Diffstat (limited to 'host/Rory-synapse/configuration.nix')
-rwxr-xr-x | host/Rory-synapse/configuration.nix | 200 |
1 files changed, 1 insertions, 199 deletions
diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix
index 46da7b6..020a804 100755
--- a/host/Rory-synapse/configuration.nix
+++ b/host/Rory-synapse/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ../../modules/base-server.nix
+ ./software.nix
 ];
 networking = {
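Review bot: The new `./software.nix` entry in `imports` pulls in a module this diff does not show (the diffstat is limited to configuration.nix), so it is impossible to tell here whether the inline credentials deleted below — `password = "somepassword"` in the synapse `database.args`, the plaintext coturn `static-auth-secret`, and the passwordless `postgres://postgres@192.168.1.3/...` bridge connString — were moved over verbatim or replaced. Any secret assigned as a plain string in a NixOS option is rendered into a config file in the world-readable Nix store, which the old coturn comment itself acknowledged, so a verbatim move keeps that exposure. If software.nix still carries them, it should use the file-based forms the removed config already gestured at (`registration_shared_secret_path`, the commented-out `passwordFile`/`extraConfigFiles`, and NixOS's coturn `static-auth-secret-file`), with the files owned by the respective service user. A one-line comment on the import, `# service definitions (synapse, coturn, bridges); secrets must come from *-file / extraConfigFiles, never string literals`, would make that expectation explicit to the next editor. The enclosing module attribute set continues outside this hunk.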
@@ -18,205 +19,6 @@ } ]; }; - # coturn (WebRTC) - services.coturn = rec { - enable = false; # Alicia - figure out secret first... - no-cli = true; - no-tcp-relay = true; - min-port = 49000; - max-port = 50000; - use-auth-secret = true; - static-auth-secret = "will be world readable for local users :("; - realm = "turn.example.com"; - # Alicia - figure out how to get this to work, since nginx runs on separate machine... - #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; - #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; - extraConfig = '' - # for debugging - verbose - # ban private IP ranges - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; - }; - - #services.matrix-synapse = with config.services.coturn; { - # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; - # turn_shared_secret = static-auth-secret; - # turn_user_lifetime = "1h"; - #}; - - # Discord bridge - services.matrix-appservice-discord = { - enable = 
false; # Alicia - figure out secret first... - environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; - # The appservice is pre-configured to use SQLite by default. - # It's also possible to use PostgreSQL. - settings = { - bridge = { - domain = "rory.gay"; - homeserverUrl = "https://matrix.rory.gay"; - }; - - # The service uses SQLite by default, but it's also possible to use - # PostgreSQL instead: - database = { - # filename = ""; # empty value to disable sqlite - connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord"; - }; - }; - }; - - services.matrix-synapse = { - enable = true; - - settings = { - server_name = "rory.gay"; - - enable_registration = false; - # Alicia - figure this out later... - #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; - registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; - - # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410 - listeners = [ - { - port = 8008; - bind_addresses = [ "192.168.1.5" "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ { - names = [ "client" "federation" ]; - compress = true; - } ]; - } - ]; - dynamic_thumbnails = true; - - presence = { - enable = true; - update_interval = 60; - }; - url_preview_enabled = true; - - database = { - name = "psycopg2"; - args = { - user = "matrix-synapse-rory-gay"; - #passwordFile = "/run/secrets/matrix-synapse-password"; - password = "somepassword"; - database = "matrix-synapse-rory-gay"; - host = "192.168.1.3"; - }; - }; - app_service_config_files = [ - #"/etc/matrix-synapse/appservice-registration.yaml" - ]; - }; - - plugins = with pkgs.matrix-synapse-plugins; [ - # Alicia - need to port draupnir... 
- #matrix-synapse-mjolnir-antispam -# matrix-synapse-pam - ]; -# extraConfigFiles = [ -# (pkgs.writeTextFile { -# name = "matrix-synapse-extra-config.yml"; -# text = '' -# modules: -# - module: "pam_auth_provider.PAMAuthProvider" -# config: -# create_users: true -# skip_user_check: false -# ''; -# }) -# ]; - }; - - # Alicia - doesnt work yet... until in nixpkgs... - services.draupnir = { - enable = true; - - pantalaimon = { - enable = true; - username = "draupnir"; - passwordFile = "/etc/draupnir-password"; - options = { - homeserver = "http://localhost:8008"; - ssl = false; - }; - - }; - managementRoom = "#draupnir-mgmt:rory.gay"; - homeserverUrl = "http://localhost:8008"; - verboseLogging = false; - settings = { - recordIgnoredInvites = false; - automaticallyRedactForReasons = [ "*" ]; - fasterMembershipChecks = true; - backgroundDelayMS = 100; - pollReports = true; - admin.enableMakeRoomAdminCommand = true; - commands.ban.defaultReasons = [ - "spam" - "harassment" - "transphobia" - "scam" - ]; - protections = { - wordlist = { - words = [ - "tranny" - "faggot" - ]; - minutesBeforeTrusting = 0; - }; - }; - }; - }; - - systemd.services.matrix-synapse-reg-token = { - description = "Random registration token for Synapse."; - before = ["matrix-synapse.service"]; # So the registration can be used by Synapse - wantedBy = ["multi-user.target"]; - after = ["network.target"]; - - script = '' - - if [ ! -f "registration_shared_secret.txt" ] - then - cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt - else - echo Not generating key, key exists; - fi''; - serviceConfig = { - User = "matrix-synapse"; - Group = "matrix-synapse"; - WorkingDirectory = "/var/lib/matrix-synapse"; - }; - }; system.stateVersion = "22.11"; # DO NOT EDIT! } |