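# NixNG system definitions for a Synapse deployment: a PostgreSQL container,
# a Redis container, the main homeserver and a set of generic workers.
# Fixes in this revision: the listener key `bind_adrresses` was misspelled in
# both the worker and the main-process listener (Synapse reads `bind_addresses`
# and silently ignored the typo, falling back to its built-in default bind
# addresses), and the redis-setup script derivation reused the name "redis-run".
{ nglib, nixpkgs }:
let
  # Python `logging` dict-config for Synapse, rendered to a YAML file in the
  # Nix store. Shared by the main process and every worker.
  logConfig = pkgs: (pkgs.formats.yaml {}).generate "log.yaml" {
    version = 1;
    formatters.precise.format = "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s";
    handlers.console = {
      class = "logging.StreamHandler";
      formatter = "precise";
    };
    loggers."synapse.storage.SQL" = {
      level = "INFO";
    };
    root = {
      level = "INFO";
      handlers = [ "console" ];
    };
    disable_existing_loggers = false;
  };

  # Settings common to the homeserver and all workers. This file lives in the
  # world-readable Nix store, so nothing secret may be placed here; secrets are
  # supplied at runtime through /secrets/extra.yaml (see the --config-path
  # lists below).
  commonConfig = pkgs: (pkgs.formats.yaml {}).generate "common.yaml" {
    server_name = "matrix.redalder.org";
    report_stats = "yes";
    pid_file = "/homeserver.pid";
    log_config = logConfig pkgs;
    trusted_key_servers = [ { server_name = "matrix.org"; } ];
    media_store_path = "/var/lib/synapse/media_store";
    signing_key_path = "/var/lib/synapse/signing.key";
    # Registration is closed; accounts are expected to be created out of band.
    enable_registration = false;
    enable_registration_without_verification = false;
    # NOTE(review): refers to a worker name that no definition in this file
    # produces directly; presumably the NixNG synapse module derives it from the
    # worker attribute name — confirm against the module.
    federation_sender_instances = [ "worker-federation-sender-0" ];
  };

  # Builds one generic-worker system.
  #   listener_resources: Synapse resource names served on port 6167
  #                       (e.g. "client", "federation", "health").
  #   name:               suffix of the system name and key under
  #                       services.synapse.workers.
  genericWorker = { listener_resources, name }: nglib.makeSystem {
    system = "x86_64-linux";
    name = "synapse-worker-${name}";
    inherit nixpkgs;
    config = ({ pkgs, ... }: {
      dumb-init = {
        enable = true;
        type.services = { };
      };
      services.synapse.workers.${name} = {
        settings = {
          worker_app = "synapse.app.generic_worker";
          # The replication listener on the main synapse process.
          worker_replication_host = "127.0.0.1";
          worker_replication_http_port = 9093;
          worker_listeners = [
            {
              port = 6167;
              tls = false;
              type = "http";
              # Trusts X-Forwarded-For; only appropriate when this port is
              # reachable solely through the reverse proxy.
              x_forwarded = true;
              # Was misspelled `bind_adrresses`, which Synapse ignores.
              bind_addresses = [ "0.0.0.0" ];
              resources = [
                { names = listener_resources; compress = false; }
              ];
            }
          ];
          worker_log_config = logConfig pkgs;
        };
        arguments = {
          # Later files override earlier ones, so runtime secrets in
          # /secrets/extra.yaml take precedence over the store-resident config.
          config-path = [
            (commonConfig pkgs)
            "/secrets/extra.yaml"
            "/var/lib/registrations/extra.yaml"
          ];
          keys-directory = [ "/var/lib/synapse/keys" ];
        };
      };
    });
  };
in
{
  postgresql = nglib.makeSystem {
    system = "x86_64-linux";
    name = "nixng-synapse-postgresql";
    inherit nixpkgs;
    config = { pkgs, config, ... }: {
      config = {
        dumb-init = {
          enable = true;
          type.services = {};
        };
        services.postgresql = {
          enable = true;
          package = pkgs.postgresql_12;
          # Role passwords are created by this out-of-store script.
          initialScript = "/secrets/init.sql";
          enableTCPIP = true;
          # NOTE(review): password auth from any address with md5 hashing.
          # PostgreSQL 12 supports scram-sha-256, but switching requires the
          # passwords set in /secrets/init.sql to be stored in SCRAM form, so
          # this is left unchanged here.
          authentication = "host all all all md5";
          ensureDatabases = {
            "synapse" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
            "mautrix-facebook" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
            "mautrix-signal" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
            "mautrix-whatsapp" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
            "mautrix-discord" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
          };
          ensureExtensions = {};
          # One role per service, each limited to its own database.
          ensureUsers = [
            { name = "synapse"; ensurePermissions."DATABASE \"synapse\"" = "ALL PRIVILEGES"; }
            { name = "mautrix-facebook"; ensurePermissions."DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES"; }
            { name = "mautrix-signal"; ensurePermissions."DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES"; }
            { name = "mautrix-whatsapp"; ensurePermissions."DATABASE \"mautrix-whatsapp\"" = "ALL PRIVILEGES"; }
            { name = "mautrix-discord"; ensurePermissions."DATABASE \"mautrix-discord\"" = "ALL PRIVILEGES"; }
          ];
        };
      };
    };
  };

  redis = nglib.makeSystem {
    system = "x86_64-linux";
    name = "redis";
    inherit nixpkgs;
    config = ({ pkgs, ... }: {
      dumb-init = {
        enable = true;
        type.services = { };
      };
      users.users."redis" = {
        home = "/var/empty";
        uid = 9001;
        group = "redis";
      };
      users.groups."redis" = {
        gid = 9001;
      };
      # redis-server runs unprivileged (chpst drops to redis:redis). Listening
      # address and any requirepass come from ./redis.conf, which is not shown
      # here — until redis-setup below has run, access control is whatever that
      # file provides.
      init.services.redis = {
        enabled = true;
        shutdownOnExit = true;
        script = pkgs.writeShellScript "redis-run" ''
          cd /var/lib/redis
          chpst -U redis:redis ${pkgs.redis}/bin/redis-server ${./redis.conf}
        '';
      };
      # Waits for redis to accept connections, then sets the password of the
      # default user from /secrets/redis_password. The trailing sleep keeps the
      # service alive; it exits after a day and re-applies the ACL if the
      # supervisor restarts it (restart behaviour is not visible here).
      # NOTE(review): the password is passed on redis-cli's command line and is
      # therefore readable in the process list inside this container.
      init.services.redis-setup = {
        enabled = true;
        script = pkgs.writeShellScript "redis-setup" ''
          export PATH="${pkgs.redis}/bin:$PATH"
          nc -z 127.0.0.1 6379 -w 10 -v || exit 1
          redis-cli acl setuser default on '>'"$(cat /secrets/redis_password)" allcommands allkeys
          sleep 86400
        '';
      };
    });
  };

  # NOTE(review): all four workers pass name = "generic", so they produce
  # identically named systems and the same services.synapse.workers key. That
  # looks like an oversight, but the names may be referenced by external
  # routing, so they are left unchanged.
  synapseFederationSender = genericWorker {
    name = "generic";
    listener_resources = [ "health" ];
  };
  synapseFederationReceiver = genericWorker {
    name = "generic";
    listener_resources = [ "health" "federation" ];
  };
  synapseClient = genericWorker {
    name = "generic";
    listener_resources = [ "client" "health" ];
  };
  synapseSync = genericWorker {
    name = "generic";
    listener_resources = [ "client" "health" ];
  };

  synapse = nglib.makeSystem {
    system = "x86_64-linux";
    name = "synapse";
    inherit nixpkgs;
    config = ({ pkgs, ... }: {
      dumb-init = {
        enable = true;
        type.services = { };
      };
      init.services.synapse = {
        enabled = true;
        shutdownOnExit = true;
        script =
          let
            # Main-process-only settings; everything else comes from commonConfig
            # and the runtime config files listed on the command line.
            synapseConfig = (pkgs.formats.yaml {}).generate "synapse.yaml" {
              listeners = [
                # The HTTP replication port. Workers reach it via 127.0.0.1, so
                # binding to 0.0.0.0 is wider than they need; whether a loopback
                # bind would work depends on how these systems share a network
                # namespace, which is not visible here.
                {
                  port = 9093;
                  bind_addresses = [ "0.0.0.0" ];
                  type = "http";
                  resources = [ { names = [ "replication" ]; } ];
                }
                {
                  port = 6167;
                  tls = false;
                  type = "http";
                  # Trusts X-Forwarded-For; only appropriate when this port is
                  # reachable solely through the reverse proxy.
                  x_forwarded = true;
                  # Was misspelled `bind_adrresses`, which Synapse ignores.
                  bind_addresses = [ "0.0.0.0" ];
                  resources = [ { names = [ "client" "federation" ]; compress = false; } ];
                }
              ];
              public_baseurl = "https://matrix.redalder.org/";
              # Add a random shared secret to authenticate traffic. It is kept
              # empty here because this YAML lands in the world-readable Nix
              # store; set the real value in /secrets/extra.yaml, which is
              # loaded later and takes precedence. Without one, the replication
              # listener above accepts requests without authentication.
              worker_replication_secret = "";
            };
          in
          # First run generates the signing key if it is missing, then the
          # homeserver starts with the same config stack.
          pkgs.writeShellScript "synapse" ''
            [ -e /var/lib/synapse/signing.key ] || \
              ${pkgs.matrix-synapse}/bin/synapse_homeserver \
                --config-path ${synapseConfig} \
                --config-path ${commonConfig pkgs} \
                --config-path /secrets/extra.yaml \
                --config-path /var/lib/registrations/extra.yaml \
                --keys-directory /var/lib/synapse/keys \
                --generate-keys
            ${pkgs.matrix-synapse}/bin/synapse_homeserver \
              --config-path ${synapseConfig} \
              --config-path ${commonConfig pkgs} \
              --config-path /secrets/extra.yaml \
              --config-path /var/lib/registrations/extra.yaml \
              --keys-directory /var/lib/synapse/keys
          '';
      };
    });
  };
}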