true;
- initialEmail = "root@localhost.localdomain";
- initialPasswordFile = "/etc/matrix-user-pass";
- };
- containers."draupnir-cme" = import ./services/containers/draupnir-cme/container.nix { inherit pkgs lib nixpkgs-Draupnir; };
-
- #containers."draupnir-linux-mint" = import ./services/containers/draupnir-linux-mint/container.nix { inherit pkgs lib nixpkgs-Draupnir; };
+ #
+ #containers."matrixunittests-conduit" = import ./services/containers/matrixunittests-conduit/container.nix {
+ # inherit pkgs lib;
+ # conduit = conduit;
+ #};
system.stateVersion = "22.11"; # DO NOT EDIT!
environment.systemPackages = with pkgs; [ waypipe ];
+ nix.nrBuildUsers = 128;
}
diff --git a/host/Rory-nginx/post-rebuild.sh b/host/Rory-nginx/hooks/post-rebuild.sh
index 9b0c17c..198b7e6 100755
--- a/host/Rory-nginx/post-rebuild.sh
+++ b/host/Rory-nginx/hooks/post-rebuild.sh
@@ -1,6 +1,7 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
#set -x
+exit
REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
LOCALPART='rory.gay'
REACHABLE_DOMAIN='http://localhost:8008'
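Review bot: The bare `exit` added at line 4 silently turns the whole hook into a no-op with no explanation, while the script still carries the logic below it that reads the Synapse registration shared secret. If it is disabled because Synapse no longer runs here (this commit drops `./services/matrix/root.nix` from the host's imports), say so where the next reader will look: `exit 0 # disabled: synapse is no longer deployed on this host; remove this script or this line when that changes`. An explicit `exit 0` also makes the intended status obvious instead of relying on the shell's last-command status. The remainder of the script is outside this hunk.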
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/container.nix b/host/Rory-nginx/services/containers/draupnir-cme/container.nix
deleted file mode 100755
index b8936ac..0000000
--- a/host/Rory-nginx/services/containers/draupnir-cme/container.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ nixpkgs-Draupnir, ... }:
-
-{
- privateNetwork = true;
- autoStart = true;
- specialArgs = {
- inherit nixpkgs-Draupnir;
- };
- config =
- { lib, pkgs, ... }:
- {
- imports = [
- ../shared.nix
- ./root.nix
- ./services/draupnir.nix
- "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
- ];
- nixpkgs.overlays = [ (final: prev: { draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; }) ];
- };
- hostAddress = "192.168.100.1";
- localAddress = "192.168.100.17";
-
- bindMounts."draupnir-access-token" = {
- hostPath = "/etc/draupnir-cme-access-token";
- mountPoint = "/etc/draupnir-access-token";
- isReadOnly = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/root.nix b/host/Rory-nginx/services/containers/draupnir-cme/root.nix
deleted file mode 100755
index e4da810..0000000
--- a/host/Rory-nginx/services/containers/draupnir-cme/root.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ ... }:
-
-{
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
-
- networking.hosts = {
- "192.168.100.1" = [
- "matrix.rory.gay"
- "rory.gay"
- ];
- };
-
- networking.firewall = {
- enable = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-cme/services/draupnir.nix b/host/Rory-nginx/services/containers/draupnir-cme/services/draupnir.nix
deleted file mode 100755
index cf59809..0000000
--- a/host/Rory-nginx/services/containers/draupnir-cme/services/draupnir.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ ... }:
-
-{
- services.draupnir = {
- enable = true;
- accessTokenFile = "/etc/draupnir-access-token";
- homeserverUrl = "https://matrix.rory.gay";
-
- settings = {
- managementRoom = "#draupnir-cme:rory.gay";
- recordIgnoredInvites = true; # We want to be aware of invites
- autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ...
- automaticallyRedactForReasons = [ "*" ]; # Always autoredact
- fasterMembershipChecks = true;
-
- backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit
- pollReports = false;
-
- admin.enableMakeRoomAdminCommand = false;
- commands.ban.defaultReasons = [ "spam" ];
- };
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix b/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix
deleted file mode 100755
index 17c981a..0000000
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/container.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ nixpkgs-Draupnir, ... }:
-
-{
- privateNetwork = true;
- autoStart = true;
- specialArgs = {
- inherit nixpkgs-Draupnir;
- };
- config =
- { lib, pkgs, ... }:
- {
- imports = [
- ../shared.nix
- ./root.nix
- ./services/draupnir.nix
- "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
- ];
- nixpkgs.overlays = [ (final: prev: { draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; }) ];
- };
- hostAddress = "192.168.100.1";
- localAddress = "192.168.100.19";
-
- bindMounts."draupnir-access-token" = {
- hostPath = "/etc/draupnir-linux-mint-access-token";
- mountPoint = "/etc/draupnir-access-token";
- isReadOnly = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix b/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix
deleted file mode 100755
index 2254695..0000000
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/root.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ pkgs, ... }:
-
-{
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
-
- networking.hosts = {
- "192.168.100.18" = [
- "matrix.rory.gay"
- "rory.gay"
- ];
- };
-
- networking.firewall = {
- enable = true;
- };
-}
diff --git a/host/Rory-nginx/services/containers/draupnir-linux-mint/services/draupnir.nix b/host/Rory-nginx/services/containers/draupnir-linux-mint/services/draupnir.nix
deleted file mode 100755
index 042651a..0000000
--- a/host/Rory-nginx/services/containers/draupnir-linux-mint/services/draupnir.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ ... }:
-
-{
- services.draupnir = {
- enable = true;
- accessTokenFile = "/etc/draupnir-access-token";
- homeserverUrl = "https://matrix.rory.gay";
-
- settings = {
- managementRoom = "#draupnir-linux-mint:rory.gay";
- recordIgnoredInvites = true; # We want to be aware of invites
- autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ...
- automaticallyRedactForReasons = [ "*" ]; # Always autoredact
- fasterMembershipChecks = true;
-
- backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit
- pollReports = false;
-
- admin.enableMakeRoomAdminCommand = false;
- commands.ban.defaultReasons = [
- "spam"
- "code of conduct violation"
- ];
- };
- };
-}
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
index 35c4bea..daefba1 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/container.nix
@@ -19,12 +19,7 @@
./services/nginx.nix
./services/conduit.nix
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
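Review bot: `networking.useHostResolvConf = true` makes this `privateNetwork` container resolve through whatever the host's /etc/resolv.conf names, which this commit pins to the LAN resolver `192.168.1.1` via `nameservers = lib.mkForce [ ... ]`. That address is only reachable from the container's private subnet if the host forwards or NATs traffic for it; nothing in this diff shows that, so DNS inside the container may time out where the old hard-coded public resolvers worked. Worth confirming on a rebuilt container (`getent hosts` from inside it) and, if it depends on host NAT, noting it next to the option: `networking.useHostResolvConf = true; # resolves via the host's LAN resolver; needs NAT from the container subnet`. The same change is made in the matrixunittests and pluralcontactbotpoc containers.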
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
index 3df71be..3df71be 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/conduit.nix
diff --git a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
index 0d7874e..0d7874e 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests-conduit/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/matrixunittests/container.nix b/host/Rory-nginx/services/containers/matrixunittests/container.nix
index 1de1ddf..cbd90f8 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/container.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/container.nix
@@ -17,12 +17,7 @@
grapevine.nixosModules.default
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
diff --git a/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix b/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
index a49a003..cd5776f 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/services/conduit.nix
@@ -6,13 +6,7 @@
enable = true;
settings = {
server_name = "matrixunittests.rory.gay";
- enable_lightning_bolt = true;
- max_concurrent_requests = 1000;
- allow_check_for_updates = false;
allow_registration = true;
- yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
- allow_guest_registration = true;
- disable_federation = true;
listen = [
{
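Review bot: `allow_registration = true` is kept while the explicit open-registration acknowledgement and `allow_guest_registration` are dropped, leaving no trace of whether this is still meant to be an open-registration homeserver or whether a registration token is expected. If open registration is intentional for a throwaway test server, say so where the setting lives: `allow_registration = true; # open registration is intentional: disposable unit-test homeserver, federation disabled`; if it is not, add a registration-token setting instead. The option names here look like grapevine's rather than conduit's (the container imports `grapevine.nixosModules.default`), so confirm `allow_registration` has the semantics you expect under that module. The enclosing `settings` set continues past this hunk.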
@@ -21,6 +15,8 @@
port = 6167;
}
];
+ federation.enable = false;
+ server_discovery.client.base_url = "https://matrixunittests.rory.gay"; # This is required for some reason
database = {
backend = "rocksdb";
@@ -44,5 +40,4 @@
Restart = "on-failure";
};
};
-
}
diff --git a/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix b/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
index 0236182..0236182 100755..100644
--- a/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/matrixunittests/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
index 38049db..6be7c83 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/container.nix
@@ -18,12 +18,7 @@
./root.nix
../shared.nix
];
- environment.etc."resolv.conf".text = ''
- nameserver 8.8.8.8
- nameserver 8.4.4.8
- nameserver 1.1.1.1
- nameserver 1.0.0.1
- '';
+ networking.useHostResolvConf = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
index 11d0be3..11d0be3 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
index db9df9a..db9df9a 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
index 9d8041a..9d8041a 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
index 335176f..335176f 100755..100644
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
diff --git a/host/Rory-nginx/services/deluge.nix b/host/Rory-nginx/services/deluge.nix
new file mode 100644
index 0000000..4a499ed
--- /dev/null
+++ b/host/Rory-nginx/services/deluge.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ # systemd.tmpfiles.rules = [ "d /data/ollama 0750 ostgres postgres" ];
+
+ services.deluge = {
+ enable = true;
+ web.enable = true;
+ #dataDir = "/mnt/torrent/deluge";
+ declarative = false;
+ user = "Rory";
+ group = "users";
+ };
+}
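Review bot: `user = "Rory"; group = "users";` runs the deluge daemon and its web UI as a personal account instead of the module's dedicated service user, so a compromise of the torrent client (a network-facing service whose web password, with `declarative = false`, is whatever was set by hand — deluge-web ships with the well-known default `deluge`) lands in that user's home and sessions. Keep the default service user and give the interactive user access to the download directory through group membership or an ACL instead; if `dataDir` is meant to be `/mnt/torrent/deluge`, uncomment it and set ownership that way. Whether the web UI is firewalled or reachable only through nginx is not visible in this diff, so confirm it. The commented `systemd.tmpfiles.rules` line refers to `/data/ollama` and a misspelled `ostgres` user — it looks pasted from another service and should go.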
diff --git a/host/Rory-nginx/services/jitsi.nix b/host/Rory-nginx/services/jitsi.nix
index 9fe8d73..9fe8d73 100755..100644
--- a/host/Rory-nginx/services/jitsi.nix
+++ b/host/Rory-nginx/services/jitsi.nix
diff --git a/host/Rory-nginx/services/mastodon.nix b/host/Rory-nginx/services/mastodon.nix
new file mode 100644
index 0000000..5febe3b
--- /dev/null
+++ b/host/Rory-nginx/services/mastodon.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ services.mastodon = {
+ enable = true;
+ webProcesses = 8;
+ webThreads = 4;
+
+ streamingProcesses = 63;
+ localDomain = "rory.gay";
+ };
+}
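Review bot: This new `services/mastodon.nix` is not added to the host's `imports` list in this commit (the configuration.nix hunk adds only ollama and deluge), so as committed it is inert; if it is staged for later, a one-line header comment saying so would stop the next reader from assuming Mastodon is live on `rory.gay`. `streamingProcesses = 63` also reads like a placeholder rather than a sized value and deserves a comment with its rationale, e.g. `streamingProcesses = 63; # TODO(review): justify; default is 1`. Before it is imported, check how the module exposes its listeners, which is not visible here.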
diff --git a/host/Rory-nginx/services/matrix/coturn.nix b/host/Rory-nginx/services/matrix/coturn.nix
deleted file mode 100755
index 805faa9..0000000
--- a/host/Rory-nginx/services/matrix/coturn.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ ... }:
-
-{
- # coturn (WebRTC)
- services.coturn = {
- enable = false; # Alicia - figure out secret first...
- no-cli = true;
- no-tcp-relay = true;
- min-port = 49000;
- max-port = 50000;
- use-auth-secret = true;
- static-auth-secret = "will be world readable for local users :(";
- realm = "turn.example.com";
- # Alicia - figure out how to get this to work, since nginx runs on separate machine...
- #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
- #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
- extraConfig = ''
- # for debugging
- verbose
- # ban private IP ranges
- no-multicast-peers
- denied-peer-ip=0.0.0.0-0.255.255.255
- denied-peer-ip=10.0.0.0-10.255.255.255
- denied-peer-ip=100.64.0.0-100.127.255.255
- denied-peer-ip=127.0.0.0-127.255.255.255
- denied-peer-ip=169.254.0.0-169.254.255.255
- denied-peer-ip=172.16.0.0-172.31.255.255
- denied-peer-ip=192.0.0.0-192.0.0.255
- denied-peer-ip=192.0.2.0-192.0.2.255
- denied-peer-ip=192.88.99.0-192.88.99.255
- denied-peer-ip=192.168.0.0-192.168.255.255
- denied-peer-ip=198.18.0.0-198.19.255.255
- denied-peer-ip=198.51.100.0-198.51.100.255
- denied-peer-ip=203.0.113.0-203.0.113.255
- denied-peer-ip=240.0.0.0-255.255.255.255
- denied-peer-ip=::1
- denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
- denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
- denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
- denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
- '';
- };
- #services.matrix-synapse = with config.services.coturn; {
- # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
- # turn_shared_secret = static-auth-secret;
- # turn_user_lifetime = "1h";
- #};
-
-}
diff --git a/host/Rory-nginx/services/matrix/draupnir.nix b/host/Rory-nginx/services/matrix/draupnir.nix
deleted file mode 100755
index f20a7d0..0000000
--- a/host/Rory-nginx/services/matrix/draupnir.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ ... }:
-
-{
- services.draupnir = {
- enable = true;
- homeserverUrl = "https://matrix.rory.gay";
- accessTokenFile = "/etc/draupnir-access-token";
-
- #pantalaimon = {
- # enable = false;
- # username = "draupnir";
- # passwordFile = "/etc/draupnir-password";
- # options = {
- #homeserver = "http://localhost:8008";
- #ssl = false;
- # };
- #};
- settings = {
- managementRoom = "#draupnir-mgmt:rory.gay";
- verboseLogging = false;
- recordIgnoredInvites = true; # Let's log ignored invites, just incase
- autojoinOnlyIfManager = true; # Let's not open ourselves up to DoS attacks
- automaticallyRedactForReasons = [ "*" ]; # I always want autoredact
- fasterMembershipChecks = true;
- roomStateBackingStore.enabled = true; # broken under nix.
-
- backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit
- pollReports = false; # this is a single person homeserver... let's save ourself the work
-
- admin.enableMakeRoomAdminCommand = true;
- commands.ban.defaultReasons = [
- "spam"
- "harassment"
- "transphobia"
- "scam"
- ];
- protections = {
- wordlist = {
- words = [
- "tranny"
- "faggot"
- "ywnbaw"
- "nigger"
- ];
- minutesBeforeTrusting = 0;
- };
- };
- };
- };
-}
diff --git a/host/Rory-nginx/services/matrix/grapevine.nix b/host/Rory-nginx/services/matrix/grapevine.nix
index 0f0006b..c73b48c 100755..100644
--- a/host/Rory-nginx/services/matrix/grapevine.nix
+++ b/host/Rory-nginx/services/matrix/grapevine.nix
@@ -6,7 +6,7 @@
settings = {
conduit_compat = true;
server_name = "conduit.rory.gay";
- trusted_servers = [ "rory.gay" ];
+ #trusted_servers = [ "rory.gay" ];
listen = [
{
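Review bot: Commenting out `trusted_servers = [ "rory.gay" ];` silently falls back to the module's default for which servers are trusted as notaries for federation signing keys; whatever that default is (conduit has historically used `matrix.org`), the choice is now made outside this file. Make it explicit either way: `trusted_servers = [ ]; # no notary servers: fetch keys directly from each origin`, or keep `rory.gay` with a note on why. This is the production instance (`server_name = "conduit.rory.gay"`, `allow_registration = false`), so key-trust configuration should not rest on an implicit default. The enclosing `settings` set continues past this hunk.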
@@ -15,17 +15,16 @@
port = 6167;
}
];
+ server_discovery.client.base_url = "https://conduit.rory.gay"; # This is required for some reason
database = {
backend = "rocksdb";
};
-
- allow_check_for_updates = false;
allow_registration = false;
#log = "info";
#log_format = "full";
- log = "debug";
+ #log = "debug";
};
};
}
diff --git a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
deleted file mode 100755
index 3041aaa..0000000
--- a/host/Rory-nginx/services/matrix/matrix-appservice-discord.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ ... }:
-
-{
- # Discord bridge
- services.matrix-appservice-discord = {
- enable = false; # Alicia - figure out secret first...
- environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
- # The appservice is pre-configured to use SQLite by default.
- # It's also possible to use PostgreSQL.
- settings = {
- bridge = {
- domain = "rory.gay";
- homeserverUrl = "https://matrix.rory.gay";
- };
-
- # The service uses SQLite by default, but it's also possible to use
- # PostgreSQL instead:
- database = {
- # filename = ""; # empty value to disable sqlite
- connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord";
- };
- };
- };
-
-}
diff --git a/host/Rory-nginx/services/matrix/ooye.nix b/host/Rory-nginx/services/matrix/ooye.nix
new file mode 100644
index 0000000..7b9c403
--- /dev/null
+++ b/host/Rory-nginx/services/matrix/ooye.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ services.matrix-ooye = {
+ enable = true;
+ homeserver = "https://matrix.rory.gay";
+ homeserverName = "rory.gay";
+ enableSynapseIntegration = true;
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix
index b13c38a..5bb3915 100755..100644
--- a/host/Rory-nginx/services/matrix/root.nix
+++ b/host/Rory-nginx/services/matrix/root.nix
@@ -7,7 +7,8 @@
./matrix-appservice-discord.nix
./draupnir.nix
./grapevine.nix
- ./sliding-sync.nix
+ # ./sliding-sync.nix # removed from nixpkgs, use synapse support instead
+ ./ooye.nix
];
}
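Review bot: This commit removes `./services/matrix/root.nix` from the host's `imports` in configuration.nix, so the edits here (adding `./ooye.nix`, retiring sliding-sync) appear to affect nothing on this host unless root.nix is imported from somewhere not in this diff. If the matrix stack has moved to another host, a header comment saying so — or deleting the tree, as this commit already does for draupnir and coturn — would make that visible; if it has not, the import removal at the top of the diff is the bug. Note that `enableSynapseIntegration = true` in the new ooye.nix presumes Synapse is configured on the same host.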
diff --git a/host/Rory-nginx/services/matrix/sliding-sync.nix b/host/Rory-nginx/services/matrix/sliding-sync.nix
deleted file mode 100644
index a8fbd0c..0000000
--- a/host/Rory-nginx/services/matrix/sliding-sync.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
- services.matrix-sliding-sync = {
- enable = true;
- settings = {
- "SYNCV3_SERVER" = "http://matrix.rory.gay";
- "SYNCV3_DB" = "postgresql://%2Frun%2Fpostgresql/syncv3";
- "SYNCV3_BINDADDR" = "0.0.0.0:8100";
- };
- environmentFile = "/etc/sliding-sync.env";
- };
-}
diff --git a/host/Rory-nginx/services/matrix/synapse/db.nix b/host/Rory-nginx/services/matrix/synapse/db.nix
index 77d9773..409c039 100644
--- a/host/Rory-nginx/services/matrix/synapse/db.nix
+++ b/host/Rory-nginx/services/matrix/synapse/db.nix
@@ -32,19 +32,18 @@
10
else
throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
-
+
# cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
# cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
# check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
};
-
-
- # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
# statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
# allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
# allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
# txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
-
- statement_timeout = 24 * 60 * 60 * 1000; #24 hours, good for bg jobs
- txn_limit = 500; #maybe dropping old data from pg caches helps?
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
}
diff --git a/host/Rory-nginx/services/matrix/synapse/ratelimits.nix b/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
index ffce1cc..851cf50 100644
--- a/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
+++ b/host/Rory-nginx/services/matrix/synapse/ratelimits.nix
@@ -53,7 +53,7 @@
reject_limit = 1000;
concurrent = 100;
};
- federation_rr_transactions_per_room_per_second = 1;
+ federation_rr_transactions_per_room_per_second = 1000;
# media
rc_media_create = {
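Review bot: `federation_rr_transactions_per_room_per_second = 1000` effectively disables the batching of outbound read-receipt transactions per room (the Synapse default is 50; the previous value here was 1), so every receipt in a busy room becomes its own federation transaction to every remote server in it. That is an outbound-traffic multiplier rather than an inbound abuse risk, but it deserves a comment saying why it was raised: `federation_rr_transactions_per_room_per_second = 1000; # send RRs immediately; accept the extra outbound transactions`. If the intent was only to undo the earlier throttle to 1, the default may be the better value.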
@@ -82,4 +82,16 @@
per_second = 1000;
burst_count = 1000;
};
+
+ #presence
+ rc_presence.per_user = {
+ per_second = 1;
+ burst_count = 2;
+ };
+
+ #delayed events
+ rc_delayed_event_mgmt = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
}
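Review bot: `rc_delayed_event_mgmt` at 1000/s with burst 1000 removes the rate limit on delayed-event management (MSC4140), a per-user endpoint any registered account can call; with `enable_registration = true` (token-gated) on this server, that hands every user an unthrottled way to create and churn scheduled events. If a specific client needs headroom, raise it modestly and say why; otherwise leave the default. The `rc_presence.per_user` block is reasonable, but a one-line comment on why presence is pinned to 1/s while nearly everything else here is 1000/s would help the next reader.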
diff --git a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
index d1dafb1..d65b614 100755..100644
--- a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
+++ b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
@@ -18,7 +18,7 @@
clientReaders = 2; # 4
syncWorkers = 2; # 4
authWorkers = 0;
-
+
eventCreators = 16;
federationReaders = 8; # 8
@@ -40,149 +40,152 @@
#sharedStreamWriters = 1;
# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
- settings = {
- server_name = "rory.gay";
-
-# use_frozen_dicts = true;
-# user_agent_suffix = " (rory.gay)";
-
- # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560
- # limit_remote_rooms ???
- # cleanup_extremities_with_dummy_events - default=True
- # dummy_devents_treshold - default=10 - required forward extremities to send dummy event
- # enable_ephemeral_messages - default=False - ???
- # rooms_to_exclude_from_sync - default=[] - room ids...
- # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ???
- # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73
-
- dummy_devents_treshold = 2;
- cleanup_extremities_with_dummy_events = true;
-
- enable_registration = true;
- registration_requires_token = true;
-
- require_membership_for_aliases = false;
- redaction_retention_period = null;
- user_ips_max_age = null;
- allow_device_name_lookup_over_federation = true;
-
- federation = {
- client_timeout = "30s"; # default=60s
- max_short_retries = 12;
- max_short_retry_delay = "5s";
- max_long_retries = 5;
- max_long_retry_delay = "30s";
-
- # rapid retry, small increments
- destination_min_retry_interval = "5m"; # default=10m
- destination_max_retry_interval = "12h"; #default=7d
- destination_retry_multiplier = 1.2; #default=2
- };
-
- registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
-
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "127.0.0.1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [
- "client"
- "federation"
- ];
- compress = false;
- }
- ];
- }
- {
- type = "http";
- path = "/run/matrix-synapse/main.sock";
- resources = [
- {
- names = [ "replication" ];
- compress = false;
- }
- ];
- }
- ];
- presence = {
- enablee = true;
- update_interval = 60;
- };
- database = (
- import ./db.nix {
- workerName = "main";
- dbGroup = "medium";
- }
- );
- app_service_config_files = [
- #"/etc/matrix-synapse/appservice-registration.yaml"
- "/var/lib/matrix-synapse/modas-registration.yaml"
- ];
-
- #region Media
- max_upload_size = "512M";
-
- max_avatar_size = "512M";
- max_image_pixels = "250M";
-
- max_pending_media_uploads = 512;
- dynamic_thumbnails = true;
-
- prevent_media_downloads_from = [
- # none, give me all the media
- ];
- enable_authenticated_media = false;
-
- url_preview_enabled = true;
- max_spider_size = "50M";
-
- #endregion
-
- ui_auth = {
- session_timeout = "1m";
- };
-
- login_via_existing_session = {
- enabled = true;
- require_ui_auth = true;
- token_timeout = "1y";
- };
-
- report_stats = false;
-
- user_directory = {
- enabled = true;
- search_all_users = true;
- prefer_local_users = true;
- };
-
- # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
- experimental_features = {
- "msc2815_enabled" = true; # Redacted event content
- "msc3026_enabled" = true; # Busy presence
- "msc3266_enabled" = true; # Room summary API
- "msc3916_authenticated_media_enabled" = true; # Authenticated media
- "msc3823_account_suspension" = true; # Account suspension
- "msc4151_enabled" = true; # Report room API (CS-API)
- };
-
- redis = {
- enabled = true;
- path = "/run/redis-matrix-synapse/redis.sock";
- };
-
- instance_map = {
- main = {
- # replication listener
- path = "/run/matrix-synapse/main.sock";
+ settings =
+ {
+ server_name = "rory.gay";
+
+ # use_frozen_dicts = true;
+ # user_agent_suffix = " (rory.gay)";
+
+ # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560
+ # limit_remote_rooms ???
+ # cleanup_extremities_with_dummy_events - default=True
+ # dummy_devents_treshold - default=10 - required forward extremities to send dummy event
+ # enable_ephemeral_messages - default=False - ???
+ # rooms_to_exclude_from_sync - default=[] - room ids...
+ # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ???
+ # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73
+
+ dummy_devents_treshold = 2;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "30s"; # default=60s
+ max_short_retries = 12;
+ max_short_retry_delay = "5s";
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "5m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.2; # default=2
+ };
+
+ registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enablee = true;
+ update_interval = 60;
+ };
+ database = (
+ import ./db.nix {
+ workerName = "main";
+ dbGroup = "medium";
+ }
+ );
+ app_service_config_files = [
+ #"/etc/matrix-synapse/appservice-registration.yaml"
+ "/var/lib/matrix-synapse/modas-registration.yaml"
+ ];
+
+ #region Media
+ max_upload_size = "512M";
+
+ max_avatar_size = "512M";
+ max_image_pixels = "250M";
+
+ max_pending_media_uploads = 512;
+ dynamic_thumbnails = true;
+
+ prevent_media_downloads_from = [
+ # none, give me all the media
+ ];
+ enable_authenticated_media = false;
+
+ url_preview_enabled = true;
+ max_spider_size = "50M";
+
+ #endregion
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3266_enabled" = true; # Room summary API
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
};
- };
- } // import ./ratelimits.nix // import ./caches.nix;
+ }
+ // import ./ratelimits.nix
+ // import ./caches.nix;
};
systemd.services.matrix-synapse-reg-token = {
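Review bot: `presence = { enablee = true; ... }` misspells the key (`enabled`); as far as I can tell Synapse's config loader does not reject unknown keys in this section, so the line is silently ignored and presence follows the default rather than this file — fix the spelling or delete the line so the config says what it does. Separately, `enable_authenticated_media = false` alongside `"msc3916_authenticated_media_enabled" = true` is an odd pairing: the experimental flag exposes the authenticated endpoints, but the unauthenticated `/_matrix/media` download paths stay open to anyone, so if that is deliberate (older clients, federation peers) a comment next to it should say so. `user_ips_max_age = null` and `redaction_retention_period = null` likewise turn off two privacy-motivated purges without a note on why. This hunk is a re-indentation; these are pre-existing lines on the new side, not introduced here.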
@@ -207,7 +210,7 @@
};
services.redis = {
- package = pkgs.keydb;
+ package = pkgs.valkey;
servers.matrix-synapse = {
enable = true;
user = "matrix-synapse";
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
index 3c8d1e9..6e97c15 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
@@ -97,6 +97,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
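Review bot: `fail_timeout = "0s"` has no effect next to `max_fails = 0`, because nginx disables failure accounting entirely when max_fails is zero, so there is no window for fail_timeout to bound. If the intent is simply never to mark a worker socket unavailable, `max_fails = 0` alone already does that and the new line can be dropped; if it is meant to document intent, say so instead, e.g. `# max_fails = 0 disables failure accounting, so fail_timeout is inert`. The same line is added in client-reader.nix, event-creator.nix, federation-inbound.nix, federation-reader.nix, federation-sender.nix, media-repo.nix, pusher.nix, sync.nix and every stream-writers/*.nix file in this diff. The enclosing `servers = lib.listToAttrs (...)` expression starts outside the hunk.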
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
index 9a0aafa..0d039c0 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
@@ -28,6 +28,8 @@ let
# unstable
"~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$"
+ "~ ^/_matrix/client/v3/keys/query$"
+ "~ ^/_matrix/client/v3/room_keys/keys/"
]
++ lib.optionals (cfg.authWorkers == 0) [
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$"
@@ -112,14 +114,16 @@ in
name = "${workerName}-${type}";
value = {
extraConfig = ''
- keepalive 32;
- least_conn;
+ keepalive 32;
+ # least_conn;
+ hash $request_uri consistent;
'';
servers = lib.listToAttrs (
lib.map (index: {
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
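Review bot: `hash $request_uri consistent;` is placed after `keepalive 32;`, but nginx's upstream keepalive documentation requires any non-round-robin balancing directive (hash, ip_hash, least_conn) to appear before `keepalive`; as written the hash method may not take effect for the keepalive pool. Swap the two so the extraConfig reads `hash $request_uri consistent;` followed by `keepalive 32;`, and replace the bare `# least_conn;` leftover with a line saying why URI affinity was chosen over least-connections, since hashing on the URI pins hot paths to a single worker. event-creator.nix makes the identical change in its corresponding hunk.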
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
index 2be7a5b..0966573 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
@@ -13,6 +13,7 @@ let
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/"
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/"
"~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/"
+ "~ ^/_synapse/admin/v1/rooms" # We have a lot of them, so let's do a bunch of jobs at once!
];
federation = [ ];
media = [ ];
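Review bot: `"~ ^/_synapse/admin/v1/rooms"` has neither a trailing `/` nor a `$`, unlike the surrounding patterns, so it also captures every sub-route under `/_synapse/admin/v1/rooms/...` (deletion, blocking, member listings) and sends them to the event-creator workers, which may not be what the comment about batching intends. If only the room listing endpoint is meant, anchor it as `"~ ^/_synapse/admin/v1/rooms$"`; if sub-routes are intentional, the comment should say which admin room APIs are known to be safe to serve from a worker.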
@@ -85,14 +86,16 @@ in
name = "${workerName}-${type}";
value = {
extraConfig = ''
- keepalive 32;
- least_conn;
+ keepalive 32;
+ # least_conn;
+ hash $request_uri consistent;
'';
servers = lib.listToAttrs (
lib.map (index: {
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
index effaa69..bdaf456 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
@@ -86,6 +86,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
index 5b3d4bf..c5852d3 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
@@ -21,14 +21,16 @@ let
"~ ^/_matrix/federation/(v1|v2)/send_leave/"
"~ ^/_matrix/federation/v1/make_knock/"
"~ ^/_matrix/federation/v1/send_knock/"
- "~ ^/_matrix/federation/(v1|v2)/invite/"
+ "~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually
"~ ^/_matrix/federation/(v1|v2)/query_auth/"
"~ ^/_matrix/federation/(v1|v2)/event_auth/"
"~ ^/_matrix/federation/v1/timestamp_to_event/"
"~ ^/_matrix/federation/(v1|v2)/exchange_third_party_invite/"
"~ ^/_matrix/federation/(v1|v2)/user/devices/"
"~ ^/_matrix/federation/(v1|v2)/get_groups_publicised$"
+ "~ ^/_matrix/federation/v1/hierarchy/"
"~ ^/_matrix/key/v2/query"
+ "~ ^/_matrix/federation/v1/user/keys/query$"
# extra
"~ ^/_matrix/key/v2/server$"
];
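Review bot: The new comment `# Needs special handling, define manually` is attached to a pattern that stays in the generic route list, so invites are still proxied exactly like every other federation path; the dedicated `locations."~ ^/_matrix/federation/(v1|v2)/invite/"` block added later in this file is commented out, and the `$mx_can_invite` map introduced in module.nix is not referenced anywhere in the diff. As committed, the remote-invite allow-list is dead configuration, and a reader could easily assume it is enforced. Either wire the location up to the map, or make the comment reflect the actual state, e.g. `# TODO: dedicated invite location (below) and the $mx_can_invite map are not wired up yet`.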
@@ -110,6 +112,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
@@ -134,6 +137,14 @@ in
)
)
);
+
+ #virtualHosts."${cfg.nginxVirtualHostName}".locations."~ ^/_matrix/federation/(v1|v2)/invite/" = {
+ # proxyPass = "http://${workerName}-federation";
+ # extraConfig = ''
+ # proxy_http_version 1.1;
+ # proxy_set_header Connection "";
+ # '';
+ #};
};
};
}
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
index 468916e..c2622be 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
@@ -88,6 +88,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
index e52010c..25271a5 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
@@ -14,6 +14,7 @@ let
"~ ^/_synapse/admin/v1/purge_media_cache$"
"~ ^/_synapse/admin/v1/room/.*/media.*$"
"~ ^/_synapse/admin/v1/user/.*/media.*$"
+ "~ ^/_synapse/admin/v1/users/.*/media$"
"~ ^/_synapse/admin/v1/media/.*$"
"~ ^/_synapse/admin/v1/quarantine_media/.*$"
"~ ^/_matrix/media/"
@@ -106,6 +107,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/module.nix b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
index 32f2095..3b6456b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/module.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
@@ -33,7 +33,7 @@ in
./stream-writers/to_device-stream-writer.nix
./stream-writers/typing-stream-writer.nix
-# ./stream-writers/shared-stream-writer.nix
+ # ./stream-writers/shared-stream-writer.nix
];
options.services.matrix-synapse = {
enableWorkers = lib.mkEnableOption "Enable dedicated workers";
@@ -60,7 +60,7 @@ in
receiptStreamWriters = mkIntOption "Number of read receipt stream writers";
presenceStreamWriters = mkIntOption "Number of presence stream writers";
pushRuleStreamWriters = mkIntOption "Number of push rule stream writers";
-
+
sharedStreamWriters = mkIntOption "Number of shared stream writers";
nginxVirtualHostName = lib.mkOption {
@@ -68,6 +68,12 @@ in
default = null;
description = "The virtual host name for the nginx server";
};
+
+ allowedRemoteInviteOrigins = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "List of allowed remote invite origins";
+ };
};
config = {
@@ -77,7 +83,6 @@ in
message = "nginxVirtualHostName must be set when enableWorkers is true";
}
-
# Stream types and count limitations: https://github.com/element-hq/synapse/blob/develop/synapse/config/workers.py#L344
{
assertion = cfg.typingStreamWriters <= 1;
@@ -104,11 +109,26 @@ in
assertion = cfg.pushRuleStreamWriters <= 1;
message = "Only one push rule stream writer is supported";
}
-
+
{
assertion = cfg.sharedStreamWriters <= 1;
message = "Only one shared stream writer is supported";
}
];
+
+ # Matrix utility maps
+ services.nginx.appendHttpConfig = ''
+ # Map authorization header to origin name
+ map $http_authorization $mx_origin_name {
+ default "";
+ "~*X-Matrix origin=(?<origin>[^,]+)" $origin;
+ }
+
+ # Map origin name to whether it can invite
+ map $mx_origin_name $mx_can_invite {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (origin: " \"${origin}\" 1;") cfg.allowedRemoteInviteOrigins}
+ }
+ '';
};
}
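Review bot: The capture `(?<origin>[^,]+)` in the `$http_authorization` map keeps the quote characters when the header uses the spec's quoted form `X-Matrix origin="example.org",...`, so the generated `"example.org" 1;` entries would never match and `$mx_can_invite` stays `0` for allowed origins; a tolerant pattern is `"~*X-Matrix origin=\"?(?<origin>[^,\"]+)" $origin;`. Separately, the origin is a self-asserted header value that nginx does not verify — only Synapse checks the signature — so the map should be documented as an unauthenticated routing hint rather than an access-control decision, e.g. `# origin is unverified at this layer; Synapse validates the request signature`. Values from `allowedRemoteInviteOrigins` are also interpolated into the nginx config unescaped, so a note that they must be plain server names would help.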
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
index edf1632..05f8c1a 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
@@ -87,6 +87,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
index 48649f6..ee9e8c9 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
@@ -92,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
index 5395aea..2772e0f 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
index e6487ca..e496715 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
index 4a4af04..4c44de5 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
index 54c31b4..ce7f028 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
@@ -92,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
index 5fd0bd0..1170613 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
@@ -95,6 +95,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
index 2b487d6..689805b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
index 5bff505..a046ca6 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
@@ -89,6 +89,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
index 67b63dd..fbdb73e 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
@@ -11,6 +11,7 @@ let
"~ ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
"~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$"
"~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
+ "~ ^/_matrix/client/unstable/org.matrix.simplified_msc3575/sync$"
];
federation = [ ];
media = [ ];
@@ -91,6 +92,7 @@ in
name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
value = {
max_fails = 0;
+ fail_timeout = "0s";
};
}) workers
);
diff --git a/host/Rory-nginx/services/nginx/nginx.nix b/host/Rory-nginx/services/nginx/nginx.nix
index bd6e62d..24cce6e 100755..100644
--- a/host/Rory-nginx/services/nginx/nginx.nix
+++ b/host/Rory-nginx/services/nginx/nginx.nix
@@ -18,11 +18,11 @@ in
package = pkgs.nginxQuic;
recommendedProxySettings = true;
recommendedTlsSettings = true;
- recommendedZstdSettings = true;
+ experimentalZstdSettings = true;
#recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedOptimisation = true;
- defaultMimeTypes = ../../../../modules/packages/nginx/mime.types;
+ defaultMimeTypes = ../../../../packages/nginx/mime.types;
appendConfig = ''
worker_processes 16;
'';
@@ -38,23 +38,13 @@ in
'';
additionalModules = with pkgs.nginxModules; [ moreheaders ];
virtualHosts = {
- "boorunav.com" = serveDir { path = "/data/nginx/html_boorunav"; };
- "catgirlsaresexy.com" = serveDir { path = "/data/nginx/html_catgirlsaresexy"; };
"sugarcanemc.org" = serveDir { path = "/data/nginx/html_sugarcanemc"; };
- "siliconheaven.thearcanebrony.net" = serveDir { path = "/data/nginx/html_siliconheaven"; };
- "lfs.thearcanebrony.net" = serveDir { path = "/data/nginx/html_lfs"; };
- "git.thearcanebrony.net" = serveDir { path = "/data/nginx/html_git"; };
- "files.thearcanebrony.net" = serveDir { path = "/data/nginx/html_files"; };
- "spigotav.thearcanebrony.net" = serveDir { path = "/data/nginx/html_spigotav"; };
- "terra.thearcanebrony.net" = serveDir { path = "/data/nginx/html_terrarchive"; };
- "vives.thearcanebrony.net" = serveDir { path = "/data/nginx/html_vives"; };
-
- "git.rory.gay" = serveDir { path = "/data/nginx/html_git"; };
- "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // { locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;"; };
+ "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // {
+ locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;";
+ };
"wad-api.rory.gay" = import ./rory.gay/wad-api.nix;
- "thearcanebrony.net" = import ./thearcanebrony.net/root.nix;
"sentry.thearcanebrony.net" = import ./thearcanebrony.net/sentry.nix;
"search.thearcanebrony.net" = import ./thearcanebrony.net/search.nix;
@@ -67,11 +57,9 @@ in
#matrix...
"conduit.rory.gay" = import ./rory.gay/conduit.nix;
- "matrix.rory.gay" = import ./rory.gay/matrix.nix;
"pcpoc.rory.gay" = import ./rory.gay/pcpoc.nix;
"matrixunittests.rory.gay" = import ./rory.gay/matrixunittests.nix;
"conduit.matrixunittests.rory.gay" = import ./rory.gay/conduit.matrixunittests.nix;
- "mru.rory.gay" = import ./rory.gay/mru.nix;
#bots...
"0bottests.bots.rory.gay" = import ./rory.gay/bots.nix;
@@ -101,7 +89,7 @@ in
};
systemd.services.nginx.requires = [ "data.mount" ];
security.acme.acceptTerms = true;
- security.acme.defaults.email = "root@thearcanebrony.net";
+ security.acme.defaults.email = "root@rory.gay";
networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts;
}
diff --git a/host/Rory-nginx/services/nginx/rory.gay/bots.nix b/host/Rory-nginx/services/nginx/rory.gay/bots.nix
index 9bd18a8..9bd18a8 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/bots.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/bots.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/cgit.nix b/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
index 812e946..812e946 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/cgit.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix b/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
index 9503747..9503747 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/conduit.matrixunittests.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/conduit.nix b/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
index 250a6b2..ef0fbd8 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/conduit.nix
@@ -26,7 +26,7 @@
proxy_send_timeout 54000;
'';
};
- #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
+ #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
locations."/_conduwuit/".extraConfig = ''
return 404;
'';
diff --git a/host/Rory-nginx/services/nginx/rory.gay/ec.nix b/host/Rory-nginx/services/nginx/rory.gay/ec.nix
new file mode 100644
index 0000000..0985503
--- /dev/null
+++ b/host/Rory-nginx/services/nginx/rory.gay/ec.nix
@@ -0,0 +1,26 @@
+{
+ enableACME = true;
+ addSSL = true;
+ kTLS = true;
+ root = "/data/nginx/html_ec";
+ reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
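Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` does not follow the `Name: value` form the four lines above it use; headers-more expects each argument to be a single `Header: value` string, so this line is likely rejected at config parse or not set as intended. Write it as `more_set_headers 'Access-Control-Max-Age: 1728000';`. Given the fully wildcarded CORS policy on this host, a one-line comment stating that `/data/nginx/html_ec` holds only public static content would also record why `*` is acceptable here.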
diff --git a/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix b/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
index f6091bc..9469087 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/jitsi.nix
@@ -39,7 +39,13 @@ in
proxy_set_header Host $host;
'';
};
- locations."=/external_api.js" = lib.mkDefault { alias = "${pkgs.jitsi-meet}/libs/external_api.min.js"; };
- locations."=/config.js" = lib.mkDefault { alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig; };
- locations."=/interface_config.js" = lib.mkDefault { alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig ""; };
+ locations."=/external_api.js" = lib.mkDefault {
+ alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
+ };
+ locations."=/config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig;
+ };
+ locations."=/interface_config.js" = lib.mkDefault {
+ alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig "";
+ };
}
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix b/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
index 5d44454..5d44454 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrix-bak.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrix.nix b/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
index d48f4ca..d48f4ca 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrix.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix b/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
index edb1704..edb1704 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/matrixunittests.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/mru.nix b/host/Rory-nginx/services/nginx/rory.gay/mru.nix
index dd59830..6c7e2a1 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/mru.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/mru.nix
@@ -1,12 +1,12 @@
{
enableACME = true;
addSSL = true;
- quic = true;
+ # quic = true;
http3 = true;
http3_hq = true;
kTLS = true;
root = "/data/nginx/html_mru";
- reuseport = true;
+ # reuseport = true;
extraConfig = ''
brotli off;
brotli_static off;
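Review bot: With `quic = true` commented out, `http3 = true;` and `http3_hq = true;` on the lines below have no QUIC listener to apply to, so as far as this hunk shows the vhost no longer serves HTTP/3 while still claiming to. Either keep `quic = true;` (and `reuseport`, which QUIC listeners generally need) or comment the two `http3*` options out as well, with a note on why QUIC was disabled, e.g. `# QUIC/HTTP3 disabled: <reason>`.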
diff --git a/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix b/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
index b62c5fe..b62c5fe 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/pcpoc.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/root.nix b/host/Rory-nginx/services/nginx/rory.gay/root.nix
index 11d06c0..11d06c0 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/root.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/root.nix
diff --git a/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix b/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
index 65e9bdb..65e9bdb 100755..100644
--- a/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
+++ b/host/Rory-nginx/services/nginx/rory.gay/wad-api.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
index f13cb0c..f13cb0c 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/awooradio.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
index 86dddac..86dddac 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/root.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
index cd655d8..cd655d8 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/search.nix
diff --git a/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix b/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
index f496190..f496190 100755..100644
--- a/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
+++ b/host/Rory-nginx/services/nginx/thearcanebrony.net/sentry.nix
diff --git a/host/Rory-nginx/services/ollama.nix b/host/Rory-nginx/services/ollama.nix
index c9709da..16f4e1c 100755..100644
--- a/host/Rory-nginx/services/ollama.nix
+++ b/host/Rory-nginx/services/ollama.nix
@@ -10,8 +10,10 @@
environmentVariables = {
OLLAMA_LLM_LIBRARY = "cpu_avx2";
};
- writablePaths = [ "/data/ollama/home" ];
- listenAddress = "0.0.0.0:11434";
- sandbox = false;
+ #listenAddress = "0.0.0.0:11434";
+ host = "0.0.0.0";
+ port = 11434;
+ user = "ollama";
+ group = "ollama";
};
}
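Review bot: `host = "0.0.0.0";` with `port = 11434;` binds the Ollama API on every interface, and the service has no authentication of its own, so reachability is decided entirely by the host firewall, which is not visible in this hunk. If only local or LAN clients need it, bind to the specific address instead (`host = "127.0.0.1";` behind the existing nginx, or the LAN address), and otherwise add a comment stating which firewall rule is relied upon. Dropping `writablePaths` and `sandbox = false` alongside is presumably an option rename in the NixOS module; a short note on that would save the next reader a lookup.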
diff --git a/host/Rory-nginx/services/postgres.nix b/host/Rory-nginx/services/postgres.nix
index c728151..f0fb3e7 100755..100644
--- a/host/Rory-nginx/services/postgres.nix
+++ b/host/Rory-nginx/services/postgres.nix
@@ -5,7 +5,7 @@
services.postgresql = {
enable = true;
- package = pkgs.postgresql_16;
+ package = pkgs.postgresql_16_jit;
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 10 ''
# TYPE, DATABASE, USER, ADDRESS, METHOD
@@ -27,8 +27,8 @@
max_connections = 2500;
superuser_reserved_connections = 3;
- shared_buffers = "32GB";
- work_mem = "16GB";
+ shared_buffers = "64GB";
+ work_mem = "32GB";
maintenance_work_mem = "8GB";
huge_pages = "try";
effective_cache_size = "64GB"; # was 22
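Review bot: `work_mem = "32GB"` is a per-sort/per-hash-operation budget, not a per-server one, and it sits next to `max_connections = 2500`; a handful of concurrent queries with several sort or hash nodes each can commit far more RAM than `shared_buffers = "64GB"` plus `effective_cache_size = "64GB"` suggest is available, which is a self-inflicted memory-exhaustion risk under an ordinary load spike. Set a modest default and raise it per session or role for the maintenance jobs that need it, e.g. `work_mem = "256MB"; # raise per-role for bulk jobs`, and record the host's physical RAM in a comment so the sum of these settings can be sanity-checked.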
@@ -44,17 +44,17 @@
wal_level = "replica";
max_wal_senders = 0;
- synchronous_commit = "off"; # was ond3
+ synchronous_commit = "on"; # was ond3
checkpoint_timeout = "15min";
checkpoint_completion_target = "0.9";
max_wal_size = "2GB";
min_wal_size = "1GB";
- wal_compression = "on";
+ wal_compression = "off";
wal_buffers = "-1";
- wal_writer_delay = "200ms";
- wal_writer_flush_after = "1MB";
+ wal_writer_delay = "500ms"; # was 100
+ wal_writer_flush_after = "32MB"; # was 1
#checkpoint_segments = "64"; # additional
default_statistics_target = "250"; # additional
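Review bot: The trailing comments on the new lines are stale: `synchronous_commit = "on"; # was ond3` is garbled, `wal_writer_delay = "500ms"; # was 100` contradicts the removed `200ms`, and `# was 1` next to `32MB` omits the unit. History-tracking comments drift quickly; either state the current rationale (`# durability over throughput` for synchronous_commit) or drop them and let the VCS carry the history. The same pattern continues in the next hunk, where `# was 14` and `# was 7` describe values two revisions back.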
@@ -63,10 +63,10 @@
bgwriter_lru_multiplier = "2.0";
bgwriter_flush_after = "0";
- max_worker_processes = "32"; # was 14
- max_parallel_workers_per_gather = "16"; # was 7
- max_parallel_maintenance_workers = "16"; # was 7
- max_parallel_workers = "32"; # was 14
+ max_worker_processes = "64"; # was 14
+ max_parallel_workers_per_gather = "32"; # was 7
+ max_parallel_maintenance_workers = "32"; # was 7
+ max_parallel_workers = "64"; # was 14
parallel_leader_participation = "on";
enable_partitionwise_join = "on";
@@ -80,20 +80,20 @@
};
};
-# services.prometheus.exporters.postgres = {
-# enable = true;
-# port = 9187;
-# extraFlags = [
-# "--collector.database_wraparound"
-# "--collector.long_running_transactions"
-# "--collector.postmaster"
-# "--collector.process_idle"
-# "--collector.stat_activity_autovacuum"
-# "--collector.stat_statements"
-# #"--collector.stat_wal_receiver" #we dont have WAL receivers
-# "--collector.statio_user_indexes"
-# "--collector.xlog_location"
-# ];
-# };
+ # services.prometheus.exporters.postgres = {
+ # enable = true;
+ # port = 9187;
+ # extraFlags = [
+ # "--collector.database_wraparound"
+ # "--collector.long_running_transactions"
+ # "--collector.postmaster"
+ # "--collector.process_idle"
+ # "--collector.stat_activity_autovacuum"
+ # "--collector.stat_statements"
+ # #"--collector.stat_wal_receiver" #we dont have WAL receivers
+ # "--collector.statio_user_indexes"
+ # "--collector.xlog_location"
+ # ];
+ # };
}