improve synapse

This commit is contained in:
XenGi 2026-02-08 12:37:17 +01:00
parent 4c9e01e754
commit 0b041cc949
Signed by: xengi
SSH key fingerprint: SHA256:dM+fLZGsDvyv6kunjE8bGduL24VsCFB4LEOSdmRHdG0
5 changed files with 53 additions and 39 deletions


@ -5,9 +5,10 @@
../common.nix ../common.nix
../../services/openssh.nix ../../services/openssh.nix
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix
./synapse.nix
./draupnir.nix
../../services/postgres.nix ../../services/postgres.nix
../../services/synapse.nix
../../services/draupnir.nix
../../services/prometheus.nix ../../services/prometheus.nix
../../services/grafana.nix ../../services/grafana.nix
]; ];

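--- /dev/null
+++ b/hosts/matrix/nginx.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+services.nginx.virtualHosts."matrix.berlin.ccc.de" = {
+default = true;
+quic = true;
+kTLS = true;
+forceSSL = true;
+enableACME = true;
+locations = {
+#"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+"/".return = "418 \"🫖\"";
+"~ ^(/_matrix|/_synapse/client)" = {
+recommendedProxySettings = true;
+proxyPass = "http://[::1]:8008";
+extraConfig = ''
+client_max_body_size 64M;
+proxy_set_header X-Request-ID $request_id;
+proxy_http_version 1.1;
+'';
+};
+};
+};
+}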
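Review bot: The location pattern `~ ^(/_matrix|/_synapse/client)` deliberately leaves `/_synapse/admin` unproxied, but nothing in the file says so; a one-line comment above it such as `# only the public Synapse paths are proxied; /_synapse/admin is intentionally excluded` would keep a later edit from widening the pattern. `client_max_body_size 64M;` has to agree with Synapse's `max_upload_size` (configured in services/synapse.nix, not in this file), otherwise uploads are rejected at one layer or the other — worth a `# keep in sync with services.matrix-synapse max_upload_size` comment. `recommendedProxySettings` forwards the client address in X-Forwarded-For; for Synapse rate limiting and logs to see real client IPs, the listener behind `http://[::1]:8008` needs `x_forwarded = true`, which cannot be confirmed from this page.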


@ -4,6 +4,11 @@ let
domain = "berlin.ccc.de"; domain = "berlin.ccc.de";
in in
{ {
networking.firewall.extraInputRules = ''
ip saddr 195.160.173.14 tcp dport 9009 accept
ip6 saddr 2001:678:760:cccb::14 tcp dport 9009 accept
'';
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
@ -42,7 +47,7 @@ in
type = "metrics"; type = "metrics";
tls = false; tls = false;
port = 9009; port = 9009;
bind_addresses = [ "::1" ]; bind_addresses = ["::" "0.0.0.0"];
resources = [ resources = [
{ {
compress = false; compress = false;
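Review bot: Rebinding the metrics listener from `[ "::1" ]` to `["::" "0.0.0.0"]` while keeping `tls = false` means the plaintext `/_synapse/metrics` endpoint on 9009 is protected only by the two nftables source rules added at the top of the file, and those rules do not say which host they admit; add a comment such as `# allow the Prometheus scraper (195.160.173.14 / 2001:678:760:cccb::14) to reach the plaintext metrics listener on 9009`. `networking.firewall.extraInputRules` only takes effect with the nftables-based firewall, so this relies on `networking.nftables.enable` being set somewhere outside this hunk — worth confirming in the same change. The enclosing `services.matrix-synapse` attribute set starts and ends outside the hunk.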


@ -1,44 +1,28 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
fqdn = "matrix.berlin.ccc.de";
in
{ {
users.users.nginx.extraGroups = [ "acme" ]; users.users.nginx.extraGroups = [ "acme" ];
services.nginx = { services = {
enable = true; nginx = {
resolver.addresses = [ enable = true;
"[2606:4700:4700::1111]" resolver.addresses = [
"[2620:fe::fe]" "[2606:4700:4700::1111]"
"1.1.1.1" "[2620:fe::fe]"
"9.9.9.9" "1.1.1.1"
]; "9.9.9.9"
statusPage = true; # http://127.0.0.1/nginx_status ];
sslProtocols = "TLSv1.3"; statusPage = true; # http://127.0.0.1/nginx_status
recommendedTlsSettings = true; sslProtocols = "TLSv1.3";
recommendedOptimisation = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedOptimisation = true;
recommendedBrotliSettings = true; recommendedGzipSettings = true;
virtualHosts."${fqdn}" = { recommendedBrotliSettings = true;
default = true; };
quic = true; prometheus.exporters.nginx = {
kTLS = true; enable = true;
forceSSL = true; firewallRules = config.services.prometheus.exporters.node.firewallRules;
enableACME = true; openFirewall = true;
locations = {
#"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
"/".return = "418 \"🫖\"";
"~ ^(/_matrix|/_synapse/client)" = {
recommendedProxySettings = true;
proxyPass = "http://[::1]:8008";
extraConfig = ''
client_max_body_size 64M;
proxy_set_header X-Request-ID $request_id;
proxy_http_version 1.1;
'';
};
};
}; };
}; };
} }
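Review bot: `prometheus.exporters.nginx` sets `openFirewall = true` without a `listenAddress`, so the exporter listens on the module's default wildcard address and its reachability rests entirely on `config.services.prometheus.exporters.node.firewallRules`, which is defined outside this hunk and outside this page; confirm those rules restrict the source to the scraper, and record the intent inline, e.g. `# reuse the node exporter's scraper-only rules so the nginx exporter port is not world-reachable`. The exporter reads the status page enabled by `statusPage = true`, which per the existing comment is served on 127.0.0.1, so that side's exposure is unchanged. With the virtual host moved to hosts/matrix/nginx.nix the `fqdn` binding is gone from this file and the hostname is now a literal there; a header comment like `# host-specific virtual hosts live in hosts/matrix/nginx.nix` would tell the next reader where it went.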