Add terranix config for Matrix

Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-06-15 23:06:12 +02:00
parent a13865213f
commit 32a9ea4f78
7 changed files with 1546 additions and 0 deletions


@ -0,0 +1,183 @@
{ config, elib, ... }:
let
inherit (elib)
nfsVolume
nomadJob;
flake_host = "";
flake_sha = "";
flake_ref = "";
flake_rev= "";
in
{
resource."nomad_volume"."matrix-synapse" = nfsVolume {
volume_name = "matrix-synapse";
access_mode = "multi-node-multi-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/synapse";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-postgresql" = nfsVolume {
volume_name = "matrix-postgresql";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/postgresql";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-registrations" = nfsVolume {
volume_name = "matrix-registrations";
access_mode = "multi-node-multi-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/registrations";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-mautrix-discord" = nfsVolume {
volume_name = "matrix-mautrix-discord";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/mautrix-discord";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-mautrix-facebook" = nfsVolume {
volume_name = "matrix-mautrix-facebook";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/mautrix-facebook";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-mautrix-signal" = nfsVolume {
volume_name = "matrix-mautrix-signal";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/mautrix-signal";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-signald" = nfsVolume {
volume_name = "matrix-signald";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/signald";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."nomad_volume"."matrix-redis" = nfsVolume {
volume_name = "matrix-redis";
access_mode = "single-node-writer";
server = "blowhole.hosts.in.redalder.org";
share = "/mnt/kyle/infrastructure/matrix/redis";
mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ];
};
resource."vault_policy"."matrix-mautrix-signal-policy" = {
name = "matrix-mautrix-signal-policy";
policy = ''
path "kv/data/cluster/matrix/mautrix-signal/main" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-signal/postgresql" {
capabilities = ["read"]
}
'';
};
resource."vault_policy"."matrix-mautrix-discord-policy" = {
name = "matrix-mautrix-discord-policy";
policy = ''
path "kv/data/cluster/matrix/mautrix-discord/main" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-discord/postgresql" {
capabilities = ["read"]
}
'';
};
resource."vault_policy"."matrix-mautrix-facebook-policy" = {
name = "matrix-mautrix-facebook-policy";
policy = ''
path "kv/data/cluster/matrix/mautrix-facebook/main" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-facebook/postgresql" {
capabilities = ["read"]
}
'';
};
resource."vault_policy"."matrix-synapse-policy" = {
name = "matrix-synapse-policy";
policy = ''
path "kv/data/cluster/matrix/synapse" {
capabilities = ["read"]
}
'';
};
resource."vault_policy"."matrix-postgresql-policy" = {
name = "matrix-postgresql-policy";
policy = ''
path "kv/data/cluster/matrix/synapse" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-facebook/postgresql" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-signal/postgresql" {
capabilities = ["read"]
}
path "kv/data/cluster/matrix/mautrix-discord/postgresql" {
capabilities = ["read"]
}
'';
};
resource."nomad_job"."matrix-synapse" = nomadJob {
jobspec = ./matrix-synapse.hcl;
vars = {
flake_ref = "${flake_host}?ref=${flake_ref}&rev=${flake_rev}";
flake_sha = flake_sha;
};
};
resource."nomad_job"."matrix-mautrix-discord" = nomadJob {
jobspec = ./matrix-mautrix-discord.hcl;
vars = {
flake_ref = "${flake_host}?ref=${flake_ref}&rev=${flake_rev}";
flake_sha = flake_sha;
};
};
resource."nomad_job"."matrix-mautrix-facebook" = nomadJob {
jobspec = ./matrix-mautrix-facebook.hcl;
vars = {
flake_ref = "${flake_host}?ref=${flake_ref}&rev=${flake_rev}";
flake_sha = flake_sha;
};
};
resource."nomad_job"."matrix-mautrix-signal" = nomadJob {
jobspec = ./matrix-mautrix-signal.hcl;
vars = {
flake_ref = "${flake_host}?ref=${flake_ref}&rev=${flake_rev}";
flake_sha = flake_sha;
};
};
resource."nomad_job"."matrix-heisenbridge" = nomadJob {
jobspec = ./matrix-heisenbridge.hcl;
vars = {
flake_ref = "${flake_host}?ref=${flake_ref}&rev=${flake_rev}";
flake_sha = flake_sha;
};
};
}
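Review bot: `matrix-postgresql-policy` grants read on the whole `kv/data/cluster/matrix/synapse` secret, but the postgresql task only consumes `.Data.data.pgpass` from it, while the same secret also carries `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and `redis_password` (as the synapse job templates in this commit show); the redis group in matrix-synapse.hcl gets the same over-grant through `matrix-synapse-policy`. Moving the database and redis passwords to their own paths, e.g. `kv/data/cluster/matrix/synapse/postgresql` the way the mautrix bridges already split `main` from `postgresql`, would let each policy cover only what its task actually reads. Separately, `flake_host`, `flake_sha`, `flake_ref` and `flake_rev` are all `""`, so every `nomad_job` here is handed an empty `nix_flake_sha`; if these are meant to be filled in before apply, an `assert flake_sha != "" && flake_rev != "";` before `in` would make a forgotten pin fail at evaluation instead of at deploy.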


@ -0,0 +1,64 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-heisenbridge" {
datacenters = [ "homelab-1" ]
type = "service"
group "heisenbridge" {
count = 1
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-heisenbridge"
port = "9898"
connect {
sidecar_service {}
}
}
task "heisenbridge" {
driver = "docker"
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.heisenbridge.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 128
memory = 128
}
}
}
}
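Review bot: The `matrix-heisenbridge` service registers with Connect but has no `check` block, so Consul has nothing beyond the sidecar's own health to go on, and the synapse workers that list it as an upstream may be routed to the allocation before the bridge is listening on 9898. Following the pattern the synapse groups use, `check { type = "tcp" address_mode = "alloc" port = "9898" interval = "10s" timeout = "2s" }` would gate routing on the bridge actually accepting connections.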


@ -0,0 +1,113 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-mautrix-discord" {
datacenters = [ "homelab-1" ]
type = "service"
group "mautrix-discord" {
count = 1
volume "matrix-mautrix-discord" {
type = "csi"
source = "matrix-mautrix-discord"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-mautrix-discord"
port = "29334"
# check {
# type = "http"
# address_mode = "alloc"
# path = "/public"
# port = "29319"
# interval = "2s"
# timeout = "2s"
# }
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
}
}
}
}
task "mautrix-discord" {
driver = "docker"
volume_mount {
volume = "matrix-mautrix-discord"
destination = "/var/lib/mautrix-discord"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-discord.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
vault {
policies = ["matrix-mautrix-discord-policy"]
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/mautrix-discord/main" }}
MAUTRIX_DISCORD_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
MAUTRIX_DISCORD_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
{{ end }}
{{ with secret "kv/data/cluster/matrix/mautrix-discord/postgresql" }}
MAUTRIX_DISCORD_APPSERVICE_DATABASE_PASSWORD={{ .Data.data.pgpass }}
{{ end }}
EOF
destination = "secrets/environment"
env = true
}
resources {
cpu = 256
memory = 256
}
}
}
}
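Review bot: The commented-out `check` block in the `matrix-mautrix-discord` service still carries `port = "29319"`, the mautrix-facebook port, while this service listens on `29334`; the mautrix-signal job has the same leftover (`29319` against its `29328`). If these checks are meant to be re-enabled later, the port should follow the service's own port, otherwise the block is better dropped than left as a trap. Separately, `env = true` hands the appservice and database tokens to the task as environment variables, where every process in the task (and anyone with `nomad alloc exec`) can read them; if mautrix-discord can take these from a config file, rendering to `secrets/` without `env = true` keeps the exposure narrower.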


@ -0,0 +1,106 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-mautrix-facebook" {
datacenters = [ "homelab-1" ]
type = "service"
group "mautrix-facebook" {
count = 1
volume "matrix-mautrix-facebook" {
type = "csi"
source = "matrix-mautrix-facebook"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-mautrix-facebook"
port = "29319"
# check {
# type = "http"
# address_mode = "alloc"
# path = "/public"
# port = "29319"
# interval = "2s"
# timeout = "2s"
# }
connect {
sidecar_service {}
}
}
task "mautrix-facebook" {
driver = "docker"
volume_mount {
volume = "matrix-mautrix-facebook"
destination = "/var/lib/mautrix-facebook"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-facebook.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
vault {
policies = ["matrix-mautrix-facebook-policy"]
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/mautrix-facebook/main" }}
MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
{{ end }}
EOF
# {{ with secret "kv/data/cluster/matrix/mautrix-facebook/postgresql" }}
# MAUTRIX_FACEBOOK_APPSERVICE_DATABASE_OPTS={{ .Data.data.pgpass }}
# {{ end }}
destination = "secrets/environment"
env = true
}
resources {
cpu = 256
memory = 256
}
}
}
}
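Review bot: `sidecar_service {}` in the `matrix-mautrix-facebook` service declares no `matrix-postgresql` upstream, unlike the discord and signal bridges, and the database password lines are commented out, yet `matrix-mautrix-facebook-policy` still grants read on `kv/data/cluster/matrix/mautrix-facebook/postgresql` and the postgresql job sets a password for the `mautrix-facebook` role. Either the bridge is meant to use the shared database and the upstream block plus the `MAUTRIX_FACEBOOK_APPSERVICE_DATABASE_OPTS` line are missing, or it is not and the policy path and role can go; a one-line comment saying which is intended would save the next reader the same question. Also note that the commented `{{ with secret ... }}` lines sit after `EOF`, outside the heredoc, so removing the `#` would not put them into the rendered file.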


@ -0,0 +1,128 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-mautrix-signal" {
datacenters = [ "homelab-1" ]
type = "service"
group "mautrix-signal" {
count = 1
volume "matrix-mautrix-signal" {
type = "csi"
source = "matrix-mautrix-signal"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "matrix-signald" {
type = "csi"
source = "matrix-signald"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-mautrix-signal"
port = "29328"
# check {
# type = "http"
# address_mode = "alloc"
# path = "/public"
# port = "29319"
# interval = "2s"
# timeout = "2s"
# }
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
}
}
}
}
task "mautrix-signal" {
driver = "docker"
volume_mount {
volume = "matrix-mautrix-signal"
destination = "/var/lib/mautrix-signal"
read_only = false
}
volume_mount {
volume = "matrix-signald"
destination = "/var/lib/signald"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.mautrix-signal.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
vault {
policies = ["matrix-mautrix-signal-policy"]
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/mautrix-signal/main" }}
MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN={{ .Data.data.as_token }}
MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN={{ .Data.data.hs_token }}
{{ end }}
{{ with secret "kv/data/cluster/matrix/mautrix-signal/postgresql" }}
PGPASSWORD={{ .Data.data.pgpass }}
{{ end }}
EOF
destination = "secrets/environment"
env = true
}
resources {
cpu = 256
memory = 256
}
}
}
}
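Review bot: The `matrix-signald` volume is mounted at `/var/lib/signald`, but no task in this group runs signald; if it is bundled into the `nixngSystems.mautrix-signal` image this is fine, but that is not evident from the jobspec, and a comment on the `volume_mount` such as `# signald runs inside the mautrix-signal image and keeps its state here` would make the dependency explicit. The database password is exported as `PGPASSWORD` while the discord bridge uses `MAUTRIX_DISCORD_APPSERVICE_DATABASE_PASSWORD`; if both are consumed by the bridge's own config, naming them consistently (or documenting why signal relies on the libpq variable) avoids confusion when the two jobs are compared.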


@ -0,0 +1,82 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-prometheus" {
datacenters = [ "homelab-1" ]
type = "service"
group "matrix-prometheus" {
count = 1
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-prometheus"
port = "0"
}
task "matrix-prometheus" {
driver = "docker"
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.matrixPrometheus.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
}
task "matrix-prometheus-connect-nginx" {
driver = "docker"
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.matrixPrometheusConnectNginx.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
template {
data = <<EOF
upstream matrix-synapse-metrics {
{{- range connect "matrix-synapse-metrics" }}
proxy_pass {{ .Address }}:{{ .Port }}
{{- end -}}
}
EOF
destination = "/local/upsteams.conf"
}
template {
data = <<EOF
{{ range caRoots }}{{ .RootCertPEM }}{{ end }}
EOF
destination = "/secrets/ca.pem"
}
template {
data = <<EOF
{{ with caLeaf "nginx" }}{{ .CertPEM }}{{ end }}
EOF
destination = "/secrets/crt.pem"
}
template {
data = <<EOF
{{ with caLeaf "nginx" }}{{.PrivateKeyPEM }}{{ end }}
EOF
destination = "/secrets/key.pem"
}
}
}
}
}
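Review bot: The four `template` blocks of the `matrix-prometheus-connect-nginx` task are nested inside `config { ... }` rather than at task level, so the docker driver will most likely reject them as unknown `template` keys; close `config` after `entrypoint = [ "init" ]` and place the templates directly under the task, as every other job in this commit does. Inside the rendered `upstream matrix-synapse-metrics { ... }` block, `proxy_pass {{ .Address }}:{{ .Port }}` is not a valid upstream directive and lacks a terminating semicolon — an nginx upstream takes `server {{ .Address }}:{{ .Port }};`. `caLeaf "nginx"` asks for a Connect leaf certificate for a service named `nginx`, but the only service this group registers is `matrix-prometheus` and it has no `connect` block, so the leaf may never be issued; worth confirming against the intended service name. The destination `/local/upsteams.conf` looks like a typo for `upstreams.conf` and should be checked against the path the nginx config includes. This job also has no `nomad_job` resource in the terranix file, so nothing in this commit deploys it.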


@ -0,0 +1,870 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
job "matrix-synapse" {
datacenters = [ "homelab-1" ]
type = "service"
group "redis" {
count = 1
volume "matrix-redis" {
type = "csi"
source = "matrix-redis"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
vault {
policies = ["matrix-synapse-policy"]
}
service {
name = "matrix-redis"
port = "6379"
# check {
# type = "http"
# address_mode = "alloc"
# path = "/health"
# port = "6167"
# interval = "2s"
# timeout = "2s"
# }
connect {
sidecar_service {}
}
}
task "redis" {
driver = "docker"
volume_mount {
volume = "matrix-redis"
destination = "/var/lib/redis"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.conduitRedis.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" -}}
{{ .Data.data.redis_password }}
{{ end -}}
EOF
destination = "/secrets/redis_password"
}
}
}
group "synapse-client" {
count = 1
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
vault {
policies = ["matrix-synapse-policy"]
}
volume "matrix-synapse" {
type = "csi"
source = "matrix-synapse"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
service {
name = "matrix-synapse-client"
port = "6167"
check {
type = "http"
address_mode = "alloc"
path = "/health"
port = "6167"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 29319
}
upstreams {
destination_name = "matrix-mautrix-signal"
local_bind_port = 29328
}
upstreams {
destination_name = "matrix-mautrix-discord"
local_bind_port = 29334
}
upstreams {
destination_name = "matrix-heisenbridge"
local_bind_port = 9898
}
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
upstreams {
destination_name = "matrix-redis"
local_bind_port = 6379
}
upstreams {
destination_name = "matrix-synapse-replication"
local_bind_port = 9093
}
}
}
}
}
task "synapse-client" {
driver = "docker"
volume_mount {
volume = "matrix-synapse"
destination = "/var/lib/synapse"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.synapseClient.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 1024
memory = 2048
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-client-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
name: "psycopg2"
args:
user: "synapse"
password: "{{ .Data.data.pgpass }}"
database: "synapse"
host: "127.0.0.1"
cp_min: 5
cp_max: 10
redis:
enabled: true
password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
destination = "/secrets/extra.yaml"
}
}
}
group "synapse-sync" {
count = 1
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
vault {
policies = ["matrix-synapse-policy"]
}
volume "matrix-synapse" {
type = "csi"
source = "matrix-synapse"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
service {
name = "matrix-synapse-sync"
port = "6167"
check {
type = "http"
address_mode = "alloc"
path = "/health"
port = "6167"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 29319
}
upstreams {
destination_name = "matrix-mautrix-signal"
local_bind_port = 29328
}
upstreams {
destination_name = "matrix-mautrix-discord"
local_bind_port = 29334
}
upstreams {
destination_name = "matrix-heisenbridge"
local_bind_port = 9898
}
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
upstreams {
destination_name = "matrix-redis"
local_bind_port = 6379
}
upstreams {
destination_name = "matrix-synapse-replication"
local_bind_port = 9093
}
}
}
}
}
task "synapse-sync" {
driver = "docker"
volume_mount {
volume = "matrix-synapse"
destination = "/var/lib/synapse"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.synapseSync.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 1024
memory = 512
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-sync-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
name: "psycopg2"
args:
user: "synapse"
password: "{{ .Data.data.pgpass }}"
database: "synapse"
host: "127.0.0.1"
cp_min: 5
cp_max: 10
redis:
enabled: true
password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
destination = "/secrets/extra.yaml"
}
}
}
group "synapse-federation-receiver" {
count = 1
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
vault {
policies = ["matrix-synapse-policy"]
}
volume "matrix-synapse" {
type = "csi"
source = "matrix-synapse"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
service {
name = "matrix-synapse-federation-receiver"
port = "6167"
check {
type = "http"
address_mode = "alloc"
path = "/health"
port = "6167"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 29319
}
upstreams {
destination_name = "matrix-mautrix-signal"
local_bind_port = 29328
}
upstreams {
destination_name = "matrix-mautrix-discord"
local_bind_port = 29334
}
upstreams {
destination_name = "matrix-heisenbridge"
local_bind_port = 9898
}
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
upstreams {
destination_name = "matrix-redis"
local_bind_port = 6379
}
upstreams {
destination_name = "matrix-synapse-replication"
local_bind_port = 9093
}
}
}
}
}
task "synapse-federation-receiver" {
driver = "docker"
volume_mount {
volume = "matrix-synapse"
destination = "/var/lib/synapse"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.synapseFederationReceiver.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 1024
memory = 1024
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-federation-receiver-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
name: "psycopg2"
args:
user: "synapse"
password: "{{ .Data.data.pgpass }}"
database: "synapse"
host: "127.0.0.1"
cp_min: 5
cp_max: 10
redis:
enabled: true
password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
destination = "/secrets/extra.yaml"
}
}
}
group "synapse-federation-sender" {
count = 1
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
vault {
policies = ["matrix-synapse-policy"]
}
volume "matrix-synapse" {
type = "csi"
source = "matrix-synapse"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
service {
name = "matrix-synapse-federation-sender"
port = "6167"
check {
type = "http"
address_mode = "alloc"
path = "/health"
port = "6167"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 29319
}
upstreams {
destination_name = "matrix-mautrix-signal"
local_bind_port = 29328
}
upstreams {
destination_name = "matrix-mautrix-discord"
local_bind_port = 29334
}
upstreams {
destination_name = "matrix-heisenbridge"
local_bind_port = 9898
}
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
upstreams {
destination_name = "matrix-redis"
local_bind_port = 6379
}
upstreams {
destination_name = "matrix-synapse-replication"
local_bind_port = 9093
}
}
}
}
}
task "synapse-federation-sender" {
driver = "docker"
volume_mount {
volume = "matrix-synapse"
destination = "/var/lib/synapse"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.synapseFederationSender.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 1024
memory = 1024
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
worker_name: "worker-federation-sender-{{ env "NOMAD_ALLOC_INDEX" }}"
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
name: "psycopg2"
args:
user: "synapse"
password: "{{ .Data.data.pgpass }}"
database: "synapse"
host: "127.0.0.1"
cp_min: 5
cp_max: 10
redis:
enabled: true
password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
destination = "/secrets/extra.yaml"
}
}
}
group "postgresql" {
count = 1
volume "matrix-postgresql" {
type = "csi"
source = "matrix-postgresql"
read_only = false
attachment_mode = "file-system"
access_mode = "single-node-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-postgresql"
port = "5432"
# check {
# }
connect {
sidecar_service {}
}
}
task "postgresql" {
driver = "docker"
volume_mount {
volume = "matrix-postgresql"
destination = "/var/lib/postgresql"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.conduitPostgresql.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 500
memory = 1024
memory_max = 1536
}
template {
data = <<EOF
alter user "synapse" with password '{{ with secret "kv/data/cluster/matrix/synapse" }}{{ .Data.data.pgpass }}{{ end }}';
alter user "mautrix-facebook" with password '{{ with secret "kv/data/cluster/matrix/mautrix-facebook/postgresql" }}{{ .Data.data.pgpass }}{{ end }}';
alter user "mautrix-signal" with password '{{ with secret "kv/data/cluster/matrix/mautrix-signal/postgresql" }}{{ .Data.data.pgpass }}{{ end }}';
alter user "mautrix-discord" with password '{{ with secret "kv/data/cluster/matrix/mautrix-discord/postgresql" }}{{ .Data.data.pgpass }}{{ end }}';
EOF
destination = "secrets/init.sql"
change_mode = "noop"
}
vault {
policies = ["matrix-postgresql-policy"]
}
}
}
group "synapse" {
count = 1
volume "matrix-synapse" {
type = "csi"
source = "matrix-synapse"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
volume "matrix-registrations" {
type = "csi"
source = "matrix-registrations"
read_only = false
attachment_mode = "file-system"
access_mode = "multi-node-multi-writer"
}
restart {
attempts = 5
delay = "5s"
}
network {
mode = "bridge"
}
service {
name = "matrix-synapse"
port = "6167"
check {
type = "http"
address_mode = "alloc"
path = "/health"
port = "6167"
interval = "2s"
timeout = "2s"
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 29319
}
upstreams {
destination_name = "matrix-mautrix-signal"
local_bind_port = 29328
}
upstreams {
destination_name = "matrix-mautrix-discord"
local_bind_port = 29334
}
upstreams {
destination_name = "matrix-heisenbridge"
local_bind_port = 9898
}
upstreams {
destination_name = "matrix-postgresql"
local_bind_port = 5432
}
upstreams {
destination_name = "matrix-redis"
local_bind_port = 6379
}
}
}
}
}
service {
name = "matrix-synapse-replication"
port = "9093"
# check {
# type = "http"
# address_mode = "alloc"
# path = "/"
# port = "9093"
# interval = "2s"
# timeout = "2s"
# }
connect {
sidecar_service {}
}
}
task "synapse" {
driver = "docker"
volume_mount {
volume = "matrix-synapse"
destination = "/var/lib/synapse"
read_only = false
}
volume_mount {
volume = "matrix-registrations"
destination = "/var/lib/registrations"
read_only = false
}
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.conduit.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 2048
memory = 768
}
vault {
policies = ["matrix-synapse-policy"]
}
template {
data = <<EOF
{{ with secret "kv/data/cluster/matrix/synapse" }}
registration_shared_secret: "{{ .Data.data.registration_shared_secret }}"
macaroon_secret_key: "{{ .Data.data.macaroon_secret_key }}"
form_secret: "{{ .Data.data.form_secret }}"
database:
name: "psycopg2"
args:
user: "synapse"
password: "{{ .Data.data.pgpass }}"
database: "synapse"
host: "127.0.0.1"
cp_min: 5
cp_max: 10
redis:
enabled: true
password: "{{ .Data.data.redis_password }}"
{{ end }}
EOF
destination = "/secrets/extra.yaml"
}
}
}
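Review bot: The redis task's `/secrets/redis_password` template renders `{{ .Data.data.redis_password }}` followed by a newline before `{{ end -}}`, so the file ends in `\n`; if the redis side reads the file verbatim, its password carries a trailing newline that the synapse workers (which receive the same value inline in `extra.yaml`) do not have — `{{ .Data.data.redis_password -}}` on that line removes it. In the postgresql `init.sql` template the four passwords are spliced into `alter user ... with password '...'` by plain interpolation, so a `'` in any `pgpass` breaks the statement; piping each value through `replaceAll "'" "''"` (or using a `$$...$$` dollar-quoted literal) keeps the rendering valid however the secret was generated. The `synapse` group's task still targets `nixngSystems.conduit...`, and the redis and postgresql tasks `conduitRedis` / `conduitPostgresql`; if those are the intended attribute names, a short comment explaining the naming would stop a reader from suspecting a wrong target.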
}