sliding sync

2023-06-30 22:48:35 +02:00 · 2023-06-30 22:48:35 +02:00 · 158a5cef7b
commit 158a5cef7b
parent 061293e537
4 changed files with 46 additions and 0 deletions
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@ -43,6 +43,7 @@
  ragon.agenix.secrets."picardResticPassword" = { };
  ragon.agenix.secrets."picardResticSSHKey" = { };
  ragon.agenix.secrets."picardResticHealthCheckUrl" = { };
+  ragon.agenix.secrets."picardSlidingSyncSecret" = { };

  services.nginx.recommendedOptimisation = true;
  services.nginx.virtualHosts."xyno.space" = {
--- a/nixos-modules/services/synapse.nix
+++ b/nixos-modules/services/synapse.nix
@ -49,6 +49,22 @@ in

    };
    ragon.agenix.secrets."matrixSecrets" = { owner = "matrix-synapse"; };
+    users.users.slidingsync = { isSystemUser = true; group = "slidingsync"; };
+    users.groups.slidingsync = { };
+    virtualisation.oci-containers.containers."matrix-sliding-sync" = {
+      image = "ghcr.io/matrix-org/sliding-sync:latest";
+      ports = [ "8008:localhost:8008" ];
+      user = "slidingsync";
+      volumes = [
+        "/run/postgresql:/run/postgresql"
+      ];
+      environmentFiles = [ config.age.secrets.picardSlidingSyncSecret.path ];
+      environment = {
+        SYNCV3_SERVER = "https://m.ragon.xyz";
+        SYNCV3_BINDADDR = ":8008";
+        SYNCV3_DB = "user=slidingsync dbname=slidingsync";
+      };
+    };
    services.postgresql = {
      enable = true;
    };
@ -94,6 +110,7 @@ in
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
              "im.vector.riot.jitsi" = { "preferredDomain" = "jitsi.${domain}"; };
+              "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.${domain}"; };
            };
            # ACAO required to allow element-web on any URL to request this json file
          in
@ -118,7 +135,15 @@ in
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
+        locations."/synapse" = {
+          proxyPass = "http://[::1]:8008"; # without a trailing /
+        };
      };
+      "slidingsync.${domain}" = {
+        forceSSL = true;
+        useACMEHost = "${domain}";
+      };
+


    };
--- a/secrets/picardSlidingSyncSecret.age
+++ b/secrets/picardSlidingSyncSecret.age
@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 WceKOQ k1QWll/UhwFimwaNQsRNBaC0jGMe9CuWT++NoaDOWls
+0pFCbGRD92Mr24+0nKctK0PfBzqfIeAPLediW4hyrJY
+-> ssh-ed25519 ugHWWw WJGfuJutC/WgRVY8aHBbdk/1nOePJ7Y746S3LENU8Dk
+ZSqiM3RrDmGWkjkBWcBgeQL2vnAb75LKZiarUF0eJ3s
+-> ssh-ed25519 UU9RSA rRGXYKLQCXFImGvf+3epkwjDjuCdwlxTTOjRKJU54Q4
+YU93DYI1M6CVhi+A4EWy6B+AfOU6DCiVqS8CpGSV2bE
+-> ssh-ed25519 RJI3BA leq5XHaA7RqvaWbH2BN1hOVTCIWF1fK0ub9eu97NRQg
+VS1KBtunKNT8Ch2otaZol5DR/DiGfk29KQAnFGNAt/I
+-> ssh-ed25519 XnvJKw Akl9u1D+tb/lHiI2IPCcGgulPadq88bSR68MiKb22DA
+nQg+hA0+KZ1I5MJqzRfz4MUjOGcNmNs2IBsS0+pVpbc
+-> ssh-ed25519 7NL5Ng ihP6nlLLPGJD9CzrNNA6q0ro+H/6RGeZt1w7Ech8yGc
+UYc+U7n9ewx5X/yO8dZiTYBLTfTzkX5wMGTsmOkjwWc
+-> q~!"mE}Y-grease N ';')'4
+uCh5hcJgcGIhsZ6zUQexrz1rImaI06SEtZwHlDDNfzvT0+QJBloTNhQWeiRm4wMh
+XKE7Lo5+Ux6NxyajD6D/m/ZXzaK1iQktWoOergGA
+--- FSkiTmwqJaDXXDKsCkn4sgUWXReQ//dQTgzhoZlbQUk
+`ü
+©ä”Î®è@"²9^É€Ž”V˜ñÒ¸ƒE‚ì07HðåI{röI=ÏrÍº›ˆ‹ZŽŸ#]ÄmÕúÙ=Œcž˜<C5BE>F³OˆO*OÛ®Ã_y ©g,':§0•nÀ€þ©†ôèû(ê{T
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -27,6 +27,7 @@ in
  "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard";
  "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard";
  "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";
+  "picardSlidingSyncSecret.age".publicKeys = pubkeys.ragon.host "picard";
  "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard";
  "picardResticHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "picard";
 }