machines/biotite: add matrix-synapse and backup

2024-12-03 16:37:42 +08:00 · 2024-12-03 16:37:42 +08:00 · bf74a01049
commit bf74a01049
parent 83f7700949
6 changed files with 224 additions and 2 deletions
--- a/machines/biotite/services/gotosocial.nix
+++ b/machines/biotite/services/gotosocial.nix
@ -27,6 +27,7 @@
      oidc-client-id = "gotosocial";
      oidc-link-existing = true;
    };
+    setupPostgresqlDB = true;
    environmentFile = config.sops.templates."gotosocial.env".path;
  };

--- a/machines/biotite/services/restic.nix
+++ b/machines/biotite/services/restic.nix
@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sqliteBackup = fromPath: toPath: file: ''
+    mkdir -p ${toPath}
+    ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
+  '';
+in
+{
+  sops.secrets = {
+    "restic/repo_url" = {
+      sopsFile = ../secrets.yaml;
+    };
+    "restic/repo_password" = {
+      sopsFile = ../secrets.yaml;
+    };
+  };
+
+  custom.restic = {
+    enable = true;
+    paths = [
+      "/backup/db"
+      "/backup/var/lib"
+    ];
+    backupPrepareCommand = [
+      ''
+        mkdir -p /backup/var
+        ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /var/lib /backup/var/lib
+      ''
+    ];
+    backupCleanupCommand = [
+      ''
+        ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup/var/lib
+      ''
+    ];
+    btrfsRoots = [ ];
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    compression = "zstd";
+    compressionLevel = 9;
+    location = "/backup/db/postgresql";
+  };
+
+  services.restic.backups.${config.networking.hostName} = {
+    extraBackupArgs = [
+      "--limit-upload=1024"
+    ];
+  };
+}
--- a/machines/biotite/services/synapse.nix
+++ b/machines/biotite/services/synapse.nix
@ -0,0 +1,113 @@
+{ config, pkgs, ... }:
+let
+  port-synapse = 6823;
+in
+{
+  sops.secrets."synapse/oidc_client_secret" = {
+    owner = "matrix-synapse";
+  };
+
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
+  services.postgresql = {
+    # Not using ensure here because LC_COLLATE and LC_CTYPE must be provided
+    # at db creation
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "xiny.li";
+      public_baseurl = "https://synapse.xiny.li";
+      database = {
+        name = "psycopg2";
+        args = {
+          user = "matrix-synapse";
+        };
+      };
+      listeners = [
+        {
+          bind_addresses = [
+            "127.0.0.1"
+          ];
+          port = port-synapse;
+          resources = [
+            {
+              compress = true;
+              names = [
+                "client"
+                "federation"
+              ];
+            }
+          ];
+          tls = false;
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+      experimental_features = {
+        # Room summary api
+        msc3266_enabled = true;
+        # Removing account data
+        msc3391_enabled = true;
+        # Thread notifications
+        msc3773_enabled = true;
+        # Remotely toggle push notifications for another client
+        msc3881_enabled = true;
+        # Remotely silence local notifications
+        msc3890_enabled = true;
+        # Remove legacy mentions
+        msc4210_enabled = true;
+      };
+      oidc_providers = [
+        {
+          idp_id = "Kanidm";
+          idp_name = "auth.xinyang.life";
+          issuer = "https://auth.xinyang.life/oauth2/openid/synapse";
+          authorization_endpoint = "https://auth.xinyang.life/ui/oauth2";
+          token_endpoint = "https://auth.xinyang.life/oauth2/token";
+          userinfo_endpoint = "https://auth.xinyang.life/oauth2/openid/synapse/userinfo";
+          client_id = "synapse";
+          client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
+          scopes = [
+            "openid"
+            "profile"
+          ];
+          allow_existing_users = true;
+          backchannel_logout_enabled = true;
+          user_mapping_provider.config = {
+            confirm_localpart = true;
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+        }
+      ];
+    };
+  };
+
+  services.caddy = {
+    virtualHosts."https://xiny.li".extraConfig = ''
+      header /.well-known/matrix/* Content-Type application/json
+      header /.well-known/matrix/* Access-Control-Allow-Origin *
+      respond /.well-known/matrix/server `{"m.server":"synapse.xiny.li:443"}`
+      respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://synapse.xiny.li/"}}`
+    '';
+    virtualHosts."https://synapse.xiny.li".extraConfig = ''
+      reverse_proxy /_matrix/* 127.0.0.1:${toString port-synapse}
+      reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    443
+  ];
+}