{ nglib, nixpkgs }:
let
# Python logging dict-config shared by the main process and every worker:
# everything at INFO and above goes to the console in the "precise" format.
logConfig = pkgs:
  (pkgs.formats.yaml { }).generate "log.yaml" {
    version = 1;
    formatters = {
      precise.format = "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
    };
    handlers = {
      console = {
        class = "logging.StreamHandler";
        formatter = "precise";
      };
    };
    # The SQL logger is pinned at INFO explicitly, so lowering the root level
    # later does not start echoing statements (which could carry user data).
    loggers = {
      "synapse.storage.SQL".level = "INFO";
    };
    root = {
      level = "INFO";
      handlers = [ "console" ];
    };
    disable_existing_loggers = false;
  };
# Settings shared by the main process and all workers. The result is a Nix
# store path (world-readable), so nothing secret belongs in here; secrets go
# in /secrets/extra.yaml, which the processes read after this file.
commonConfig = pkgs:
  let
    yaml = pkgs.formats.yaml { };
  in
  yaml.generate "common.yaml" {
    server_name = "matrix.redalder.org";
    # Opt-in to anonymous usage statistics. Written as the string "yes";
    # the documented form is a YAML boolean (presumably both are accepted).
    report_stats = "yes";
    pid_file = "/homeserver.pid";
    log_config = logConfig pkgs;
    # Other servers' signing keys are fetched via matrix.org. No verify_keys
    # are pinned here, so trust rests on TLS to matrix.org (plus whatever
    # built-in key the Synapse version in use applies) — TODO confirm.
    trusted_key_servers = [ { server_name = "matrix.org"; } ];
    media_store_path = "/var/lib/synapse/media_store";
    signing_key_path = "/var/lib/synapse/signing.key";
    # Registration is closed; accounts must be created out of band.
    enable_registration = false;
    enable_registration_without_verification = false;
    # Outbound federation is delegated to the worker with exactly this
    # worker_name; if no such worker exists, presumably nothing sends it.
    federation_sender_instances = [ "worker-federation-sender-0" ];
  };
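# Builds one generic Synapse worker container. `name` selects the
# `services.synapse.workers.<name>` entry and the container name;
# `listener_resources` lists the Synapse resources ("client", "federation",
# "health", ...) served on the worker's port-6167 listener.
genericWorker = { listener_resources, name }:
  nglib.makeSystem {
    system = "x86_64-linux";
    name = "synapse-worker-${name}";
    inherit nixpkgs;
    config = ({ pkgs, ... }:
      {
        dumb-init = {
          enable = true;
          type.services = { };
        };
        services.synapse.workers.${name} = {
          settings = {
            worker_app = "synapse.app.generic_worker";
            # The replication listener on the main synapse process. It is
            # dialled over loopback, so the main process must share this
            # network namespace (or have the port forwarded into it).
            worker_replication_host = "127.0.0.1";
            worker_replication_http_port = 9093;
            worker_listeners = [
              {
                port = 6167;
                tls = false;
                type = "http";
                # x_forwarded makes Synapse trust X-Forwarded-For from any peer
                # that can reach this port, so the port must only be reachable
                # through the TLS-terminating reverse proxy.
                x_forwarded = true;
                # Fixed from the misspelling `bind_adrresses`, which is not a
                # Synapse option: the intended bind list was silently ignored
                # and the listener presumably used Synapse's default addresses.
                bind_addresses = [ "0.0.0.0" ];
                resources = [
                  {
                    names = listener_resources;
                    compress = false;
                  }
                ];
              }
            ];
            worker_log_config = logConfig pkgs;
          };
          # Later config files override earlier ones. /secrets/extra.yaml is
          # the place for secrets (e.g. worker_replication_secret) that must
          # not end up in the world-readable Nix store.
          arguments = {
            config-path = [
              (commonConfig pkgs)
              "/secrets/extra.yaml"
              "/var/lib/registrations/extra.yaml"
            ];
            keys-directory = [
              "/var/lib/synapse/keys"
            ];
          };
        };
      });
  };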
in
{
# PostgreSQL 12 container backing Synapse and the mautrix bridges. Each
# service gets one database plus one role of the same name that owns it.
postgresql =
  let
    serviceNames = [
      "synapse"
      "mautrix-facebook"
      "mautrix-signal"
      "mautrix-whatsapp"
      "mautrix-discord"
    ];
    dbSettings = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
  in
  nglib.makeSystem {
    system = "x86_64-linux";
    name = "nixng-synapse-postgresql";
    inherit nixpkgs;
    config = { pkgs, config, ... }:
      {
        config = {
          dumb-init = {
            enable = true;
            type.services = {};
          };
          services.postgresql = {
            enable = true;
            package = pkgs.postgresql_12;
            # Mounted at runtime, not baked into the store; presumably where
            # the role passwords are set.
            initialScript = "/secrets/init.sql";
            enableTCPIP = true;
            # NOTE(review): "host all all all md5" allows password logins from
            # ANY address for any role/database, with md5 hashing and no TLS
            # requirement (hostssl is not used). Narrow the address field to
            # the container network, and consider scram-sha-256 — that needs
            # password_encryption set before the roles are (re)created, so it
            # cannot be flipped here in isolation.
            authentication = "host all all all md5";
            ensureDatabases = pkgs.lib.genAttrs serviceNames (_: dbSettings);
            ensureExtensions = {};
            # Each role gets full rights on its own database only.
            ensureUsers = map (role: {
              name = role;
              ensurePermissions."DATABASE \"${role}\"" = "ALL PRIVILEGES";
            }) serviceNames;
          };
        };
      };
  };
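# Redis container (its consumers are configured outside this file). The
# server runs as the unprivileged `redis` user; a side service sets the
# password on the `default` ACL user once the server accepts connections.
redis = nglib.makeSystem {
  system = "x86_64-linux";
  name = "redis";
  inherit nixpkgs;
  config = ({ pkgs, ... }:
    {
      dumb-init = {
        enable = true;
        type.services = { };
      };
      users.users."redis" = {
        home = "/var/empty";
        uid = 9001;
        group = "redis";
      };
      users.groups."redis" = {
        gid = 9001;
      };
      init.services.redis = {
        enabled = true;
        shutdownOnExit = true;
        # chpst drops to redis:redis before starting the server; /var/lib/redis
        # must be writable by that user for persistence to work.
        script =
          pkgs.writeShellScript "redis-run" ''
            cd /var/lib/redis
            chpst -U redis:redis ${pkgs.redis}/bin/redis-server ${./redis.conf}
          '';
      };
      init.services.redis-setup = {
        enabled = true;
        script =
          pkgs.writeShellScript "redis-setup" ''
            export PATH="${pkgs.redis}/bin:$PATH"
            # Poll for up to ~30s rather than a single probe: with one probe a
            # slow start left the default user permanently without a password.
            for _ in $(seq 1 30); do
              nc -z -w 1 127.0.0.1 6379 && break
              sleep 1
            done
            nc -z -w 1 127.0.0.1 6379 || exit 1
            password="$(cat /secrets/redis_password)"
            # `-x` takes the last argument from stdin, so the secret is never
            # on the command line (/proc/*/cmdline is readable by every user).
            # REDISCLI_AUTH lets a re-run authenticate once the password exists;
            # before that the default user is `nopass` and accepts any password.
            printf '>%s' "$password" \
              | REDISCLI_AUTH="$password" redis-cli -x acl setuser default on allcommands allkeys
            # NOTE(review): nothing here persists the ACL (no ACL SAVE/aclfile
            # visible), so a redis restart drops the password until this service
            # runs again; the long sleep keeps the supervisor from re-running it
            # continuously.
            sleep 86400
          '';
      };
    });
};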
# Four worker containers built from the same template.
# NOTE(review): all four pass name = "generic", so each yields the same
# container name "synapse-worker-generic" and the same workers.generic entry.
# If the NixNG module derives worker_name from that attribute, Synapse would
# see four workers sharing one name, and none would match the
# "worker-federation-sender-0" listed in commonConfig's
# federation_sender_instances — verify how worker_name is set before relying
# on outbound federation.
synapseFederationSender = genericWorker { name = "generic"; listener_resources = [ "health" ]; };
# Serves inbound federation (plus the health endpoint).
synapseFederationReceiver = genericWorker { name = "generic"; listener_resources = [ "health" "federation" ]; };
# Client API and sync are two identical definitions; splitting traffic
# between them presumably happens in the reverse proxy, outside this file.
synapseClient = genericWorker { name = "generic"; listener_resources = [ "client" "health" ]; };
synapseSync = genericWorker { name = "generic"; listener_resources = [ "client" "health" ]; };
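# Main Synapse process. Besides the client/federation listener it exposes the
# HTTP replication listener that the workers connect to.
synapse = nglib.makeSystem {
  system = "x86_64-linux";
  name = "synapse";
  inherit nixpkgs;
  config = ({ pkgs, ... }:
    {
      dumb-init = {
        enable = true;
        type.services = { };
      };
      init.services.synapse = {
        enabled = true;
        shutdownOnExit = true;
        script =
          let
            # Main-process-only settings; commonConfig carries the shared ones.
            # This file lands in the world-readable Nix store, so it must not
            # contain secrets.
            synapseConfig = (pkgs.formats.yaml {}).generate "synapse.yaml"
              {
                listeners = [
                  # The HTTP replication port. Workers dial 127.0.0.1:9093, so
                  # binding every interface is wider than they need; anyone who
                  # can reach this port can drive Synapse's internal replication
                  # API unless worker_replication_secret is set.
                  {
                    port = 9093;
                    bind_addresses = [ "0.0.0.0" ];
                    type = "http";
                    resources = [
                      { names = [ "replication" ]; }
                    ];
                  }
                  # Plain-HTTP client/federation listener meant to sit behind a
                  # TLS-terminating reverse proxy. x_forwarded makes Synapse
                  # trust X-Forwarded-For from any peer that reaches this port,
                  # so it must not be reachable except via that proxy.
                  {
                    port = 6167;
                    tls = false;
                    type = "http";
                    x_forwarded = true;
                    # Fixed from the misspelling `bind_adrresses`, which is not a
                    # Synapse option: the value was silently ignored and the
                    # listener presumably used Synapse's default addresses.
                    bind_addresses = [ "0.0.0.0" ];
                    resources = [
                      {
                        names = [ "client" "federation" ];
                        compress = false;
                      }
                    ];
                  }
                ];
                public_baseurl = "https://matrix.redalder.org/";
                # worker_replication_secret is deliberately not set here: it was
                # "" (which disables replication auth, same as leaving it unset)
                # and a real value belongs in /secrets/extra.yaml, which is read
                # after this file and therefore overrides it. Until it is set
                # there, the replication listener above is unauthenticated.
              };
          in
          pkgs.writeShellScript "synapse"
            ''
              # Later --config-path files override earlier ones; secrets come
              # from /secrets/extra.yaml, never from the store-path configs.
              config_args="--config-path ${synapseConfig} \
                --config-path ${commonConfig pkgs} \
                --config-path /secrets/extra.yaml \
                --config-path /var/lib/registrations/extra.yaml \
                --keys-directory /var/lib/synapse/keys"
              # First boot only: generate the signing key, persisted under
              # /var/lib/synapse so the server identity survives restarts.
              [ -e /var/lib/synapse/signing.key ] || \
                ${pkgs.matrix-synapse}/bin/synapse_homeserver $config_args --generate-keys
              ${pkgs.matrix-synapse}/bin/synapse_homeserver $config_args
            '';
      };
    });
};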
}