authorRory& <root@rory.gay>2025-02-14 11:33:24 +0100
committerRory& <root@rory.gay>2025-02-14 11:33:24 +0100
commit0b2a417d78df654e99b942617fa5fc20b256b1fc (patch)
tree738f98df7f1b0e372305f4bdcf134fc3b551b179 /host
parentLLDB needs a patch (diff)
Some server replacement work
Diffstat (limited to 'host')
-rw-r--r--host/Rory-laptop/configuration.nix8
-rw-r--r--host/Rory-nginx-old/configuration.nix114
-rw-r--r--host/Rory-nginx-old/hooks/post-rebuild.sh29
-rw-r--r--host/Rory-nginx-old/services/cgit.nix58
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-cme/container.nix32
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-cme/root.nix16
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-cme/services/draupnir.nix23
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-fedora/container.nix32
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-fedora/root.nix16
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-fedora/services/draupnir.nix23
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-linux-mint/container.nix32
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-linux-mint/root.nix16
-rw-r--r--host/Rory-nginx-old/services/containers/draupnir-linux-mint/services/draupnir.nix26
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests-conduit/container.nix30
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/conduit.nix20
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/nginx.nix94
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests/container.nix31
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests/services/conduit.nix43
-rw-r--r--host/Rory-nginx-old/services/containers/matrixunittests/services/nginx.nix94
-rw-r--r--host/Rory-nginx-old/services/containers/pluralcontactbotpoc/container.nix29
-rw-r--r--host/Rory-nginx-old/services/containers/pluralcontactbotpoc/root.nix10
-rw-r--r--host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/conduit.nix39
-rw-r--r--host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/nginx.nix94
-rw-r--r--host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/pantalaimon.nix15
-rw-r--r--host/Rory-nginx-old/services/containers/shared.nix17
-rw-r--r--[-rwxr-xr-x]host/Rory-nginx-old/services/deluge.nix (renamed from host/Rory-nginx/services/deluge.nix)0
-rw-r--r--host/Rory-nginx-old/services/email/autoconfig.nix18
-rw-r--r--host/Rory-nginx-old/services/email/maddy.conf124
-rw-r--r--host/Rory-nginx-old/services/email/maddy.nix49
-rw-r--r--host/Rory-nginx-old/services/email/nginx.nix32
-rw-r--r--host/Rory-nginx-old/services/email/root.nix8
-rw-r--r--[-rwxr-xr-x]host/Rory-nginx-old/services/jitsi.nix (renamed from host/Rory-nginx/services/jitsi.nix)0
-rw-r--r--host/Rory-nginx-old/services/mastodon.nix12
-rw-r--r--host/Rory-nginx-old/services/matrix/coturn.nix52
-rw-r--r--host/Rory-nginx-old/services/matrix/draupnir.nix55
-rw-r--r--host/Rory-nginx-old/services/matrix/grapevine.nix30
-rw-r--r--host/Rory-nginx-old/services/matrix/matrix-appservice-discord.nix25
-rw-r--r--host/Rory-nginx-old/services/matrix/ooye.nix10
-rw-r--r--host/Rory-nginx-old/services/matrix/root.nix14
-rw-r--r--host/Rory-nginx-old/services/matrix/sliding-sync.nix (renamed from host/Rory-nginx/services/matrix/sliding-sync.nix)0
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/caches.nix24
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/db.nix49
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/ratelimits.nix85
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/synapse-main.nix221
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/auth.nix126
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/client-reader.nix149
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/event-creator.nix122
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/federation-inbound.nix115
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/federation-reader.nix147
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/federation-sender.nix117
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/media-repo.nix137
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/module.nix134
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/pusher.nix116
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/single/appservice.nix82
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/single/background.nix84
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/single/user-dir.nix87
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix121
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix118
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix118
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix118
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix121
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix124
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix118
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix118
-rw-r--r--host/Rory-nginx-old/services/matrix/synapse/workers/sync.nix120
-rw-r--r--host/Rory-nginx-old/services/nginx/nginx.nix110
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/bots.nix9
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/cgit.nix13
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/conduit.matrixunittests.nix15
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/conduit.nix75
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/ec.nix26
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/jitsi.nix51
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/matrix-bak.nix25
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/matrix.nix71
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/matrixunittests.nix15
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/mru.nix29
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/pcpoc.nix15
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/root.nix48
-rw-r--r--host/Rory-nginx-old/services/nginx/rory.gay/wad-api.nix32
-rw-r--r--host/Rory-nginx-old/services/nginx/thearcanebrony.net/awooradio.nix12
-rw-r--r--host/Rory-nginx-old/services/nginx/thearcanebrony.net/root.nix40
-rw-r--r--host/Rory-nginx-old/services/nginx/thearcanebrony.net/search.nix9
-rw-r--r--host/Rory-nginx-old/services/nginx/thearcanebrony.net/sentry.nix9
-rw-r--r--host/Rory-nginx-old/services/ollama.nix19
-rw-r--r--host/Rory-nginx-old/services/postgres.nix99
-rw-r--r--host/Rory-nginx-old/services/prometheus.nix8
-rw-r--r--host/Rory-nginx-old/services/redpanda/root.nix10
-rw-r--r--host/Rory-nginx-old/services/redpanda/systemd-services.nix109
-rwxr-xr-xhost/Rory-nginx/configuration.nix1
-rw-r--r--host/Rory-nginx/services/mastodon.nix12
-rwxr-xr-xhost/Rory-nginx/services/matrix/root.nix1
-rwxr-xr-xhost/Rory-nginx/services/matrix/synapse/synapse-main.nix2
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/auth.nix25
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix48
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix21
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix14
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix38
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix13
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/lib.nix147
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix24
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/pusher.nix13
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/single/appservice.nix21
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/single/background.nix23
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/single/user-dir.nix28
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix17
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix13
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix14
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix14
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix17
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix7
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix14
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix14
-rw-r--r--host/Rory-nginx/services/matrix/synapse/workers/sync.nix19
-rw-r--r--host/uISO/development.nix51
-rw-r--r--host/uISO/iso-root.nix128
-rw-r--r--host/uISO/overlays/grub-overlay.nix20
-rw-r--r--host/uISO/overlays/systemd-overlay.nix62
-rw-r--r--host/uISO/pkgs/resize.nix9
-rw-r--r--host/uISO/test.sh7
119 files changed, 5597 insertions, 330 deletions
diff --git a/host/Rory-laptop/configuration.nix b/host/Rory-laptop/configuration.nix

index b894208..6a7d8ed 100644
--- a/host/Rory-laptop/configuration.nix
+++ b/host/Rory-laptop/configuration.nix
@@ -124,6 +124,7 @@ args@{ (jetbrains.plugins.addPlugins jetbrains.webstorm [ "github-copilot" ]) (jetbrains.plugins.addPlugins jetbrains.idea-ultimate [ "github-copilot" ]) + (jetbrains.plugins.addPlugins jetbrains.clion [ "github-copilot" ]) dbeaver-bin vscode @@ -266,7 +267,12 @@ args@{ #}; # }; - virtualisation.libvirtd.enable = true; + virtualisation.libvirtd = { + enable = true; + qemu = { + swtpm.enable = true; + }; + }; programs.virt-manager.enable = true; monitoring = { diff --git a/host/Rory-nginx-old/configuration.nix b/host/Rory-nginx-old/configuration.nix new file mode 100644
index 0000000..9096c4a
--- /dev/null
+++ b/host/Rory-nginx-old/configuration.nix
@@ -0,0 +1,114 @@ +{ + pkgs, + config, + lib, + grapevine, + conduit, + conduwuit, + nixpkgs-Draupnir, + ... +}: + +{ + imports = [ + ../../modules/base-server.nix + ../../modules/users/levi.nix + ../../modules/users/db2k.nix + ../../modules/users/ks.nix + ../../modules/users/Alice.nix + + ./services/postgres.nix + ./services/matrix/root.nix + ./services/nginx/nginx.nix + #./services/jitsi.nix + ./services/cgit.nix + ./services/ollama.nix + ./services/deluge.nix + ./services/prometheus.nix + ./services/redpanda/root.nix + + ./services/email/root.nix + ]; + + users.groups.ocp = { }; + networking = { + hostName = "Rory-nginx"; + interfaces.ens18.ipv4.addresses = [ + { + address = "192.168.1.2"; + prefixLength = 24; + } + ]; + interfaces.ens19.ipv4.addresses = [ + { + address = "10.10.10.2"; + prefixLength = 16; + } + ]; + defaultGateway.interface = "ens18"; + nat = { + enable = true; + internalInterfaces = [ + "ve-+" + "vb-+" + ]; + externalInterface = "ens18"; + enableIPv6 = false; + }; + enableIPv6 = lib.mkForce false; + nameservers = lib.mkForce [ "192.168.1.1" ]; + }; + + monitoring = { + monitorAll = true; + localPrometheus = true; + exposePrometheus = true; + localGrafana = true; + exposeGrafana = true; + nginxHost = "monitoring.rory.gay"; + nginxSsl = true; + }; + + nixpkgs.config.permittedInsecurePackages = [ + "olm-3.2.16" + "dotnet-runtime-wrapped-7.0.20" + "dotnet-runtime-7.0.20" + "dotnet-sdk-7.0.20" + ]; + services.irqbalance.enable = true; + + environment.memoryAllocator.provider = "jemalloc"; + + #containers."pluralcontactbotpoc" = import ./services/containers/pluralcontactbotpoc/container.nix { + # inherit pkgs lib; + # conduit = grapevine; + #}; + + containers."matrixunittests" = import ./services/containers/matrixunittests/container.nix { + inherit pkgs lib grapevine; + }; + # + #containers."matrixunittests-conduit" = import ./services/containers/matrixunittests-conduit/container.nix { + # inherit pkgs lib; + # conduit = conduit; + #}; + + 
services.pgadmin = { + enable = false; + initialEmail = "root@localhost.localdomain"; + initialPasswordFile = "/etc/matrix-user-pass"; + }; + containers."draupnir-cme" = import ./services/containers/draupnir-cme/container.nix { + inherit pkgs lib nixpkgs-Draupnir; + }; + containers."draupnir-fedora" = import ./services/containers/draupnir-fedora/container.nix { + inherit pkgs lib nixpkgs-Draupnir; + }; + + #containers."draupnir-linux-mint" = import ./services/containers/draupnir-linux-mint/container.nix { inherit pkgs lib nixpkgs-Draupnir; }; + + system.stateVersion = "22.11"; # DO NOT EDIT! + + environment.systemPackages = with pkgs; [ waypipe ]; + nix.nrBuildUsers = 128; +} diff --git a/host/Rory-nginx-old/hooks/post-rebuild.sh b/host/Rory-nginx-old/hooks/post-rebuild.sh new file mode 100644
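Review bot: `nixpkgs.config.permittedInsecurePackages` whitelists `olm-3.2.16` and the three dotnet 7.0.20 packages without saying which service still needs them or when the exception can be dropped, so the override will outlive its reason. Add a comment per entry naming the dependent and an expiry, e.g. `"olm-3.2.16" # TODO(<service>): drop once <replacement> is in place`. `services.pgadmin.initialPasswordFile = "/etc/matrix-user-pass"` reuses the Matrix user password file for pgadmin; it is disabled here, but if it is ever switched on it should get its own secret file. This copy also keeps `networking.hostName = "Rory-nginx"` although it lives under `Rory-nginx-old`; presumably intentional while the replacement is prepared, but worth a comment if both trees get built.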
index 0000000..9b0c17c
--- /dev/null
+++ b/host/Rory-nginx-old/hooks/post-rebuild.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nix coreutils jq openssl
+#set -x
+REG_KEY=`cat /var/lib/matrix-synapse/registration_shared_secret.txt`
+LOCALPART='rory.gay'
+REACHABLE_DOMAIN='http://localhost:8008'
+
+# -- LICENSE: CNPL v7+ - https://thufie.lain.haus/files/CNPLv7.md
+# Modified from Nyaaori (https://nyaaori.cat) <+@nyaaori.cat>
+# Explicit authorisation to use the code has been granted by the original author
+# for use by members of the Rory& system (https://rory.gay)
+
+# the magic function:
+register(){
+ echo "Registering $1"
+ _nonce=`curl -s http://localhost:8008/_synapse/admin/v1/register | jq -r .nonce`
+ #data: nonce, domain, username, password
+ _hmac=`printf '%s\0%s\0%s\0%s' "$_nonce" "$1" "$2" "admin" | openssl dgst -sha1 -hmac "$REG_KEY" | awk '{print $2}'`
+ curl -s -XPOST -d '{"nonce": "'"$_nonce"'", "username": "'"$1"'", "displayname": "'"$1"'", "password": "'"$2"'", "admin": true, "mac": "'"$_hmac"'"}' $REACHABLE_DOMAIN/_synapse/admin/v1/register | tee -a matrix-user-tokens.txt
+ echo
+}
+
+# -- END OF LICENSED CODE
+
+PASSWD=`cat /etc/matrix-user-pass`
+for u in {draupnir,Alicia,Emma,Rory,root,Quetzelle}
+do
+ register $u $PASSWD
+done
diff --git a/host/Rory-nginx-old/services/cgit.nix b/host/Rory-nginx-old/services/cgit.nix
new file mode 100644
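Review bot: `register()` passes the registration shared secret to `openssl dgst -hmac "$REG_KEY"` and the per-user password inside the `curl -d` argument, so both sit in the argument list of a running process and are readable by any local user while the commands execute; the responses, which carry admin access tokens, are then appended to `matrix-user-tokens.txt` in whatever the current directory is, with the default umask. Set `umask 077` near the top and write the token file to a fixed, root-only path, and consider moving the HMAC into a small helper that reads the secret from the file itself rather than from argv. The script has no `set -euo pipefail`, and `register $u $PASSWD` is unquoted so a password containing whitespace is split into several arguments; `register "$u" "$PASSWD"` fixes the latter. Both `curl` calls are `-s` without `-f` or a status check, so a failed registration still prints and appends a JSON error body as if it succeeded.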
index 0000000..fb762d1
--- /dev/null
+++ b/host/Rory-nginx-old/services/cgit.nix
@@ -0,0 +1,58 @@ +{ pkgs, lib, ... }: + +let + base_cgit_config = { + enable = true; + nginx.virtualHost = "cgit.rory.gay"; + package = pkgs.cgit-pink; + scanPath = "/data/nginx/html_git"; + settings = { + css = "/cgit.css"; + logo = "/cgit.png"; + favicon = "/favicon.ico"; + readme = ":README.MD"; + about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; + source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; + clone-url = ( + lib.concatStringsSep " " [ + "https://cgit.rory.gay/$CGIT_REPO_URL" + "ssh://<user>@git.rory.gay:$CGIT_REPO_URL" + ] + ); + enable-log-filecount = 1; + enable-log-linecount = 1; + enable-git-config = 1; + #testing + enable-blame = 1; + enable-commit-graph = 1; + enable-follow-links = 1; + enable-http-clone = 1; + enable-index-links = 1; + enable-remote-branches = 1; + enable-subject-links = 1; + enable-tree-linenumbers = 1; + max-atom-items = 100; + max-commit-count = 250; + max-repo-count = 500; + snapshots = "tar.xz"; + #side-by-side-diffs = 1; + + root-title = "cgit.rory.gay"; + root-desc = "Rory&s Git Repositories"; + }; + }; +in +{ + services.cgit."main" = base_cgit_config; + + services.cgit."ocp" = lib.attrsets.recursiveUpdate base_cgit_config { + scanPath = "/data/nginx/html_git/.ocp"; + nginx.location = "/.ocp/"; + settings.clone-url = ( + lib.concatStringsSep " " [ + "https://cgit.rory.gay/.ocp/$CGIT_REPO_URL" + "ssh://<user>@git.rory.gay:.ocp/$CGIT_REPO_URL" + ] + ); + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-cme/container.nix b/host/Rory-nginx-old/services/containers/draupnir-cme/container.nix new file mode 100644
index 0000000..7b87264
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-cme/container.nix
@@ -0,0 +1,32 @@ +{ nixpkgs-Draupnir, ... }: + +{ + privateNetwork = true; + autoStart = true; + specialArgs = { + inherit nixpkgs-Draupnir; + }; + config = + { lib, pkgs, ... }: + { + imports = [ + ../shared.nix + ./root.nix + ./services/draupnir.nix + "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix" + ]; + nixpkgs.overlays = [ + (final: prev: { + draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; + }) + ]; + }; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.17"; + + bindMounts."draupnir-access-token" = { + hostPath = "/etc/draupnir-cme-access-token"; + mountPoint = "/etc/draupnir-access-token"; + isReadOnly = true; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-cme/root.nix b/host/Rory-nginx-old/services/containers/draupnir-cme/root.nix new file mode 100644
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-cme/root.nix
@@ -0,0 +1,16 @@ +{ ... }: + +{ + networking.useHostResolvConf = true; + + networking.hosts = { + "192.168.100.1" = [ + "matrix.rory.gay" + "rory.gay" + ]; + }; + + networking.firewall = { + enable = true; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-cme/services/draupnir.nix b/host/Rory-nginx-old/services/containers/draupnir-cme/services/draupnir.nix new file mode 100644
index 0000000..cf59809
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-cme/services/draupnir.nix
@@ -0,0 +1,23 @@ +{ ... }: + +{ + services.draupnir = { + enable = true; + accessTokenFile = "/etc/draupnir-access-token"; + homeserverUrl = "https://matrix.rory.gay"; + + settings = { + managementRoom = "#draupnir-cme:rory.gay"; + recordIgnoredInvites = true; # We want to be aware of invites + autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ... + automaticallyRedactForReasons = [ "*" ]; # Always autoredact + fasterMembershipChecks = true; + + backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit + pollReports = false; + + admin.enableMakeRoomAdminCommand = false; + commands.ban.defaultReasons = [ "spam" ]; + }; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-fedora/container.nix b/host/Rory-nginx-old/services/containers/draupnir-fedora/container.nix new file mode 100644
index 0000000..82683d7
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-fedora/container.nix
@@ -0,0 +1,32 @@ +{ nixpkgs-Draupnir, ... }: + +{ + privateNetwork = true; + autoStart = true; + specialArgs = { + inherit nixpkgs-Draupnir; + }; + config = + { lib, pkgs, ... }: + { + imports = [ + ../shared.nix + ./root.nix + ./services/draupnir.nix + "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix" + ]; + nixpkgs.overlays = [ + (final: prev: { + draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; + }) + ]; + }; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.18"; + + bindMounts."draupnir-access-token" = { + hostPath = "/etc/draupnir-fedora-access-token"; + mountPoint = "/etc/draupnir-access-token"; + isReadOnly = true; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-fedora/root.nix b/host/Rory-nginx-old/services/containers/draupnir-fedora/root.nix new file mode 100644
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-fedora/root.nix
@@ -0,0 +1,16 @@ +{ ... }: + +{ + networking.useHostResolvConf = true; + + networking.hosts = { + "192.168.100.1" = [ + "matrix.rory.gay" + "rory.gay" + ]; + }; + + networking.firewall = { + enable = true; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-fedora/services/draupnir.nix b/host/Rory-nginx-old/services/containers/draupnir-fedora/services/draupnir.nix new file mode 100644
index 0000000..6573f4c
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-fedora/services/draupnir.nix
@@ -0,0 +1,23 @@ +{ ... }: + +{ + services.draupnir = { + enable = true; + accessTokenFile = "/etc/draupnir-access-token"; + homeserverUrl = "https://matrix.rory.gay"; + + settings = { + managementRoom = "#draupnir-fedora-mgmt:rory.gay"; + recordIgnoredInvites = true; # We want to be aware of invites + autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ... + automaticallyRedactForReasons = [ "*" ]; # Always autoredact + fasterMembershipChecks = true; + + backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit + pollReports = false; + + admin.enableMakeRoomAdminCommand = false; + commands.ban.defaultReasons = [ "spam" ]; + }; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-linux-mint/container.nix b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/container.nix new file mode 100644
index 0000000..41d25c5
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/container.nix
@@ -0,0 +1,32 @@ +{ nixpkgs-Draupnir, ... }: + +{ + privateNetwork = true; + autoStart = true; + specialArgs = { + inherit nixpkgs-Draupnir; + }; + config = + { lib, pkgs, ... }: + { + imports = [ + ../shared.nix + ./root.nix + ./services/draupnir.nix + "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix" + ]; + nixpkgs.overlays = [ + (final: prev: { + draupnir = nixpkgs-Draupnir.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir; + }) + ]; + }; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.19"; + + bindMounts."draupnir-access-token" = { + hostPath = "/etc/draupnir-linux-mint-access-token"; + mountPoint = "/etc/draupnir-access-token"; + isReadOnly = true; + }; +} diff --git a/host/Rory-nginx-old/services/containers/draupnir-linux-mint/root.nix b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/root.nix new file mode 100644
index 0000000..2adac62
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/root.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+ networking.useHostResolvConf = true;
+
+ networking.hosts = {
+ "192.168.100.18" = [
+ "matrix.rory.gay"
+ "rory.gay"
+ ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-nginx-old/services/containers/draupnir-linux-mint/services/draupnir.nix b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/services/draupnir.nix
new file mode 100644
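Review bot: `networking.hosts` here maps `matrix.rory.gay` and `rory.gay` to `192.168.100.18`, which is the `localAddress` this commit gives the draupnir-fedora container, whereas the cme and fedora root.nix files map the same names to the host address `192.168.100.1`. This looks like a copy/paste slip: the linux-mint bot would direct its homeserver traffic, access token included, at the fedora container instead of the host. Change the key to `"192.168.100.1" = [`. The container is commented out in configuration.nix in this commit, so the mistake stays dormant until it is enabled; the `pkgs` argument on the first line is also unused and could be `{ ... }:` like its siblings.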
index 0000000..042651a
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/draupnir-linux-mint/services/draupnir.nix
@@ -0,0 +1,26 @@ +{ ... }: + +{ + services.draupnir = { + enable = true; + accessTokenFile = "/etc/draupnir-access-token"; + homeserverUrl = "https://matrix.rory.gay"; + + settings = { + managementRoom = "#draupnir-linux-mint:rory.gay"; + recordIgnoredInvites = true; # We want to be aware of invites + autojoinOnlyIfManager = true; # ... but we don't want the bot to be invited to eg. Matrix HQ... + automaticallyRedactForReasons = [ "*" ]; # Always autoredact + fasterMembershipChecks = true; + + backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit + pollReports = false; + + admin.enableMakeRoomAdminCommand = false; + commands.ban.defaultReasons = [ + "spam" + "code of conduct violation" + ]; + }; + }; +} diff --git a/host/Rory-nginx-old/services/containers/matrixunittests-conduit/container.nix b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/container.nix new file mode 100644
index 0000000..daefba1
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/container.nix
@@ -0,0 +1,30 @@
+{ conduit, ... }:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = {
+ inherit conduit;
+ };
+ config =
+ {
+ lib,
+ pkgs,
+ conduit,
+ ...
+ }:
+ {
+ imports = [
+ ../shared.nix
+ ./services/nginx.nix
+ ./services/conduit.nix
+ ];
+ networking.useHostResolvConf = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 ];
+ };
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.15";
+}
diff --git a/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/conduit.nix b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/conduit.nix
new file mode 100644
index 0000000..3df71be
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/conduit.nix
@@ -0,0 +1,20 @@
+{ pkgs, conduit, ... }:
+
+{
+ services.matrix-conduit = {
+ package = conduit.packages.${pkgs.system}.default;
+ enable = true;
+ settings.global = {
+ address = "127.0.0.1";
+ server_name = "conduit.matrixunittests.rory.gay";
+ database_backend = "rocksdb";
+ enable_lightning_bolt = true;
+ max_concurrent_requests = 1000;
+ allow_check_for_updates = false;
+ allow_registration = true;
+ yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+ allow_guest_registration = true;
+ disable_federation = true;
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/nginx.nix b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/nginx.nix
new file mode 100644
index 0000000..0d7874e
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests-conduit/services/nginx.nix
@@ -0,0 +1,94 @@ +{ pkgs, ... }: + +{ + services = { + nginx = { + enable = true; + package = pkgs.nginxQuic; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedZstdSettings = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedOptimisation = true; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; + appendHttpConfig = '' + #sendfile on; + disable_symlinks off; + ''; + additionalModules = with pkgs.nginxModules; [ moreheaders ]; + virtualHosts = { + "conduit.matrixunittests.rory.gay" = { + locations."/" = { + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "conduit.matrixunittests.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.homeserver".base_url = "https://conduit.matrixunittests.rory.gay"; }}'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ 
+ { + matrix_id = "@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; + }; + }; + }; + }; + systemd.services.nginx.serviceConfig = { + LimitNOFILE = 5000000; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "root@rory.gay"; + +} diff --git a/host/Rory-nginx-old/services/containers/matrixunittests/container.nix b/host/Rory-nginx-old/services/containers/matrixunittests/container.nix new file mode 100644
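Review bot: The three `.well-known/matrix/*` locations write `more_set_headers 'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` with no colon between name and value, while the OPTIONS block just above uses the `'Access-Control-Allow-Origin: *'` form; headers-more expects `Name: value`, so these headers are either rejected at config load or not emitted as intended. Change them to `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';` in all three locations. The same lines are added in host/Rory-nginx-old/services/containers/matrixunittests/services/nginx.nix in this commit. The vhost sets neither `forceSSL` nor `enableACME` and the container only opens port 80, so the `security.acme` lines at the bottom appear unused here; if TLS is terminated on the host they can go.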
index 0000000..cbd90f8
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests/container.nix
@@ -0,0 +1,31 @@
+{ grapevine, ... }:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ config =
+ {
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ imports = [
+ ../shared.nix
+ ./services/nginx.nix
+ ./services/conduit.nix
+ grapevine.nixosModules.default
+
+ ];
+ networking.useHostResolvConf = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 80
+ 5432
+ ];
+ };
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.13";
+}
diff --git a/host/Rory-nginx-old/services/containers/matrixunittests/services/conduit.nix b/host/Rory-nginx-old/services/containers/matrixunittests/services/conduit.nix
new file mode 100644
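Review bot: `allowedTCPPorts` opens 5432 alongside 80, but nothing visible in this container's modules in the commit configures PostgreSQL, and the grapevine service it imports is set to the rocksdb backend, so the extra port looks like a leftover. If nothing listens on it the rule is harmless but misleading; drop it or add a comment saying what is expected to use it. The `imports` list also carries a stray blank line before `];`.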
index 0000000..cd5776f
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests/services/conduit.nix
@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+ services.grapevine = {
+ # package = conduit.packages.${pkgs.system}.default;
+ enable = true;
+ settings = {
+ server_name = "matrixunittests.rory.gay";
+ allow_registration = true;
+
+ listen = [
+ {
+ type = "tcp";
+ address = "127.0.0.1";
+ port = 6167;
+ }
+ ];
+ federation.enable = false;
+ server_discovery.client.base_url = "https://matrixunittests.rory.gay"; # This is required for some reason
+
+ database = {
+ backend = "rocksdb";
+ };
+ };
+ };
+
+ systemd.services.matrix-conduit-reg-token = {
+ enable = true;
+ description = "Random registration token for Conduit.";
+ wantedBy = [ "grapevine.service" ]; # So the registration can be used by Conduit.
+
+ script = ''
+ rm -rfv /var/lib/grapevine/*
+ systemctl daemon-reload
+ systemctl try-restart grapevine.service'';
+ serviceConfig = {
+ User = "root";
+ Group = "root";
+ IgnoreSIGPIPE = true;
+ Restart = "on-failure";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/containers/matrixunittests/services/nginx.nix b/host/Rory-nginx-old/services/containers/matrixunittests/services/nginx.nix
new file mode 100644
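Review bot: `systemd.services.matrix-conduit-reg-token` is named and described as generating a registration token, but its script only runs `rm -rfv /var/lib/grapevine/*` and restarts grapevine, so every activation wipes the homeserver's state directory; the name, `description` and the `wantedBy` comment should say that, e.g. `description = "Wipe grapevine state on boot (matrixunittests).";`. The unit sets no `Type`, so it runs as `simple` with `Restart = "on-failure"` while being `wantedBy` the very service it restarts; if the `systemctl try-restart grapevine.service` call fails, the restart policy can re-run the wipe, and a `oneshot` unit with `RemainAfterExit = true` is presumably what is wanted. `allow_registration = true` together with `federation.enable = false` keeps the open registration confined to this test instance, which is reasonable, but the `# This is required for some reason` comment on `server_discovery.client.base_url` should record what breaks without it.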
index 0000000..0236182
--- /dev/null
+++ b/host/Rory-nginx-old/services/containers/matrixunittests/services/nginx.nix
@@ -0,0 +1,94 @@ +{ pkgs, ... }: + +{ + services = { + nginx = { + enable = true; + package = pkgs.nginxQuic; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedZstdSettings = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedOptimisation = true; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; + appendHttpConfig = '' + #sendfile on; + disable_symlinks off; + ''; + additionalModules = with pkgs.nginxModules; [ moreheaders ]; + virtualHosts = { + "matrixunittests.rory.gay" = { + locations."/" = { + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "matrixunittests.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.homeserver".base_url = "https://matrixunittests.rory.gay"; }}'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = 
"@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; + }; + }; + }; + }; + systemd.services.nginx.serviceConfig = { + LimitNOFILE = 5000000; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "root@rory.gay"; + +} diff --git a/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/container.nix b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/container.nix new file mode 100644
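Review bot: The `.well-known` locations set `more_set_headers 'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` without the colon that headers-more expects (`Name: value`), so these headers are most likely not set as intended and clients see the default content type; the lines should read `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';`. The same lines appear in the pluralcontactbotpoc nginx.nix hunk. Also, the `matrixunittests.rory.gay` vhost has no `enableACME`/`forceSSL` while `security.acme` is configured and the client `.well-known` advertises an https base_url; if TLS is terminated on the host outside this container, a comment saying so would save the next reader from wondering why ACME is set up but unused here.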
index 0000000..6be7c83 --- /dev/null +++ b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/container.nix
@@ -0,0 +1,29 @@ +{ conduit, ... }: + +{ + privateNetwork = true; + autoStart = true; + specialArgs = { + inherit conduit; + }; + config = + { + lib, + pkgs, + conduit, + ... + }: + { + imports = [ + ./root.nix + ../shared.nix + ]; + networking.useHostResolvConf = true; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 ]; + }; + }; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.11"; +} diff --git a/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/root.nix b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/root.nix new file mode 100644
index 0000000..11d0be3 --- /dev/null +++ b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/root.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./services/nginx.nix
+ ./services/conduit.nix
+ ./services/pantalaimon.nix
+ ];
+
+}
diff --git a/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/conduit.nix b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/conduit.nix
new file mode 100644
index 0000000..db9df9a --- /dev/null +++ b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/conduit.nix
@@ -0,0 +1,39 @@ +{ pkgs, conduit, ... }: + +{ + services.matrix-conduit = { + package = conduit.packages.${pkgs.system}.default; + enable = true; + settings.global = { + address = "127.0.0.1"; + server_name = "pcpoc.rory.gay"; + database_backend = "rocksdb"; + enable_lightning_bolt = true; + max_concurrent_requests = 1000; + allow_check_for_updates = false; + allow_registration = false; + }; + }; + + systemd.services.matrix-conduit-reg-token = { + enable = true; + description = "Random registration token for Conduit."; + wantedBy = [ "conduit.service" ]; # So the registration can be used by Conduit. + + script = '' + reg_token=`cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c 256` + mkdir -p /run/systemd/system/conduit.service.d + echo $reg_token > /run/conduit-registration-token + echo "[Service]" > /run/systemd/system/conduit.service.d/override.conf + echo Environment=\"CONDUIT_REGISTRATION_TOKEN=$reg_token\" >> /run/systemd/system/conduit.service.d/override.conf + systemctl daemon-reload + systemctl try-restart conduit.service''; + serviceConfig = { + User = "root"; + Group = "root"; + IgnoreSIGPIPE = true; + Restart = "on-failure"; + }; + }; + +} diff --git a/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/nginx.nix b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/nginx.nix new file mode 100644
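Review bot: The registration token is written to `/run/conduit-registration-token` and into `/run/systemd/system/conduit.service.d/override.conf` with the unit's default umask, so both files are likely world-readable by local users (0644), and the `Environment=` form is also visible to anyone who can run `systemctl show conduit.service`. A `umask 077` as the first line of `script` keeps both files private to root, and an `EnvironmentFile=/run/conduit-registration-token` drop-in (with the file in `KEY=value` form) would keep the secret out of the unit definition altogether. `$reg_token` is unquoted in the `echo` lines; quoting it is cheap. Note `allow_registration = false` is set above, so the token is presumably unused — if that is intended, the unit could be disabled rather than left wiping and restarting conduit.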
index 0000000..9d8041a --- /dev/null +++ b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/nginx.nix
@@ -0,0 +1,94 @@ +{ pkgs, ... }: + +{ + services = { + nginx = { + enable = true; + package = pkgs.nginxQuic; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedZstdSettings = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedOptimisation = true; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; + appendHttpConfig = '' + #sendfile on; + disable_symlinks off; + ''; + additionalModules = with pkgs.nginxModules; [ moreheaders ]; + virtualHosts = { + "pcpoc.rory.gay" = { + locations."/" = { + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "pcpoc.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.homeserver".base_url = "https://pcpoc.rory.gay"; }}'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = "@emma:rory.gay"; + role = "admin"; 
+ } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; + }; + }; + }; + }; + systemd.services.nginx.serviceConfig = { + LimitNOFILE = 5000000; + }; + security.acme.acceptTerms = true; + security.acme.defaults.email = "root@rory.gay"; + +} diff --git a/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/pantalaimon.nix b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/pantalaimon.nix new file mode 100644
index 0000000..335176f --- /dev/null +++ b/host/Rory-nginx-old/services/containers/pluralcontactbotpoc/services/pantalaimon.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ services.pantalaimon-headless = {
+ instances."localhost" = {
+ homeserver = "http://localhost:6167";
+ ssl = false;
+ extraSettings = {
+ "DropOldKeys" = true;
+ "UseKeyring" = false;
+ };
+ };
+ };
+
+}
diff --git a/host/Rory-nginx-old/services/containers/shared.nix b/host/Rory-nginx-old/services/containers/shared.nix
new file mode 100644
index 0000000..f267ff0 --- /dev/null +++ b/host/Rory-nginx-old/services/containers/shared.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ neofetch
+ lnav
+ zsh
+ git
+ lsd
+ htop
+ btop
+ duf
+ kitty.terminfo
+ neovim
+ jq
+ dig
+ ];
+}
diff --git a/host/Rory-nginx/services/deluge.nix b/host/Rory-nginx-old/services/deluge.nix
index 4a499ed..4a499ed 100755..100644 --- a/host/Rory-nginx/services/deluge.nix +++ b/host/Rory-nginx-old/services/deluge.nix
diff --git a/host/Rory-nginx-old/services/email/autoconfig.nix b/host/Rory-nginx-old/services/email/autoconfig.nix new file mode 100644
index 0000000..d258046 --- /dev/null +++ b/host/Rory-nginx-old/services/email/autoconfig.nix
@@ -0,0 +1,18 @@
+{ ... }:
+{
+ services.go-autoconfig = {
+ enable = true;
+ settings = {
+ service_addr = ":1323";
+ domain = "autoconfig.rory.gay";
+ imap = {
+ server = "rory.gay";
+ port = 993;
+ };
+ smtp = {
+ server = "rory.gay";
+ port = 587;
+ };
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/email/maddy.conf b/host/Rory-nginx-old/services/email/maddy.conf
new file mode 100644
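Review bot: `service_addr = ":1323"` binds go-autoconfig on every interface, while the email nginx.nix hunk in this commit reaches it only via `http://localhost:1323`; binding to loopback, `service_addr = "127.0.0.1:1323";`, keeps the unauthenticated endpoint from being reachable directly if a firewall rule ever opens that port. Port 1323 is not in any `allowedTCPPorts` visible here, so this is defense in depth rather than a live exposure.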
index 0000000..1d3eb2f --- /dev/null +++ b/host/Rory-nginx-old/services/email/maddy.conf
@@ -0,0 +1,124 @@ + +# Minimal configuration with TLS disabled, adapted from upstream example +# configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf +# Do not use this in production! + +auth.pass_table local_authdb { + table sql_table { + driver sqlite3 + dsn credentials.db + table_name passwords + } +} + +storage.imapsql local_mailboxes { + driver sqlite3 + dsn imapsql.db +} + +table.chain local_rewrites { + optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3" + optional_step static { + entry postmaster root@$(primary_domain) + } + optional_step file /etc/maddy/aliases +} + +msgpipeline local_routing { + destination postmaster $(local_domains) { + modify { + replace_rcpt &local_rewrites + } + deliver_to &local_mailboxes + } + default_destination { + reject 550 5.1.1 "User doesn't exist" + } +} + +smtp tcp://0.0.0.0:25 { + limits { + all rate 20 1s + all concurrency 10 + } + dmarc yes + check { + require_mx_record + dkim + spf + } + source $(local_domains) { + reject 501 5.1.8 "Use Submission for outgoing SMTP" + } + default_source { + destination postmaster $(local_domains) { + deliver_to &local_routing + } + default_destination { + reject 550 5.1.1 "User doesn't exist" + } + } +} + +submission tls://0.0.0.0:465 tcp://0.0.0.0:587 { + limits { + all rate 50 1s + } + auth &local_authdb + source $(local_domains) { + check { + authorize_sender { + prepare_email &local_rewrites + user_to_email identity + } + } + destination postmaster $(local_domains) { + deliver_to &local_routing + } + default_destination { + modify { + dkim $(primary_domain) $(local_domains) default + } + deliver_to &remote_queue + } + } + default_source { + reject 501 5.1.8 "Non-local sender domain" + } +} + +target.remote outbound_delivery { + limits { + destination rate 20 1s + destination concurrency 10 + } + mx_auth { + dane + mtasts { + cache fs + fs_dir mtasts_cache/ + } + local_policy { + min_tls_level encrypted + min_mx_level none + } + } +} + +target.queue remote_queue { + 
target &outbound_delivery + autogenerated_msg_domain $(primary_domain) + bounce { + destination postmaster $(local_domains) { + deliver_to &local_routing + } + default_destination { + reject 550 5.0.0 "Refusing to send DSNs to non-local addresses" + } + } +} + +imap tls://0.0.0.0:993 tcp://0.0.0.0:143 { + auth &local_authdb + storage &local_mailboxes +} \ No newline at end of file diff --git a/host/Rory-nginx-old/services/email/maddy.nix b/host/Rory-nginx-old/services/email/maddy.nix new file mode 100644
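Review bot: The header comment still says "Minimal configuration with TLS disabled ... Do not use this in production!" while the file configures `submission tls://0.0.0.0:465`, `imap tls://0.0.0.0:993` and `min_tls_level encrypted`, and maddy.nix in this commit supplies ACME certificates — the comment is now misleading and should describe the actual state, e.g. `# Adapted from the upstream example; TLS listeners on 465/993 use the certificates configured in maddy.nix.` The plaintext `tcp://0.0.0.0:587` and `tcp://0.0.0.0:143` listeners rely on maddy refusing plaintext authentication by default (`insecure_auth` off) to avoid leaking credentials; a one-line comment stating that would make the intent explicit for whoever next edits these endpoints.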
index 0000000..07b6e72 --- /dev/null +++ b/host/Rory-nginx-old/services/email/maddy.nix
@@ -0,0 +1,49 @@ +{ + pkgs, + options, + config, + ... +}: +{ + services.maddy = { + enable = true; + primaryDomain = "rory.gay"; + hostname = "mail.rory.gay"; + ensureAccounts = [ + "root@rory.gay" + ]; + ensureCredentials = { + "root@rory.gay".passwordFile = "/var/lib/maddy/passwd/root"; + }; + config = builtins.readFile ./maddy.conf; + # builtins.replaceStrings + # [ + # "imap tcp://0.0.0.0:143" + # "submission tcp://0.0.0.0:587" + # "entry postmaster postmaster@$(primary_domain)" + # ] + # [ + # "imap tls://0.0.0.0:993 tcp://0.0.0.0:143" + # "submission tls://0.0.0.0:465 tcp://0.0.0.0:587" + # "entry postmaster root@$(primary_domain)" + # ] + # options.services.maddy.config.default; + + tls = { + loader = "file"; + certificates = [ + { + certPath = "/var/lib/acme/mail.rory.gay/fullchain.pem"; + keyPath = "/var/lib/acme/mail.rory.gay/key.pem"; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 993 + 465 + ]; + + users.users.maddy.extraGroups = [ "nginx" ]; +} diff --git a/host/Rory-nginx-old/services/email/nginx.nix b/host/Rory-nginx-old/services/email/nginx.nix new file mode 100644
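Review bot: `networking.firewall.allowedTCPPorts` opens only 993 and 465, so inbound SMTP on port 25 — which maddy.conf in this commit listens on — stays blocked unless it is opened elsewhere or `services.maddy.openFirewall` is set; worth confirming, since an unreachable port 25 makes inbound mail fail silently. The commented-out `builtins.replaceStrings` block and the now-unused `options`/`config` arguments are dead code and can be dropped, since `config = builtins.readFile ./maddy.conf;` replaces them.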
index 0000000..812993a --- /dev/null +++ b/host/Rory-nginx-old/services/email/nginx.nix
@@ -0,0 +1,32 @@ +{ config, ... }: +{ + services.nginx.virtualHosts = { + "mta-sts.rory.gay" = { + enableACME = true; + forceSSL = true; + locations = { + "/.well-known/mta-sts.txt" = { + # age 604800 + return = '' + 200 "version: STSv1 + mode: enforce + max_age: 120 + mx: mail.rory.gay + "''; + }; + }; + }; + "mail.rory.gay" = { + enableACME = true; + forceSSL = true; + locations = { + "/".return = "200 'OK'"; + }; + }; + "autoconfig.rory.gay" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://localhost:1323"; + }; + }; +} diff --git a/host/Rory-nginx-old/services/email/root.nix b/host/Rory-nginx-old/services/email/root.nix new file mode 100644
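Review bot: The MTA-STS policy is served with `max_age: 120`, so sending MTAs may cache the `mode: enforce` policy for only two minutes; RFC 8461 intends max_age as a long cache lifetime (maximum 31557600 seconds) and the `# age 604800` comment above suggests one week was intended, so `max_age: 604800` looks like the right value. Also, `return 200 "..."` uses nginx's `default_type` for the body, while RFC 8461 requires the policy to be served as `text/plain`; adding `extraConfig = "default_type text/plain;";` to that location makes this explicit regardless of the global setting.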
index 0000000..7db85d8 --- /dev/null +++ b/host/Rory-nginx-old/services/email/root.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./autoconfig.nix
+ ./maddy.nix
+ ./nginx.nix
+ ];
+}
diff --git a/host/Rory-nginx/services/jitsi.nix b/host/Rory-nginx-old/services/jitsi.nix
index 9fe8d73..9fe8d73 100755..100644 --- a/host/Rory-nginx/services/jitsi.nix +++ b/host/Rory-nginx-old/services/jitsi.nix
diff --git a/host/Rory-nginx-old/services/mastodon.nix b/host/Rory-nginx-old/services/mastodon.nix new file mode 100644
index 0000000..56f1808 --- /dev/null +++ b/host/Rory-nginx-old/services/mastodon.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ services.mastodon = {
+ enable = true;
+ webProcesses = 8;
+ webThreads = 4;
+
+ streamingProcesses = 63;
+ localDomain = "rory.gay";
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/coturn.nix b/host/Rory-nginx-old/services/matrix/coturn.nix
new file mode 100644
index 0000000..805faa9 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/coturn.nix
@@ -0,0 +1,52 @@ +{ ... }: + +{ + # coturn (WebRTC) + services.coturn = { + enable = false; # Alicia - figure out secret first... + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret = "will be world readable for local users :("; + realm = "turn.example.com"; + # Alicia - figure out how to get this to work, since nginx runs on separate machine... + #cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + #services.matrix-synapse = with config.services.coturn; { + # turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"]; + # turn_shared_secret = static-auth-secret; + # turn_user_lifetime = "1h"; + #}; + +} 
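Review bot: `static-auth-secret = "will be world readable for local users :("` commits a placeholder secret into a file that is rendered into the world-readable Nix store, as the value itself admits; the NixOS coturn module's `static-auth-secret-file` option reads the secret from a path at runtime and resolves the concern noted on the `enable = false;` line. `realm = "turn.example.com"` is also a placeholder and `verbose` is left on "for debugging"; since the service is disabled these are inert, but a `# TODO: set realm, move secret to static-auth-secret-file, drop verbose` would be clearer than the current comments.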
diff --git a/host/Rory-nginx-old/services/matrix/draupnir.nix b/host/Rory-nginx-old/services/matrix/draupnir.nix new file mode 100644
index 0000000..40d1489 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/draupnir.nix
@@ -0,0 +1,55 @@ +{ pkgs, draupnirSrc, ... }: + +{ + services.draupnir = { + #package = (pkgs.draupnir.overrideAttrs (oldAttrs: { + # src = draupnirSrc; + # version = draupnirSrc.rev; + #})); + + enable = true; + homeserverUrl = "https://matrix.rory.gay"; + accessTokenFile = "/etc/draupnir-access-token"; + + #pantalaimon = { + # enable = false; + # username = "draupnir"; + # passwordFile = "/etc/draupnir-password"; + # options = { + #homeserver = "http://localhost:8008"; + #ssl = false; + # }; + #}; + settings = { + managementRoom = "#draupnir-mgmt:rory.gay"; + verboseLogging = false; + recordIgnoredInvites = true; # Let's log ignored invites, just incase + autojoinOnlyIfManager = true; # Let's not open ourselves up to DoS attacks + automaticallyRedactForReasons = [ "*" ]; # I always want autoredact + fasterMembershipChecks = true; + #roomStateBackingStore.enabled = true; # broken under nix. + + backgroundDelayMS = 10; # delay isn't needed, I don't mind the performance hit + pollReports = false; # this is a single person homeserver... let's save ourself the work + + admin.enableMakeRoomAdminCommand = true; + commands.ban.defaultReasons = [ + "spam" + "harassment" + "transphobia" + "scam" + ]; + protections = { + wordlist = { + words = [ + "tranny" + "faggot" + "ywnbaw" + "nigger" + ]; + minutesBeforeTrusting = 0; + }; + }; + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/grapevine.nix b/host/Rory-nginx-old/services/matrix/grapevine.nix new file mode 100644
index 0000000..c73b48c --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/grapevine.nix
@@ -0,0 +1,30 @@
+{ ... }:
+
+{
+ services.grapevine = {
+ enable = true;
+ settings = {
+ conduit_compat = true;
+ server_name = "conduit.rory.gay";
+ #trusted_servers = [ "rory.gay" ];
+
+ listen = [
+ {
+ type = "tcp";
+ address = "127.0.0.1";
+ port = 6167;
+ }
+ ];
+ server_discovery.client.base_url = "https://conduit.rory.gay"; # This is required for some reason
+
+ database = {
+ backend = "rocksdb";
+ };
+ allow_registration = false;
+
+ #log = "info";
+ #log_format = "full";
+ #log = "debug";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/matrix-appservice-discord.nix b/host/Rory-nginx-old/services/matrix/matrix-appservice-discord.nix
new file mode 100644
index 0000000..3041aaa --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/matrix-appservice-discord.nix
@@ -0,0 +1,25 @@
+{ ... }:
+
+{
+ # Discord bridge
+ services.matrix-appservice-discord = {
+ enable = false; # Alicia - figure out secret first...
+ environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+ # The appservice is pre-configured to use SQLite by default.
+ # It's also possible to use PostgreSQL.
+ settings = {
+ bridge = {
+ domain = "rory.gay";
+ homeserverUrl = "https://matrix.rory.gay";
+ };
+
+ # The service uses SQLite by default, but it's also possible to use
+ # PostgreSQL instead:
+ database = {
+ # filename = ""; # empty value to disable sqlite
+ connString = "postgres://postgres@127.0.0.1/matrix-appservice-discord";
+ };
+ };
+ };
+
+}
diff --git a/host/Rory-nginx-old/services/matrix/ooye.nix b/host/Rory-nginx-old/services/matrix/ooye.nix
new file mode 100644
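Review bot: `environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;` is a Nix path literal rather than a string; if that value is ever interpolated into a string (`"${...}"`) Nix copies the file into the world-readable `/nix/store`, and under flakes an absolute path outside the repo can fail evaluation. Quoting it, `environmentFile = "/etc/keyring/matrix-appservice-discord/tokens.env";`, keeps the token file out of the store. The service is `enable = false` so this is inert today, but it is worth fixing before it is turned on.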
index 0000000..7b9c403 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/ooye.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ services.matrix-ooye = {
+ enable = true;
+ homeserver = "https://matrix.rory.gay";
+ homeserverName = "rory.gay";
+ enableSynapseIntegration = true;
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/root.nix b/host/Rory-nginx-old/services/matrix/root.nix
new file mode 100644
index 0000000..5bb3915 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/root.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ imports = [
+ ./synapse/synapse-main.nix
+ ./coturn.nix
+ ./matrix-appservice-discord.nix
+ ./draupnir.nix
+ ./grapevine.nix
+ # ./sliding-sync.nix # removed from nixpkgs, use synapse support instead
+ ./ooye.nix
+ ];
+
+}
diff --git a/host/Rory-nginx/services/matrix/sliding-sync.nix b/host/Rory-nginx-old/services/matrix/sliding-sync.nix
index a8fbd0c..a8fbd0c 100644 --- a/host/Rory-nginx/services/matrix/sliding-sync.nix +++ b/host/Rory-nginx-old/services/matrix/sliding-sync.nix
diff --git a/host/Rory-nginx-old/services/matrix/synapse/caches.nix b/host/Rory-nginx-old/services/matrix/synapse/caches.nix new file mode 100644
index 0000000..9fa735e --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/caches.nix
@@ -0,0 +1,24 @@ +{ + gc_min_interval = [ + "15m" + "30m" + "60m" + ]; + gc_thresholds = [ + 10000 + 5000 + 2500 + ]; + event_cache_size = "12000K"; # defaults to 10K + caches = { + global_factor = 500000.0; + cache_entry_ttl = "24h"; + expire_caches = true; + sync_response_cache_duration = "15m"; + cache_autotuning = { + max_cache_memory_usage = "65536M"; + target_cache_memory_usage = "32768M"; + min_cache_ttl = "6h"; + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/db.nix b/host/Rory-nginx-old/services/matrix/synapse/db.nix new file mode 100644
index 0000000..409c039 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/db.nix
@@ -0,0 +1,49 @@ +{ + workerName ? null, + dbGroup ? null, +}: +{ + name = "psycopg2"; + args = { + user = "matrix-synapse-rory-gay"; + password = "somepassword"; + database = "matrix-synapse-rory-gay"; + host = "/run/postgresql"; + application_name = "matrix-synapse (rory.gay) - ${if workerName == null then throw "synapse/db.nix: workerName unspecified" else workerName}"; + cp_min = + if dbGroup == "solo" then + 1 + else if dbGroup == "small" then + 2 + else if dbGroup == "medium" then + 5 + else if dbGroup == "large" then + 10 + else + throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}"; + cp_max = + if dbGroup == "solo" then + 1 + else if dbGroup == "small" then + 2 + else if dbGroup == "medium" then + 10 + else if dbGroup == "large" then + 10 + else + throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}"; + + # cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129 + # cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation + # check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set? 
+ }; + + # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56 + # statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63 + # allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99 + # allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link + # txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564 + + statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs + txn_limit = 500; # maybe dropping old data from pg caches helps? +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/ratelimits.nix b/host/Rory-nginx-old/services/matrix/synapse/ratelimits.nix new file mode 100644
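Review bot: `password = "somepassword";` is a literal credential in a file that is rendered into the Synapse config in the Nix store; since `host = "/run/postgresql"` uses the Unix socket, this value is presumably never checked (peer auth) and could be removed, or, if password auth is actually in use, supplied through a secret file instead of the store. Also, `cp_max` for `"medium"` and `"large"` are both 10 while `cp_min` differs (5 vs 10), so a `"large"` pool has no headroom — probably intended, but a one-line comment would prevent it being "fixed" later. The `workerName == null` branch throws, so the `? null` default is effectively a required argument; stating that in a comment at the top of the file would help.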
index 0000000..ffce1cc --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/ratelimits.nix
@@ -0,0 +1,85 @@ +{ + # messages + rc_message = { + per_second = 1000000; + burst_count = 1000000; + }; + rc_admin_redaction = { + per_second = 10000000; + burst_count = 10000000; + }; + + # room joins + rc_joins = { + local = { + per_second = 1000; + burst_count = 1000; + }; + remote = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_joins_per_room = { + per_second = 1000; + burst_count = 1000; + }; + + # room invites + rc_invites = { + per_room = { + per_second = 1000; + burst_count = 1000; + }; + per_user = { + per_second = 1000; + burst_count = 1000; + }; + per_issuer = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_third_party_invite = { + per_second = 1000; + burst_count = 1000; + }; + + # federation + rc_federation = { + window_size = 10; + sleep_limit = 1000; + sleep_delay = 100; + reject_limit = 1000; + concurrent = 100; + }; + federation_rr_transactions_per_room_per_second = 1; + + # media + rc_media_create = { + per_second = 1000; + burst_count = 1000; + }; + remote_media_download_burst_count = "512G"; + remote_media_download_per_second = "512G"; + + # authentication + rc_login = { + address = { + per_second = 1000; + burst_count = 1000; + }; + account = { + per_second = 1000; + burst_count = 1000; + }; + failed_attempts = { + per_second = 0.1; + burst_count = 3; + }; + }; + rc_3pid_validation = { + per_second = 1000; + burst_count = 1000; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/synapse-main.nix b/host/Rory-nginx-old/services/matrix/synapse/synapse-main.nix new file mode 100644
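Review bot: Values like `per_second = 1000000` effectively disable Synapse's rate limits for messages, joins, invites and media, which removes the homeserver's own defense against join and invite floods from remote servers; if this is a deliberate choice for a single-person server, a top-of-file comment saying so (and noting that `rc_login.failed_attempts` is intentionally left at 0.1/3) would document the trade-off. `remote_media_download_burst_count = "512G"` and `remote_media_download_per_second = "512G"` likewise remove the cap on federated media pulls; a note on the disk budget behind that would help the next reader.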
index 0000000..ae63b82 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/synapse-main.nix
@@ -0,0 +1,221 @@ +{ pkgs, ... }: + +{ + # Worker plumbing examples: https://github.com/element-hq/synapse/blob/master/docker/configure_workers_and_start.py + # Documentation: https://github.com/element-hq/synapse/blob/develop/docs/workers.md + imports = [ ./workers/module.nix ]; + + services.matrix-synapse = { + enable = true; + withJemalloc = true; + + nginxVirtualHostName = "matrix.rory.gay"; + enableWorkers = true; + + federationSenders = 16; # 16 + pushers = 1; + mediaRepoWorkers = 2; # 4 + clientReaders = 2; # 4 + syncWorkers = 2; # 4 + authWorkers = 0; + + eventCreators = 16; + + federationReaders = 8; # 8 + federationInboundWorkers = 16; # 8 + + enableAppserviceWorker = true; + enableBackgroundWorker = true; + enableUserDirWorker = true; + + accountDataStreamWriters = 1; + eventStreamWriters = 2; # 8 + presenceStreamWriters = 1; + pushRuleStreamWriters = 1; + receiptStreamWriters = 1; + toDeviceStreamWriters = 1; + typingStreamWriters = 1; + + #untested: + #sharedStreamWriters = 1; + + # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html + settings = + { + server_name = "rory.gay"; + + # use_frozen_dicts = true; + # user_agent_suffix = " (rory.gay)"; + + # look into later: replication_torture_level - https://github.com/element-hq/synapse/blob/develop/synapse/config/server.py#L560 + # limit_remote_rooms ??? + # cleanup_extremities_with_dummy_events - default=True + # dummy_devents_treshold - default=10 - required forward extremities to send dummy event + # enable_ephemeral_messages - default=False - ??? + # rooms_to_exclude_from_sync - default=[] - room ids... + # third_party_event_rules - https://github.com/element-hq/synapse/blob/develop/synapse/config/third_party_event_rules.py - ??? 
+ # default_power_level_content_override - default=None - https://github.com/element-hq/synapse/blob/develop/synapse/config/room.py#L73 + + dummy_devents_treshold = 2; + cleanup_extremities_with_dummy_events = true; + + enable_registration = true; + registration_requires_token = true; + + require_membership_for_aliases = false; + redaction_retention_period = null; + user_ips_max_age = null; + allow_device_name_lookup_over_federation = true; + + federation = { + client_timeout = "30s"; # default=60s + max_short_retries = 12; + max_short_retry_delay = "5s"; + max_long_retries = 5; + max_long_retry_delay = "30s"; + + # rapid retry, small increments + destination_min_retry_interval = "5m"; # default=10m + destination_max_retry_interval = "12h"; # default=7d + destination_retry_multiplier = 1.2; # default=2 + }; + + registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; + + listeners = [ + { + port = 8008; + bind_addresses = [ "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ + "client" + "federation" + ]; + compress = false; + } + ]; + } + { + type = "http"; + path = "/run/matrix-synapse/main.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ]; + presence = { + enablee = true; + update_interval = 60; + }; + database = ( + import ./db.nix { + workerName = "main"; + dbGroup = "medium"; + } + ); + app_service_config_files = [ + #"/etc/matrix-synapse/appservice-registration.yaml" + "/var/lib/matrix-synapse/modas-registration.yaml" + ]; + + #region Media + max_upload_size = "512M"; + + max_avatar_size = "512M"; + max_image_pixels = "250M"; + + max_pending_media_uploads = 512; + dynamic_thumbnails = true; + + prevent_media_downloads_from = [ + # none, give me all the media + ]; + enable_authenticated_media = false; + + url_preview_enabled = true; + max_spider_size = "50M"; + + #endregion + + ui_auth = { + session_timeout = "1m"; + }; + + 
login_via_existing_session = { + enabled = true; + require_ui_auth = true; + token_timeout = "1y"; + }; + + report_stats = false; + + user_directory = { + enabled = true; + search_all_users = true; + prefer_local_users = true; + }; + + # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py + experimental_features = { + "msc2815_enabled" = true; # Redacted event content + "msc3026_enabled" = true; # Busy presence + "msc3266_enabled" = true; # Room summary API + "msc3916_authenticated_media_enabled" = true; # Authenticated media + "msc3823_account_suspension" = true; # Account suspension + "msc4151_enabled" = true; # Report room API (CS-API) + }; + + redis = { + enabled = true; + path = "/run/redis-matrix-synapse/redis.sock"; + }; + + instance_map = { + main = { + # replication listener + path = "/run/matrix-synapse/main.sock"; + }; + }; + } + // import ./ratelimits.nix + // import ./caches.nix; + }; + + systemd.services.matrix-synapse-reg-token = { + description = "Random registration token for Synapse."; + before = [ "matrix-synapse.service" ]; # So the registration can be used by Synapse + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + script = '' + + if [ ! -f "registration_shared_secret.txt" ] + then + cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt + else + echo Not generating key, key exists; + fi''; + serviceConfig = { + User = "matrix-synapse"; + Group = "matrix-synapse"; + WorkingDirectory = "/var/lib/matrix-synapse"; + }; + }; + + services.redis = { + package = pkgs.keydb; + servers.matrix-synapse = { + enable = true; + user = "matrix-synapse"; + }; + }; + + systemd.tmpfiles.rules = [ "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse" ]; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/auth.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/auth.nix new file mode 100644
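Review bot: Two option names are misspelled and will be silently ignored by Synapse: `presence = { enablee = true; ... }` should be `enabled`, and `dummy_devents_treshold = 2;` should be `dummy_events_threshold` (the comment above carries the same typo), so both settings currently fall back to their defaults. `enable_authenticated_media = false` alongside `"msc3916_authenticated_media_enabled" = true` is also contradictory; on recent Synapse the stable option is the one that takes effect, so one of them should go. The registration-secret script writes `registration_shared_secret.txt` with the service's default umask; a `umask 077` first line keeps it private within `/var/lib/matrix-synapse` regardless of that directory's mode.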
index 0000000..3c8d1e9 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/auth.nix
@@ -0,0 +1,126 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "solo"; + workers = lib.range 0 (cfg.authWorkers - 1); + workerName = "auth"; + workerRoutes = { + client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" + "~ ^/_matrix/client/versions$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + "~ ^/_matrix/client/(r0|v3|unstable)/register$" + "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" + "~ ^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" + "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" + "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" + ]; + federation = [ ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.authWorkers > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; 
+ } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/client-reader.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/client-reader.nix new file mode 100644
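Review bot: Every per-resource unix listener appended to `worker_listeners` is created with `mode = "666"`, which lets any local account connect to the worker's client HTTP listener directly and bypass the nginx front end (its TLS termination, access logging and any rate limiting applied there). nginx only needs write access to the socket, so a shared group with `mode = "660"` is tighter, provided the nginx user is a member of that group; the ownership and permissions of `/run/matrix-synapse` are not visible in this diff, so the effective exposure cannot be judged from here. The same listener block is repeated verbatim in client-reader.nix, event-creator.nix, federation-inbound.nix, federation-reader.nix, federation-sender.nix, media-repo.nix, pusher.nix and the single/ workers, so one fix in a shared helper would cover all of them. More generally, the instance_map/workers/upstreams/locations scaffold in these files differs only by `workerName`, `dbGroup`, the count option and `workerRoutes`, so factoring it into a `mkWorker` function would remove the copy-paste drift already visible elsewhere in this commit.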
index 0000000..9a0aafa --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/client-reader.nix
@@ -0,0 +1,149 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "medium"; + workers = lib.range 0 (cfg.clientReaders - 1); + workerName = "client_reader"; + workerRoutes = { + client = + [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" + "~ ^/_matrix/client/v1/rooms/.*/hierarchy$" + "~ ^/_matrix/client/(v1|unstable)/rooms/.*/relations/" + "~ ^/_matrix/client/v1/rooms/.*/threads$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases" + "~ ^/_matrix/client/v1/rooms/.*/timestamp_to_event$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search" + "~ ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$)" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$" + "~ ^/_matrix/client/(r0|v3|unstable)/notifications$" + + # unstable + "~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" + ] + ++ lib.optionals (cfg.authWorkers == 0) [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" + "~ ^/_matrix/client/versions$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + "~ ^/_matrix/client/(r0|v3|unstable)/register$" + "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" + "~ ^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" + "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" + "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" + ]; + federation = [ ]; + media = [ ]; + }; +in +let + 
enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.clientReaders > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + 
proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/event-creator.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/event-creator.nix new file mode 100644
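Review bot: The ten login/registration routes under `lib.optionals (cfg.authWorkers == 0)` are a second copy of `workerRoutes.client` from auth.nix; when the two lists drift, the same path can end up with a regex location on this virtual host that differs from the one auth.nix would have produced. Because the keys are nginx `~` regex locations, nginx uses the first match in configuration order, and with the NixOS module that order comes from the attribute-name sort rather than from which worker file declared the pattern, so which worker wins for overlapping patterns is implicit (I have not checked whether any two patterns in this commit actually overlap). Exporting the auth route list from one place, for example a shared `routes.nix` imported by both files, would keep the fallback in sync.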
index 0000000..2be7a5b --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/event-creator.nix
@@ -0,0 +1,122 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "medium"; + workers = lib.range 0 (cfg.eventCreators - 1); + workerName = "event_creator"; + workerRoutes = { + client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/" + ]; + federation = [ ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.eventCreators > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers 
+ ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/federation-inbound.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-inbound.nix new file mode 100644
index 0000000..effaa69 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-inbound.nix
@@ -0,0 +1,115 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "medium"; + workers = lib.range 0 (cfg.federationReaders - 1); + workerName = "federation_inbound"; + workerRoutes = { + client = [ ]; + federation = [ "~ /_matrix/federation/(v1|v2)/send/" ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.federationInboundWorkers > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + 
value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/federation-reader.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-reader.nix new file mode 100644
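Review bot: The worker count is taken from the wrong option: `workers = lib.range 0 (cfg.federationReaders - 1);` while the whole block is gated on `cfg.federationInboundWorkers > 0`, so setting only `federationInboundWorkers` yields an enabled block with an empty worker list and an nginx upstream `federation_inbound-federation` with no servers, and setting both couples the inbound count to the reader count. The fix is `workers = lib.range 0 (cfg.federationInboundWorkers - 1);`. Separately, the single route `"~ /_matrix/federation/(v1|v2)/send/"` is the only federation pattern in this commit without a leading `^`, so it also matches that substring anywhere in the URI; `"~ ^/_matrix/federation/(v1|v2)/send/"` matches the style of federation-reader.nix.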
index 0000000..04bfe7c --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-reader.nix
@@ -0,0 +1,147 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "medium"; + workers = lib.range 0 (cfg.federationReaders - 1); + workerName = "federation_reader"; + workerRoutes = { + client = [ ]; + federation = [ + "~ ^/_matrix/federation/(v1|v2)/event/" + "~ ^/_matrix/federation/(v1|v2)/state/" + "~ ^/_matrix/federation/(v1|v2)/state_ids/" + "~ ^/_matrix/federation/(v1|v2)/backfill/" + "~ ^/_matrix/federation/(v1|v2)/get_missing_events/" + "~ ^/_matrix/federation/(v1|v2)/publicRooms" + "~ ^/_matrix/federation/(v1|v2)/query/" + "~ ^/_matrix/federation/(v1|v2)/make_join/" + "~ ^/_matrix/federation/(v1|v2)/make_leave/" + "~ ^/_matrix/federation/(v1|v2)/send_join/" + "~ ^/_matrix/federation/(v1|v2)/send_leave/" + "~ ^/_matrix/federation/v1/make_knock/" + "~ ^/_matrix/federation/v1/send_knock/" + "~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually + "~ ^/_matrix/federation/(v1|v2)/query_auth/" + "~ ^/_matrix/federation/(v1|v2)/event_auth/" + "~ ^/_matrix/federation/v1/timestamp_to_event/" + "~ ^/_matrix/federation/(v1|v2)/exchange_third_party_invite/" + "~ ^/_matrix/federation/(v1|v2)/user/devices/" + "~ ^/_matrix/federation/(v1|v2)/get_groups_publicised$" + "~ ^/_matrix/key/v2/query" + # extra + "~ ^/_matrix/key/v2/server$" + ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.federationReaders > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + }; + + workers = 
lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + + #virtualHosts."${cfg.nginxVirtualHostName}".locations."~ ^/_matrix/federation/(v1|v2)/invite/" = { + # proxyPass = "http://${workerName}-federation"; + # extraConfig = '' + # proxy_http_version 1.1; + # proxy_set_header Connection ""; + # ''; + #}; + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/federation-sender.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-sender.nix new file mode 100644
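Review bot: The invite route `"~ ^/_matrix/federation/(v1|v2)/invite/"` is annotated "Needs special handling, define manually", yet it sits in the generic route list and the manual block below it is commented out, so invites are proxied like every other federation path and the `allowedRemoteInviteOrigins` / `$mx_can_invite` map declared in module.nix is not consulted anywhere in this diff (unless a file outside this commit does so). If the intent is to gate remote invites, that location needs its own entry that checks `$mx_can_invite` before `proxyPass`, and the route should be dropped from the generic list so the two do not collide. Either way the dead commented-out block should be removed or turned into that entry, and the comment updated to say what actually happens today.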
index 0000000..468916e --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/federation-sender.nix
@@ -0,0 +1,117 @@ +{ config, lib, ... }: +let + cfg = config.services.matrix-synapse; + dbGroup = "medium"; + workers = lib.range 0 (cfg.federationSenders - 1); + workerName = "federation_sender"; + workerRoutes = { + client = [ ]; + federation = [ ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.federationSenders > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + send_federation = false; + federation_sender_instances = lib.map (index: "${workerName}-${toString index}") workers; + outbound_federation_restricted_to = lib.map (index: "${workerName}-${toString index}") workers; + worker_replication_secret = "${workerName}_secret"; + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = 
"${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/media-repo.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/media-repo.nix new file mode 100644
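Review bot: `worker_replication_secret = "${workerName}_secret";` sets the secret that authenticates calls to the replication API to the fixed string `federation_sender_secret`, and because it is placed in `settings` it lands in the generated homeserver.yaml in the world-readable Nix store. A replication secret should be unpredictable and kept out of the store, e.g. loaded through `services.matrix-synapse.extraConfigFiles` from a root-owned file, much as this commit already generates the registration shared secret into `/var/lib/matrix-synapse` at runtime. It is also surprising for a homeserver-wide setting to be declared only in the federation-sender module, so it is silently absent when `federationSenders` is 0; moving it next to the main synapse settings makes that explicit.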
index 0000000..1e0c638 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/media-repo.nix
@@ -0,0 +1,137 @@ +{ config, lib, ... }: + +let + cfg = config.services.matrix-synapse; + dbGroup = "solo"; + workers = lib.range 0 (cfg.mediaRepoWorkers - 1); + workerName = "media_repo"; + workerRoutes = { + client = [ ]; + federation = [ ]; + media = [ + "~ ^/_matrix/client/v1/media/" + "~ ^/_matrix/federation/v1/media/" + "~ ^/_synapse/admin/v1/purge_media_cache$" + "~ ^/_synapse/admin/v1/room/.*/media.*$" + "~ ^/_synapse/admin/v1/user/.*/media.*$" + "~ ^/_synapse/admin/v1/users/.*/media$" + "~ ^/_synapse/admin/v1/media/.*$" + "~ ^/_synapse/admin/v1/quarantine_media/.*$" + "~ ^/_matrix/media/" + ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.mediaRepoWorkers > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + + media_instance_running_background_jobs = "${workerName}-0"; + enable_media_repo = false; + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName 
= "${workerName}-${toString index}"; + } + ); + enable_media_repo = true; + rc_federation = { + window_size = 1; + sleep_limit = 1000; + sleep_delay = 1; + reject_limit = 1000; + concurrent = 100; + }; + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = { + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + client_max_body_size 512M; + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/module.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/module.nix new file mode 100644
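Review bot: The `media` route list exposes the `/_synapse/admin/v1/...` media endpoints on `cfg.nginxVirtualHostName`, which the other worker files use for public client and federation traffic; Synapse still requires an admin access token, but the usual hardening is to keep `/_synapse/admin` off the public listener entirely, and nothing in this diff shows that the rest of the admin prefix is blocked. If the virtual host is public, consider serving the admin patterns only from a separate access-restricted location (or with an `allow`/`deny` list) and keeping just `/_matrix/client/v1/media/`, `/_matrix/federation/v1/media/` and `/_matrix/media/` here. The `client_max_body_size 512M;` in the location block should also carry a comment that it must match Synapse's `max_upload_size`, which is not visible in this diff.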
index 0000000..3b6456b --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/module.nix
@@ -0,0 +1,134 @@
+{ config, lib, ... }:
+let
+ cfg = config.services.matrix-synapse;
+ mkIntOption =
+ description:
+ lib.mkOption {
+ type = lib.types.int;
+ default = 0;
+ description = description;
+ };
+in
+{
+ imports = [
+ ./single/appservice.nix
+ ./single/background.nix
+ ./single/user-dir.nix
+
+ ./auth.nix
+ ./client-reader.nix
+ ./event-creator.nix
+ ./federation-inbound.nix
+ ./federation-reader.nix
+ ./federation-sender.nix
+ ./media-repo.nix
+ ./pusher.nix
+ ./sync.nix
+
+ ./stream-writers/account_data-stream-writer.nix
+ ./stream-writers/event-stream-writer.nix
+ ./stream-writers/presence-stream-writer.nix
+ ./stream-writers/push_rule-stream-writer.nix
+ ./stream-writers/receipt-stream-writer.nix
+ ./stream-writers/to_device-stream-writer.nix
+ ./stream-writers/typing-stream-writer.nix
+
+ # ./stream-writers/shared-stream-writer.nix
+ ];
+ options.services.matrix-synapse = {
+ enableWorkers = lib.mkEnableOption "Enable dedicated workers";
+ enableStreamWriters = lib.mkEnableOption "Enable stream writers";
+ enableAppserviceWorker = lib.mkEnableOption "Enable dedicated appservice worker";
+ enableBackgroundWorker = lib.mkEnableOption "Enable dedicated background task worker";
+ enableUserDirWorker = lib.mkEnableOption "Enable dedicated user directory worker";
+
+ authWorkers = mkIntOption "Number of auth workers";
+ clientReaders = mkIntOption "Number of client readers";
+ eventCreators = mkIntOption "Number of auth workers";
+ federationInboundWorkers = mkIntOption "Number of federation inbound workers";
+ federationReaders = mkIntOption "Number of federation readers";
+ federationSenders = mkIntOption "Number of federation senders";
+ mediaRepoWorkers = mkIntOption "Number of media repo workers";
+ pushers = mkIntOption "Number of pushers";
+ syncWorkers = mkIntOption "Number of sync workers";
+
+ #stream writers
+ eventStreamWriters = mkIntOption "Number of event stream writers";
+ typingStreamWriters = mkIntOption "Number of typing stream writers";
+ toDeviceStreamWriters = mkIntOption "Number of to_device stream writers";
+ accountDataStreamWriters = mkIntOption "Number of account data stream writers";
+ receiptStreamWriters = mkIntOption "Number of read receipt stream writers";
+ presenceStreamWriters = mkIntOption "Number of presence stream writers";
+ pushRuleStreamWriters = mkIntOption "Number of push rule stream writers";
+
+ sharedStreamWriters = mkIntOption "Number of shared stream writers";
+
+ nginxVirtualHostName = lib.mkOption {
+ type = lib.types.str;
+ default = null;
+ description = "The virtual host name for the nginx server";
+ };
+
+ allowedRemoteInviteOrigins = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "List of allowed remote invite origins";
+ };
+ };
+
+ config = {
+ assertions = [
+ {
+ assertion = cfg.enableWorkers -> cfg.nginxVirtualHostName != null;
+ message = "nginxVirtualHostName must be set when enableWorkers is true";
+ }
+
+ # Stream types and count limitations: https://github.com/element-hq/synapse/blob/develop/synapse/config/workers.py#L344
+ {
+ assertion = cfg.typingStreamWriters <= 1;
+ message = "Only one typing stream writer is supported";
+ }
+ {
+ assertion = cfg.toDeviceStreamWriters <= 1;
+ message = "Only one to_device stream writer is supported";
+ }
+ {
+ assertion = cfg.accountDataStreamWriters <= 1;
+ message = "Only one account data stream writer is supported";
+ }
+ # This may be outdated in the documentation...?
+ #{
+ # assertion = cfg.receiptStreamWriters <= 1;
+ # message = "Only one receipt stream writer is supported";
+ #}
+ {
+ assertion = cfg.presenceStreamWriters <= 1;
+ message = "Only one presence stream writer is supported";
+ }
+ {
+ assertion = cfg.pushRuleStreamWriters <= 1;
+ message = "Only one push rule stream writer is supported";
+ }
+
+ {
+ assertion = cfg.sharedStreamWriters <= 1;
+ message = "Only one shared stream writer is supported";
+ }
+ ];
+
+ # Matrix utility maps
+ services.nginx.appendHttpConfig = ''
+ # Map authorization header to origin name
+ map $http_authorization $mx_origin_name {
+ default "";
+ "~*X-Matrix origin=(?<origin>[^,]+)" $origin;
+ }
+
+ # Map origin name to whether it can invite
+ map $mx_origin_name $mx_can_invite {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (origin: " \"${origin}\" 1;") cfg.allowedRemoteInviteOrigins}
+ }
+ '';
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/pusher.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/pusher.nix
new file mode 100644
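Review bot: `nginxVirtualHostName` is declared `type = lib.types.str; default = null;`, but `null` is not a `str`, so reading the option without setting it fails the type check and the assertion `cfg.enableWorkers -> cfg.nginxVirtualHostName != null` can never be reached; use `type = lib.types.nullOr lib.types.str;` (or drop the default and make the option required). The `$mx_can_invite` map in `appendHttpConfig` keys off the unverified `Authorization: X-Matrix origin=...` header; nginx does not check the request signature, so the claimed origin is attacker-controlled and the map is only a coarse allowlist, not authentication, which deserves a comment above the `map`. The regex `origin=(?<origin>[^,]+)` also captures surrounding quotes when the header uses the quoted form `origin="example.org"`, so such requests would not match the generated `"example.org" 1;` entries; excluding the quotes in the pattern avoids that (I have not verified which form current Synapse sends). Finally `eventCreators = mkIntOption "Number of auth workers";` is a copy-paste description and should read `"Number of event creators"`.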
index 0000000..edf1632 --- /dev/null +++ b/host/Rory-nginx-old/services/matrix/synapse/workers/pusher.nix
@@ -0,0 +1,116 @@ +{ config, lib, ... }: +let + cfg = config.services.matrix-synapse; + dbGroup = "small"; + workers = lib.range 0 (cfg.pushers - 1); + workerName = "pusher"; + workerRoutes = { + client = [ ]; + federation = [ ]; + media = [ ]; + }; +in +let + enabledResources = + lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] + ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] + ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; +in +{ + config = lib.mkIf (cfg.pushers > 0) { + monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers; + services.matrix-synapse = { + settings = { + instance_map = lib.listToAttrs ( + lib.map (index: { + name = "pusher-${toString index}"; + value = { + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + }; + }) workers + ); + + pusher_instances = lib.map (index: "${workerName}-${toString index}") workers; + }; + + workers = lib.listToAttrs ( + lib.map (index: { + name = "${workerName}-${toString index}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = + [ + { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${toString index}.sock"; + resources = [ + { + names = [ "replication" ]; + compress = false; + } + ]; + } + ] + ++ lib.map (type: { + type = "http"; + path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + mode = "666"; + resources = [ + { + names = [ type ]; + compress = false; + } + ]; + }) enabledResources; + database = ( + import ../db.nix { + inherit dbGroup; + workerName = "${workerName}-${toString index}"; + } + ); + }; + }) workers + ); + }; + + services.nginx = { + upstreams = lib.listToAttrs ( + lib.map (type: { + name = "${workerName}-${type}"; + value = { + extraConfig = '' + keepalive 32; + least_conn; + ''; + servers = lib.listToAttrs ( + lib.map (index: { + name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock"; + value = 
{ + max_fails = 0; + }; + }) workers + ); + }; + }) enabledResources + ); + + virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs ( + lib.flatten ( + lib.forEach enabledResources ( + type: + lib.map (route: { + name = route; + value = { + proxyPass = "http://${workerName}-${type}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Connection ""; + ''; + }; + }) workerRoutes.${type} + ) + ) + ); + }; + }; +} diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/single/appservice.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/single/appservice.nix new file mode 100644
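Review bot: The `instance_map` entry is built as `name = "pusher-${toString index}";` while every other name in this file, including the `workers` attribute names and `pusher_instances`, is derived from `${workerName}`; it is equivalent today only because `workerName = "pusher"`, so a rename would silently break the map. Use `name = "${workerName}-${toString index}";` as the other worker files do. With all three route lists empty, `enabledResources` is `[ ]` and the `services.nginx` block here evaluates to empty attribute sets; a comment noting that the pusher has no inbound routes and the nginx block is kept only for uniformity would save the next reader a check.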
index 0000000..119fd04
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/single/appservice.nix
@@ -0,0 +1,82 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "small";
+ workerName = "appservice";
+ workerRoutes = {
+ client = [ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf cfg.enableAppserviceWorker {
+ monitoring.synapse.workerNames = [ workerName ];
+ services.matrix-synapse = {
+ settings = {
+ instance_map = {
+ ${workerName} = {
+ path = "/run/matrix-synapse/${workerName}.sock";
+ };
+ };
+
+ notify_appservices_from_worker = workerName;
+ };
+
+ workers = {
+ ${workerName} = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+
+ database = (import ../../db.nix { inherit workerName dbGroup; });
+ };
+ };
+ };
+
+ services.nginx = {
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://unix:/run/matrix-synapse/${workerName}-${type}.sock";
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/single/background.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/single/background.nix
new file mode 100644
index 0000000..37fde10
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/single/background.nix
@@ -0,0 +1,84 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "small";
+ hasClientResource = false;
+ hasFederationResource = false;
+ workerName = "background";
+ workerRoutes = {
+ client = [ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf cfg.enableBackgroundWorker {
+ monitoring.synapse.workerNames = [ workerName ];
+ services.matrix-synapse = {
+ settings = {
+ instance_map = {
+ ${workerName} = {
+ path = "/run/matrix-synapse/${workerName}.sock";
+ };
+ };
+
+ run_background_tasks_on = workerName;
+ };
+
+ workers = {
+ ${workerName} = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+
+ database = (import ../../db.nix { inherit workerName dbGroup; });
+ };
+ };
+ };
+
+ services.nginx = {
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://unix:/run/matrix-synapse/${workerName}-${type}.sock";
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/single/user-dir.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/single/user-dir.nix
new file mode 100644
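Review bot: `hasClientResource = false;` and `hasFederationResource = false;` in the first `let` are never referenced — `enabledResources` is computed from `workerRoutes` instead — so they are template leftovers that should be dropped to keep the file in step with appservice.nix, which has the same structure without them. With all three route lists empty, `enabledResources` is `[ ]` and neither the `++ lib.map (type: ...)` listener nor the nginx `locations` block produces anything; that is the intended shape for a background worker, but a one-line comment above `workerRoutes`, such as `# background worker serves no HTTP routes; only the replication listener is needed`, would make it clear the empty lists are deliberate rather than unfinished.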
index 0000000..f26f3ec
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/single/user-dir.nix
@@ -0,0 +1,87 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "solo";
+ workerName = "user_dir";
+ workerRoutes = {
+ client =
+ [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" ]
+ ++ lib.optionals (cfg.authWorkers == 0) [
+ "~ ^/_matrix/client/v3/profile/.*$"
+ "~ ^/_matrix/client/v3/profile/.*/(displayname|avatar_url)$"
+ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf cfg.enableUserDirWorker {
+ monitoring.synapse.workerNames = [ workerName ];
+ services.matrix-synapse = {
+ settings = {
+ instance_map = {
+ ${workerName} = {
+ path = "/run/matrix-synapse/${workerName}.sock";
+ };
+ };
+
+ update_user_directory_from_worker = workerName;
+ };
+
+ workers = {
+ ${workerName} = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+
+ database = (import ../../db.nix { inherit workerName dbGroup; });
+ };
+ };
+ };
+
+ services.nginx = {
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://unix:/run/matrix-synapse/${workerName}-${type}.sock";
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
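Review bot: This is the only single-worker file in the commit whose `client` route list is non-empty, so here the `mode = "666"` client listener is actually created and reachable by any local account, not just by nginx; `mode = "660";` plus group membership for the nginx user is the appropriate setting. The `proxyPass = "http://unix:/run/matrix-synapse/${workerName}-${type}.sock"` location also omits the `proxy_http_version 1.1; proxy_set_header Connection "";` lines the multi-worker files set, so it presumably falls back to nginx's default HTTP/1.0 per-request connections; harmless, but worth a comment if intentional. The `~ ^/_matrix/client/v3/profile/.*$` routes are correctly gated on `cfg.authWorkers == 0`, which avoids two location blocks claiming the same regex when auth workers are enabled.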
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
new file mode 100644
index 0000000..48649f6
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
@@ -0,0 +1,121 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "account_data";
+ workers = lib.range 0 (cfg.accountDataStreamWriters - 1);
+ workerName = "account_data_stream_writer";
+ workerRoutes = {
+ client = [
+ "~ ^/_matrix/client/(r0|v3|unstable)/.*/tags"
+ "~ ^/_matrix/client/(r0|v3|unstable)/.*/account_data"
+ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.accountDataStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
new file mode 100644
index 0000000..5395aea
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
@@ -0,0 +1,118 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "events";
+ workers = lib.range 0 (cfg.eventStreamWriters - 1);
+ workerName = "event_stream_writer";
+ workerRoutes = {
+ client = [ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.eventStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
new file mode 100644
index 0000000..e6487ca
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
@@ -0,0 +1,118 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "presence";
+ workers = lib.range 0 (cfg.presenceStreamWriters - 1);
+ workerName = "presence_stream_writer";
+ workerRoutes = {
+ client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/" ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.presenceStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
new file mode 100644
index 0000000..4a4af04
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
@@ -0,0 +1,118 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "push_rules";
+ workers = lib.range 0 (cfg.pushRuleStreamWriters - 1);
+ workerName = "push_rule_stream_writer";
+ workerRoutes = {
+ client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/" ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.pushRuleStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
new file mode 100644
index 0000000..54c31b4
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
@@ -0,0 +1,121 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "receipts";
+ workers = lib.range 0 (cfg.receiptStreamWriters - 1);
+ workerName = "receipts_stream_writer";
+ workerRoutes = {
+ client = [
+ "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt"
+ "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers"
+ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.receiptStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
new file mode 100644
index 0000000..5fd0bd0
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
@@ -0,0 +1,124 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "shared"; # unused, from template
+ workers = lib.range 0 (cfg.presenceStreamWriters - 1);
+ workerName = "shared_stream_writer";
+ workerRoutes = {
+ client = [ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.sharedStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.account_data = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.events = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.presence = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.push_rules = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.receipts = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.to_device = lib.map (index: "${workerName}-${toString index}") workers;
+ stream_writers.typing = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
new file mode 100644
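Review bot: `workers = lib.range 0 (cfg.presenceStreamWriters - 1);` sizes the shared stream writer pool from the presence option, while the module is gated on `cfg.sharedStreamWriters > 0`; with `presenceStreamWriters` left at 0 the module activates but every `stream_writers.*` list and the `workers` attrset come out empty, and with any other value it spawns the wrong number of instances. It should read `workers = lib.range 0 (cfg.sharedStreamWriters - 1);`, and the `streamWriterType = "shared"; # unused, from template` binding can be deleted as its own comment says. Assigning all seven `stream_writers.*` entries here presumably overlaps with the per-type stream writer modules when both are enabled (the lists would be merged rather than rejected, so the misconfiguration would only surface at Synapse start-up); an `assertions` entry stating that `sharedStreamWriters` and the per-type counts are not both non-zero would catch that at evaluation time.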
index 0000000..2b487d6
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
@@ -0,0 +1,118 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "to_device";
+ workers = lib.range 0 (cfg.toDeviceStreamWriters - 1);
+ workerName = "to_device_stream_writer";
+ workerRoutes = {
+ client = [ "~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/" ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.toDeviceStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
new file mode 100644
index 0000000..5bff505
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
@@ -0,0 +1,118 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ streamWriterType = "typing";
+ workers = lib.range 0 (cfg.typingStreamWriters - 1);
+ workerName = "typing_stream_writer";
+ workerRoutes = {
+ client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.typingStreamWriters > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+
+ stream_writers.${streamWriterType} = lib.map (index: "${workerName}-${toString index}") workers;
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/matrix/synapse/workers/sync.nix b/host/Rory-nginx-old/services/matrix/synapse/workers/sync.nix
new file mode 100644
index 0000000..67b63dd
--- /dev/null
+++ b/host/Rory-nginx-old/services/matrix/synapse/workers/sync.nix
@@ -0,0 +1,120 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.services.matrix-synapse;
+ dbGroup = "medium";
+ workers = lib.range 0 (cfg.syncWorkers - 1);
+ workerName = "sync";
+ workerRoutes = {
+ client = [
+ "~ ^/_matrix/client/(v2_alpha|r0|v3)/sync$"
+ "~ ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$"
+ "~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$"
+ "~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$"
+ ];
+ federation = [ ];
+ media = [ ];
+ };
+in
+let
+ enabledResources =
+ lib.optionals (lib.length workerRoutes.client > 0) [ "client" ]
+ ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ]
+ ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ];
+in
+{
+ config = lib.mkIf (cfg.syncWorkers > 0) {
+ monitoring.synapse.workerNames = lib.map (index: "${workerName}-${toString index}") workers;
+ services.matrix-synapse = {
+ settings = {
+ instance_map = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ };
+ }) workers
+ );
+ };
+
+ workers = lib.listToAttrs (
+ lib.map (index: {
+ name = "${workerName}-${toString index}";
+ value = {
+ worker_app = "synapse.app.generic_worker";
+ worker_listeners =
+ [
+ {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${toString index}.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ]
+ ++ lib.map (type: {
+ type = "http";
+ path = "/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ mode = "666";
+ resources = [
+ {
+ names = [ type ];
+ compress = false;
+ }
+ ];
+ }) enabledResources;
+ database = (
+ import ../db.nix {
+ inherit dbGroup;
+ workerName = "${workerName}-${toString index}";
+ }
+ );
+ };
+ }) workers
+ );
+ };
+
+ services.nginx = {
+ upstreams = lib.listToAttrs (
+ lib.map (type: {
+ name = "${workerName}-${type}";
+ value = {
+ extraConfig = ''
+ keepalive 32;
+ least_conn;
+ '';
+ servers = lib.listToAttrs (
+ lib.map (index: {
+ name = "unix:/run/matrix-synapse/${workerName}-${type}-${toString index}.sock";
+ value = {
+ max_fails = 0;
+ };
+ }) workers
+ );
+ };
+ }) enabledResources
+ );
+
+ virtualHosts."${cfg.nginxVirtualHostName}".locations = lib.listToAttrs (
+ lib.flatten (
+ lib.forEach enabledResources (
+ type:
+ lib.map (route: {
+ name = route;
+ value = {
+ proxyPass = "http://${workerName}-${type}";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ '';
+ };
+ }) workerRoutes.${type}
+ )
+ )
+ );
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/nginx.nix b/host/Rory-nginx-old/services/nginx/nginx.nix
new file mode 100644
index 0000000..01eaac6
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/nginx.nix
@@ -0,0 +1,110 @@ +{ config, pkgs, ... }: +let + serveDir = config: { + enableACME = if config ? ssl then config.ssl else true; + addSSL = if config ? ssl then config.ssl else true; + root = if config ? path then config.path else builtins.throw "path is required"; + locations = { + "/" = { + index = "index.html"; + }; + }; + }; +in +{ + services = { + nginx = { + enable = true; + package = pkgs.nginxQuic; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedZstdSettings = true; + #recommendedGzipSettings = true; + recommendedBrotliSettings = true; + recommendedOptimisation = true; + defaultMimeTypes = ../../../../packages/nginx/mime.types; + appendConfig = '' + worker_processes 16; + ''; + eventsConfig = '' + #use kqueue; + worker_connections 512; + ''; + appendHttpConfig = '' + #sendfile on; + disable_symlinks off; + log_format combined_vhosts '$remote_addr - $remote_user [$time_local] {host="$host",server_name="$server_name",upstream=$upstream_addr,t=$request_time[u_conn=$upstream_connect_time,u_hdr=$upstream_header_time,u_resp=$upstream_response_time]} "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log combined_vhosts; + ''; + additionalModules = with pkgs.nginxModules; [ moreheaders ]; + virtualHosts = { + #"boorunav.com" = serveDir { path = "/data/nginx/html_boorunav"; }; + "catgirlsaresexy.com" = serveDir { path = "/data/nginx/html_catgirlsaresexy"; }; + "sugarcanemc.org" = serveDir { path = "/data/nginx/html_sugarcanemc"; }; + + "siliconheaven.thearcanebrony.net" = serveDir { path = "/data/nginx/html_siliconheaven"; }; + "lfs.thearcanebrony.net" = serveDir { path = "/data/nginx/html_lfs"; }; + "git.thearcanebrony.net" = serveDir { path = "/data/nginx/html_git"; }; + "files.thearcanebrony.net" = serveDir { path = "/data/nginx/html_files"; }; + "spigotav.thearcanebrony.net" = serveDir { path = "/data/nginx/html_spigotav"; }; + "terra.thearcanebrony.net" = serveDir { path = 
"/data/nginx/html_terrarchive"; }; + "vives.thearcanebrony.net" = serveDir { path = "/data/nginx/html_vives"; }; + + "git.rory.gay" = serveDir { path = "/data/nginx/html_git"; }; + "wad.rory.gay" = serveDir { path = "/data/nginx/html_wad"; } // { + locations."/".extraConfig = "autoindex on; try_files $uri $uri/ /index.html;"; + }; + "wad-api.rory.gay" = import ./rory.gay/wad-api.nix; + + "thearcanebrony.net" = import ./thearcanebrony.net/root.nix; + "sentry.thearcanebrony.net" = import ./thearcanebrony.net/sentry.nix; + "search.thearcanebrony.net" = import ./thearcanebrony.net/search.nix; + + "rory.gay" = import ./rory.gay/root.nix; + "lfs.rory.gay" = serveDir { path = "/data/nginx/html_lfs"; }; + + "awooradio.thearcanebrony.net" = import ./thearcanebrony.net/awooradio.nix; + "cgit.rory.gay" = import ./rory.gay/cgit.nix; + #"jitsi.rory.gay" = import ./rory.gay/jitsi.nix; + + #matrix... + "conduit.rory.gay" = import ./rory.gay/conduit.nix; + "matrix.rory.gay" = import ./rory.gay/matrix.nix; + "pcpoc.rory.gay" = import ./rory.gay/pcpoc.nix; + "matrixunittests.rory.gay" = import ./rory.gay/matrixunittests.nix; + "conduit.matrixunittests.rory.gay" = import ./rory.gay/conduit.matrixunittests.nix; + "mru.rory.gay" = import ./rory.gay/mru.nix; + "ec.rory.gay" = import ./rory.gay/ec.nix; + + #bots... 
+ "0bottests.bots.rory.gay" = import ./rory.gay/bots.nix; + "catnipbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "impulsyeeter.bots.rory.gay" = import ./rory.gay/bots.nix; + "omnibot.bots.rory.gay" = import ./rory.gay/bots.nix; + "yatopiawatchdog.bots.rory.gay" = import ./rory.gay/bots.nix; + "playground.bots.rory.gay" = import ./rory.gay/bots.nix; + "kinobot.bots.rory.gay" = import ./rory.gay/bots.nix; + "siliconbotpublic.bots.rory.gay" = import ./rory.gay/bots.nix; + "thearcanebot.bots.rory.gay" = import ./rory.gay/bots.nix; + "anonbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "hericanbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "siliconbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "impulsbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "studiobot.bots.rory.gay" = import ./rory.gay/bots.nix; + "carsnbots.bots.rory.gay" = import ./rory.gay/bots.nix; + "binsh.bots.rory.gay" = import ./rory.gay/bots.nix; + "fosscordbot.bots.rory.gay" = import ./rory.gay/bots.nix; + "sugarcanebot.bots.rory.gay" = import ./rory.gay/bots.nix; + "gradbot.bots.rory.gay" = import ./rory.gay/bots.nix; + }; + }; + }; + systemd.services.nginx.serviceConfig = { + LimitNOFILE = 5000000; + }; + systemd.services.nginx.requires = [ "data.mount" ]; + security.acme.acceptTerms = true; + security.acme.defaults.email = "root@thearcanebrony.net"; + + networking.hosts."127.0.0.1" = builtins.attrNames config.services.nginx.virtualHosts; +} diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/bots.nix b/host/Rory-nginx-old/services/nginx/rory.gay/bots.nix new file mode 100644
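Review bot: In `serveDir` the lambda parameter is named `config`, which shadows the module's own `config` argument from the file's argument set and makes `config ? ssl` read as if it consulted the NixOS configuration; the `if x ? a then x.a else d` pattern is also just `x.a or d`. Renaming it gives `serveDir = opts: { enableACME = opts.ssl or true; addSSL = opts.ssl or true; root = opts.path or (throw "path is required"); ... }` with the `locations` block unchanged. Separately, `disable_symlinks off` in `appendHttpConfig` makes nginx follow any symlink dropped into the `/data/nginx/html_*` roots (several of which also enable `autoindex`), so a stray link in one of those trees serves whatever it points at; `disable_symlinks if_not_owner;` is the usual setting for document roots written by other users.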
index 0000000..9bd18a8
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/bots.nix
@@ -0,0 +1,9 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:5033";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/cgit.nix b/host/Rory-nginx-old/services/nginx/rory.gay/cgit.nix
new file mode 100644
index 0000000..812e946
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/cgit.nix
@@ -0,0 +1,13 @@
+{
+ root = "/data/nginx/html_git";
+ enableACME = true;
+ addSSL = true;
+ extraConfig = ''
+ autoindex on;
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
+ more_set_headers 'Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ more_set_headers 'Access-Control-Expose-Headers: Content-Length,Content-Range';
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ '';
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/conduit.matrixunittests.nix b/host/Rory-nginx-old/services/nginx/rory.gay/conduit.matrixunittests.nix
new file mode 100644
index 0000000..9503747
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/conduit.matrixunittests.nix
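Review bot: `Access-Control-Allow-Origin: *` is combined with `Access-Control-Allow-Credentials: true`, which CORS forbids: browsers reject a credentialed response whose allowed origin is the wildcard, so the credentials line either does nothing or breaks the clients that send cookies or `Authorization`. If anonymous cross-origin reads of the git tree are all that is needed, drop `more_set_headers 'Access-Control-Allow-Credentials: true';`; if credentialed access is needed, the origin has to be a specific value rather than `*`. Worth confirming too that `autoindex on` over `/data/nginx/html_git` is meant to list every repository directory, since `nginx.nix` serves the same root for both `git.rory.gay` and `git.thearcanebrony.net`.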
@@ -0,0 +1,15 @@
+{
+ enableACME = true;
+ addSSL = true;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.15:80";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/conduit.nix b/host/Rory-nginx-old/services/nginx/rory.gay/conduit.nix
new file mode 100644
index 0000000..ef0fbd8
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/conduit.nix
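Review bot: This vhost is the same as `matrixunittests.nix` and `pcpoc.nix` further down except for the upstream address, so the three files could collapse into one helper next to `serveDir` in `nginx.nix`, e.g. `proxyContainer = addr: { enableACME = true; addSSL = true; http3 = true; http3_hq = true; kTLS = true; extraConfig = "brotli off;"; locations."/".proxyPass = "http://${addr}:80"; };`, called with the container IP. None of the three sets `quic = true`, which the NixOS nginx module documents as the prerequisite for `http3`; whether HTTP/3 is actually listened on here depends on the module version, so it is worth checking rather than assuming.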
@@ -0,0 +1,75 @@ +{ + enableACME = true; + addSSL = true; + locations."/" = { + #proxyPass = "http://127.0.0.1:9002"; + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *, Authorization'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + # We want to wait for 15 minutes here... + proxy_read_timeout 54000; + proxy_connect_timeout 54000; + proxy_send_timeout 54000; + ''; + }; + #locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008"; + locations."/_conduwuit/".extraConfig = '' + return 404; + ''; + + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "conduit.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://conduit.rory.gay"; + "m.identity_server".base_url = "https://conduit.rory.gay"; + } + }'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = "@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = 
"@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; +} diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/ec.nix b/host/Rory-nginx-old/services/nginx/rory.gay/ec.nix new file mode 100644
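Review bot: The three `.well-known/matrix/*` locations use `more_set_headers 'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` without the colon that headers-more requires between name and value; depending on the module version the directive is either rejected at config load or accepted without producing a `Content-Type` header, so the JSON bodies are not labelled as intended either way. The fix is `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';` in each of the three blocks; the same lines appear in `matrix.nix`, `rory.gay/root.nix` and `thearcanebrony.net/root.nix` in this commit. In the `/` location the comment says `# We want to wait for 15 minutes here...` but the three timeouts are `54000`, which nginx reads as seconds (fifteen hours); either the comment or the value is wrong, and `900` is what the comment describes.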
index 0000000..0985503
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/ec.nix
@@ -0,0 +1,26 @@
+{
+ enableACME = true;
+ addSSL = true;
+ kTLS = true;
+ root = "/data/nginx/html_ec";
+ reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/jitsi.nix b/host/Rory-nginx-old/services/nginx/rory.gay/jitsi.nix
new file mode 100644
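Review bot: `more_set_headers 'Access-Control-Max-Age' 1728000;` passes two arguments, and headers-more treats each argument as its own `'Name: value'` header: the first carries no value and the second is a bare number, so no usable `Access-Control-Max-Age` is emitted. It should read `more_set_headers 'Access-Control-Max-Age: 1728000';`, matching the form used in the lines above it and in `wad-api.nix`; `mru.nix` further down has the identical line.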
index 0000000..9469087
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/jitsi.nix
@@ -0,0 +1,51 @@ +{ + config, + pkgs, + lib, + ... +}: + +let + overrideJs = + filePath: varName: newContent: appendExtra: + let + oldContent = builtins.readFile filePath; + regex = "var ${varName} = {[^}]*};"; + newJs = builtins.replaceStrings [ regex ] [ "var ${varName} = ${newContent};" ] oldContent; + in + builtins.writeFile filePath newJs; + + cfg = config.services.jitsi-meet; +in +{ + enableACME = true; + addSSL = true; + extraConfig = '' + ssi on; + ''; + locations."@root_path".extraConfig = '' + rewrite ^/(.*)$ / break; + ''; + locations."~ ^/([^/\\?&:'\"]+)$".tryFiles = "$uri @root_path"; + locations."^~ /xmpp-websocket" = { + priority = 100; + proxyPass = "http://localhost:5280/xmpp-websocket"; + proxyWebsockets = true; + }; + locations."=/http-bind" = { + proxyPass = "http://localhost:5280/http-bind"; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + ''; + }; + locations."=/external_api.js" = lib.mkDefault { + alias = "${pkgs.jitsi-meet}/libs/external_api.min.js"; + }; + locations."=/config.js" = lib.mkDefault { + alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (lib.recursiveUpdate defaultCfg cfg.config) cfg.extraConfig; + }; + locations."=/interface_config.js" = lib.mkDefault { + alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig ""; + }; +} diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/matrix-bak.nix b/host/Rory-nginx-old/services/nginx/rory.gay/matrix-bak.nix new file mode 100644
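Review bot: `overrideJs` cannot work as written: `builtins.replaceStrings` does literal substring replacement, so the `regex` string with `[^}]*` in it never matches and `oldContent` is returned unchanged, and `builtins.writeFile` does not appear to be a Nix builtin (`builtins.toFile name text` or `pkgs.writeText` are what produce a store file). `defaultCfg`, used for the `config.js` location, is not defined anywhere in the file, and the `appendExtra` parameter is accepted but never used. The file also takes module arguments (`{ config, pkgs, lib, ... }:`), so unlike the other vhost files an `import` of it yields a function rather than an attribute set; it is only referenced from the commented-out `"jitsi.rory.gay"` line in `nginx.nix`, so in this state it is dead code and is better dropped or finished before the host replacement.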
index 0000000..5d44454
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/matrix-bak.nix
@@ -0,0 +1,25 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations."/_matrix" = {
+ proxyPass = "http://192.168.1.5:8008";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ locations."/_synapse/client".proxyPass = "http://192.168.1.5:8008";
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/matrix.nix b/host/Rory-nginx-old/services/nginx/rory.gay/matrix.nix
new file mode 100644
index 0000000..d48f4ca
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/matrix.nix
@@ -0,0 +1,71 @@ +{ + enableACME = true; + addSSL = true; + locations."/" = { + #proxyPass = "http://127.0.0.1:9001"; + proxyPass = "http://localhost:8008"; + extraConfig = '' + if ($request_method = 'OPTIONS') { + more_set_headers 'Access-Control-Allow-Origin: *'; + more_set_headers 'Access-Control-Allow-Methods: *'; + # + # Custom headers and headers various browsers *should* be OK with but aren't + # + more_set_headers 'Access-Control-Allow-Headers: *, Authorization'; + # + # Tell client that this pre-flight info is valid for 20 days + # + more_set_headers 'Access-Control-Max-Age: 1728000'; + more_set_headers 'Content-Type: text/plain; charset=utf-8'; + more_set_headers 'Content-Length: 0'; + return 204; + } + ''; + }; + + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://matrix.rory.gay"; + "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay"; + } + }'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = "@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; + + locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://localhost:8100"; + }; +} 
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/matrixunittests.nix b/host/Rory-nginx-old/services/nginx/rory.gay/matrixunittests.nix
new file mode 100644
index 0000000..edb1704
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/matrixunittests.nix
@@ -0,0 +1,15 @@
+{
+ enableACME = true;
+ addSSL = true;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.13:80";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/mru.nix b/host/Rory-nginx-old/services/nginx/rory.gay/mru.nix
new file mode 100644
index 0000000..d1e1cd7
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/mru.nix
@@ -0,0 +1,29 @@
+{
+ enableACME = true;
+ addSSL = true;
+# quic = true;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ root = "/data/nginx/html_mru";
+# reuseport = true;
+ extraConfig = ''
+ brotli off;
+ brotli_static off;
+ '';
+ locations = {
+ "/" = {
+ index = "index.html";
+ extraConfig = ''
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Expose-Headers: *';
+ more_set_headers 'Access-Control-Max-Age' 1728000;
+
+ # default to /index.html if file not found
+ try_files $uri $uri/ /index.html;
+ '';
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/pcpoc.nix b/host/Rory-nginx-old/services/nginx/rory.gay/pcpoc.nix
new file mode 100644
index 0000000..b62c5fe
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/pcpoc.nix
@@ -0,0 +1,15 @@
+{
+ enableACME = true;
+ addSSL = true;
+ http3 = true;
+ http3_hq = true;
+ kTLS = true;
+ extraConfig = ''
+ brotli off;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.100.11:80";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/root.nix b/host/Rory-nginx-old/services/nginx/rory.gay/root.nix
new file mode 100644
index 0000000..11d06c0
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/root.nix
@@ -0,0 +1,48 @@ +{ + root = "/data/nginx/html_rory_gay"; + enableACME = true; + addSSL = true; + extraConfig = ''autoindex on;''; + + locations."= /.well-known/matrix/server".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${builtins.toJSON { "m.server" = "matrix.rory.gay:443"; }}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://matrix.rory.gay"; + "org.matrix.msc3575.proxy".url = "https://matrix.rory.gay"; + } + }'; + ''; + locations."= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = "@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; +} diff --git a/host/Rory-nginx-old/services/nginx/rory.gay/wad-api.nix b/host/Rory-nginx-old/services/nginx/rory.gay/wad-api.nix new file mode 100644
index 0000000..65e9bdb
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/rory.gay/wad-api.nix
@@ -0,0 +1,32 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "https://youthapp.inuits.dev";
+ recommendedProxySettings = false;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_set_header Host youthapp.inuits.dev;
+ proxy_ssl_server_name on;
+
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *, Authorization';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/thearcanebrony.net/awooradio.nix b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/awooradio.nix
new file mode 100644
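Review bot: `proxy_ssl_verify off;` disables certificate validation for the upstream `https://youthapp.inuits.dev`, so the proxied API traffic, including any `Authorization` header the CORS block invites clients to send, goes to whoever answers for that name on the network path. With `proxy_ssl_server_name on` already set, validation only needs the CA bundle: `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (bundle path is the usual NixOS location — confirm on the host). If verification was switched off because the upstream presents a certificate that does not validate, that deserves a comment saying so rather than a silent `off`.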
index 0000000..f13cb0c
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/awooradio.nix
@@ -0,0 +1,12 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''
+ rewrite ^/api/(.*) /$1 break;
+ return 200 $request_uri;'';
+ proxyPass = "http://localhost:4998";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/thearcanebrony.net/root.nix b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/root.nix
new file mode 100644
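Review bot: The `return 200 $request_uri;` after `rewrite ^/api/(.*) /$1 break;` means a request that does not start with `/api/` is answered with its own URI as the body and never reaches `proxyPass`, while a matching one hits `break`, skips the `return`, and is proxied. If the echo is a debugging leftover it should go; if only `/api/` is meant to be served, a `location /api/` carrying the rewrite is clearer than a catch-all `/` with an echo. Either way the intended behaviour for non-`/api/` paths deserves a comment, since a `return` inside `extraConfig` runs in the rewrite phase and wins over the module-generated `proxy_pass`.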
index 0000000..86dddac
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/root.nix
@@ -0,0 +1,40 @@ +{ + enableACME = true; + addSSL = true; + root = "/data/nginx/html_thearcanebrony"; + extraConfig = ''autoindex on;''; + locations = { + "/" = { + #index = "index.html"; + }; + "/destroy" = { + return = "301 https://gitlab.com/KinoshitaProductions/SecureDestroyer/-/raw/master/run"; + }; + "= /.well-known/matrix/support".extraConfig = '' + more_set_headers 'Content-Type application/json'; + more_set_headers 'Access-Control-Allow-Origin *'; + return 200 '${ + builtins.toJSON { + admins = [ + { + matrix_id = "@emma:rory.gay"; + role = "admin"; + } + { + matrix_id = "@alicia:rory.gay"; + role = "admin"; + } + { + matrix_id = "@root:rory.gay"; + role = "admin"; + } + { + matrix_id = "@rory:rory.gay"; + role = "admin"; + } + ]; + } + }'; + ''; + }; +} diff --git a/host/Rory-nginx-old/services/nginx/thearcanebrony.net/search.nix b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/search.nix new file mode 100644
index 0000000..cd655d8
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/search.nix
@@ -0,0 +1,9 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ extraConfig = ''rewrite ^ https://thearcanebrony.net/unavailable.html break;'';
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/nginx/thearcanebrony.net/sentry.nix b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/sentry.nix
new file mode 100644
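Review bot: `rewrite ^ https://thearcanebrony.net/unavailable.html break;` relies on nginx turning a rewrite to an absolute URL into a 302 redirect, and the `break` flag adds nothing to that. `return 302 https://thearcanebrony.net/unavailable.html;` states the intent directly and skips the regex engine; if the search service is meant to stay down, a `503` with a `Retry-After` header would also tell crawlers not to index the placeholder in its place.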
index 0000000..f496190
--- /dev/null
+++ b/host/Rory-nginx-old/services/nginx/thearcanebrony.net/sentry.nix
@@ -0,0 +1,9 @@
+{
+ enableACME = true;
+ addSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.1.4:9000";
+ };
+ };
+}
diff --git a/host/Rory-nginx-old/services/ollama.nix b/host/Rory-nginx-old/services/ollama.nix
new file mode 100644
index 0000000..16f4e1c
--- /dev/null
+++ b/host/Rory-nginx-old/services/ollama.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+ # systemd.tmpfiles.rules = [ "d /data/ollama 0750 ostgres postgres" ];
+
+ services.ollama = {
+ enable = true;
+ home = "/data/ollama/home";
+ models = "/data/ollama/home/models";
+ environmentVariables = {
+ OLLAMA_LLM_LIBRARY = "cpu_avx2";
+ };
+ #listenAddress = "0.0.0.0:11434";
+ host = "0.0.0.0";
+ port = 11434;
+ user = "ollama";
+ group = "ollama";
+ };
+}
diff --git a/host/Rory-nginx-old/services/postgres.nix b/host/Rory-nginx-old/services/postgres.nix
new file mode 100644
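Review bot: `host = "0.0.0.0"` binds the Ollama API, which has no authentication of its own, on every interface of the host, so whether port `11434` is reachable from outside rests entirely on the firewall, and nothing here opens or documents it. If only local clients or the nginx on this machine need it, `host = "127.0.0.1";` is the safe default; if remote access is wanted, an explicit `networking.firewall.allowedTCPPorts = [ 11434 ];` next to it makes the exposure deliberate and reviewable. The commented-out tmpfiles rule still names `ostgres postgres` as the owner, which reads like a copy from `postgres.nix` with a typo; it should be removed, or corrected to `ollama ollama` and enabled.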
index 0000000..f0fb3e7
--- /dev/null
+++ b/host/Rory-nginx-old/services/postgres.nix
@@ -0,0 +1,99 @@ +{ pkgs, ... }: + +{ + systemd.tmpfiles.rules = [ "d /mnt/postgres/data 0750 postgres postgres" ]; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_16_jit; + enableTCPIP = true; + authentication = pkgs.lib.mkOverride 10 '' + # TYPE, DATABASE, USER, ADDRESS, METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host discordbots discordbots 192.168.1.2/32 trust + host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust + host all all 0.0.0.0/0 md5 + ''; + # initialScript = pkgs.writeText "backend-initScript" '' + # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB; + # CREATE DATABASE nixcloud; + # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud; + # ''; + dataDir = "/mnt/postgres/data"; + settings = { + # https://pgconfigurator.cybertec.at/ + max_connections = 2500; + superuser_reserved_connections = 3; + + shared_buffers = "64GB"; + work_mem = "32GB"; + maintenance_work_mem = "8GB"; + huge_pages = "try"; + effective_cache_size = "64GB"; # was 22 + effective_io_concurrency = 100; + random_page_cost = 1.1; + + # can use this to view stats: SELECT query, total_time, calls, rows FROM pg_stat_statements ORDER BY total_time DESC LIMIT 10; + shared_preload_libraries = "pg_stat_statements"; + track_io_timing = "on"; + track_functions = "pl"; + "pg_stat_statements.max" = "10000"; # additional + "pg_stat_statements.track" = "all"; # additional + + wal_level = "replica"; + max_wal_senders = 0; + synchronous_commit = "on"; # was ond3 + + checkpoint_timeout = "15min"; + checkpoint_completion_target = "0.9"; + max_wal_size = "2GB"; + min_wal_size = "1GB"; + + wal_compression = "off"; + wal_buffers = "-1"; + wal_writer_delay = "500ms"; # was 100 + wal_writer_flush_after = "32MB"; # was 1 + #checkpoint_segments = "64"; # additional + default_statistics_target = "250"; # additional + + bgwriter_delay = "200ms"; + bgwriter_lru_maxpages = "100"; + bgwriter_lru_multiplier 
= "2.0"; + bgwriter_flush_after = "0"; + + max_worker_processes = "64"; # was 14 + max_parallel_workers_per_gather = "32"; # was 7 + max_parallel_maintenance_workers = "32"; # was 7 + max_parallel_workers = "64"; # was 14 + parallel_leader_participation = "on"; + + enable_partitionwise_join = "on"; + enable_partitionwise_aggregate = "on"; + jit = "on"; + max_slot_wal_keep_size = "1GB"; + track_wal_io_timing = "on"; + maintenance_io_concurrency = "4"; + wal_recycle = "on"; + + }; + }; + + # services.prometheus.exporters.postgres = { + # enable = true; + # port = 9187; + # extraFlags = [ + # "--collector.database_wraparound" + # "--collector.long_running_transactions" + # "--collector.postmaster" + # "--collector.process_idle" + # "--collector.stat_activity_autovacuum" + # "--collector.stat_statements" + # #"--collector.stat_wal_receiver" #we dont have WAL receivers + # "--collector.statio_user_indexes" + # "--collector.xlog_location" + # ]; + # }; + +} diff --git a/host/Rory-nginx-old/services/prometheus.nix b/host/Rory-nginx-old/services/prometheus.nix new file mode 100644
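Review bot: `work_mem = "32GB"` is a per-operation, per-connection budget, not a global one; with `max_connections = 2500` a handful of concurrent sorts or hash joins can ask for more memory than the host has, on top of the 64GB `shared_buffers`, so a value in the tens of megabytes (raised per session for known heavy queries) is the usual setting. On the access side, `host all all 0.0.0.0/0 md5` with `enableTCPIP = true` lets every role be tried from any address with the legacy md5 method; `scram-sha-256` and a CIDR limited to the networks named in the lines above it would narrow that, and a comment explaining why the wildcard is needed at all would help. The `local` and loopback `trust` lines mean any OS account on the box can connect as the `postgres` superuser, which is worth stating next to them if it is intended.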
index 0000000..9409529
--- /dev/null
+++ b/host/Rory-nginx-old/services/prometheus.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ };
+}
diff --git a/host/Rory-nginx-old/services/redpanda/root.nix b/host/Rory-nginx-old/services/redpanda/root.nix
new file mode 100644
index 0000000..ef169a6
--- /dev/null
+++ b/host/Rory-nginx-old/services/redpanda/root.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ imports = [
+ ./systemd-services.nix
+ ];
+
+ services.redpanda-connect = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-nginx-old/services/redpanda/systemd-services.nix b/host/Rory-nginx-old/services/redpanda/systemd-services.nix
new file mode 100644
index 0000000..c75a5be
--- /dev/null
+++ b/host/Rory-nginx-old/services/redpanda/systemd-services.nix
@@ -0,0 +1,109 @@ +{ pkgs, lib, ... }: +{ + services.redpanda-connect.pipelines.systemd-services = { + enable = true; + allowSudo = true; + config = { + http = { + enabled = true; + address = "127.0.0.1:5100"; + }; + input = { + label = ""; + subprocess = { + name = "${pkgs.systemd}/bin/systemctl"; + args = [ + "-ojson" + "--recursive" + ]; + restart_on_exit = true; + max_buffer = 1024 * 512; + }; + }; + pipeline = { + processors = [ + { unarchive.format = "json_array"; } + { + mapping = '' + root = this + if this.load == "loaded" { + root.loaded_value = 1.0 + } else { + root.loaded_value = 0.0 + } + if this.active == "active" { + root.active_value = 1.0 + } else if this.active == "activating" { + root.active_value = 0.5 + } else { + root.active_value = 0.0 + } + if this.sub == "active" { + root.sub_value = 1.0 + } else if this.sub == "auto-restart" { + root.sub_value = 0.5 + } else { + root.sub_value = 0.0 + } + ''; + } + { + metric = { + name = "systemd_service_status"; + type = "gauge"; + value = "\${!json(\"loaded_value\")}"; + labels = { + field = "load"; + service = "\${!json(\"unit\")}"; + description = "\${!json(\"description\")}"; + }; + }; + } + { + metric = { + name = "systemd_service_status"; + type = "gauge"; + value = "\${!json(\"active_value\")}"; + labels = { + field = "active"; + service = "\${!json(\"unit\")}"; + description = "\${!json(\"description\")}"; + }; + }; + } + { + metric = { + name = "systemd_service_status"; + type = "gauge"; + value = "\${!json(\"sub_value\")}"; + labels = { + field = "sub"; + service = "\${!json(\"unit\")}"; + description = "\${!json(\"description\")}"; + }; + }; + } + { + sleep.duration = "5s"; + } + ]; + }; + metrics.prometheus = { }; + output.drop = { }; + }; + }; + + services.prometheus.scrapeConfigs = [ + { + job_name = "redpanda-connect"; + scrape_interval = "5s"; + static_configs = [ + { + targets = [ "localhost:5100" ]; + labels.instance = "redpanda-connect"; + } + ]; + metrics_path = "/metrics"; + } + ]; +} 
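Review bot: `allowSudo = true` grants the pipeline sudo for a subprocess that only runs `systemctl -ojson --recursive`, which works unprivileged, so unless the redpanda-connect module needs it for something not visible in this file it should be dropped to keep the exporter at the privilege it actually needs. The three `metric` processors differ only in the `field` label and the JSON key they read, so `lib.map (f: { metric = { ... }; }) [ "load" "active" "sub" ]` would shorten the list and keep the labels consistent, and would give the otherwise unused `lib` argument a purpose.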
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 9096c4a..912e6fe 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -23,7 +23,6 @@ #./services/jitsi.nix ./services/cgit.nix ./services/ollama.nix - ./services/deluge.nix ./services/prometheus.nix ./services/redpanda/root.nix diff --git a/host/Rory-nginx/services/mastodon.nix b/host/Rory-nginx/services/mastodon.nix new file mode 100644
index 0000000..56f1808
--- /dev/null
+++ b/host/Rory-nginx/services/mastodon.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+ services.mastodon = {
+ enable = true;
+ webProcesses = 8;
+ webThreads = 4;
+
+ streamingProcesses = 63;
+ localDomain = "rory.gay";
+ };
+}
diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix
index 5bb3915..d32cc54 100755
--- a/host/Rory-nginx/services/matrix/root.nix
+++ b/host/Rory-nginx/services/matrix/root.nix
@@ -7,7 +7,6 @@ ./matrix-appservice-discord.nix ./draupnir.nix ./grapevine.nix - # ./sliding-sync.nix # removed from nixpkgs, use synapse support instead ./ooye.nix ]; diff --git a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
index ae63b82..c823846 100755
--- a/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
+++ b/host/Rory-nginx/services/matrix/synapse/synapse-main.nix
@@ -17,7 +17,7 @@ mediaRepoWorkers = 2; # 4 clientReaders = 2; # 4 syncWorkers = 2; # 4 - authWorkers = 0; + #authWorkers = 0; eventCreators = 16; diff --git a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
index 3c8d1e9..3a4a697 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/auth.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/auth.nix
@@ -2,31 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "solo"; workers = lib.range 0 (cfg.authWorkers - 1); workerName = "auth"; - workerRoutes = { - client = [ - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" - "~ ^/_matrix/client/versions$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" - "~ ^/_matrix/client/(r0|v3|unstable)/register$" - "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" - "~ ^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" - "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" - "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.auth; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.authWorkers > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
index 9a0aafa..758d6de 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/client-reader.nix
@@ -2,54 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "medium"; workers = lib.range 0 (cfg.clientReaders - 1); workerName = "client_reader"; - workerRoutes = { - client = - [ - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" - "~ ^/_matrix/client/v1/rooms/.*/hierarchy$" - "~ ^/_matrix/client/(v1|unstable)/rooms/.*/relations/" - "~ ^/_matrix/client/v1/rooms/.*/threads$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases" - "~ ^/_matrix/client/v1/rooms/.*/timestamp_to_event$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search" - "~ ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$)" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$" - "~ ^/_matrix/client/(r0|v3|unstable)/notifications$" - - # unstable - "~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" - ] - ++ lib.optionals (cfg.authWorkers == 0) [ - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" - "~ ^/_matrix/client/versions$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" - "~ ^/_matrix/client/(r0|v3|unstable)/register$" - "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" - "~ ^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" - "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" - "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - 
enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.clientReader; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.clientReaders > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
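Review bot: Routing the auth endpoints (`login`, `register`, `account/whoami`, …) to the client reader is now unconditional, because `workerLib.workerRoutes.clientReader` in `lib.nix` contains them while the `lib.optionals (cfg.authWorkers == 0) [ … ]` guard removed here is gone; `lib.nix` lists the same paths under `auth.client` too, so with `authWorkers > 0` two worker groups declare identical nginx locations. The `user-dir.nix` hunk loses the same guard on its `/profile/` routes. I would either make `lib.nix` a function of `cfg` so the condition can live next to the lists (`workerRoutes = (import ./lib.nix { inherit lib cfg; }).workerRoutes.clientReader;`) or subtract the shared auth list here when auth workers are enabled, e.g. `client = lib.subtractLists workerLib.workerRoutes.auth.client workerLib.workerRoutes.clientReader.client;`. Note that the `synapse-main.nix` hunk comments out `authWorkers = 0;`, so the guard value now comes from that option's default.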
index 2be7a5b..c9c084d 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/event-creator.nix
@@ -2,27 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "medium"; workers = lib.range 0 (cfg.eventCreators - 1); workerName = "event_creator"; - workerRoutes = { - client = [ - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/" - "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.eventCreator; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.eventCreators > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
index effaa69..6997764 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-inbound.nix
@@ -2,20 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "medium"; workers = lib.range 0 (cfg.federationReaders - 1); workerName = "federation_inbound"; - workerRoutes = { - client = [ ]; - federation = [ "~ /_matrix/federation/(v1|v2)/send/" ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.federationInbound; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.federationInboundWorkers > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
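Review bot: `workers = lib.range 0 (cfg.federationReaders - 1);` sizes this group from the federation-reader count while the enable guard a few lines later is `lib.mkIf (cfg.federationInboundWorkers > 0)`, so the number of inbound workers follows a different option than the one that turns them on; this is in context lines the commit keeps rather than in new code. If `federationInboundWorkers` is the intended knob, `workers = lib.range 0 (cfg.federationInboundWorkers - 1);` makes the two agree. The `config` block continues outside the hunk.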
index 04bfe7c..f231822 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-reader.nix
@@ -2,44 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "medium"; workers = lib.range 0 (cfg.federationReaders - 1); workerName = "federation_reader"; - workerRoutes = { - client = [ ]; - federation = [ - "~ ^/_matrix/federation/(v1|v2)/event/" - "~ ^/_matrix/federation/(v1|v2)/state/" - "~ ^/_matrix/federation/(v1|v2)/state_ids/" - "~ ^/_matrix/federation/(v1|v2)/backfill/" - "~ ^/_matrix/federation/(v1|v2)/get_missing_events/" - "~ ^/_matrix/federation/(v1|v2)/publicRooms" - "~ ^/_matrix/federation/(v1|v2)/query/" - "~ ^/_matrix/federation/(v1|v2)/make_join/" - "~ ^/_matrix/federation/(v1|v2)/make_leave/" - "~ ^/_matrix/federation/(v1|v2)/send_join/" - "~ ^/_matrix/federation/(v1|v2)/send_leave/" - "~ ^/_matrix/federation/v1/make_knock/" - "~ ^/_matrix/federation/v1/send_knock/" - "~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually - "~ ^/_matrix/federation/(v1|v2)/query_auth/" - "~ ^/_matrix/federation/(v1|v2)/event_auth/" - "~ ^/_matrix/federation/v1/timestamp_to_event/" - "~ ^/_matrix/federation/(v1|v2)/exchange_third_party_invite/" - "~ ^/_matrix/federation/(v1|v2)/user/devices/" - "~ ^/_matrix/federation/(v1|v2)/get_groups_publicised$" - "~ ^/_matrix/key/v2/query" - # extra - "~ ^/_matrix/key/v2/server$" - ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.federationReader; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.federationReaders > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
index 468916e..1cedcbb 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/federation-sender.nix
@@ -4,17 +4,8 @@ let dbGroup = "medium"; workers = lib.range 0 (cfg.federationSenders - 1); workerName = "federation_sender"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = {}; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.federationSenders > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/lib.nix b/host/Rory-nginx/services/matrix/synapse/workers/lib.nix new file mode 100644
index 0000000..c99e2ef --- /dev/null +++ b/host/Rory-nginx/services/matrix/synapse/workers/lib.nix
@@ -0,0 +1,147 @@ +{ + workerRoutes = { + sync.client = [ + "~ ^/_matrix/client/(v2_alpha|r0|v3)/sync$" + "~ ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$" + "~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" + "~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" + "~ ^/_matrix/client/unstable/org.matrix.simplified_msc3575/sync$" + ]; + + clientReader.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state(/|$)" + "~ ^/_matrix/client/v1/rooms/.*/hierarchy$" + "~ ^/_matrix/client/(v1|unstable)/rooms/.*/relations/" + "~ ^/_matrix/client/v1/rooms/.*/threads$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases" + "~ ^/_matrix/client/v1/rooms/.*/timestamp_to_event$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search" + "~ ^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$)" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$" + "~ ^/_matrix/client/(r0|v3|unstable)/notifications$" + # e2ee + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/query$" + + # unstable + "~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$" + + # auth + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" + "~ ^/_matrix/client/versions$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + "~ ^/_matrix/client/(r0|v3|unstable)/register$" + "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" + "~ 
^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" + "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" + "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" + ]; + + eventCreator.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/" + ]; + + federationInbound.federation = [ + "~ ^/_matrix/federation/(v1|v2)/send/" + ]; + + federationReader.federation = [ + "~ ^/_matrix/federation/(v1|v2)/event/" + "~ ^/_matrix/federation/(v1|v2)/state/" + "~ ^/_matrix/federation/(v1|v2)/state_ids/" + "~ ^/_matrix/federation/(v1|v2)/backfill/" + "~ ^/_matrix/federation/(v1|v2)/get_missing_events/" + "~ ^/_matrix/federation/(v1|v2)/publicRooms" + "~ ^/_matrix/federation/(v1|v2)/query/" + "~ ^/_matrix/federation/(v1|v2)/make_join/" + "~ ^/_matrix/federation/(v1|v2)/make_leave/" + "~ ^/_matrix/federation/(v1|v2)/send_join/" + "~ ^/_matrix/federation/(v1|v2)/send_leave/" + "~ ^/_matrix/federation/v1/make_knock/" + "~ ^/_matrix/federation/v1/send_knock/" + "~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually + "~ ^/_matrix/federation/(v1|v2)/query_auth/" + "~ ^/_matrix/federation/(v1|v2)/event_auth/" + "~ ^/_matrix/federation/v1/timestamp_to_event/" + "~ ^/_matrix/federation/(v1|v2)/exchange_third_party_invite/" + "~ ^/_matrix/federation/(v1|v2)/user/devices/" + "~ ^/_matrix/federation/(v1|v2)/get_groups_publicised$" + "~ ^/_matrix/key/v2/query" + # extra + "~ ^/_matrix/key/v2/server$" + ]; + + mediaRepo.media = [ + "~ ^/_matrix/client/v1/media/" + "~ ^/_matrix/federation/v1/media/" + "~ ^/_synapse/admin/v1/purge_media_cache$" + "~ ^/_synapse/admin/v1/room/.*/media.*$" + "~ ^/_synapse/admin/v1/user/.*/media.*$" + "~ 
^/_synapse/admin/v1/users/.*/media$" + "~ ^/_synapse/admin/v1/media/.*$" + "~ ^/_synapse/admin/v1/quarantine_media/.*$" + "~ ^/_matrix/media/" + ]; + + auth.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/account/whoami$" + "~ ^/_matrix/client/versions$" + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" + "~ ^/_matrix/client/(r0|v3|unstable)/register$" + "~ ^/_matrix/client/(r0|v3|unstable)/register/available$" + "~ ^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$" + "~ ^/_matrix/client/(r0|v3|unstable)/password_policy$" + "~ ^/_matrix/client/(r0|v3|unstable)/capabilities$" + ]; + + typing.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" + ]; + + toDevice.client = [ + "~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/" + ]; + + receipts.client = [ + "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" + "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" + ]; + + pushRules.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/" + ]; + + presence.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/" + ]; + + accountData.client = [ + "~ ^/_matrix/client/(r0|v3|unstable)/account_data" + "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/account_data" + "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/tags" + ]; + + userDirectory.client = [ + "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" + + #profile + "~ ^/_matrix/client/v3/profile/.*$" + "~ ^/_matrix/client/v3/profile/.*/(displayname|avatar_url)$" + ]; + }; +} diff --git a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
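Review bot: The `accountData.client` patterns drop the `/user/<id>/` path segment that the old `account_data-stream-writer.nix` regexes (`^/_matrix/client/(r0|v3|unstable)/.*/tags` and `^/_matrix/client/(r0|v3|unstable)/.*/account_data`) covered; the Client-Server API serves account data and tags under `/_matrix/client/v3/user/{userId}/...`, so the anchored `^/_matrix/client/(r0|v3|unstable)/account_data` and `rooms/.*/account_data` forms should match nothing and the writer consuming them in the `account_data-stream-writer.nix` hunk would see no traffic. I would restore the two broader patterns in place of the three new ones. Separately, `"~ ^/_matrix/federation/(v1|v2)/invite/" # Needs special handling, define manually` is now consumed generically like every other entry, so either the comment is stale or the entry should be excluded. A header comment such as `# Per-worker nginx location lists; each attribute name (client/federation/media) becomes an entry in that worker's enabledResources via lib.attrNames.` would help the next reader.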
index 1e0c638..46fd353 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/media-repo.nix
@@ -2,30 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "solo"; workers = lib.range 0 (cfg.mediaRepoWorkers - 1); workerName = "media_repo"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ - "~ ^/_matrix/client/v1/media/" - "~ ^/_matrix/federation/v1/media/" - "~ ^/_synapse/admin/v1/purge_media_cache$" - "~ ^/_synapse/admin/v1/room/.*/media.*$" - "~ ^/_synapse/admin/v1/user/.*/media.*$" - "~ ^/_synapse/admin/v1/users/.*/media$" - "~ ^/_synapse/admin/v1/media/.*$" - "~ ^/_synapse/admin/v1/quarantine_media/.*$" - "~ ^/_matrix/media/" - ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.mediaRepo; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.mediaRepoWorkers > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
index edf1632..5267838 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/pusher.nix
@@ -4,17 +4,8 @@ let dbGroup = "small"; workers = lib.range 0 (cfg.pushers - 1); workerName = "pusher"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = {}; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.pushers > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/single/appservice.nix b/host/Rory-nginx/services/matrix/synapse/workers/single/appservice.nix
index 119fd04..03a080b 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/single/appservice.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/single/appservice.nix
@@ -2,22 +2,15 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "small"; workerName = "appservice"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + tasks = [ "appservice" ]; + workerRoutes = {}; + enabledResources = lib.attrNames workerRoutes; in { - config = lib.mkIf cfg.enableAppserviceWorker { + config = lib.mkIf (lib.length tasks > 0) { monitoring.synapse.workerNames = [ workerName ]; services.matrix-synapse = { settings = { @@ -27,7 +20,9 @@ in }; }; - notify_appservices_from_worker = workerName; + run_background_tasks_on = lib.mkIf (lib.elem "background" tasks) workerName; + notify_appservices_from_worker = lib.mkIf (lib.elem "appservice" tasks) workerName; + update_user_directory_from_worker = lib.mkIf (lib.elem "user_directory" tasks) workerName; }; workers = { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/single/background.nix b/host/Rory-nginx/services/matrix/synapse/workers/single/background.nix
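Review bot: `config = lib.mkIf (lib.length tasks > 0) {` is always true because `tasks = [ "appservice" ];` is a literal in the same `let`, so the `cfg.enableAppserviceWorker` switch honored by the removed line can no longer disable this worker; the `background.nix` and `user-dir.nix` hunks make the same change against `enableBackgroundWorker` and `enableUserDirWorker`. If those options are meant to survive, `config = lib.mkIf (cfg.enableAppserviceWorker && lib.length tasks > 0) {` keeps them effective. `workerLib = import ../lib.nix;` is added here and in `background.nix` but referenced in neither (`workerRoutes = {}`), so it can be dropped. The `settings` block of the second hunk continues outside what is shown.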
index 37fde10..741b88c 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/single/background.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/single/background.nix
@@ -2,24 +2,15 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "small"; - hasClientResource = false; - hasFederationResource = false; workerName = "background"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + tasks = [ "background" ]; + workerRoutes = { }; + enabledResources = lib.attrNames workerRoutes; in { - config = lib.mkIf cfg.enableBackgroundWorker { + config = lib.mkIf (lib.length tasks > 0) { monitoring.synapse.workerNames = [ workerName ]; services.matrix-synapse = { settings = { @@ -29,7 +20,9 @@ in }; }; - run_background_tasks_on = workerName; + run_background_tasks_on = lib.mkIf (lib.elem "background" tasks) workerName; + notify_appservices_from_worker = lib.mkIf (lib.elem "appservice" tasks) workerName; + update_user_directory_from_worker = lib.mkIf (lib.elem "user_directory" tasks) workerName; }; workers = { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/single/user-dir.nix b/host/Rory-nginx/services/matrix/synapse/workers/single/user-dir.nix
index f26f3ec..97ddf26 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/single/user-dir.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/single/user-dir.nix
@@ -2,27 +2,15 @@ let cfg = config.services.matrix-synapse; - dbGroup = "solo"; + workerLib = import ../lib.nix; + dbGroup = "small"; workerName = "user_dir"; - workerRoutes = { - client = - [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$" ] - ++ lib.optionals (cfg.authWorkers == 0) [ - "~ ^/_matrix/client/v3/profile/.*$" - "~ ^/_matrix/client/v3/profile/.*/(displayname|avatar_url)$" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + tasks = [ "user_directory" ]; + workerRoutes = workerLib.workerRoutes.userDirectory; + enabledResources = lib.attrNames workerRoutes; in { - config = lib.mkIf cfg.enableUserDirWorker { + config = lib.mkIf (lib.length tasks > 0) { monitoring.synapse.workerNames = [ workerName ]; services.matrix-synapse = { settings = { @@ -32,7 +20,9 @@ in }; }; - update_user_directory_from_worker = workerName; + run_background_tasks_on = lib.mkIf (lib.elem "background" tasks) workerName; + notify_appservices_from_worker = lib.mkIf (lib.elem "appservice" tasks) workerName; + update_user_directory_from_worker = lib.mkIf (lib.elem "user_directory" tasks) workerName; }; workers = { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
index 48649f6..b1cc986 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/account_data-stream-writer.nix
@@ -2,24 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "account_data"; workers = lib.range 0 (cfg.accountDataStreamWriters - 1); workerName = "account_data_stream_writer"; - workerRoutes = { - client = [ - "~ ^/_matrix/client/(r0|v3|unstable)/.*/tags" - "~ ^/_matrix/client/(r0|v3|unstable)/.*/account_data" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.accountData; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.accountDataStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
index 5395aea..1459d6b 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/event-stream-writer.nix
@@ -6,17 +6,8 @@ let streamWriterType = "events"; workers = lib.range 0 (cfg.eventStreamWriters - 1); workerName = "event_stream_writer"; - workerRoutes = { - client = [ ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = {}; + enabledResources = []; in { config = lib.mkIf (cfg.eventStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
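Review bot: `enabledResources = [];` diverges from the `lib.attrNames workerRoutes` form every other worker file in this commit uses, including `federation-sender.nix` and `pusher.nix` which also have `workerRoutes = {}`; the value is the same today, but the next refactor will miss this file. `enabledResources = lib.attrNames workerRoutes;` keeps it uniform.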
index e6487ca..a417ce5 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/presence-stream-writer.nix
@@ -2,21 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "presence"; workers = lib.range 0 (cfg.presenceStreamWriters - 1); workerName = "presence_stream_writer"; - workerRoutes = { - client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/" ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.presence; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.presenceStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
index 4a4af04..f5210b2 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/push_rule-stream-writer.nix
@@ -2,21 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "push_rules"; workers = lib.range 0 (cfg.pushRuleStreamWriters - 1); workerName = "push_rule_stream_writer"; - workerRoutes = { - client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/" ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.pushRules; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.pushRuleStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
index 54c31b4..3ef84dc 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/receipt-stream-writer.nix
@@ -2,24 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "receipts"; workers = lib.range 0 (cfg.receiptStreamWriters - 1); workerName = "receipts_stream_writer"; - workerRoutes = { - client = [ - "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" - "~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.receipts; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.receiptStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
index 5fd0bd0..72ba834 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/shared-stream-writer.nix
@@ -11,12 +11,7 @@ let federation = [ ]; media = [ ]; }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.sharedStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
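Review bot: `enabledResources = lib.attrNames workerRoutes;` changes behaviour in this file because it keeps the old three-key `workerRoutes` set (the context shows `federation = [ ]; media = [ ];`), so `federation` and `media` are now reported as enabled even with empty route lists, whereas the removed `lib.optionals (lib.length … > 0)` chain only included non-empty ones. Whether that matters depends on how `enabledResources` is consumed below the hunk, but the other files avoid it by declaring only non-empty keys. `enabledResources = lib.attrNames (lib.filterAttrs (_: routes: routes != [ ]) workerRoutes);` preserves the old semantics without restructuring the set. The `workerRoutes` definition starts above the hunk.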
index 2b487d6..bc32e0a 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/to_device-stream-writer.nix
@@ -2,21 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "to_device"; workers = lib.range 0 (cfg.toDeviceStreamWriters - 1); workerName = "to_device_stream_writer"; - workerRoutes = { - client = [ "~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/" ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.toDevice; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.toDeviceStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
index 5bff505..a57d0d8 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/stream-writers/typing-stream-writer.nix
@@ -2,21 +2,13 @@ let cfg = config.services.matrix-synapse; + workerLib = import ../lib.nix; dbGroup = "medium"; streamWriterType = "typing"; workers = lib.range 0 (cfg.typingStreamWriters - 1); workerName = "typing_stream_writer"; - workerRoutes = { - client = [ "~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing" ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.typing; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.typingStreamWriters > 0) { diff --git a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
index 67b63dd..6a64a7e 100644 --- a/host/Rory-nginx/services/matrix/synapse/workers/sync.nix +++ b/host/Rory-nginx/services/matrix/synapse/workers/sync.nix
@@ -2,25 +2,12 @@ let cfg = config.services.matrix-synapse; + workerLib = import ./lib.nix; dbGroup = "medium"; workers = lib.range 0 (cfg.syncWorkers - 1); workerName = "sync"; - workerRoutes = { - client = [ - "~ ^/_matrix/client/(v2_alpha|r0|v3)/sync$" - "~ ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$" - "~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" - "~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" - ]; - federation = [ ]; - media = [ ]; - }; -in -let - enabledResources = - lib.optionals (lib.length workerRoutes.client > 0) [ "client" ] - ++ lib.optionals (lib.length workerRoutes.federation > 0) [ "federation" ] - ++ lib.optionals (lib.length workerRoutes.media > 0) [ "media" ]; + workerRoutes = workerLib.workerRoutes.sync; + enabledResources = lib.attrNames workerRoutes; in { config = lib.mkIf (cfg.syncWorkers > 0) { diff --git a/host/uISO/development.nix b/host/uISO/development.nix new file mode 100644
index 0000000..90ffcfb
--- /dev/null
+++ b/host/uISO/development.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ lib,
+ pkgs,
+
+ #params
+ #enableBios ? true,
+ #enableEfi ? true,
+ #enableUsb ? true,
+
+ ...
+}:
+
+#with lib;
+
+{
+ users.users.root.initialPassword = "root";
+ services.getty.autologinUser = "root";
+
+ isoImage = {
+ squashfsCompression = "gzip -Xcompression-level 1";
+ compressImage = false;
+ includeSystemBuildDependencies = false;
+ efiSplashImage = null;
+ #splashImage = null;
+ grubTheme = null;
+ };
+
+ boot = {
+ initrd = {
+ #systemd.enable = true;
+ systemd.emergencyAccess = true;
+ };
+ #consoleLogLevel = 1;
+ kernelParams = [
+ "console=ttyS0,115200"
+ "systemd.gpt_auto=0"
+ #"console=tty1"
+ #"quiet"
+ ];
+ };
+ environment.systemPackages = with pkgs; [
+ #xterm
+
+ (callPackage ./pkgs/resize.nix { })
+ #coreutils
+ htop
+ btop
+ neofetch
+ ];
+}
\ No newline at end of file
diff --git a/host/uISO/iso-root.nix b/host/uISO/iso-root.nix
new file mode 100644
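Review bot: `users.users.root.initialPassword = "root"` together with `services.getty.autologinUser = "root"` and `boot.initrd.systemd.emergencyAccess = true` gives unauthenticated root on the console and an unauthenticated initrd emergency shell, and nothing in the module marks it as development-only or prevents it being imported into the distributable `Spacebar-Selfhosting-Kit` image that iso-root.nix builds. `initialPassword` is additionally stored in clear text in the Nix store, which is world-readable on the resulting system. A header comment such as `# Development profile only: root autologin, cleartext root password and initrd emergency access. Never import into a distributed image.` would make the intent explicit, and `initialHashedPassword` is the option to use if a password is needed at all.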
index 0000000..6f02772
--- /dev/null
+++ b/host/uISO/iso-root.nix
@@ -0,0 +1,128 @@ +{ + config, + lib, + pkgs, + nixpkgs, + + #params + #enableBios ? true, + #enableEfi ? true, + #enableUsb ? true, + + ... +}: + +#with lib; + +{ + imports = [ + (nixpkgs + "/nixos/modules/installer/cd-dvd/iso-image.nix") + ]; + + fileSystems = lib.mkImageMediaOverride config.lib.isoFileSystems;# // { + # "/".device = lib.mkForce "/dev/disk/by-label/NIXOS_ISO"; + # "/nix/.ro-store".device = lib.mkForce "/sysroot/iso/nix-store.squashfs"; + #}; + + isoImage = { + isoName = "Spacebar-Selfhosting-Kit-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso"; + + makeEfiBootable = false; + makeUsbBootable = false; + makeBiosBootable = true; + }; + + + boot.supportedFilesystems = lib.mkForce [ ]; + hardware.enableRedistributableFirmware = lib.mkForce false; + #environment.systemPackages = lib.mkForce [ ]; + documentation.enable = lib.mkForce false; + documentation.nixos.enable = lib.mkForce false; + networking.wireless.enable = lib.mkForce false; + + system.extraDependencies = lib.mkForce []; + + boot = { + loader = { + grub.memtest86.enable = false; + #systemd-boot.enable = true; + grub.enable = false; + timeout = lib.mkForce 1; + }; + + #kernelPackages = pkgs.linuxPackages_latest; + systemdExecutable = "${pkgs.systemd}/bin/init"; + + enableContainers = lib.mkForce false; + }; + + + #perlless profile + system.switch.enable = lib.mkForce false; + + # Remove perl from activation + #system.etc.overlay.enable = lib.mkForce true; + #systemd.sysusers.enable = lib.mkForce true; + + # Random perl remnants + programs.less.lessopen = lib.mkForce null; + programs.command-not-found.enable = lib.mkForce false; + environment.defaultPackages = lib.mkForce [ ]; + documentation.info.enable = lib.mkForce false; + documentation.man.enable = false; + + system = { + #activatable = false; + copySystemConfiguration = false; + includeBuildDependencies = false; + disableInstallerTools = lib.mkForce true; + build = { + separateActivationScript = true; + }; + }; + + 
nix.enable = false; + networking.firewall.enable = false; + networking.networkmanager.enable = false; + systemd.coredump.enable = false; + services.timesyncd.enable = false; + + services.nscd.enableNsncd = false; + networking.dhcpcd.enable = false; + services.udev.enable = false; + services.nscd.enable = false; + system.nssModules = lib.mkForce []; + + systemd.oomd.enable = false; + #services.getty = { + # autologinUser = "root"; + # loginProgram = "${pkgs.bash}/bin/bash"; + # loginOptions = "--login"; + #}; + + security = { + loginDefs = { + settings = { + ENCRYPT_METHOD = "MD5"; + }; + }; + sudo.enable = false; + }; + + nixpkgs.overlays = [ + (import ./overlays/systemd-overlay.nix) + (import ./overlays/grub-overlay.nix) + ]; + + services.lvm.enable = lib.mkForce false; + boot.initrd.services.lvm.enable = lib.mkForce false; + boot.initrd.systemd.suppressedUnits = [ + "systemd-hibernate-clear.service" + ]; + + systemd.suppressedSystemUnits = [ + "systemd-hibernate-clear.service" + "systemd-bootctl@.service" + "systemd-bootctl.socket" + ]; +} \ No newline at end of file diff --git a/host/uISO/overlays/grub-overlay.nix b/host/uISO/overlays/grub-overlay.nix new file mode 100644
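Review bot: `ENCRYPT_METHOD = "MD5"` in `security.loginDefs.settings` makes any password set on the running image hash with md5crypt instead of the stronger NixOS default, and the hunk gives no reason for it; since the same file disables sudo, udev and the firewall, the login password is the only barrier left on the console. If the line exists to avoid a dependency, record that next to it, e.g. `ENCRYPT_METHOD = "MD5"; # TODO: document why the default password hash is not used`; otherwise drop the line and keep the default. `networking.firewall.enable = false` is consistent with dhcpcd and networkmanager also being off, but a one-line comment tying the two together would make sure the firewall is reconsidered if networking is ever enabled on this image.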
index 0000000..abbed8e
--- /dev/null
+++ b/host/uISO/overlays/grub-overlay.nix
@@ -0,0 +1,20 @@
+final: prev: {
+ grub2 = (prev.grub2.override {
+ zfsSupport = false;
+ efiSupport = false;
+ xenSupport = false;
+ }).overrideAttrs (oldAttrs: {
+ doCheck = false;
+ doInstallCheck = false;
+ #remove --enable-grub-mount
+ configureFlags = oldAttrs.configureFlags ++ [ "--disable-year2038 --disable-nls --disable-rpath --disable-dependency-tracking --disable-grub-mount --disable-grub-themes --disable-grub-mkfont" ];
+ # remove unnecessary commands
+ # postInstall = oldAttrs.postInstall + ''
+ # rm -rf $out/share/locale
+ # '';
+ });
+
+ grub2_light = final.grub2;
+ grub2_efi = final.grub2;
+ grub2_xen = final.grub2;
+}
diff --git a/host/uISO/overlays/systemd-overlay.nix b/host/uISO/overlays/systemd-overlay.nix
new file mode 100644
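Review bot: The `configureFlags` line packs seven flags into a single list element; that only works because the generic builder word-splits the space-joined environment variable, and it breaks as soon as the package is built with `__structuredAttrs`. One flag per element is the convention: `++ [ "--disable-year2038" "--disable-nls" "--disable-rpath" "--disable-dependency-tracking" "--disable-grub-mount" "--disable-grub-themes" "--disable-grub-mkfont" ]`. The comment `#remove --enable-grub-mount` also does not describe the code, which appends `--disable-grub-mount` after whatever `oldAttrs.configureFlags` already contains rather than removing anything; if the inherited list still carries `--enable-grub-mount`, the result depends on configure honouring the last occurrence, so either filter it out with `prev.lib.remove "--enable-grub-mount" oldAttrs.configureFlags` or reword the comment to say the flag is overridden, not removed.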
index 0000000..69a4d3f
--- /dev/null
+++ b/host/uISO/overlays/systemd-overlay.nix
@@ -0,0 +1,62 @@
+final: prev: {
+ systemd = prev.systemd.override {
+ #pname = "systemd-extra-minimal";
+ withSelinux = false;
+ withKexectools = false;
+ withLibseccomp = false;
+ withAcl = false;
+ withAudit = false;
+ withAnalyze = false;
+ withApparmor = false;
+ withBootloader = false;
+ withCompression = false;
+ withCoredump = false;
+ withCryptsetup = false;
+ withRepart = false;
+ withDocumentation = false;
+ withEfi = false;
+ withFido2 = false;
+ withHomed = false;
+ withHostnamed = false;
+ withHwdb = true; # required by nixos
+ withImportd = false;
+ withIptables = false;
+ withKmod = true; # required by nixos
+ withLibBPF = false;
+ withLibidn2 = false;
+ withLocaled = false;
+ withLogind = true; # required by nixos
+ withMachined = false;
+ withNetworkd = false;
+ withNss = false;
+ withOomd = false;
+ withPam = true; # required by nixos
+ withPCRE2 = false;
+ withPolkit = false;
+ withPortabled = false;
+ withQrencode = false;
+ withRemote = false;
+ withResolved = false;
+ withShellCompletions = false;
+ withSysusers = false;
+ withSysupdate = false;
+ withTimedated = false;
+ withTimesyncd = false;
+ withTpm2Tss = false;
+ withUkify = false;
+ withUserDb = false;
+ withUtmp = false;
+ withVmspawn = false;
+ withKernelInstall = false;
+ withTests = false;
+ withLogTrace = false;
+ };
+
+ systemd-minimal = final.systemd;
+
+ openssh = prev.openssh.overrideAttrs (oldAttrs: {
+ # Disable PAM support
+ doCheck = false;
+ doInstallCheck = false;
+ });
+}
diff --git a/host/uISO/pkgs/resize.nix b/host/uISO/pkgs/resize.nix
new file mode 100644
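Review bot: `withLibseccomp = false` silently removes every seccomp-based unit hardening directive from the image: `SystemCallFilter=`, `SystemCallArchitectures=`, `RestrictAddressFamilies=` and similar are ignored when systemd is built without libseccomp, so the sandboxing NixOS declares for its own services no longer applies. If the size saving is worth that, a comment on the line recording the trade-off, e.g. `withLibseccomp = false; # NOTE: disables SystemCallFilter= and other seccomp unit hardening`, would stop it being copied as a harmless option. Separately, the `# Disable PAM support` comment on the `openssh` override does not describe the code under it, which only sets `doCheck = false` and `doInstallCheck = false` and thus skips the test suite of a security-critical package; if dropping PAM is intended that is an argument to the package's `override`, not an `overrideAttrs`, and otherwise the comment should read `# Skip the openssh test suite to shorten builds; PAM support is unchanged`.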
index 0000000..5dc3b77
--- /dev/null
+++ b/host/uISO/pkgs/resize.nix
@@ -0,0 +1,9 @@
+{ lib, pkgs, ... }:
+
+derivation {
+ name = "resize";
+ version = "1.0";
+ builder = "${pkgs.bash}/bin/bash";
+ args = [ "-c" "${pkgs.coreutils}/bin/mkdir -p $out/bin; ${pkgs.coreutils}/bin/cp ${pkgs.xterm}/bin/.resize-wrapped $out/bin/resize" ];
+ system = builtins.currentSystem;
+}
\ No newline at end of file
diff --git a/host/uISO/test.sh b/host/uISO/test.sh
new file mode 100644
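Review bot: `system = builtins.currentSystem;` makes this derivation impure and is the reason test.sh has to pass `--impure`; since `pkgs` is already an argument, `system = pkgs.stdenv.hostPlatform.system;` is pure and matches the platform iso-root.nix already uses in its `isoName`. The `lib` argument is unused and can be dropped from the pattern. Copying `${pkgs.xterm}/bin/.resize-wrapped` also relies on an internal wrapper artefact of the xterm package rather than its public `bin/resize`, so a repackaging of xterm would break this without a useful error; a comment stating why the unwrapped binary is wanted (presumably to avoid the wrapper's runtime dependencies) would help the next reader.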
index 0000000..9033b8c
--- /dev/null
+++ b/host/uISO/test.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+nom build .#nixosConfigurations.test-iso.config.system.build.isoImage --impure || exit 1
+clear
+du -sh result/iso/*.iso || exit 1
+sleep 2
+qemu-system-x86_64 -enable-kvm -m 256 -cdrom result/iso/*.iso -nographic -serial mon:stdio
\ No newline at end of file
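Review bot: `--impure` on the `nom build` line appears to be needed only because pkgs/resize.nix uses `builtins.currentSystem`; once that package takes its system from `pkgs`, the flag can go and the build becomes reproducible. The unquoted `result/iso/*.iso` glob is passed to `-cdrom`, which accepts a single path, so a second match would be handed to qemu as a stray argument; `set -- result/iso/*.iso; [ "$#" -eq 1 ] || exit 1` before the qemu line pins that down. A short header comment naming the flake output this script expects (`test-iso`) would also help, as nothing else in the hunk says where that configuration lives.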