{ config, pkgs, lib, ... }: { imports = [ ../../modules/base-server.nix ]; networking = { hostName = "Rory-synapse"; interfaces.ens18.ipv4.addresses = [ { address = "192.168.1.5"; prefixLength = 24; } ]; interfaces.ens19.ipv4.addresses = [ { address = "10.10.10.5"; prefixLength = 16; } ]; }; # coturn (WebRTC) services.coturn = rec { enable = false; # Alicia - figure out secret first... no-cli = true; no-tcp-relay = true; min-port = 49000; max-port = 50000; use-auth-secret = true; static-auth-secret = "will be world readable for local users :("; realm = "turn.example.com"; # Alicia - figure out how to get this to work, since nginx runs on separate machine... #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = '' # for debugging verbose # ban private IP ranges no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=100.64.0.0-100.127.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.88.99.0-192.88.99.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=240.0.0.0-255.255.255.255 denied-peer-ip=::1 denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 denied-peer-ip=100::-100::ffff:ffff:ffff:ffff denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff ''; }; #services.matrix-synapse = with config.services.coturn; { # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; # turn_shared_secret = static-auth-secret; # turn_user_lifetime = "1h"; #}; # Discord bridge services.matrix-appservice-discord = { enable = false; # Alicia - figure out secret first... environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env; # The appservice is pre-configured to use SQLite by default. # It's also possible to use PostgreSQL. settings = { bridge = { domain = "rory.gay"; homeserverUrl = "https://matrix.rory.gay"; }; # The service uses SQLite by default, but it's also possible to use # PostgreSQL instead: database = { # filename = ""; # empty value to disable sqlite connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord"; }; }; }; services.matrix-synapse = { enable = true; settings = { server_name = "rory.gay"; enable_registration = false; # Alicia - figure this out later... #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410 listeners = [ { port = 8008; bind_addresses = [ "192.168.1.5" ]; type = "http"; tls = false; x_forwarded = true; resources = [ { names = [ "client" "federation" ]; compress = true; } ]; } ]; dynamic_thumbnails = true; presence = { enable = true; update_interval = 60; }; url_preview_enabled = true; database = { name = "psycopg2"; args = { user = "matrix-synapse-rory-gay"; #passwordFile = "/run/secrets/matrix-synapse-password"; password = "somepassword"; database = "matrix-synapse-rory-gay"; host = "192.168.1.3"; }; }; app_service_config_files = [ #"/etc/matrix-synapse/appservice-registration.yaml" ]; }; plugins = with pkgs.matrix-synapse-plugins; [ # Alicia - need to port draupnir... #matrix-synapse-mjolnir-antispam matrix-synapse-pam ]; extraConfigFiles = [ (pkgs.writeTextFile { name = "matrix-synapse-extra-config.yml"; text = '' modules: - module: "pam_auth_provider.PAMAuthProvider" config: create_users: true skip_user_check: false ''; }) ]; }; # Alicia - doesnt work yet... until in nixpkgs... #services.draupnir = { # enable = true; # pantalaimon = { # enable = true; # username = "draupnir"; # passwordFile = "/run/secrets/draupnir-password"; # options = { # homeserver = "http://localhost:8008"; # ssl = false; # }; # # }; # managementRoom = "#draupnir-mgmt:rory.gay"; #}; system.stateVersion = "22.11"; # DO NOT EDIT! }