Ajout configuration matrix

2024-12-07 19:52:45 +01:00 · 2024-12-07 19:52:45 +01:00 · 29bc3235bb
parent 7e2be3f107
commit 29bc3235bb
3 changed files with 206 additions and 42 deletions
--- a/hosts/vm/neo/default.nix
+++ b/hosts/vm/neo/default.nix
@ -6,6 +6,7 @@
    ./networking.nix

    ../../../modules
+    ../../../modules/services/matrix.nix
  ];

  boot.loader.grub.devices = [ "/dev/sda" ];
--- a/hosts/vm/neo/hardware-configuration.nix
+++ b/hosts/vm/neo/hardware-configuration.nix
@ -1,7 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-<<<<<<< HEAD
 {
  config,
  lib,
@ -23,31 +19,14 @@
    "sd_mod"
    "sr_mod"
  ];
-=======
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
->>>>>>> c9096a8 (neo secrets et hardware-configuration)
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-<<<<<<< HEAD
  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/89589639-21f1-4899-97e9-d1de6eb16d45";
+    device = "/dev/disk/by-uuid/d7e64c03-51b3-415c-8e6f-241a996b16f5";
    fsType = "ext4";
  };
-=======
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/d7e64c03-51b3-415c-8e6f-241a996b16f5";
-      fsType = "ext4";
-    };
->>>>>>> c9096a8 (neo secrets et hardware-configuration)

  swapDevices = [ ];

@ -61,7 +40,3 @@

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
-<<<<<<< HEAD
-=======
-
->>>>>>> c9096a8 (neo secrets et hardware-configuration)
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@ -1,44 +1,232 @@
 { config, ... }:

 {
-  services.postgresql = {
-    enable = true;
-    ensureUsers = [
-      {
-        name = "matrix-synapse";
-        ensureDBOwnership = true;
-      }
+  sops.secrets = {
+    ldap_synapse_passwd = {
+      sopsFile = ../../secrets/neo.yaml;
+    };
+
+    neo_extra_config = {
+      format = "yaml";
+      sopsFile = ../../secrets/neo_extra_config.yaml;
+      key = "";
+    };
+
+    matrix_appservice_irc_db = {
+      sopsFile = ../../secrets/neo.yaml;
+    };
+
+    coturn_auth_secret = {
+      sopsFile = ../../secrets/neo.yaml;
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+      8008
+      8448
    ];
-    ensureDatabases = [ "matrix-synapse" ];
  };

  services.matrix-synapse = {
-    enable = false;
+    enable = true;
+
+    plugins = with config.services.matrix-synapse.package.plugins; [
+      matrix-synapse-ldap3
+    ];

    settings = {
      server_name = "crans.org";

+      report_stats = false;
+
      listeners = [
        {
          port = 8008;
+          tls = false;
          bind_addresses = [
-            "127.0.0.1"
-            "::1"
+            "::"
+            "0.0.0.0"
          ];
          type = "http";
-          tls = false;
          x_forwarded = true;
          resources = [
            {
-              name = [
-                "client"
-                "federation"
-              ];
+              names = [ "client" ];
              compress = true;
            }
+            {
+              names = [ "federation" ];
+              compress = false;
+            }
          ];
        }
      ];
+
+      database = {
+        name = "psycopg2";
+        args = {
+          user = "synapse";
+          database = "synapse";
+          # Password is declared in extra config
+          host = "172.16.10.1";
+          cp_min = 5;
+          cp_max = 10;
+        };
+      };
+
+      modules = [
+        {
+          module = "ldap_auth_provider.LdapAuthProviderModule";
+          config = {
+            enabled = true;
+            uri = "ldap://172.16.10.157:389";
+            start_tls = false;
+            base = "dc=crans,dc=org";
+            attributes = {
+              uid = "uid";
+              mail = "mail";
+              name = "sn";
+            };
+            binddn = "cn=synapse,ou=service-users,dc=crans,dc=org";
+            bind_password_file = config.sops.secrets.ldap_synapse_passwd.path;
+            filter = "(&(objectclass=inetOrgPerson)(objectclass=posixAccount))";
+          };
+        }
+      ];
+
+      turn_uris = [
+        "turn:${config.services.coturn.realm}:3478?transport=udp"
+        "turn:${config.services.coturn.realm}:3478?transport=tcp"
+      ];
+      turn_shared_secret = config.sops.secrets.coturn_auth_secret.path;
+      turn_user_lifetime = "1h";
+
+      app_service_config_files = [
+        "/var/lib/matrix-appservice-irc/registration.yml"
+      ];
+    };
+
+    extraConfigFiles = [
+      config.sops.secrets.neo_extra_config.path
+    ];
+  };
+
+  services.matrix-appservice-irc = {
+    enable = true;
+
+    registrationUrl = "http://localhost:9999";
+    settings = {
+      homeserver = {
+        url = "https://matrix.crans.org:443";
+        domain = "crans.org";
+
+        dropMatrixMessagesAfterSecs = 3000;
+        enablePresence = true;
+      };
+
+      database = {
+        engine = "postgres";
+        connectionString = config.sops.secrets.matrix_appservice_irc_db.path;
+      };
+
+      ircService = {
+        servers = {
+          "irc.crans.org" = {
+            name = "Crans";
+            onlyAdditionalAddresses = false;
+            networkId = "crans";
+            port = 6697;
+            ssl = true;
+            sslselfsign = true;
+            sasl = false;
+            allowExpiredCerts = false;
+            sendConnectionMessages = true;
+            passwordEncryptionKeyPath = "/var/lib/matrix-appservice-irc/passkey.pem";
+
+            modePowerMap = {
+              o = 50;
+              v = 1;
+            };
+
+            dynamicChannels = {
+              enabled = true;
+              useHomeserverDirectory = true;
+              aliasTemplate = "$CHANNEL";
+            };
+
+            membershipLists = {
+              enabled = true;
+              floodDelayMs = 100;
+              global = {
+                ircToMatrix = {
+                  initial = true;
+                  incremental = true;
+                  requireMatrixJoined = true;
+                };
+                matrixToIrc = {
+                  initial = true;
+                  incremental = true;
+                };
+              };
+
+              ignoreIdleUsersOnStartup = {
+                enabled = true;
+                idleForHours = 720;
+              };
+            };
+
+            matrixClients = {
+              userTemplate = "@irc_$NICK";
+              idisplayName = "$NICK";
+            };
+
+            ircClients = {
+              nickTemplate = "$DISPLAY";
+              allowNickChanges = true;
+              maxClients = 300;
+              ipv6.enabled = false;
+              idleTimeout = 10800;
+              realnameFormat = "mxid";
+              kickOn = {
+                channelJoinFailure = true;
+                ircConnectionFailure = true;
+                userQuit = true;
+              };
+            };
+          };
+        };
+
+        bridgeInfoState = {
+          enabled = false;
+        };
+
+        logging = {
+          level = "info";
+          logging = "debug.log";
+          errfile = "error.log";
+          toConsole = true;
+          maxFiles = 2;
+        };
+
+        metrics = {
+          enabled = false;
+        };
+
+        matrixHandler = {
+          eventCacheSize = 4096;
+          shortReplyTemplate = "$NICK: $REPLY";
+          longReplyTemplate = "<$NICK> \"$ORIGINAL\" <- $REPLY";
+          shortReplyTresholdSeconds = 300;
+        };
+      };
+
+      advanced = {
+        maxHttpSockets = 1000;
+        maxTxnSize = 10000000;
+      };
    };
  };
 }