diff --git a/host/Rory-ovh/services/containers/draupnir-ansible/container.nix b/host/Rory-ovh/services/containers/draupnir-ansible/container.nix
index 5ab1aed..ef35488 100644
--- a/host/Rory-ovh/services/containers/draupnir-ansible/container.nix
+++ b/host/Rory-ovh/services/containers/draupnir-ansible/container.nix
@@ -1,6 +1,6 @@
{
-# nixpkgs-Draupnir,
-# nixpkgs-DraupnirPkg,
+ # nixpkgs-Draupnir,
+ # nixpkgs-DraupnirPkg,
...
}:
@@ -8,8 +8,8 @@
privateNetwork = true;
autoStart = true;
specialArgs = {
-# inherit nixpkgs-Draupnir;
-# inherit nixpkgs-DraupnirPkg;
+ # inherit nixpkgs-Draupnir;
+ # inherit nixpkgs-DraupnirPkg;
};
config =
{ lib, pkgs, ... }:
@@ -18,13 +18,13 @@
../shared.nix
./root.nix
./services/draupnir.nix
-# "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
+ # "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
];
-# nixpkgs.overlays = [
-# (final: prev: {
-# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
-# })
-# ];
+ # nixpkgs.overlays = [
+ # (final: prev: {
+ # draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+ # })
+ # ];
};
hostAddress = "192.168.100.1";
localAddress = "192.168.100.19";
diff --git a/host/Rory-ovh/services/containers/draupnir-cme/container.nix b/host/Rory-ovh/services/containers/draupnir-cme/container.nix
index b1ee74b..4b2d0da 100755
--- a/host/Rory-ovh/services/containers/draupnir-cme/container.nix
+++ b/host/Rory-ovh/services/containers/draupnir-cme/container.nix
@@ -1,4 +1,4 @@
-{
+{
#nixpkgs-Draupnir,
#nixpkgs-DraupnirPkg,
...
@@ -20,11 +20,11 @@
./services/draupnir.nix
#"${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
];
-# nixpkgs.overlays = [
-# (final: prev: {
-# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
-# })
-# ];
+ # nixpkgs.overlays = [
+ # (final: prev: {
+ # draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+ # })
+ # ];
};
hostAddress = "192.168.100.1";
localAddress = "192.168.100.17";
diff --git a/host/Rory-ovh/services/containers/draupnir-fedora/container.nix b/host/Rory-ovh/services/containers/draupnir-fedora/container.nix
index 5ba9765..fe4571e 100644
--- a/host/Rory-ovh/services/containers/draupnir-fedora/container.nix
+++ b/host/Rory-ovh/services/containers/draupnir-fedora/container.nix
@@ -1,6 +1,6 @@
{
-# nixpkgs-Draupnir,
-# nixpkgs-DraupnirPkg,
+ # nixpkgs-Draupnir,
+ # nixpkgs-DraupnirPkg,
...
}:
@@ -8,8 +8,8 @@
privateNetwork = true;
autoStart = true;
specialArgs = {
-# inherit nixpkgs-Draupnir;
-# inherit nixpkgs-DraupnirPkg;
+ # inherit nixpkgs-Draupnir;
+ # inherit nixpkgs-DraupnirPkg;
};
config =
{ lib, pkgs, ... }:
@@ -18,13 +18,13 @@
../shared.nix
./root.nix
./services/draupnir.nix
-# "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
+ # "${nixpkgs-Draupnir}/nixos/modules/services/matrix/draupnir.nix"
];
-# nixpkgs.overlays = [
-# (final: prev: {
-# draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
-# })
-# ];
+ # nixpkgs.overlays = [
+ # (final: prev: {
+ # draupnir = nixpkgs-DraupnirPkg.legacyPackages.${pkgs.stdenv.hostPlatform.system}.draupnir;
+ # })
+ # ];
};
hostAddress = "192.168.100.1";
localAddress = "192.168.100.18";
diff --git a/host/Rory-ovh/services/containers/shared.nix b/host/Rory-ovh/services/containers/shared.nix
index f267ff0..7bad188 100644
--- a/host/Rory-ovh/services/containers/shared.nix
+++ b/host/Rory-ovh/services/containers/shared.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, ... }:
{
environment.systemPackages = with pkgs; [
neofetch
@@ -14,4 +14,30 @@
jq
dig
];
+
+ networking.resolvconf.enable = false;
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ "8.8.8.8"
+ "8.4.4.8"
+ ];
+
+ environment.etc."resolv.conf" = lib.mkDefault {
+ text = lib.concatStringsSep "\n" (
+ lib.optionals (config.networking ? nameservers) (map (nameserver: "nameserver ${nameserver}") (config.networking.nameservers))
+ #++ lib.optionals (config.networking ? enableIPv6 && !config.networking.enableIPv6) [ "options no-aaaa" ]
+ ++ lib.optionals (config.networking ? enableIPv6 && config.networking.enableIPv6) [
+ "options single-request"
+ "options single-request-reopen"
+ "options inet6"
+ ]
+ );
+ };
+
+ services.resolved = {
+ enable = lib.mkForce false;
+ dnssec = lib.mkForce "false";
+ dnsovertls = lib.mkForce "false";
+ };
}
diff --git a/host/Rory-ovh/services/containers/syntest1/container.nix b/host/Rory-ovh/services/containers/syntest1/container.nix
new file mode 100644
index 0000000..da77a2d
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/container.nix
@@ -0,0 +1,68 @@
+{
+ nixpkgs-master,
+ matrix-synapse-unwrapped-patched,
+ ...
+}:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = {
+ inherit matrix-synapse-unwrapped-patched;
+ };
+ nixpkgs = nixpkgs-master;
+ config =
+ {
+ lib,
+ pkgs,
+ matrix-synapse-unwrapped-patched,
+ ...
+ }:
+ {
+ imports = [
+ ../shared.nix
+ ./root.nix
+ ./services/synapse/synapse-main.nix
+ ./services/postgres.nix
+ (
+ {
+ pkgs,
+ lib,
+ config,
+ ...
+ }:
+
+ {
+ options.virtualisation = {
+ isVmVariant = lib.mkOption {
+ default = false;
+ example = true;
+ description = "Whether this build is a VM build.";
+ type = lib.types.bool;
+ };
+ };
+ config = {
+ virtualisation.vmVariant = {
+ virtualisation.isVmVariant = true;
+ };
+ };
+ }
+ )
+ ];
+
+ nixpkgs.overlays = [
+ (final: prev: {
+ matrix-synapse-unwrapped = matrix-synapse-unwrapped-patched;
+ })
+ ];
+ networking.firewall.allowedTCPPorts = [ 8008 ];
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.20";
+
+ bindMounts."postgres" = {
+ hostPath = "/data/dedicated/postgres-syntest1";
+ mountPoint = "/data/postgres";
+ isReadOnly = false;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/root.nix b/host/Rory-ovh/services/containers/syntest1/root.nix
new file mode 100644
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/root.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ networking.useHostResolvConf = true;
+
+ networking.hosts = {
+ "192.168.100.1" = [
+ "matrix.rory.gay"
+ "rory.gay"
+ ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/services/postgres.nix b/host/Rory-ovh/services/containers/syntest1/services/postgres.nix
new file mode 100755
index 0000000..98d7155
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/services/postgres.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.tmpfiles.rules = [ "d /data/postgres 0750 postgres postgres" ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17_jit;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host discordbots discordbots 192.168.1.2/32 trust
+ host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ # initialScript = pkgs.writeText "backend-initScript" ''
+ # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+ # CREATE DATABASE nixcloud;
+ # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+ # '';
+ dataDir = "/data/postgres";
+ settings = {
+ # https://pgconfigurator.cybertec.at/
+ max_connections = 2500;
+ superuser_reserved_connections = 3;
+
+ shared_buffers = if config.virtualisation.isVmVariant then "128MB" else "64GB";
+ work_mem = if config.virtualisation.isVmVariant then "64MB" else "32GB";
+ maintenance_work_mem = if config.virtualisation.isVmVariant then "512MB" else "8GB";
+ huge_pages = "try";
+ effective_cache_size = if config.virtualisation.isVmVariant then "1GB" else "64GB"; # was 22
+ effective_io_concurrency = 100;
+ random_page_cost = 1.1;
+
+ # can use this to view stats: SELECT query, total_time, calls, rows FROM pg_stat_statements ORDER BY total_time DESC LIMIT 10;
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+ "pg_stat_statements.max" = "10000"; # additional
+ "pg_stat_statements.track" = "all"; # additional
+
+ wal_level = "replica";
+ max_wal_senders = 0;
+ synchronous_commit = "on"; # was ond3
+
+ checkpoint_timeout = "15min";
+ checkpoint_completion_target = "0.9";
+ max_wal_size = "2GB";
+ min_wal_size = "1GB";
+
+ wal_compression = "off";
+ wal_buffers = "-1";
+ wal_writer_delay = "500ms"; # was 100
+ wal_writer_flush_after = "32MB"; # was 1
+ #checkpoint_segments = "64"; # additional
+ default_statistics_target = "250"; # additional
+
+ bgwriter_delay = "200ms";
+ bgwriter_lru_maxpages = "100";
+ bgwriter_lru_multiplier = "2.0";
+ bgwriter_flush_after = "0";
+
+ max_worker_processes = "64"; # was 14
+ max_parallel_workers_per_gather = "32"; # was 7
+ max_parallel_maintenance_workers = "32"; # was 7
+ max_parallel_workers = "64"; # was 14
+ parallel_leader_participation = "on";
+
+ enable_partitionwise_join = "on";
+ enable_partitionwise_aggregate = "on";
+ jit = "on";
+ max_slot_wal_keep_size = "1GB";
+ track_wal_io_timing = "on";
+ maintenance_io_concurrency = "4";
+ wal_recycle = "on";
+
+ };
+ };
+
+ # services.prometheus.exporters.postgres = {
+ # enable = true;
+ # port = 9187;
+ # extraFlags = [
+ # "--collector.database_wraparound"
+ # "--collector.long_running_transactions"
+ # "--collector.postmaster"
+ # "--collector.process_idle"
+ # "--collector.stat_activity_autovacuum"
+ # "--collector.stat_statements"
+ # #"--collector.stat_wal_receiver" #we dont have WAL receivers
+ # "--collector.statio_user_indexes"
+ # "--collector.xlog_location"
+ # ];
+ # };
+
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/services/synapse/caches.nix b/host/Rory-ovh/services/containers/syntest1/services/synapse/caches.nix
new file mode 100644
index 0000000..7ddb804
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/services/synapse/caches.nix
@@ -0,0 +1,25 @@
+{
+ gc_min_interval = [
+ "15m"
+ "30m"
+ "60m"
+ ];
+ gc_thresholds = [
+ 10000
+
+ 5000
+ 2500
+ ];
+ event_cache_size = "12000K"; # defaults to 10K
+ caches = {
+ global_factor = 500000.0;
+ cache_entry_ttl = "24h";
+ expire_caches = true;
+ sync_response_cache_duration = "15m";
+ cache_autotuning = {
+ max_cache_memory_usage = "65536M";
+ target_cache_memory_usage = "32768M";
+ min_cache_ttl = "6h";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/services/synapse/db.nix b/host/Rory-ovh/services/containers/syntest1/services/synapse/db.nix
new file mode 100644
index 0000000..28dc79f
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/services/synapse/db.nix
@@ -0,0 +1,49 @@
+{
+ workerName ? null,
+ dbGroup ? null,
+}:
+{
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse";
+ password = "somepassword";
+ database = "matrix-synapse";
+ host = "/run/postgresql";
+ application_name = "matrix-synapse - ${if workerName == null then throw "synapse/db.nix: workerName unspecified" else workerName}";
+ cp_min =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 5
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+ cp_max =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 10
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+
+ # cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
+ # cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
+ # check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
+ };
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+ # statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
+ # allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
+ # allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
+ # txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/services/synapse/ratelimits.nix b/host/Rory-ovh/services/containers/syntest1/services/synapse/ratelimits.nix
new file mode 100644
index 0000000..85f51f2
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/services/synapse/ratelimits.nix
@@ -0,0 +1,97 @@
+{
+ # messages
+ rc_message = {
+ per_second = 1000000;
+ burst_count = 1000000;
+ };
+ rc_admin_redaction = {
+ per_second = 10000000;
+ burst_count = 10000000;
+ };
+
+ # room joins
+ rc_joins = {
+ local = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_joins_per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # room invites
+ rc_invites = {
+ per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_user = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_issuer = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_third_party_invite = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # federation
+ rc_federation = {
+ window_size = 10;
+ sleep_limit = 1000;
+ sleep_delay = 100;
+ reject_limit = 1000;
+ concurrent = 100;
+ };
+ federation_rr_transactions_per_room_per_second = 100;
+
+ # media
+ rc_media_create = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote_media_download_burst_count = "512G";
+ remote_media_download_per_second = "512G";
+
+ # authentication
+ rc_login = {
+ address = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ account = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ failed_attempts = {
+ per_second = 0.1;
+ burst_count = 3;
+ };
+ };
+ rc_3pid_validation = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ #presence
+ rc_presence.per_user = {
+ per_second = 1;
+ burst_count = 2;
+ };
+
+ #delayed events
+ rc_delayed_event_mgmt = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest1/services/synapse/synapse-main.nix b/host/Rory-ovh/services/containers/syntest1/services/synapse/synapse-main.nix
new file mode 100755
index 0000000..327d648
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest1/services/synapse/synapse-main.nix
@@ -0,0 +1,212 @@
+{
+ config,
+ pkgs,
+ matrix-synapse-patched,
+ ...
+}:
+
+{
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ dataDir = "/data/matrix-synapse";
+
+ settings =
+ {
+ server_name = "syntest1.rory.gay";
+
+ dummy_events_threshold = 5;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "90s"; # 30 # default=60s
+ max_short_retries = 6; # 12
+ max_short_retry_delay = "10s"; # 5
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "1m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.1; # 1.2 # default=2
+ };
+
+ registration_shared_secret_path = "/data/secrets/synapse-shared-secret";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "192.168.100.20" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ database = (
+ import ./db.nix {
+ workerName = "main";
+ dbGroup = "medium";
+ }
+ );
+
+ #region Media
+ max_upload_size = "512M";
+
+ max_avatar_size = "512M";
+ max_image_pixels = "250M";
+
+ max_pending_media_uploads = 512;
+ dynamic_thumbnails = true;
+
+ prevent_media_downloads_from = [
+ # none, give me all the media
+ ];
+ enable_authenticated_media = false;
+
+ url_preview_enabled = true;
+ max_spider_size = "50M";
+
+ #endregion
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2409_to_device_messages_enabled" = true;
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3202_transaction_extensions" = true; # appservice transaction extensions (device list/keys)
+ "msc3266_enabled" = true; # Room summary API
+ "msc3391_enabled" = true; # Remove account data
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc3852_enabled" = true; # Last seen on /devices (CS-API/admin)
+ "msc3874_enabled" = true; # filtering /messages with rel_types / not_rel_types
+ "msc3890_enabled" = true; # communicate account data deletion to clients
+ "msc3912_enabled" = true; # /messages with rel_types / not_rel_types and event id
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc4069_profile_inhibit_propagation" = true; # Inhibit profile update propagation
+ "msc4133_enabled" = true; # Custom profile fields
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ "msc4210_enabled" = false; # Remove legacy mentions -- we want this *disabled* for moderation reasons
+ "msc4222_enabled" = true; # state_after in sync
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
+ };
+ }
+ // import ./ratelimits.nix
+ // import ./caches.nix;
+ };
+
+ services.redis = {
+ package = pkgs.valkey;
+ servers.matrix-synapse = {
+ enable = true;
+ user = "matrix-synapse";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse"
+ "D /run/secrets 0755 nobody nobody"
+ ];
+
+ systemd.services."matrix-synapse-generate-token" = {
+ # generate /data/secrets/synapse-shared-secret
+ description = "Generate Synapse shared secret";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ before = [ "matrix-synapse.service" ];
+ script = ''
+ set -e -x -o pipefail
+ echo "Starting key generation"
+ if [ ! -f "/data/secrets/synapse-shared-secret" ]
+ then
+ echo "Generating new key"
+ ${pkgs.openssl}/bin/openssl rand -base64 32 > /data/secrets/synapse-shared-secret
+ echo "Key generation complete"
+ else
+ echo "Not generating key, key exists"
+ fi
+ echo "Script complete"
+ '';
+ };
+
+ systemd.services."matrix-synapse-postgres-init" = {
+ description = "Generate synapse postgres user";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "postgresql.service"
+ ];
+ before = [ "matrix-synapse.service" ];
+
+ script = ''
+ set -e -x -o pipefail
+ ${pkgs.postgresql}/bin/createuser ${config.services.matrix-synapse.settings.database.args.user} || true
+ ${pkgs.postgresql}/bin/createdb --encoding=UTF8 --locale=C --template=template0 --owner=${config.services.matrix-synapse.settings.database.args.user} ${config.services.matrix-synapse.settings.database.args.database} || true
+ '';
+ serviceConfig = {
+ User = "postgres";
+ Group = "postgres";
+ WorkingDirectory = config.services.postgresql.dataDir;
+ RemainAfterExit = true;
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/container.nix b/host/Rory-ovh/services/containers/syntest2/container.nix
new file mode 100644
index 0000000..7cea11f
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/container.nix
@@ -0,0 +1,59 @@
+{
+ nixpkgs-master,
+ ...
+}:
+
+{
+ privateNetwork = true;
+ autoStart = true;
+ specialArgs = { };
+ nixpkgs = nixpkgs-master;
+ config =
+ {
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ imports = [
+ ../shared.nix
+ ./root.nix
+ ./services/synapse/synapse-main.nix
+ ./services/postgres.nix
+ (
+ {
+ pkgs,
+ lib,
+ config,
+ ...
+ }:
+
+ {
+ options.virtualisation = {
+ isVmVariant = lib.mkOption {
+ default = false;
+ example = true;
+ description = "Whether this build is a VM build.";
+ type = lib.types.bool;
+ };
+ };
+ config = {
+ virtualisation.vmVariant = {
+ virtualisation.isVmVariant = true;
+ };
+ };
+ }
+ )
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 8008 ];
+ };
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.21";
+
+ bindMounts."postgres" = {
+ hostPath = "/data/dedicated/postgres-syntest2";
+ mountPoint = "/data/postgres";
+ isReadOnly = false;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/root.nix b/host/Rory-ovh/services/containers/syntest2/root.nix
new file mode 100644
index 0000000..0ebce9e
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/root.nix
@@ -0,0 +1,16 @@
+{ ... }:
+
+{
+ networking.useHostResolvConf = true;
+
+ networking.hosts = {
+ "192.168.100.1" = [
+ "matrix.rory.gay"
+ "rory.gay"
+ ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/services/postgres.nix b/host/Rory-ovh/services/containers/syntest2/services/postgres.nix
new file mode 100755
index 0000000..98d7155
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/services/postgres.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.tmpfiles.rules = [ "d /data/postgres 0750 postgres postgres" ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_17_jit;
+ enableTCPIP = true;
+ authentication = pkgs.lib.mkOverride 10 ''
+ # TYPE, DATABASE, USER, ADDRESS, METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host discordbots discordbots 192.168.1.2/32 trust
+ host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+ host all all 0.0.0.0/0 md5
+ '';
+ # initialScript = pkgs.writeText "backend-initScript" ''
+ # CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+ # CREATE DATABASE nixcloud;
+ # GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+ # '';
+ dataDir = "/data/postgres";
+ settings = {
+ # https://pgconfigurator.cybertec.at/
+ max_connections = 2500;
+ superuser_reserved_connections = 3;
+
+ shared_buffers = if config.virtualisation.isVmVariant then "128MB" else "64GB";
+ work_mem = if config.virtualisation.isVmVariant then "64MB" else "32GB";
+ maintenance_work_mem = if config.virtualisation.isVmVariant then "512MB" else "8GB";
+ huge_pages = "try";
+ effective_cache_size = if config.virtualisation.isVmVariant then "1GB" else "64GB"; # was 22
+ effective_io_concurrency = 100;
+ random_page_cost = 1.1;
+
+ # can use this to view stats: SELECT query, total_time, calls, rows FROM pg_stat_statements ORDER BY total_time DESC LIMIT 10;
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+ "pg_stat_statements.max" = "10000"; # additional
+ "pg_stat_statements.track" = "all"; # additional
+
+ wal_level = "replica";
+ max_wal_senders = 0;
+ synchronous_commit = "on"; # was ond3
+
+ checkpoint_timeout = "15min";
+ checkpoint_completion_target = "0.9";
+ max_wal_size = "2GB";
+ min_wal_size = "1GB";
+
+ wal_compression = "off";
+ wal_buffers = "-1";
+ wal_writer_delay = "500ms"; # was 100
+ wal_writer_flush_after = "32MB"; # was 1
+ #checkpoint_segments = "64"; # additional
+ default_statistics_target = "250"; # additional
+
+ bgwriter_delay = "200ms";
+ bgwriter_lru_maxpages = "100";
+ bgwriter_lru_multiplier = "2.0";
+ bgwriter_flush_after = "0";
+
+ max_worker_processes = "64"; # was 14
+ max_parallel_workers_per_gather = "32"; # was 7
+ max_parallel_maintenance_workers = "32"; # was 7
+ max_parallel_workers = "64"; # was 14
+ parallel_leader_participation = "on";
+
+ enable_partitionwise_join = "on";
+ enable_partitionwise_aggregate = "on";
+ jit = "on";
+ max_slot_wal_keep_size = "1GB";
+ track_wal_io_timing = "on";
+ maintenance_io_concurrency = "4";
+ wal_recycle = "on";
+
+ };
+ };
+
+ # services.prometheus.exporters.postgres = {
+ # enable = true;
+ # port = 9187;
+ # extraFlags = [
+ # "--collector.database_wraparound"
+ # "--collector.long_running_transactions"
+ # "--collector.postmaster"
+ # "--collector.process_idle"
+ # "--collector.stat_activity_autovacuum"
+ # "--collector.stat_statements"
+ # #"--collector.stat_wal_receiver" #we dont have WAL receivers
+ # "--collector.statio_user_indexes"
+ # "--collector.xlog_location"
+ # ];
+ # };
+
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/services/synapse/caches.nix b/host/Rory-ovh/services/containers/syntest2/services/synapse/caches.nix
new file mode 100644
index 0000000..7ddb804
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/services/synapse/caches.nix
@@ -0,0 +1,25 @@
+{
+ gc_min_interval = [
+ "15m"
+ "30m"
+ "60m"
+ ];
+ gc_thresholds = [
+ 10000
+
+ 5000
+ 2500
+ ];
+ event_cache_size = "12000K"; # defaults to 10K
+ caches = {
+ global_factor = 500000.0;
+ cache_entry_ttl = "24h";
+ expire_caches = true;
+ sync_response_cache_duration = "15m";
+ cache_autotuning = {
+ max_cache_memory_usage = "65536M";
+ target_cache_memory_usage = "32768M";
+ min_cache_ttl = "6h";
+ };
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/services/synapse/db.nix b/host/Rory-ovh/services/containers/syntest2/services/synapse/db.nix
new file mode 100644
index 0000000..28dc79f
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/services/synapse/db.nix
@@ -0,0 +1,49 @@
+{
+ workerName ? null,
+ dbGroup ? null,
+}:
+{
+ name = "psycopg2";
+ args = {
+ user = "matrix-synapse";
+ password = "somepassword";
+ database = "matrix-synapse";
+ host = "/run/postgresql";
+ application_name = "matrix-synapse - ${if workerName == null then throw "synapse/db.nix: workerName unspecified" else workerName}";
+ cp_min =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 5
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+ cp_max =
+ if dbGroup == "solo" then
+ 1
+ else if dbGroup == "small" then
+ 2
+ else if dbGroup == "medium" then
+ 10
+ else if dbGroup == "large" then
+ 10
+ else
+ throw "synapse/db.nix: Invalid dbGroup: ${if dbGroup == null then "null" else dbGroup}";
+
+ # cp_reconnect - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L129
+ # cp_noisy - default=False - https://docs.twisted.org/en/stable/api/twisted.enterprise.adbapi.ConnectionPool.html#__init__ - info logs during operation
+ # check_same_thread - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/config/database.py#L65 - can this even be set?
+ };
+
+ # synchronous_commit - default=True - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L56
+ # statement_timeout - default=60 * 60 * 1000 ms - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L63
+ # allow_unsafe_locale - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L99
+ # allow_outdated_version - default=False - https://github.com/element-hq/synapse/blob/develop/synapse/storage/engines/postgres.py#L92 - needs source link
+ # txn_limit - default=0 - https://github.com/element-hq/synapse/blob/develop/synapse/storage/database.py#L564
+
+ statement_timeout = 24 * 60 * 60 * 1000; # 24 hours, good for bg jobs
+ txn_limit = 500; # maybe dropping old data from pg caches helps?
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/services/synapse/ratelimits.nix b/host/Rory-ovh/services/containers/syntest2/services/synapse/ratelimits.nix
new file mode 100644
index 0000000..85f51f2
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/services/synapse/ratelimits.nix
@@ -0,0 +1,97 @@
+{
+ # messages
+ rc_message = {
+ per_second = 1000000;
+ burst_count = 1000000;
+ };
+ rc_admin_redaction = {
+ per_second = 10000000;
+ burst_count = 10000000;
+ };
+
+ # room joins
+ rc_joins = {
+ local = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_joins_per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # room invites
+ rc_invites = {
+ per_room = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_user = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ per_issuer = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ };
+ rc_third_party_invite = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ # federation
+ rc_federation = {
+ window_size = 10;
+ sleep_limit = 1000;
+ sleep_delay = 100;
+ reject_limit = 1000;
+ concurrent = 100;
+ };
+ federation_rr_transactions_per_room_per_second = 100;
+
+ # media
+ rc_media_create = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ remote_media_download_burst_count = "512G";
+ remote_media_download_per_second = "512G";
+
+ # authentication
+ rc_login = {
+ address = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ account = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+ failed_attempts = {
+ per_second = 0.1;
+ burst_count = 3;
+ };
+ };
+ rc_3pid_validation = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+
+ #presence
+ rc_presence.per_user = {
+ per_second = 1;
+ burst_count = 2;
+ };
+
+ #delayed events
+ rc_delayed_event_mgmt = {
+ per_second = 1000;
+ burst_count = 1000;
+ };
+}
diff --git a/host/Rory-ovh/services/containers/syntest2/services/synapse/synapse-main.nix b/host/Rory-ovh/services/containers/syntest2/services/synapse/synapse-main.nix
new file mode 100755
index 0000000..9c16039
--- /dev/null
+++ b/host/Rory-ovh/services/containers/syntest2/services/synapse/synapse-main.nix
@@ -0,0 +1,211 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+
+{
+ services.matrix-synapse = {
+ enable = true;
+ withJemalloc = true;
+ dataDir = "/data/matrix-synapse";
+
+ settings =
+ {
+ server_name = "syntest2.rory.gay";
+
+ dummy_events_threshold = 5;
+ cleanup_extremities_with_dummy_events = true;
+
+ enable_registration = true;
+ registration_requires_token = true;
+
+ require_membership_for_aliases = false;
+ redaction_retention_period = null;
+ user_ips_max_age = null;
+ allow_device_name_lookup_over_federation = true;
+
+ federation = {
+ client_timeout = "90s"; # 30 # default=60s
+ max_short_retries = 6; # 12
+ max_short_retry_delay = "10s"; # 5
+ max_long_retries = 5;
+ max_long_retry_delay = "30s";
+
+ # rapid retry, small increments
+ destination_min_retry_interval = "1m"; # default=10m
+ destination_max_retry_interval = "12h"; # default=7d
+ destination_retry_multiplier = 1.1; # 1.2 # default=2
+ };
+
+ registration_shared_secret_path = "/data/secrets/synapse-shared-secret";
+
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "192.168.100.21" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [
+ "client"
+ "federation"
+ ];
+ compress = false;
+ }
+ ];
+ }
+ {
+ type = "http";
+ path = "/run/matrix-synapse/main.sock";
+ resources = [
+ {
+ names = [ "replication" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ presence = {
+ enable = true;
+ update_interval = 60;
+ };
+ database = (
+ import ./db.nix {
+ workerName = "main";
+ dbGroup = "medium";
+ }
+ );
+
+ #region Media
+ max_upload_size = "512M";
+
+ max_avatar_size = "512M";
+ max_image_pixels = "250M";
+
+ max_pending_media_uploads = 512;
+ dynamic_thumbnails = true;
+
+ prevent_media_downloads_from = [
+ # none, give me all the media
+ ];
+ enable_authenticated_media = false;
+
+ url_preview_enabled = true;
+ max_spider_size = "50M";
+
+ #endregion
+
+ ui_auth = {
+ session_timeout = "1m";
+ };
+
+ login_via_existing_session = {
+ enabled = true;
+ require_ui_auth = true;
+ token_timeout = "1y";
+ };
+
+ report_stats = false;
+
+ user_directory = {
+ enabled = true;
+ search_all_users = true;
+ prefer_local_users = true;
+ };
+
+ # https://github.com/element-hq/synapse/blob/master/synapse/config/experimental.py
+ experimental_features = {
+ "msc2409_to_device_messages_enabled" = true;
+ "msc2815_enabled" = true; # Redacted event content
+ "msc3026_enabled" = true; # Busy presence
+ "msc3202_transaction_extensions" = true; # appservice transaction extensions (device list/keys)
+ "msc3266_enabled" = true; # Room summary API
+ "msc3391_enabled" = true; # Remove account data
+ "msc3823_account_suspension" = true; # Account suspension
+ "msc3852_enabled" = true; # Last seen on /devices (CS-API/admin)
+ "msc3874_enabled" = true; # filtering /messages with rel_types / not_rel_types
+ "msc3890_enabled" = true; # communicate account data deletion to clients
+ "msc3912_enabled" = true; # /messages with rel_types / not_rel_types and event id
+ "msc3916_authenticated_media_enabled" = true; # Authenticated media
+ "msc4069_profile_inhibit_propagation" = true; # Inhibit profile update propagation
+ "msc4133_enabled" = true; # Custom profile fields
+ "msc4151_enabled" = true; # Report room API (CS-API)
+ "msc4210_enabled" = false; # Remove legacy mentions -- we want this *disabled* for moderation reasons
+ "msc4222_enabled" = true; # state_after in sync
+ };
+
+ redis = {
+ enabled = true;
+ path = "/run/redis-matrix-synapse/redis.sock";
+ };
+
+ instance_map = {
+ main = {
+ # replication listener
+ path = "/run/matrix-synapse/main.sock";
+ };
+ };
+ }
+ // import ./ratelimits.nix
+ // import ./caches.nix;
+ };
+
+ services.redis = {
+ package = pkgs.valkey;
+ servers.matrix-synapse = {
+ enable = true;
+ user = "matrix-synapse";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "D /run/redis-matrix-synapse 0755 matrix-synapse matrix-synapse"
+ "D /run/secrets 0755 nobody nobody"
+ ];
+
+ systemd.services."matrix-synapse-generate-token" = {
+ # generate /data/secrets/synapse-shared-secret
+ description = "Generate Synapse shared secret";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ before = [ "matrix-synapse.service" ];
+ script = ''
+ set -e -x -o pipefail
+ echo "Starting key generation"
+ if [ ! -f "/data/secrets/synapse-shared-secret" ]
+ then
+ echo "Generating new key"
+ ${pkgs.openssl}/bin/openssl rand -base64 32 > /data/secrets/synapse-shared-secret
+ echo "Key generation complete"
+ else
+ echo "Not generating key, key exists"
+ fi
+ echo "Script complete"
+ '';
+ };
+
+ systemd.services."matrix-synapse-postgres-init" = {
+ description = "Generate synapse postgres user";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "postgresql.service"
+ ];
+ before = [ "matrix-synapse.service" ];
+
+ script = ''
+ set -e -x -o pipefail
+ ${pkgs.postgresql}/bin/createuser ${config.services.matrix-synapse.settings.database.args.user} || true
+ ${pkgs.postgresql}/bin/createdb --encoding=UTF8 --locale=C --template=template0 --owner=${config.services.matrix-synapse.settings.database.args.user} ${config.services.matrix-synapse.settings.database.args.database} || true
+ '';
+ serviceConfig = {
+ User = "postgres";
+ Group = "postgres";
+ WorkingDirectory = config.services.postgresql.dataDir;
+ RemainAfterExit = true;
+ };
+ };
+}
|
