services: matrix-synapse: migrate to new config format

2022-03-11 16:26:28 +01:00 · 2022-03-11 16:26:28 +01:00 · aa72401909
parent 3edac96be2
commit aa72401909
4 changed files with 68 additions and 84 deletions
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -100,7 +100,6 @@ in

    matrix = {
      enable = true;
-      registration_shared_secret = secrets.matrix-registration-shared-secret;
      emailConfig = secrets.matrixEmailConfig;
    };

--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -10,7 +10,6 @@ in {
  };

  config.my.secrets = {
-    matrix-registration-shared-secret = fileContents ./matrix-registration-shared-secret.secret;
    shadow-hashed-password-alarsyo = fileContents ./shadow-hashed-password-alarsyo.secret;
    shadow-hashed-password-root = fileContents ./shadow-hashed-password-root.secret;
    miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret;
--- a/secrets/matrix-registration-shared-secret.secret
+++ b/secrets/matrix-registration-shared-secret.secret
--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -26,11 +26,11 @@ in {
  options.my.services.matrix = let inherit (lib) types; in {
    enable = mkEnableOption "Matrix Synapse";

-    registration_shared_secret = mkOption {
-      type = types.str;
+    secretConfigFile = mkOption {
+      type = types.nullOr types.path;
      default = null;
-      example = "deadbeef";
-      description = "Shared secret to register users";
+      example = "/var/run/my_secrets/config.secret";
+      description = "Secrets file included in configuration";
    };

    emailConfig = mkOption {
@ -76,72 +76,12 @@ in {

    services.matrix-synapse = {
      enable = true;
-      server_name = domain;
-      public_baseurl = "https://matrix.${domain}";

-      registration_shared_secret = cfg.registration_shared_secret;
-
-      listeners = [
-        # Federation
-        {
-          bind_address = "::1";
-          port = federationPort.private;
-          tls = false;  # Terminated by nginx.
-          x_forwarded = true;
-          resources = [ { names = [ "federation" ]; compress = false; } ];
-        }
-
-        # Client
-        {
-          bind_address = "::1";
-          port = clientPort.private;
-          tls = false;  # Terminated by nginx.
-          x_forwarded = true;
-          resources = [ { names = [ "client" ]; compress = false; } ];
-        }
+      extraConfigFiles = lib.optionals (cfg.secretConfigFile != null) [
+        cfg.secretConfigFile
      ];

-      account_threepid_delegates.msisdn = "https://vector.im";
-
-      extraConfig = ''
-        experimental_features: { spaces_enabled: true }
-        use_presence: false
-
-        email:
-          # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
-          #
-          smtp_host: "${cfg.emailConfig.smtpHost}"
-
-          # The port on the mail server for outgoing SMTP. Defaults to 25.
-          #
-          smtp_port: ${toString cfg.emailConfig.smtpPort}
-
-          # Username/password for authentication to the SMTP server. By default, no
-          # authentication is attempted.
-          #
-          smtp_user: "${cfg.emailConfig.smtpUser}"
-          smtp_pass: "${cfg.emailConfig.smtpPass}"
-
-          # Uncomment the following to require TLS transport security for SMTP.
-          # By default, Synapse will connect over plain text, and will then switch to
-          # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
-          # Synapse will refuse to connect unless the server supports STARTTLS.
-          #
-          require_transport_security: true
-
-          # notif_from defines the "From" address to use when sending emails.
-          # It must be set if email sending is enabled.
-          #
-          # The placeholder '%(app)s' will be replaced by the application name,
-          # which is normally 'app_name' (below), but may be overridden by the
-          # Matrix client application.
-          #
-          # Note that the placeholder must be written '%(app)s', including the
-          # trailing 's'.
-          #
-          notif_from: "${cfg.emailConfig.notifFrom}"
-      '';
-
+      settings = let
        logConfig = ''
          version: 1

@ -169,6 +109,52 @@ in {

          disable_existing_loggers: False
        '';
+      in {
+        server_name = domain;
+        public_baseurl = "https://matrix.${domain}";
+
+        account_threepid_delegates = {
+          msisdn = "https://vector.im";
+        };
+
+        listeners = [
+          # Federation
+          {
+            bind_addresses = [ "::1" ];
+            port = federationPort.private;
+            tls = false;  # Terminated by nginx.
+            x_forwarded = true;
+            resources = [ { names = [ "federation" ]; compress = false; } ];
+          }
+
+          # Client
+          {
+            bind_addresses = [ "::1" ];
+            port = clientPort.private;
+            tls = false;  # Terminated by nginx.
+            x_forwarded = true;
+            resources = [ { names = [ "client" ]; compress = false; } ];
+          }
+        ];
+
+        experimental_features = {
+          spaces_enabled = true;
+        };
+
+        use_presence = false;
+
+        email = {
+          smtp_host = cfg.emailConfig.smtpHost;
+          smtp_port = cfg.emailConfig.smtpPort;
+          smtp_user = cfg.emailConfig.smtpUser;
+          smtp_pass = cfg.emailConfig.smtpPass;
+
+          require_transport_security = true;
+          notif_from = cfg.emailConfig.notifFrom;
+        };
+
+        log_config = pkgs.writeText "log_config.yaml" logConfig;
+      };
    };

    services.nginx = {