host/Rory-synapse/configuration.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100

{ config, pkgs, lib, ... }:

{
  imports =
    [
      ../../modules/base-server.nix
    ];

  networking = {
    hostName = "Rory-synapse";
    interfaces.ens18.ipv4.addresses = [ { 
      address = "192.168.1.5";
      prefixLength = 24;
    } ];
    interfaces.ens19.ipv4.addresses = [ {
      address = "10.10.10.5";
      prefixLength = 16;
    } ];
  };

  # coturn (WebRTC)
  services.coturn = rec {
    enable = false; # Alicia - figure out secret first...
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret = "will be world readable for local users :(";
    realm = "turn.example.com";
    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig = ''
      # for debugging
      verbose
      # ban private IP ranges
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  #services.matrix-synapse = with config.services.coturn; {
  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
  #  turn_shared_secret = static-auth-secret;
  #  turn_user_lifetime = "1h";
  #};

  # Discord bridge
   services.matrix-appservice-discord = {
    enable = false; # Alicia - figure out secret first...
    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
    # The appservice is pre-configured to use SQLite by default.
    # It's also possible to use PostgreSQL.
    settings = {
      bridge = {
        domain = "rory.gay";
        homeserverUrl = "https://matrix.rory.gay";
      };

      # The service uses SQLite by default, but it's also possible to use
      # PostgreSQL instead:
      database = {
        #  filename = ""; # empty value to disable sqlite
        connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
      };
    };

  services.matrix-synapse = {
    enable = true;
    app_service_config_files = [
      #"/etc/matrix-synapse/appservice-registration.yaml"
    ];
    
  };

  system.stateVersion = "22.11"; # DO NOT EDIT!
}