Move Matrix Synapse into kubernetes

Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
magic_rb 2024-11-23 20:17:44 +01:00
parent acba18ed6a
commit 8a341b2012
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
7 changed files with 232 additions and 390 deletions


@ -17,7 +17,7 @@
enable_registration_without_verification = false;
federation_sender_instances = [
"worker-federation-sender-0"
"worker-federation-sender"
];
instance_map.main = {
host = "localhost";


@ -28,12 +28,12 @@
};
in {
flake.nixngConfigurations.synapseFederationSender = callPackage ./generic_worker.nix {
name = "generic";
name = "federation-sender";
listener_resources = singleton "health";
port = 6171;
};
flake.nixngConfigurations.synapseFederationReceiver = callPackage ./generic_worker.nix {
name = "generic";
name = "federation-receiver";
listener_resources = [
"health"
"federation"
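Review bot: `name = "federation-sender";` in this hunk has to produce the worker name the homeserver config now lists under `federation_sender_instances` (`"worker-federation-sender"` in the first file of this commit); `generic_worker.nix` is not in the diff, so presumably it prefixes `worker-`, but that is worth confirming. As far as I recall, when `federation_sender_instances` is non-empty the main process stops sending federation and a worker only sends if its `worker_name` is in that list, so a mismatch stops outbound federation quietly rather than failing at startup. A one-line comment on the `name` line, `# must match federation_sender_instances in the homeserver config (worker-<name>)`, would pin the coupling; the same applies to the `name` values in the other hunks of this file.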
@ -41,7 +41,7 @@ in {
port = 6170;
};
flake.nixngConfigurations.synapseClient = callPackage ./generic_worker.nix {
name = "generic";
name = "client";
listener_resources = [
"client"
"health"
@ -49,7 +49,7 @@ in {
port = 6168;
};
flake.nixngConfigurations.synapseSync = callPackage ./generic_worker.nix {
name = "generic";
name = "sync";
listener_resources = [
"client"
"health"
@ -59,4 +59,5 @@ in {
flake.nixngConfigurations.synapseRedis = callPackage ./redis.nix {};
flake.nixngConfigurations.synapsePostgreSQL = callPackage ./postgresql.nix {};
flake.nixngConfigurations.synapse = callPackage ./synapse.nix {};
flake.nixngConfigurations.synapseRouter = callPackage ./router.nix {};
}


@ -0,0 +1,175 @@
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "synapse-router";
inherit nixpkgs;
config = {pkgs, ...}: {
dinit.enable = true;
init.services.nginx.shutdownOnExit = true;
services.nginx = {
enable = true;
envsubst = true;
configuration = [
{
daemon = "off";
worker_processes = 2;
user = "nginx";
events."" = {
use = "epoll";
worker_connections = 128;
};
error_log = ["/dev/stderr" "warn"];
pid = "/nginx.pid";
http."" = {
server_tokens = "off";
include = [
["${pkgs.nginx}/conf/mime.types"]
];
charset = "utf-8";
access_log = ["/dev/stdout" "combined"];
upstream."synapse_master" = {
server = "127.0.0.1:6167";
};
upstream."synapse_federation_receiver" = {
server = "127.0.0.1:6170";
};
upstream."synapse_client" = {
server = "127.0.0.1:6168";
};
upstream."synapse_sync" = {
server = "127.0.0.1:6169";
};
map."$$uri $$synapse_backend" = {
default = "synapse_master";
# Sync requests
"~*^/_matrix/client/(r0|v3)/sync$" = "synapse_sync";
"~*^/_matrix/client/(api/v1|r0|v3)/events$" = "synapse_sync";
"~*^/_matrix/client/(api/v1|r0|v3)/initialSync$" = "synapse_sync";
"~*^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = "synapse_sync";
# Federation requests
"~*^/_matrix/federation/v1/event/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/state/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/state_ids/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/backfill/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/get_missing_events/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/publicRooms" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/query/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/make_join/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/make_leave/" = "synapse_federation_receiver";
"~*^/_matrix/federation/(v1|v2)/send_join/" = "synapse_federation_receiver";
"~*^/_matrix/federation/(v1|v2)/send_leave/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/make_knock/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/send_knock/" = "synapse_federation_receiver";
"~*^/_matrix/federation/(v1|v2)/invite/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/event_auth/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/timestamp_to_event/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/exchange_third_party_invite/" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/user/devices/" = "synapse_federation_receiver";
"~*^/_matrix/key/v2/query" = "synapse_federation_receiver";
"~*^/_matrix/federation/v1/hierarchy/" = "synapse_federation_receiver";
# Inbound federation transaction request
"~*^/_matrix/federation/v1/send/" = "synapse_federation_receiver";
# Client API requests
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" = "synapse_client";
"~*^/_matrix/client/v1/rooms/.*/hierarchy$" = "synapse_client";
"~*^/_matrix/client/(v1|unstable)/rooms/.*/relations/" = "synapse_client";
"~*^/_matrix/client/v1/rooms/.*/threads$" = "synapse_client";
"~*^/_matrix/client/unstable/im.nheko.summary/summary/.*$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/account/3pid$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/account/whoami$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/devices$" = "synapse_client";
"~*^/_matrix/client/versions$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" = "synapse_client";
"~*^/_matrix/client/v1/rooms/.*/timestamp_to_event$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/search$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$)" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/capabilities$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/notifications$" = "synapse_client";
# Encryption requests
"~*^/_matrix/client/(r0|v3|unstable)/keys/query$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/keys/changes$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/keys/claim$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/room_keys/" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/keys/upload/" = "synapse_client";
# Registration/login requests
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/login$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/register$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/register/available$" = "synapse_client";
"~*^/_matrix/client/v1/register/m.login.registration_token/validity$" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/password_policy$" = "synapse_client";
# Event sending requests
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/join/" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/knock/" = "synapse_client";
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/profile/" = "synapse_client";
# Account data requests
"~*^/_matrix/client/(r0|v3|unstable)/.*/tags" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/.*/account_data" = "synapse_client";
# Receipts requests
"~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" = "synapse_client";
"~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" = "synapse_client";
# Presence requests
"~*^/_matrix/client/(api/v1|r0|v3|unstable)/presence/" = "synapse_client";
# User directory search requests
"~*^/_matrix/client/(r0|v3|unstable)/user_directory/search$" = "synapse_client";
};
server."" = {
listen = ["80" "default_server"];
server_name = [
"matrix.redalder.org"
];
location."/_matrix" = {
proxy_http_version = "1.1";
proxy_pass = "http://$$synapse_backend";
client_max_body_size = "50M";
add_header = ["Backend-Server" "$$synapse_backend"];
};
location."/" = {
return = ["404"];
};
};
};
}
];
};
};
}
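Review bot: Anything outside `/_matrix` now gets a 404 from `location."/"` at the end of the server block, while the nginx config this commit replaces proxied `^(/.well-known|/_matrix|/_synapse/client)` to the master — and since the HTTPRoute in the kubernetes file is reduced to a single catch-all rule to port 80, that 404 is what external clients will see. If this deployment relies on `/_synapse/client/*` (SSO/OIDC callbacks, password-reset pages) or serves `/.well-known/matrix/*` from Synapse, add a `location."/_synapse/client"` (and `/.well-known` if applicable) with the same `proxy_pass` to `synapse_master`; leaving `/_synapse/admin` unrouted, as before, is the right default. Separately, `proxy_pass` here has no `Host` override, so the upstream name (`synapse_client` etc.) is sent as `Host`, whereas the old config set `proxy_set_header Host $host`; `proxy_set_header = ["Host" "$$host"];` inside `location."/_matrix"` restores it (the module's repeated-directive form appears to be the list-of-lists used for `include` above, so check the exact syntax). Do not add `X-Forwarded-Proto $$scheme` here: this listener is plain port 80, so it would overwrite the `https` value the TLS gateway already set.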


@ -11,19 +11,7 @@ upstream website {
}
upstream matrix-synapse {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
}
upstream matrix-synapse-federation-receiver {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }};
}
upstream matrix-synapse-client {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }};
}
upstream matrix-synapse-sync {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }};
server 10.64.2.1:8344;
}
server {
@ -100,236 +88,15 @@ server {
listen 8448 ssl http2;
server_name matrix.redalder.org;
merge_slashes off;
# sync
location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-sync;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# federation
location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-federation-receiver;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# inbound federation requests
location ~ ^/_matrix/federation/v1/send/ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-federation-receiver;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# client api
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-client;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# encryption
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-client;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# registration login
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-client;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# event sending
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-client;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# account data
location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# receipts requests
location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# presence requests
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# user directory search
location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse-client;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
# the rest
location ~ ^(/.well-known|/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
location /mufb/ {
proxy_pass http://matrix-mautrix-facebook$request_uri;
proxy_set_header Host $http_host;
proxy_buffering off;
}
location / {
return 404;
}
include /local/security.conf;
include /local/ssl.conf;
location / {
include /local/headers.conf;
proxy_pass http://matrix-synapse;
proxy_http_version 1.1;
}
}
server {
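Review bot: The new `location /` that proxies everything to `matrix-synapse` carries no `client_max_body_size`, while every location block it replaces set `client_max_body_size 50M` with a comment explaining that nginx's default caps uploads at 1M; unless `/local/headers.conf` or the enclosing `server` block (which begins before this hunk) sets it, media uploads larger than 1M will now be rejected at this edge with 413 before they reach the router. The same question applies to `proxy_set_header X-Forwarded-For`, `X-Forwarded-Proto` and `Host` — the name `headers.conf` suggests they live there, but that include is not in the diff, so confirm. Adding `client_max_body_size 50M;` next to `proxy_http_version 1.1;` keeps the old limit. The `upstream matrix-synapse` change in the first hunk of this file hard-codes `10.64.2.1:8344` as a plaintext HTTP hop, which is fine on a trusted network, but a comment naming what it points at would help the next reader.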


@ -75,10 +75,10 @@ in {
name = "hydra";
source = ./containers/hydra;
})
(terraformModule {
name = "matrix";
source = ./containers/matrix;
})
# (terraformModule {
# name = "matrix";
# source = ./containers/matrix;
# })
(terraformModule {
name = "home-assistant";
source = ./containers/home-assistant;


@ -83,7 +83,7 @@ in {
./website.nix
./jellyfin.nix
./gitea.nix
# ./matrix.nix
./matrix.nix
# ./mautrix-discord.nix
(copyNixNGImage {


@ -30,6 +30,19 @@ in {
"blowhole.hosts.in.redalder.org"
];
})
(copyNixNGImage {
name = "synapse-router";
image =
(inputs.nix-snapshotter.packages.${pkgs.stdenv.system}.nix-snapshotter.buildImage {
name = "synapse-router";
resolvedByNix = true;
config.entrypoint = ["${inputs.self.nixngConfigurations.synapseRouter.config.system.build.toplevel}/init"];
})
.image;
hosts = [
"blowhole.hosts.in.redalder.org"
];
})
(copyNixNGImage {
name = "synapse-client";
image =
@ -368,6 +381,25 @@ in {
};
spec = {
containers = [
{
name = "router";
image =
tf "data.external.nixng-image-synapse-router.result.out";
ports = [
{
name = "routed-http";
containerPort = 80;
}
];
resources.limits = {
cpu = "400m";
memory = "128Mi";
};
resources.requests = {
cpu = "200m";
memory = "96Mi";
};
}
{
name = "redis";
image =
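Review bot: The `router` container has no readiness or liveness probe, and with the HTTPRoute in the last hunk of this file reduced to a single catch-all to port 80, this nginx is now the only path to every Synapse endpoint, so a pod whose nginx has not started or has died is still handed all traffic. If the other containers in this pod declare probes (they are outside the hunk), a `readinessProbe.tcpSocket.port = "routed-http";` and a matching `livenessProbe` would fit; an `httpGet` on `/` will not work because the router answers 404 there. The `containers` list this hunk sits in starts before and ends after it.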
@ -609,6 +641,12 @@ in {
protocol = "TCP";
targetPort = "postgresql";
}
{
name = "routed-http";
port = 80;
protocol = "TCP";
targetPort = "routed-http";
}
{
name = "master-http";
port = 6167;
@ -662,151 +700,12 @@ in {
];
hostnames = ["matrix.redalder.org"];
rules = [
# Client Worker
{
matches = lib.singleton {
path.type = "RegularExpression";
path.value = lib.concatStringsSep "|" [
# Federation requests
"(/_matrix/federation/v1/event/.*)"
"(/_matrix/federation/v1/state/.*)"
"(/_matrix/federation/v1/state_ids/.*)"
"(/_matrix/federation/v1/backfill/.*)"
"(/_matrix/federation/v1/get_missing_events/.*)"
"(/_matrix/federation/v1/publicRooms.*)"
"(/_matrix/federation/v1/query/.*)"
"(/_matrix/federation/v1/make_join/.*)"
"(/_matrix/federation/v1/make_leave/.*)"
"(/_matrix/federation/(v1|v2)/send_join/.*)"
"(/_matrix/federation/(v1|v2)/send_leave/.*)"
"(/_matrix/federation/(v1|v2)/invite/.*)"
"(/_matrix/federation/v1/event_auth/.*)"
"(/_matrix/federation/v1/exchange_third_party_invite/.*)"
"(/_matrix/federation/v1/user/devices/.*)"
"(/_matrix/key/v2/query.*)"
"(/_matrix/federation/v1/hierarchy/.*)"
# Inbound federation transaction request
"(/_matrix/federation/v1/send/.*)"
];
};
backendRefs = [
{
name = "synapse";
namespace = "matrix";
port = 6170;
}
];
}
# Client Worker
{
matches =
map (value: {
path.type = "RegularExpression";
path.value = value;
}) [
(lib.concatStringsSep "|" [
# Client API requests
"(/_matrix/client/(api/v1|r0|v3|unstable)/createRoom)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state)"
"(/_matrix/client/v1/rooms/.*/hierarchy)"
"(/_matrix/client/(v1|unstable)/rooms/.*/relations/.*)"
"(/_matrix/client/v1/rooms/.*/threads.*)"
"(/_matrix/client/unstable/im.nheko.summary/summary/.*)"
"(/_matrix/client/(r0|v3|unstable)/account/3pid)"
"(/_matrix/client/(r0|v3|unstable)/account/whoami)"
"(/_matrix/client/(r0|v3|unstable)/devices)"
"(/_matrix/client/versions)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms)"
])
(lib.concatStringsSep "|" [
# Client API requests
"(/_matrix/client/v1/rooms/.*/timestamp_to_event)"
"(/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/search)"
"(/_matrix/client/(r0|v3|unstable)/user/.*/filter/?.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*)"
"(/_matrix/client/(r0|v3|unstable)/capabilities)"
"(/_matrix/client/(r0|v3|unstable)/notifications)"
# Encryption requests
"(/_matrix/client/(r0|v3|unstable)/keys/query)"
"(/_matrix/client/(r0|v3|unstable)/keys/changes)"
"(/_matrix/client/(r0|v3|unstable)/keys/claim)"
"(/_matrix/client/(r0|v3|unstable)/room_keys/.*)"
"(/_matrix/client/(r0|v3|unstable)/keys/upload/.*)"
# Registration/login requests
"(/_matrix/client/(api/v1|r0|v3|unstable)/login)"
"(/_matrix/client/(r0|v3|unstable)/register)"
"(/_matrix/client/(r0|v3|unstable)/register/available)"
"(/_matrix/client/v1/register/m.login.registration_token/validity)"
"(/_matrix/client/(r0|v3|unstable)/password_policy)"
])
(lib.concatStringsSep "|" [
# Event sending requests
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick))"
"(/_matrix/client/(api/v1|r0|v3|unstable)/join/.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/knock/.*)"
"(/_matrix/client/(api/v1|r0|v3|unstable)/profile/.*)"
# Account data requests
"(/_matrix/client/(r0|v3|unstable)/.*/tags.*)"
"(/_matrix/client/(r0|v3|unstable)/.*/account_data.*)"
# Receipts requests
"(/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt.*)"
"(/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers.*)"
# Presence requests
"(/_matrix/client/(api/v1|r0|v3|unstable)/presence/.*)"
# User directory search requests
"(/_matrix/client/(r0|v3|unstable)/user_directory/search)"
])
];
backendRefs = [
{
name = "synapse";
namespace = "matrix";
port = 6168;
}
];
}
# Sync Worker
{
matches = lib.singleton {
path.type = "RegularExpression";
path.value = lib.concatStringsSep "|" [
"(/_matrix/client/(r0|v3)/sync)"
"(/_matrix/client/(api/v1|r0|v3)/events)"
"(/_matrix/client/(api/v1|r0|v3)/initialSync)"
"(/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync)"
];
};
backendRefs = [
{
name = "synapse";
namespace = "matrix";
port = 6169;
}
];
}
{
backendRefs = [
{
name = "synapse";
namespace = "matrix";
port = 6167;
port = 80;
}
];
}