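{ config, ... }:
{
  imports = [
    ./coturn.nix
    ./matrix-appservice-irc.nix
  ];

  # Secrets are decrypted by sops-nix at activation; only their runtime paths
  # (not their contents) are referenced from this module.
  sops.secrets = {
    ldap_synapse_passwd = {
      sopsFile = ../../secrets/neo/base.yaml;
    };
    # Whole-file secret (key = "") handed to synapse via extraConfigFiles;
    # it carries the settings that must not land in the world-readable store.
    neo_extra_config = {
      format = "yaml";
      sopsFile = ../../secrets/neo/extra_config.yaml;
      key = "";
      owner = "matrix-synapse";
    };
    matrix_appservice_irc_db_env = {
      sopsFile = ../../secrets/neo/appservice_irc_db.env;
      format = "dotenv";
    };
    # Owned by the coturn user; with sops-nix's default file mode this is not
    # readable by the matrix-synapse user.
    coturn_auth_secret = {
      sopsFile = ../../secrets/neo/base.yaml;
      owner = "turnserver";
    };
  };

  networking.firewall = {
    # NOTE(review): 8008 is the plaintext, x_forwarded-trusting listener
    # declared below and should only be reachable from the reverse proxy.
    # If the proxy lives on another host, restrict this port by source
    # address (e.g. networking.firewall.extraCommands) rather than opening it
    # to everyone. 8448 is not served by synapse here, so it is presumably
    # terminated by the reverse proxy — confirm.
    allowedTCPPorts = [ 80 443 8008 8448 ];
  };

  services.matrix-synapse = {
    enable = true;
    plugins = with config.services.matrix-synapse.package.plugins; [
      matrix-synapse-ldap3
    ];

    settings = {
      server_name = "crans.org";
      report_stats = false;

      listeners = [
        {
          port = 8008;
          # Plain HTTP: TLS is expected to be terminated in front of synapse.
          tls = false;
          bind_addresses = [ "::" "0.0.0.0" ];
          type = "http";
          # X-Forwarded-For is trusted unconditionally; anything that can reach
          # this port directly can spoof the client IP seen by rate limiting
          # and audit logs, hence the firewall note above.
          x_forwarded = true;
          resources = [
            { names = [ "client" ]; compress = true; }
            { names = [ "federation" ]; compress = false; }
          ];
        }
      ];

      database = {
        name = "psycopg2";
        args = {
          user = "synapse";
          database = "synapse";
          # Password is declared in extra config (neo_extra_config) so that it
          # stays out of the Nix store.
          host = "172.16.10.1";
          cp_min = 5;
          cp_max = 10;
        };
      };

      modules = [
        {
          module = "ldap_auth_provider.LdapAuthProviderModule";
          config = {
            enabled = true;
            # NOTE(review): ldap:// without start_tls sends the bind password
            # and every user's login password in cleartext to 172.16.10.157.
            # Acceptable only if that link is a trusted, isolated network;
            # otherwise set start_tls = true or switch to ldaps://.
            uri = "ldap://172.16.10.157:389";
            start_tls = false;
            base = "dc=crans,dc=org";
            attributes = {
              uid = "uid";
              mail = "mail";
              name = "sn";
            };
            binddn = "cn=synapse,ou=service-users,dc=crans,dc=org";
            # Read at runtime from the sops-managed file, not embedded here.
            bind_password_file = config.sops.secrets.ldap_synapse_passwd.path;
            filter = "(&(objectclass=inetOrgPerson)(objectclass=posixAccount))";
          };
        }
      ];

      turn_uris = [
        "turn:${config.services.coturn.realm}:3478?transport=udp"
        "turn:${config.services.coturn.realm}:3478?transport=tcp"
      ];
      # turn_shared_secret takes the secret *value*, not a file path. The
      # former line `turn_shared_secret = config.sops.secrets.coturn_auth_secret.path;`
      # made synapse sign TURN credentials with the literal path string, which
      # can never match coturn's real secret (and the file is owned by
      # "turnserver", so synapse could not have read it anyway). If the extra
      # config already defines turn_shared_secret it overrode this value; if
      # not, TURN was silently broken. Either way the setting belongs in the
      # sops-managed extra config (neo_extra_config), next to the database
      # password, so it stays out of the Nix store. Recent Synapse releases
      # also accept turn_shared_secret_path, which would additionally need the
      # secret to be readable by matrix-synapse — confirm against the deployed
      # version before relying on it.
      turn_user_lifetime = "1h";

      app_service_config_files = [
        "/var/lib/matrix-appservice-irc/registration.yml"
      ];
    };

    # Merged into the generated config at runtime; holds the settings that
    # must not be world-readable (database password, TURN secret, ...).
    extraConfigFiles = [
      config.sops.secrets.neo_extra_config.path
    ];
  };
}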