Move Matrix Synapse into kubernetes
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
parent
acba18ed6a
commit
8a341b2012
|
@ -17,7 +17,7 @@
|
|||
enable_registration_without_verification = false;
|
||||
|
||||
federation_sender_instances = [
|
||||
"worker-federation-sender-0"
|
||||
"worker-federation-sender"
|
||||
];
|
||||
instance_map.main = {
|
||||
host = "localhost";
|
||||
|
|
|
@ -28,12 +28,12 @@
|
|||
};
|
||||
in {
|
||||
flake.nixngConfigurations.synapseFederationSender = callPackage ./generic_worker.nix {
|
||||
name = "generic";
|
||||
name = "federation-sender";
|
||||
listener_resources = singleton "health";
|
||||
port = 6171;
|
||||
};
|
||||
flake.nixngConfigurations.synapseFederationReceiver = callPackage ./generic_worker.nix {
|
||||
name = "generic";
|
||||
name = "federation-receiver";
|
||||
listener_resources = [
|
||||
"health"
|
||||
"federation"
|
||||
|
@ -41,7 +41,7 @@ in {
|
|||
port = 6170;
|
||||
};
|
||||
flake.nixngConfigurations.synapseClient = callPackage ./generic_worker.nix {
|
||||
name = "generic";
|
||||
name = "client";
|
||||
listener_resources = [
|
||||
"client"
|
||||
"health"
|
||||
|
@ -49,7 +49,7 @@ in {
|
|||
port = 6168;
|
||||
};
|
||||
flake.nixngConfigurations.synapseSync = callPackage ./generic_worker.nix {
|
||||
name = "generic";
|
||||
name = "sync";
|
||||
listener_resources = [
|
||||
"client"
|
||||
"health"
|
||||
|
@ -59,4 +59,5 @@ in {
|
|||
flake.nixngConfigurations.synapseRedis = callPackage ./redis.nix {};
|
||||
flake.nixngConfigurations.synapsePostgreSQL = callPackage ./postgresql.nix {};
|
||||
flake.nixngConfigurations.synapse = callPackage ./synapse.nix {};
|
||||
flake.nixngConfigurations.synapseRouter = callPackage ./router.nix {};
|
||||
}
|
||||
|
|
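--- /dev/null
+++ b/nixng/containers/matrix/synapse/router.nix
@@ -0,0 +1,175 @@
+{
+makeSystem,
+nixpkgs,
+}:
+makeSystem {
+system = "x86_64-linux";
+name = "synapse-router";
+inherit nixpkgs;
+config = {pkgs, ...}: {
+dinit.enable = true;
+init.services.nginx.shutdownOnExit = true;
+
+services.nginx = {
+enable = true;
+envsubst = true;
+configuration = [
+{
+daemon = "off";
+worker_processes = 2;
+user = "nginx";
+
+events."" = {
+use = "epoll";
+worker_connections = 128;
+};
+
+error_log = ["/dev/stderr" "warn"];
+
+pid = "/nginx.pid";
+
+http."" = {
+server_tokens = "off";
+include = [
+["${pkgs.nginx}/conf/mime.types"]
+];
+charset = "utf-8";
+access_log = ["/dev/stdout" "combined"];
+
+upstream."synapse_master" = {
+server = "127.0.0.1:6167";
+};
+
+upstream."synapse_federation_receiver" = {
+server = "127.0.0.1:6170";
+};
+
+upstream."synapse_client" = {
+server = "127.0.0.1:6168";
+};
+
+upstream."synapse_sync" = {
+server = "127.0.0.1:6169";
+};
+
+map."$$uri $$synapse_backend" = {
+default = "synapse_master";
+
+# Sync requests
+"~*^/_matrix/client/(r0|v3)/sync$" = "synapse_sync";
+"~*^/_matrix/client/(api/v1|r0|v3)/events$" = "synapse_sync";
+"~*^/_matrix/client/(api/v1|r0|v3)/initialSync$" = "synapse_sync";
+"~*^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = "synapse_sync";
+
+# Federation requests
+"~*^/_matrix/federation/v1/event/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/state/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/state_ids/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/backfill/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/get_missing_events/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/publicRooms" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/query/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/make_join/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/make_leave/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/(v1|v2)/send_join/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/(v1|v2)/send_leave/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/make_knock/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/send_knock/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/(v1|v2)/invite/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/event_auth/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/timestamp_to_event/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/exchange_third_party_invite/" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/user/devices/" = "synapse_federation_receiver";
+"~*^/_matrix/key/v2/query" = "synapse_federation_receiver";
+"~*^/_matrix/federation/v1/hierarchy/" = "synapse_federation_receiver";
+
+# Inbound federation transaction request
+"~*^/_matrix/federation/v1/send/" = "synapse_federation_receiver";
+
+# Client API requests
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$" = "synapse_client";
+"~*^/_matrix/client/v1/rooms/.*/hierarchy$" = "synapse_client";
+"~*^/_matrix/client/(v1|unstable)/rooms/.*/relations/" = "synapse_client";
+"~*^/_matrix/client/v1/rooms/.*/threads$" = "synapse_client";
+"~*^/_matrix/client/unstable/im.nheko.summary/summary/.*$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/account/3pid$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/account/whoami$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/devices$" = "synapse_client";
+"~*^/_matrix/client/versions$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$" = "synapse_client";
+"~*^/_matrix/client/v1/rooms/.*/timestamp_to_event$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/search$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$)" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/capabilities$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/notifications$" = "synapse_client";
+
+# Encryption requests
+"~*^/_matrix/client/(r0|v3|unstable)/keys/query$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/keys/changes$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/keys/claim$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/room_keys/" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/keys/upload/" = "synapse_client";
+
+# Registration/login requests
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/login$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/register$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/register/available$" = "synapse_client";
+"~*^/_matrix/client/v1/register/m.login.registration_token/validity$" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/password_policy$" = "synapse_client";
+
+# Event sending requests
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/join/" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/knock/" = "synapse_client";
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/profile/" = "synapse_client";
+
+# Account data requests
+"~*^/_matrix/client/(r0|v3|unstable)/.*/tags" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/.*/account_data" = "synapse_client";
+
+# Receipts requests
+"~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt" = "synapse_client";
+"~*^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers" = "synapse_client";
+
+# Presence requests
+"~*^/_matrix/client/(api/v1|r0|v3|unstable)/presence/" = "synapse_client";
+
+# User directory search requests
+"~*^/_matrix/client/(r0|v3|unstable)/user_directory/search$" = "synapse_client";
+};
+
+server."" = {
+listen = ["80" "default_server"];
+server_name = [
+"matrix.redalder.org"
+];
+
+location."/_matrix" = {
+proxy_http_version = "1.1";
+proxy_pass = "http://$$synapse_backend";
+client_max_body_size = "50M";
+add_header = ["Backend-Server" "$$synapse_backend"];
+};
+
+location."/" = {
+return = ["404"];
+};
+};
+};
+}
+];
+};
+};
+}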
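Review bot: The `/_matrix` location (`proxy_pass = "http://$$synapse_backend"`) carries no `proxy_set_header`, so nginx rewrites `Host` to the upstream name and neither appends the client address to `X-Forwarded-For` nor sets `X-Forwarded-Proto`, whereas every Synapse location removed from the Nomad nginx config in this same commit set all three. If the Synapse listeners run with `x_forwarded: true`, per-IP rate limiting and the IPs shown in the admin API will then reflect whatever hop sits in front of this router rather than the real client, unless that hop already supplies the headers (its `headers.conf` is not visible here). Following the list-of-lists form used for `include` at the http level, add `proxy_set_header = [["X-Forwarded-For" "$$proxy_add_x_forwarded_for"] ["X-Forwarded-Proto" "$$scheme"] ["Host" "$$host"]];` to the location, keeping the doubled `$$` that `envsubst = true` requires. Separately, `add_header = ["Backend-Server" "$$synapse_backend"];` tells every client and federation peer which internal worker served the request; it is useful while debugging the routing but should be dropped or gated before this becomes the production path.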
@ -11,19 +11,7 @@ upstream website {
|
|||
}
|
||||
|
||||
upstream matrix-synapse {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
|
||||
}
|
||||
|
||||
upstream matrix-synapse-federation-receiver {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }};
|
||||
}
|
||||
|
||||
upstream matrix-synapse-client {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }};
|
||||
}
|
||||
|
||||
upstream matrix-synapse-sync {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }};
|
||||
server 10.64.2.1:8344;
|
||||
}
|
||||
|
||||
server {
|
||||
|
@ -100,236 +88,15 @@ server {
|
|||
listen 8448 ssl http2;
|
||||
|
||||
server_name matrix.redalder.org;
|
||||
merge_slashes off;
|
||||
|
||||
# sync
|
||||
location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-sync;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# federation
|
||||
location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-federation-receiver;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# inbound federation requests
|
||||
location ~ ^/_matrix/federation/v1/send/ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-federation-receiver;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# client api
|
||||
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-client;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# encryption
|
||||
location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-client;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# registration login
|
||||
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-client;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# event sending
|
||||
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-client;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# account data
|
||||
location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# receipts requests
|
||||
location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# presence requests
|
||||
location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# user directory search
|
||||
location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse-client;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
# the rest
|
||||
location ~ ^(/.well-known|/_matrix|/_synapse/client) {
|
||||
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
||||
# otherwise nginx will canonicalise the URI and cause signature verification
|
||||
# errors.
|
||||
proxy_pass http://matrix-synapse;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Nginx by default only allows file uploads up to 1M in size
|
||||
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
||||
client_max_body_size 50M;
|
||||
|
||||
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
location /mufb/ {
|
||||
proxy_pass http://matrix-mautrix-facebook$request_uri;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_buffering off;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 404;
|
||||
}
|
||||
|
||||
include /local/security.conf;
|
||||
include /local/ssl.conf;
|
||||
|
||||
location / {
|
||||
include /local/headers.conf;
|
||||
proxy_pass http://matrix-synapse;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
|
|
|
@ -75,10 +75,10 @@ in {
|
|||
name = "hydra";
|
||||
source = ./containers/hydra;
|
||||
})
|
||||
(terraformModule {
|
||||
name = "matrix";
|
||||
source = ./containers/matrix;
|
||||
})
|
||||
# (terraformModule {
|
||||
# name = "matrix";
|
||||
# source = ./containers/matrix;
|
||||
# })
|
||||
(terraformModule {
|
||||
name = "home-assistant";
|
||||
source = ./containers/home-assistant;
|
||||
|
|
|
@ -83,7 +83,7 @@ in {
|
|||
./website.nix
|
||||
./jellyfin.nix
|
||||
./gitea.nix
|
||||
# ./matrix.nix
|
||||
./matrix.nix
|
||||
# ./mautrix-discord.nix
|
||||
|
||||
(copyNixNGImage {
|
||||
|
|
|
@ -30,6 +30,19 @@ in {
|
|||
"blowhole.hosts.in.redalder.org"
|
||||
];
|
||||
})
|
||||
(copyNixNGImage {
|
||||
name = "synapse-router";
|
||||
image =
|
||||
(inputs.nix-snapshotter.packages.${pkgs.stdenv.system}.nix-snapshotter.buildImage {
|
||||
name = "synapse-router";
|
||||
resolvedByNix = true;
|
||||
config.entrypoint = ["${inputs.self.nixngConfigurations.synapseRouter.config.system.build.toplevel}/init"];
|
||||
})
|
||||
.image;
|
||||
hosts = [
|
||||
"blowhole.hosts.in.redalder.org"
|
||||
];
|
||||
})
|
||||
(copyNixNGImage {
|
||||
name = "synapse-client";
|
||||
image =
|
||||
|
@ -368,6 +381,25 @@ in {
|
|||
};
|
||||
spec = {
|
||||
containers = [
|
||||
{
|
||||
name = "router";
|
||||
image =
|
||||
tf "data.external.nixng-image-synapse-router.result.out";
|
||||
ports = [
|
||||
{
|
||||
name = "routed-http";
|
||||
containerPort = 80;
|
||||
}
|
||||
];
|
||||
resources.limits = {
|
||||
cpu = "400m";
|
||||
memory = "128Mi";
|
||||
};
|
||||
resources.requests = {
|
||||
cpu = "200m";
|
||||
memory = "96Mi";
|
||||
};
|
||||
}
|
||||
{
|
||||
name = "redis";
|
||||
image =
|
||||
|
@ -609,6 +641,12 @@ in {
|
|||
protocol = "TCP";
|
||||
targetPort = "postgresql";
|
||||
}
|
||||
{
|
||||
name = "routed-http";
|
||||
port = 80;
|
||||
protocol = "TCP";
|
||||
targetPort = "routed-http";
|
||||
}
|
||||
{
|
||||
name = "master-http";
|
||||
port = 6167;
|
||||
|
@ -662,151 +700,12 @@ in {
|
|||
];
|
||||
hostnames = ["matrix.redalder.org"];
|
||||
rules = [
|
||||
# Client Worker
|
||||
{
|
||||
matches = lib.singleton {
|
||||
path.type = "RegularExpression";
|
||||
path.value = lib.concatStringsSep "|" [
|
||||
# Federation requests
|
||||
"(/_matrix/federation/v1/event/.*)"
|
||||
"(/_matrix/federation/v1/state/.*)"
|
||||
"(/_matrix/federation/v1/state_ids/.*)"
|
||||
"(/_matrix/federation/v1/backfill/.*)"
|
||||
"(/_matrix/federation/v1/get_missing_events/.*)"
|
||||
"(/_matrix/federation/v1/publicRooms.*)"
|
||||
"(/_matrix/federation/v1/query/.*)"
|
||||
"(/_matrix/federation/v1/make_join/.*)"
|
||||
"(/_matrix/federation/v1/make_leave/.*)"
|
||||
"(/_matrix/federation/(v1|v2)/send_join/.*)"
|
||||
"(/_matrix/federation/(v1|v2)/send_leave/.*)"
|
||||
"(/_matrix/federation/(v1|v2)/invite/.*)"
|
||||
"(/_matrix/federation/v1/event_auth/.*)"
|
||||
"(/_matrix/federation/v1/exchange_third_party_invite/.*)"
|
||||
"(/_matrix/federation/v1/user/devices/.*)"
|
||||
"(/_matrix/key/v2/query.*)"
|
||||
"(/_matrix/federation/v1/hierarchy/.*)"
|
||||
|
||||
# Inbound federation transaction request
|
||||
"(/_matrix/federation/v1/send/.*)"
|
||||
];
|
||||
};
|
||||
backendRefs = [
|
||||
{
|
||||
name = "synapse";
|
||||
namespace = "matrix";
|
||||
port = 6170;
|
||||
}
|
||||
];
|
||||
}
|
||||
# Client Worker
|
||||
{
|
||||
matches =
|
||||
map (value: {
|
||||
path.type = "RegularExpression";
|
||||
path.value = value;
|
||||
}) [
|
||||
(lib.concatStringsSep "|" [
|
||||
# Client API requests
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/createRoom)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state)"
|
||||
"(/_matrix/client/v1/rooms/.*/hierarchy)"
|
||||
"(/_matrix/client/(v1|unstable)/rooms/.*/relations/.*)"
|
||||
"(/_matrix/client/v1/rooms/.*/threads.*)"
|
||||
"(/_matrix/client/unstable/im.nheko.summary/summary/.*)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/account/3pid)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/account/whoami)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/devices)"
|
||||
"(/_matrix/client/versions)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms)"
|
||||
])
|
||||
(lib.concatStringsSep "|" [
|
||||
# Client API requests
|
||||
"(/_matrix/client/v1/rooms/.*/timestamp_to_event)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/search)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/user/.*/filter/?.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/directory/room/.*)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/capabilities)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/notifications)"
|
||||
# Encryption requests
|
||||
"(/_matrix/client/(r0|v3|unstable)/keys/query)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/keys/changes)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/keys/claim)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/room_keys/.*)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/keys/upload/.*)"
|
||||
|
||||
# Registration/login requests
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/login)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/register)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/register/available)"
|
||||
"(/_matrix/client/v1/register/m.login.registration_token/validity)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/password_policy)"
|
||||
])
|
||||
|
||||
(lib.concatStringsSep "|" [
|
||||
# Event sending requests
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick))"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/join/.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/knock/.*)"
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/profile/.*)"
|
||||
|
||||
# Account data requests
|
||||
"(/_matrix/client/(r0|v3|unstable)/.*/tags.*)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/.*/account_data.*)"
|
||||
|
||||
# Receipts requests
|
||||
"(/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt.*)"
|
||||
"(/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers.*)"
|
||||
|
||||
# Presence requests
|
||||
"(/_matrix/client/(api/v1|r0|v3|unstable)/presence/.*)"
|
||||
|
||||
# User directory search requests
|
||||
"(/_matrix/client/(r0|v3|unstable)/user_directory/search)"
|
||||
])
|
||||
];
|
||||
backendRefs = [
|
||||
{
|
||||
name = "synapse";
|
||||
namespace = "matrix";
|
||||
port = 6168;
|
||||
}
|
||||
];
|
||||
}
|
||||
# Sync Worker
|
||||
{
|
||||
matches = lib.singleton {
|
||||
path.type = "RegularExpression";
|
||||
path.value = lib.concatStringsSep "|" [
|
||||
"(/_matrix/client/(r0|v3)/sync)"
|
||||
"(/_matrix/client/(api/v1|r0|v3)/events)"
|
||||
"(/_matrix/client/(api/v1|r0|v3)/initialSync)"
|
||||
"(/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync)"
|
||||
];
|
||||
};
|
||||
backendRefs = [
|
||||
{
|
||||
name = "synapse";
|
||||
namespace = "matrix";
|
||||
port = 6169;
|
||||
}
|
||||
];
|
||||
}
|
||||
{
|
||||
backendRefs = [
|
||||
{
|
||||
name = "synapse";
|
||||
namespace = "matrix";
|
||||
port = 6167;
|
||||
port = 80;
|
||||
}
|
||||
];
|
||||
}
|
||||
|
|