[nix,flake] Moves some container files around. Also updates the flake lock. [synapse] Gets the federation working

2025-06-24 16:57:38 -07:00
parent 514746686f
commit c74e40e69e
10 changed files with 89 additions and 70 deletions
--- a/system/hosts/mcp/containers/havenisms.com/chat.nix
+++ b/system/hosts/mcp/containers/havenisms.com/chat.nix
@@ -0,0 +1,83 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) hostRule havenisms;
+  syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
+  wellKnownRule = "(Host(`havenisms.com`) || Host(`chat.havenisms.com`)) && PathPrefix(`/.well-known`)";
+in
+{
+
+  sops.secrets = {
+    "matrix/syncv3/db-password" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+    "matrix/syncv3/secret" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+  };
+
+  sops.templates."matrix-sliding-sync.env".content = ''
+    SYNCV3_SERVER=http://synapse:8008
+    SYNCV3_DB=postgres://syncv3:${
+      config.sops.placeholder."matrix/syncv3/db-password"
+    }@db:5432/syncv3?sslmode=disable
+    SYNCV3_SECRET=${config.sops.placeholder."matrix/syncv3/secret"}
+    SYNCV3_BINDADDR=:8009
+  '';
+
+  virtualisation.oci-containers.containers = {
+    synapse = {
+      image = "docker.io/matrixdotorg/synapse:latest";
+      autoStart = true;
+      dependsOn = [
+        "db"
+      ];
+      volumes = [
+        "/tank/config/synapse/data:/data"
+      ];
+      extraOptions = [
+        "-l=traefik.enable=true"
+        "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
+        "-l=traefik.http.routers.synapse.service=synapse"
+        "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
+
+        # Federation forwarding
+        "-l=traefik.http.routers.synapse-federation.rule=${hostRule "chat" havenisms}"
+        "-l=traefik.http.routers.synapse-federation.service=synapse-federation"
+        "-l=traefik.http.routers.synapse-federation.entrypoints=matrix-federation"
+        "-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8448"
+      ];
+    };
+
+    matrix-sliding-sync = {
+      image = "ghcr.io/matrix-org/sliding-sync:latest";
+      dependsOn = [
+        "db"
+        "synapse"
+      ];
+      environmentFiles = [
+        config.sops.templates."matrix-sliding-sync.env".path
+      ];
+      extraOptions = [
+        "-l=traefik.enable=true"
+        "-l=traefik.http.routers.syncv3.rule=${hostRule "chat" havenisms} && ${syncRule}"
+        "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009"
+      ];
+    };
+
+    # This server helps to serve the .well-known files that are required by clients to find the sync server.
+    matrix-well-known = {
+      image = "nginx";
+      dependsOn = [ "synapse" ];
+      volumes = [
+        "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
+      ];
+      extraOptions = [
+        "-l=traefik.enable=true"
+        "-l=traefik.http.middlewares.strip-well-known.stripprefix.prefixes=/.well-known"
+        "-l=traefik.http.routers.matrix-well-known.rule=${wellKnownRule}"
+        "-l=traefik.http.routers.matrix-well-known.middlewares=strip-well-known"
+        "-l=traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
+      ];
+    };
+  };
+}