diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix
index 261f796..8416710 100644
--- a/hosts/vm/neo/default.nix
+++ b/hosts/vm/neo/default.nix
@@ -6,6 +6,7 @@
 ./networking.nix
 ../../../modules
+ ../../../modules/services/matrix.nix
 ];
 boot.loader.grub.devices = [ "/dev/sda" ];
diff --git a/hosts/vm/neo/hardware-configuration.nix b/hosts/vm/neo/hardware-configuration.nix
index 8045fee..065d77c 100644
--- a/hosts/vm/neo/hardware-configuration.nix
+++ b/hosts/vm/neo/hardware-configuration.nix
@@ -1,7 +1,3 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-<<<<<<< HEAD
 {
 config,
 lib,
@@ -23,31 +19,14 @@
 "sd_mod"
 "sr_mod"
 ];
-=======
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
->>>>>>> c9096a8 (neo secrets et hardware-configuration)
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
-<<<<<<< HEAD
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/89589639-21f1-4899-97e9-d1de6eb16d45";
+ device = "/dev/disk/by-uuid/d7e64c03-51b3-415c-8e6f-241a996b16f5";
 fsType = "ext4";
 };
-=======
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/d7e64c03-51b3-415c-8e6f-241a996b16f5";
- fsType = "ext4";
- };
->>>>>>> c9096a8 (neo secrets et hardware-configuration)
 swapDevices = [ ];
@@ -61,7 +40,3 @@
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
-<<<<<<< HEAD
-=======
-
->>>>>>> c9096a8 (neo secrets et hardware-configuration)
diff --git a/modules/services/matrix.nix b/modules/services/matrix.nix
index e2dcc12..e152b3b 100644
--- a/modules/services/matrix.nix
+++ b/modules/services/matrix.nix
@@ -1,44 +1,232 @@
 { config, ... }:
 {
- services.postgresql = {
- enable = true;
- ensureUsers = [
- {
- name = "matrix-synapse";
- ensureDBOwnership = true;
- }
+ sops.secrets = {
+ ldap_synapse_passwd = {
+ sopsFile = ../../secrets/neo.yaml;
+ };
+
+ neo_extra_config = {
+ format = "yaml";
+ sopsFile = ../../secrets/neo_extra_config.yaml;
+ key = "";
+ };
+
+ matrix_appservice_irc_db = {
+ sopsFile = ../../secrets/neo.yaml;
+ };
+
+ coturn_auth_secret = {
+ sopsFile = ../../secrets/neo.yaml;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ 8008
+ 8448
 ];
- ensureDatabases = [ "matrix-synapse" ];
 };
 services.matrix-synapse = {
- enable = false;
+ enable = true;
+
+ plugins = with config.services.matrix-synapse.package.plugins; [
+ matrix-synapse-ldap3
+ ];
 settings = {
 server_name = "crans.org";
+ report_stats = false;
+
 listeners = [
 {
 port = 8008;
+ tls = false;
 bind_addresses = [
- "127.0.0.1"
- "::1"
+ "::"
+ "0.0.0.0"
 ];
 type = "http";
- tls = false;
 x_forwarded = true;
 resources = [
 {
- name = [
- "client"
- "federation"
- ];
+ names = [ "client" ];
 compress = true;
 }
+ {
+ names = [ "federation" ];
+ compress = false;
+ }
 ];
 }
 ];
+
+ database = {
+ name = "psycopg2";
+ args = {
+ user = "synapse";
+ database = "synapse";
+ # Password is declared in extra config
+ host = "172.16.10.1";
+ cp_min = 5;
+ cp_max = 10;
+ };
+ };
+
+ modules = [
+ {
+ module = "ldap_auth_provider.LdapAuthProviderModule";
+ config = {
+ enabled = true;
+ uri = "ldap://172.16.10.157:389";
+ start_tls = false;
+ base = "dc=crans,dc=org";
+ attributes = {
+ uid = "uid";
+ mail = "mail";
+ name = "sn";
+ };
+ binddn = "cn=synapse,ou=service-users,dc=crans,dc=org";
+ bind_password_file = config.sops.secrets.ldap_synapse_passwd.path;
+ filter = "(&(objectclass=inetOrgPerson)(objectclass=posixAccount))";
+ };
+ }
+ ];
+
+ turn_uris = [
+ "turn:${config.services.coturn.realm}:3478?transport=udp"
+ "turn:${config.services.coturn.realm}:3478?transport=tcp"
+ ];
+ turn_shared_secret = config.sops.secrets.coturn_auth_secret.path;
+ turn_user_lifetime = "1h";
+
+ app_service_config_files = [
+ "/var/lib/matrix-appservice-irc/registration.yml"
+ ];
+ };
+
+ extraConfigFiles = [
+ config.sops.secrets.neo_extra_config.path
+ ];
+ };
+
+ services.matrix-appservice-irc = {
+ enable = true;
+
+ registrationUrl = "http://localhost:9999";
+ settings = {
+ homeserver = {
+ url = "https://matrix.crans.org:443";
+ domain = "crans.org";
+
+ dropMatrixMessagesAfterSecs = 3000;
+ enablePresence = true;
+ };
+
+ database = {
+ engine = "postgres";
+ connectionString = config.sops.secrets.matrix_appservice_irc_db.path;
+ };
+
+ ircService = {
+ servers = {
+ "irc.crans.org" = {
+ name = "Crans";
+ onlyAdditionalAddresses = false;
+ networkId = "crans";
+ port = 6697;
+ ssl = true;
+ sslselfsign = true;
+ sasl = false;
+ allowExpiredCerts = false;
+ sendConnectionMessages = true;
+ passwordEncryptionKeyPath = "/var/lib/matrix-appservice-irc/passkey.pem";
+
+ modePowerMap = {
+ o = 50;
+ v = 1;
+ };
+
+ dynamicChannels = {
+ enabled = true;
+ useHomeserverDirectory = true;
+ aliasTemplate = "$CHANNEL";
+ };
+
+ membershipLists = {
+ enabled = true;
+ floodDelayMs = 100;
+ global = {
+ ircToMatrix = {
+ initial = true;
+ incremental = true;
+ requireMatrixJoined = true;
+ };
+ matrixToIrc = {
+ initial = true;
+ incremental = true;
+ };
+ };
+
+ ignoreIdleUsersOnStartup = {
+ enabled = true;
+ idleForHours = 720;
+ };
+ };
+
+ matrixClients = {
+ userTemplate = "@irc_$NICK";
+ idisplayName = "$NICK";
+ };
+
+ ircClients = {
+ nickTemplate = "$DISPLAY";
+ allowNickChanges = true;
+ maxClients = 300;
+ ipv6.enabled = false;
+ idleTimeout = 10800;
+ realnameFormat = "mxid";
+ kickOn = {
+ channelJoinFailure = true;
+ ircConnectionFailure = true;
+ userQuit = true;
+ };
+ };
+ };
+ };
+
+ bridgeInfoState = {
+ enabled = false;
+ };
+
+ logging = {
+ level = "info";
+ logging = "debug.log";
+ errfile = "error.log";
+ toConsole = true;
+ maxFiles = 2;
+ };
+
+ metrics = {
+ enabled = false;
+ };
+
+ matrixHandler = {
+ eventCacheSize = 4096;
+ shortReplyTemplate = "$NICK: $REPLY";
+ longReplyTemplate = "<$NICK> \"$ORIGINAL\" <- $REPLY";
+ shortReplyTresholdSeconds = 300;
+ };
+ };
+
+ advanced = {
+ maxHttpSockets = 1000;
+ maxTxnSize = 10000000;
+ };
 };
 };
 }
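Review bot: The new `listeners` entry binds the plaintext port 8008 on `::` and `0.0.0.0` with `x_forwarded = true`, and `networking.firewall.allowedTCPPorts` opens 8008 to the outside, so any client that reaches 8008 directly can supply its own `X-Forwarded-For` and defeat the per-IP login rate limiting and the client-IP records Synapse derives from that header; if a reverse proxy on 443/8448 fronts this listener (the hunk declares no TLS listener on 8448), keep `bind_addresses` on loopback or the proxy-facing address and drop 8008 from `allowedTCPPorts`. The LDAP module is configured with `uri = "ldap://172.16.10.157:389"` and `start_tls = false`, so the `cn=synapse` bind password and every user password checked at login cross the network unencrypted; `start_tls = true` or an `ldaps://` URI with the CA trusted is the usual fix. `turn_shared_secret` and the bridge's `database.connectionString` are assigned sops file paths rather than secret values, and as far as I can tell both Synapse and matrix-appservice-irc read these keys as literal strings, so TURN credentials would be derived from the path text and the bridge would use a filesystem path as its Postgres connection string; putting both into the sops-managed extra config (as is already done for the Synapse DB password) or, for Synapse, `turn_shared_secret_path` where the installed release supports it, avoids that. Finally, `sslselfsign = true` on `irc.crans.org` accepts any self-signed certificate and so does not authenticate the IRC server, and `matrixClients.idisplayName` looks like a typo for `displayName`, which would silently leave the default display-name template in effect.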