-rw-r--r-- | flake.lock | 143 | ||||
-rwxr-xr-x | flake.nix | 13 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/root.nix | 2 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/synapse.monolith.nix | 212 | ||||
-rwxr-xr-x | host/Rory-nginx/services/matrix/synapse.nix | 115 | ||||
-rwxr-xr-x | host/Rory-nginx/services/postgres.nix | 2 |
6 files changed, 352 insertions, 135 deletions
diff --git a/flake.lock b/flake.lock index b0dab21..b6b4e0c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,30 +1,11 @@ { "nodes": { - "MatrixMediaGate": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1709199781, - "narHash": "sha256-OH9OSnRNj9zHkKMBRwBaa0pMA0yOzibt3h6i3M4KIKw=", - "ref": "refs/heads/master", - "rev": "a3bce27ac19dfd940a34c4c148c0f617f513feed", - "revCount": 18, - "type": "git", - "url": "https://cgit.rory.gay/matrix/tools/MatrixMediaGate.git/" - }, - "original": { - "type": "git", - "url": "https://cgit.rory.gay/matrix/tools/MatrixMediaGate.git/" - } - }, "attic": { "inputs": { "crane": "crane", "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_3", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -46,8 +27,8 @@ "inputs": { "crane": "crane_3", "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_5", + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { @@ -67,7 +48,7 @@ }, "botcore-v4": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1683656302, @@ -108,9 +89,9 @@ "crane": "crane_2", "fenix": "fenix", "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nix-filter": "nix-filter", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "rocksdb": "rocksdb" }, "locked": { @@ -134,9 +115,9 @@ "crane": "crane_4", "fenix": "fenix_2", "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_4", "nix-filter": "nix-filter_2", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1714631281, 
@@ -367,24 +348,6 @@ } }, "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -399,9 +362,9 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1710146030, @@ -418,7 +381,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_3": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -433,9 +396,9 @@ "type": "github" } }, - "flake-utils_5": { + "flake-utils_4": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1709126324, @@ -451,9 +414,9 @@ "type": "github" } }, - "flake-utils_6": { + "flake-utils_5": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1710146030, @@ -471,7 +434,7 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1714515075, @@ -556,8 +519,8 @@ "nixos-wsl": { "inputs": { "flake-compat": "flake-compat_5", - "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_8" + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1714355896, 
@@ -575,11 +538,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708807242, - "narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=", + "lastModified": 1683408522, + "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a", + "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", "type": "github" }, "original": { @@ -607,14 +570,18 @@ }, "nixpkgs-rory": { "locked": { - "lastModified": 0, - "narHash": "sha256-0h4yzifkBwp7AtFBW62wtJmFrZW12Ge9SeyL6AWIV7M=", - "path": "/Rory-Open-Architecture/nixpkgs", - "type": "path" + "lastModified": 1714857654, + "narHash": "sha256-lHLhAap5HklB1yQhUldJNjnFX6AVuKpEsYHtaYin9nc=", + "owner": "TheArcaneBrony", + "repo": "nixpkgs", + "rev": "5f577ce369c55b5774fd7a766693d705a31391e4", + "type": "github" }, "original": { - "path": "/Rory-Open-Architecture/nixpkgs", - "type": "path" + "owner": "TheArcaneBrony", + "ref": "master", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-stable": { @@ -651,22 +618,6 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1683408522, - "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { "lastModified": 1711401922, "narHash": "sha256-QoQqXoj8ClGo0sqD/qWKFWezgEwUL0SUh37/vY2jNhc=", "owner": "NixOS", @@ -681,7 +632,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1713537308, "narHash": "sha256-XtTSSIB2DA6tOv+l0FhvfDMiyCmhoRbNB+0SeInZkbk=", @@ -697,7 +648,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1702539185, "narHash": "sha256-KnIRG5NMdLIpEkZTnN5zovNYc0hhXjAgv6pfd5Z4c7U=", 
@@ -713,7 +664,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1709479366, "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", @@ -729,7 +680,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1714076141, "narHash": "sha256-Drmja/f5MRHZCskS6mvzFqxEaZMeciScCTFxWVLqWEY=", @@ -745,7 +696,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1714272655, "narHash": "sha256-3/ghIWCve93ngkx5eNPdHIKJP/pMzSr5Wc4rNKE1wOc=", @@ -761,7 +712,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1714253743, "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", @@ -796,7 +747,6 @@ }, "root": { "inputs": { - "MatrixMediaGate": "MatrixMediaGate", "botcore-v4": "botcore-v4", "conduit": "conduit", "conduit-vanilla": "conduit-vanilla", @@ -804,7 +754,7 @@ "mtxclientSrc": "mtxclientSrc", "nhekoSrc": "nhekoSrc", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_8", "nixpkgs-RoryNix": "nixpkgs-RoryNix", "nixpkgs-rory": "nixpkgs-rory" } @@ -887,21 +837,6 @@ "repo": "default", "type": "github" } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 02f2297..30f4826 100755 --- a/flake.nix +++ b/flake.nix @@ -7,8 +7,8 @@ #url="path:/Rory-Open-Architecture/nixpkgs"; }; nixpkgs-rory = { - url = "path:/Rory-Open-Architecture/nixpkgs"; - #url = "github:TheArcaneBrony/nixpkgs/master"; + #url = "path:/Rory-Open-Architecture/nixpkgs"; + url = "github:TheArcaneBrony/nixpkgs/master"; }; nixpkgs-RoryNix = { #url = "github:NixOS/nixpkgs/nixos-23.05"; 
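Review bot: `nixpkgs-rory` now follows the mutable `master` branch of a personal fork, and the context of the next hunk shows `Rory-nginx = nixpkgs-rory.lib.nixosSystem`, so every `nix flake update` moves the whole host to whatever that branch holds at the time. flake.lock pins the rev and narHash, which keeps a given build reproducible, but the input deserves a comment such as `# nixpkgs fork used to build Rory-nginx; review the rev change in flake.lock on every update`. The commented-out `path:` URL is kept as a manual toggle; `--override-input nixpkgs-rory path:/Rory-Open-Architecture/nixpkgs` gives the same local workflow without editing the file.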
@@ -39,9 +39,9 @@ url = "gitlab:BotCore-Devs/BotCore-v4/staging"; }; - MatrixMediaGate = { - url = "git+https://cgit.rory.gay/matrix/tools/MatrixMediaGate.git/"; - }; + #MatrixMediaGate = { + # url = "git+https://cgit.rory.gay/matrix/tools/MatrixMediaGate.git/"; + #}; # Sources... nhekoSrc = { @@ -55,7 +55,7 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-RoryNix, nixpkgs-rory, home-manager, botcore-v4, MatrixMediaGate, conduit, conduit-vanilla, nixos-wsl, ... }@inputs: { + outputs = { self, nixpkgs, nixpkgs-RoryNix, nixpkgs-rory, home-manager, botcore-v4, conduit, conduit-vanilla, nixos-wsl, ... }@inputs: { nixosConfigurations = { #NIXPKGS FORK Rory-nginx = nixpkgs-rory.lib.nixosSystem { @@ -70,7 +70,6 @@ inherit home-manager; inherit conduit; inherit conduit-vanilla; - inherit MatrixMediaGate; }; }; diff --git a/host/Rory-nginx/services/matrix/root.nix b/host/Rory-nginx/services/matrix/root.nix index 2c0df53..be9386e 100755 --- a/host/Rory-nginx/services/matrix/root.nix +++ b/host/Rory-nginx/services/matrix/root.nix @@ -8,7 +8,7 @@ ./matrix-appservice-discord.nix ./draupnir.nix ./conduit.nix - ./matrix-media-gate.nix + #./matrix-media-gate.nix ]; } \ No newline at end of file diff --git a/host/Rory-nginx/services/matrix/synapse.monolith.nix b/host/Rory-nginx/services/matrix/synapse.monolith.nix new file mode 100755 index 0000000..26c61a1 --- /dev/null +++ b/host/Rory-nginx/services/matrix/synapse.monolith.nix 
@@ -0,0 +1,212 @@ +{ config, pkgs, lib, ... }: + +{ + services.matrix-synapse = { + enable = true; + withJemalloc = true; + + # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html + settings = { + server_name = "rory.gay"; + + enable_registration = true; + registration_requires_token = true; + + require_membership_for_aliases = false; + redaction_retention_period = null; + user_ips_max_age = null; + allow_device_name_lookup_over_federation = true; + + federation = { + client_timeout = "60s"; + max_short_retries = 6; + max_short_retry_delay = "10s"; + max_long_retries = 5; + max_long_retry_delay = "30s"; + }; + + event_cache_size = "1200K"; #defaults to 10K + caches = { + global_factor = 5000.0; + cache_entry_ttl = "12h"; + expire_caches = true; + sync_response_cache_duration = "6h"; + cache_autotuning = { + max_cache_memory_usage = "65536M"; + target_cache_memory_usage = "32768M"; + min_cache_ttl = "6h"; + }; + }; + + # Alicia - figure this out later... 
+ #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"]; + registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt"; + + listeners = [ + { + port = 8008; + bind_addresses = [ "192.168.1.2" "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "client" "federation" ]; + compress = true; + } ]; + } + ]; + dynamic_thumbnails = true; + presence = { + enable = true; + update_interval = 60; + }; + url_preview_enabled = true; + database = { + name = "psycopg2"; + args = { + user = "matrix-synapse-rory-gay"; + #passwordFile = "/run/secrets/matrix-synapse-password"; + password = "somepassword"; + database = "matrix-synapse-rory-gay"; + host = "127.0.0.1"; + application_name = "matrix-synapse (rory.gay)"; + cp_min = 5; + cp_max = 50; + #cp_reconnect_interval = "True"; + }; + }; + app_service_config_files = [ + #"/etc/matrix-synapse/appservice-registration.yaml" + "/var/lib/matrix-synapse/modas-registration.yaml" + ]; + + rc_message = { + per_second = 1000; + burst_count = 1000; + }; + rc_login = { + address = { + per_second = 1000; + burst_count = 1000; + }; + account = { + per_second = 1000; + burst_count = 1000; + }; + failed_attempts = { + per_second = 0.1; + burst_count = 3; + }; + }; + rc_joins = { + local = { + per_second = 1000; + burst_count = 1000; + }; + remote = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_joins_per_room = { + per_second = 1000; + burst_count = 1000; + }; + rc_invites = { + per_room = { + per_second = 1000; + burst_count = 1000; + }; + per_user = { + per_second = 1000; + burst_count = 1000; + }; + per_issuer = { + per_second = 1000; + burst_count = 1000; + }; + }; + rc_federation = { + window_size = 10; + sleep_limit = 1000; + sleep_delay = 100; + reject_limit = 1000; + concurrent = 100; + }; + federation_rr_transactions_per_room_per_second = 1; + + max_image_pixels = 
"100M"; + + ui_auth = { + session_timeout = "1m"; + }; + + login_via_existing_session = { + enabled = true; + require_ui_auth = true; + token_timeout = "1y"; + }; + + #sentry = { + # dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14"; + #}; + + report_stats = false; + + user_directory = { + enabled = true; + search_all_users = true; + prefer_local_users = true; + }; + + experimental_features = { + "org.matrix.msc3026.busy_presence" = true; + "fi.mau.msc2815" = true; + "org.matrix.msc3881" = true; + "org.matrix.msc3874" = true; + "org.matrix.msc3912" = true; + }; + }; + + plugins = with pkgs.matrix-synapse-plugins; [ + # Alicia - need to port draupnir... + #matrix-synapse-mjolnir-antispam +# matrix-synapse-pam + ]; +# extraConfigFiles = [ +# (pkgs.writeTextFile { +# name = "matrix-synapse-extra-config.yml"; +# text = '' +# modules: +# - module: "pam_auth_provider.PAMAuthProvider" +# config: +# create_users: true +# skip_user_check: false +# ''; +# }) +# ]; + }; + + systemd.services.matrix-synapse-reg-token = { + description = "Random registration token for Synapse."; + before = ["matrix-synapse.service"]; # So the registration can be used by Synapse + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + + script = '' + + if [ ! -f "registration_shared_secret.txt" ] + then + cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt + else + echo Not generating key, key exists; + fi''; + serviceConfig = { + User = "matrix-synapse"; + Group = "matrix-synapse"; + WorkingDirectory = "/var/lib/matrix-synapse"; + }; + }; + +} + diff --git a/host/Rory-nginx/services/matrix/synapse.nix b/host/Rory-nginx/services/matrix/synapse.nix index 26c61a1..6e0f537 100755 --- a/host/Rory-nginx/services/matrix/synapse.nix +++ b/host/Rory-nginx/services/matrix/synapse.nix 
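Review bot: `password = "somepassword";` under `database.args` puts the PostgreSQL credential into the repository and into the world-readable Nix store. Keep the password (or the whole `database` section) in a file outside the store and load it through `extraConfigFiles`, which this file already carries in commented-out form further down. The `matrix-synapse-reg-token` script writes `registration_shared_secret.txt` with whatever umask the unit inherits, so a `umask 077` line before the `cat /dev/urandom` pipeline would keep the secret readable only by `matrix-synapse`. The `rc_login`, `rc_joins` and `rc_invites` values of `per_second = 1000` effectively switch rate limiting off apart from `failed_attempts`; if that is intended, a comment saying so would help the next reader.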
@@ -1,5 +1,12 @@ { config, pkgs, lib, ... }: +let + federationSenders = lib.range 0 31; + federationReceivers = lib.range 10000 10000; + initialSyncWorkers = lib.range 10100 10100; + syncWorkers = lib.range 10150 10150; + streamWriters = lib.range 10200 10200; +in { services.matrix-synapse = { enable = true; @@ -51,7 +58,18 @@ x_forwarded = true; resources = [ { names = [ "client" "federation" ]; - compress = true; + compress = false; + } ]; + } + { + port = 8009; + bind_addresses = [ "127.0.0.1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { + names = [ "replication" ]; + compress = false; } ]; } ]; @@ -147,10 +165,6 @@ token_timeout = "1y"; }; - #sentry = { - # dsn = "https://77c8de07855d4e0c90dbcf0945a04f01@sentry.thearcanebrony.net/14"; - #}; - report_stats = false; user_directory = { 
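Review bot: The new listener on port 8009 serves the `replication` resource over plain HTTP, and none of the hunks shown sets `worker_replication_secret`, so any local process that can reach 127.0.0.1:8009 can call the replication API unauthenticated. Set the secret from a file outside the Nix store, for example through `extraConfigFiles`, so that it does not land in the store. `x_forwarded = true` looks unnecessary on a listener that is not behind the reverse proxy. In the `let` block, `federationReceivers`, `initialSyncWorkers`, `syncWorkers` and `streamWriters` are defined but only referenced from commented-out code in this diff; either drop them or add `# reserved for planned worker types`.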
@@ -166,25 +180,69 @@ "org.matrix.msc3874" = true; "org.matrix.msc3912" = true; }; + + + redis = { + enabled = true; + path = "/run/redis-matrix-synapse/redis.sock"; + }; + + + instance_map = { + main = { + host = "127.0.0.1"; + port = 8009; + }; + } // builtins.listToAttrs (map (port: { + name = "federation_sender-${toString port}"; + value = { + path = "/run/synapse/federation_sender-${toString port}.sock"; + }; + }) federationSenders); + #} // builtins.listToAttrs (map (port: { + # name = "federation_receiver-${toString port}"; + # value = { + # path = "/run/synapse/federation_receiver-${toString port}.sock"; + # }; + #}) federationReceivers); + + # by type: + + #map to list + federation_sender_instances = map (port: "federation_sender-${toString port}") federationSenders; + }; - plugins = with pkgs.matrix-synapse-plugins; [ - # Alicia - need to port draupnir... - #matrix-synapse-mjolnir-antispam -# matrix-synapse-pam - ]; -# extraConfigFiles = [ -# (pkgs.writeTextFile { -# name = "matrix-synapse-extra-config.yml"; -# text = '' -# modules: -# - module: "pam_auth_provider.PAMAuthProvider" -# config: -# create_users: true -# skip_user_check: false -# ''; -# }) -# ]; + ## TODO: INVESTIGATE + # worker_listeners: + # - type: metrics + # bind_address: '' + # port: 9101 + + workers = + #builtins.listToAttrs (map (port: { + # name = "federation_receiver-${toString port}"; + # value = { + # worker_app = "synapse.app.generic_worker"; + # worker_listeners = [ + # { + # port = port; + # type = "http"; + # resources = [ { + # names = [ "federation" ]; + # compress = false; + # } ]; + # } + # ]; + # }; + #}) federationReceivers) + builtins.listToAttrs (map (port: { + name = "federation_sender-${toString port}"; + value = { + worker_app = "synapse.app.generic_worker"; + worker_listeners = [ ]; + }; + }) federationSenders); }; systemd.services.matrix-synapse-reg-token = { 
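Review bot: `instance_map` advertises `/run/synapse/federation_sender-N.sock` for all 32 senders, but each worker is declared with `worker_listeners = [ ]`, so nothing listens on those paths. As far as Synapse's worker model goes, `instance_map` is only needed for workers that serve replication requests, which federation senders do not, so the map can probably be reduced to `main`; if the entries are kept for the commented-out receiver plan, say so in a comment. The lambda argument is named `port` although `federationSenders` is `lib.range 0 31`, i.e. worker indices, so `idx` would read better. The `## TODO: INVESTIGATE` block is YAML pasted into a Nix file and should name what is to be investigated.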
@@ -208,5 +266,18 @@ }; }; + + services.redis = { + package = pkgs.keydb; + servers.matrix-synapse = { + enable = true; + user = "matrix-synapse"; + }; + }; + + systemd.tmpfiles.rules = [ + "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse" + ]; + } diff --git a/host/Rory-nginx/services/postgres.nix b/host/Rory-nginx/services/postgres.nix index 3545a31..7ac3619 100755 --- a/host/Rory-nginx/services/postgres.nix +++ b/host/Rory-nginx/services/postgres.nix @@ -5,7 +5,7 @@ services.postgresql = { enable = true; - package = pkgs.postgresql_14; + package = pkgs.postgresql_16; enableTCPIP = true; authentication = pkgs.lib.mkOverride 10 '' # TYPE, DATABASE, USER, ADDRESS, METHOD |
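Review bot: The tmpfiles rule creates `/run/redis-matrix-synapse` with mode 0755, so every local user can traverse the directory and access to the KeyDB instance then rests only on the socket's own mode. Since the server and Synapse both run as `matrix-synapse`, `"D /run/redis-matrix-synapse 0750 matrix-synapse matrix-synapse"` is enough. `package = pkgs.keydb;` is set on `services.redis` itself and not on the `matrix-synapse` server, so any other `services.redis.servers.*` instance on this host would switch to KeyDB as well; a short comment noting that is worthwhile.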
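Review bot: `pkgs.postgresql_14` to `pkgs.postgresql_16` is a major-version change, and the NixOS module does not migrate an existing cluster on its own. Unless `dataDir` is set elsewhere in this file, the default data directory is versioned, so the service would presumably come up on an empty cluster and Synapse would be without its database until a `pg_upgrade` or dump/restore is done. Record the step next to the line, e.g. `# major upgrade: migrate the 14 cluster before deploying`. The context also shows `enableTCPIP = true` and an `authentication` override that continues outside the hunk, so the host-based auth rules are worth re-checking as part of the migration.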