mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-22 05:33:23 +00:00
96190535e5
This reverts commit 095fe5b43d
.
Pointless renames considered harmful. All they do is force people to
spend extra work updating their configs for no benefit, and hindering
the ability to switch between unstable and stable versions of NixOS.
Like, what was the value of having the "nixos." there? I mean, by
definition anything in a NixOS module has something to do with NixOS...
699 lines
23 KiB
Nix
699 lines
23 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.matrix-synapse;
|
|
pg = config.services.postgresql;
|
|
usePostgresql = cfg.database_type == "psycopg2";
|
|
logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
|
|
mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${boolToString r.compress}}'';
|
|
mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${boolToString l.tls}, x_forwarded: ${boolToString l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
|
|
configFile = pkgs.writeText "homeserver.yaml" ''
|
|
${optionalString (cfg.tls_certificate_path != null) ''
|
|
tls_certificate_path: "${cfg.tls_certificate_path}"
|
|
''}
|
|
${optionalString (cfg.tls_private_key_path != null) ''
|
|
tls_private_key_path: "${cfg.tls_private_key_path}"
|
|
''}
|
|
${optionalString (cfg.tls_dh_params_path != null) ''
|
|
tls_dh_params_path: "${cfg.tls_dh_params_path}"
|
|
''}
|
|
no_tls: ${boolToString cfg.no_tls}
|
|
${optionalString (cfg.bind_port != null) ''
|
|
bind_port: ${toString cfg.bind_port}
|
|
''}
|
|
${optionalString (cfg.unsecure_port != null) ''
|
|
unsecure_port: ${toString cfg.unsecure_port}
|
|
''}
|
|
${optionalString (cfg.bind_host != null) ''
|
|
bind_host: "${cfg.bind_host}"
|
|
''}
|
|
server_name: "${cfg.server_name}"
|
|
pid_file: "/var/run/matrix-synapse.pid"
|
|
web_client: ${boolToString cfg.web_client}
|
|
${optionalString (cfg.public_baseurl != null) ''
|
|
public_baseurl: "${cfg.public_baseurl}"
|
|
''}
|
|
listeners: [${concatStringsSep "," (map mkListener cfg.listeners)}]
|
|
database: {
|
|
name: "${cfg.database_type}",
|
|
args: {
|
|
${concatStringsSep ",\n " (
|
|
mapAttrsToList (n: v: "\"${n}\": ${builtins.toJSON v}") cfg.database_args
|
|
)}
|
|
}
|
|
}
|
|
event_cache_size: "${cfg.event_cache_size}"
|
|
verbose: ${cfg.verbose}
|
|
log_config: "${logConfigFile}"
|
|
rc_messages_per_second: ${cfg.rc_messages_per_second}
|
|
rc_message_burst_count: ${cfg.rc_message_burst_count}
|
|
federation_rc_window_size: ${cfg.federation_rc_window_size}
|
|
federation_rc_sleep_limit: ${cfg.federation_rc_sleep_limit}
|
|
federation_rc_sleep_delay: ${cfg.federation_rc_sleep_delay}
|
|
federation_rc_reject_limit: ${cfg.federation_rc_reject_limit}
|
|
federation_rc_concurrent: ${cfg.federation_rc_concurrent}
|
|
media_store_path: "${cfg.dataDir}/media"
|
|
uploads_path: "${cfg.dataDir}/uploads"
|
|
max_upload_size: "${cfg.max_upload_size}"
|
|
max_image_pixels: "${cfg.max_image_pixels}"
|
|
dynamic_thumbnails: ${boolToString cfg.dynamic_thumbnails}
|
|
url_preview_enabled: ${boolToString cfg.url_preview_enabled}
|
|
${optionalString (cfg.url_preview_enabled == true) ''
|
|
url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist}
|
|
url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist}
|
|
url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist}
|
|
''}
|
|
recaptcha_private_key: "${cfg.recaptcha_private_key}"
|
|
recaptcha_public_key: "${cfg.recaptcha_public_key}"
|
|
enable_registration_captcha: ${boolToString cfg.enable_registration_captcha}
|
|
turn_uris: ${builtins.toJSON cfg.turn_uris}
|
|
turn_shared_secret: "${cfg.turn_shared_secret}"
|
|
enable_registration: ${boolToString cfg.enable_registration}
|
|
${optionalString (cfg.registration_shared_secret != null) ''
|
|
registration_shared_secret: "${cfg.registration_shared_secret}"
|
|
''}
|
|
recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
|
|
turn_user_lifetime: "${cfg.turn_user_lifetime}"
|
|
user_creation_max_duration: ${cfg.user_creation_max_duration}
|
|
bcrypt_rounds: ${cfg.bcrypt_rounds}
|
|
allow_guest_access: ${boolToString cfg.allow_guest_access}
|
|
trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers}
|
|
room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types}
|
|
${optionalString (cfg.macaroon_secret_key != null) ''
|
|
macaroon_secret_key: "${cfg.macaroon_secret_key}"
|
|
''}
|
|
expire_access_token: ${boolToString cfg.expire_access_token}
|
|
enable_metrics: ${boolToString cfg.enable_metrics}
|
|
report_stats: ${boolToString cfg.report_stats}
|
|
signing_key_path: "${cfg.dataDir}/homeserver.signing.key"
|
|
key_refresh_interval: "${cfg.key_refresh_interval}"
|
|
perspectives:
|
|
servers: {
|
|
${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
|
|
"${n}": {
|
|
"verify_keys": {
|
|
${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
|
|
"${n}": {
|
|
"key": "${v}"
|
|
}'') v)}
|
|
}
|
|
'') cfg.servers)}
|
|
}
|
|
}
|
|
app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
|
|
|
|
${cfg.extraConfig}
|
|
'';
|
|
in {
|
|
options = {
|
|
services.matrix-synapse = {
|
|
enable = mkEnableOption "matrix.org synapse";
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.matrix-synapse;
|
|
defaultText = "pkgs.matrix-synapse";
|
|
description = ''
|
|
Overridable attribute of the matrix synapse server package to use.
|
|
'';
|
|
};
|
|
no_tls = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Don't bind to the https port
|
|
'';
|
|
};
|
|
bind_port = mkOption {
|
|
type = types.nullOr types.int;
|
|
default = null;
|
|
example = 8448;
|
|
description = ''
|
|
DEPRECATED: Use listeners instead.
|
|
The port to listen for HTTPS requests on.
|
|
For when matrix traffic is sent directly to synapse.
|
|
'';
|
|
};
|
|
unsecure_port = mkOption {
|
|
type = types.nullOr types.int;
|
|
default = null;
|
|
example = 8008;
|
|
description = ''
|
|
DEPRECATED: Use listeners instead.
|
|
The port to listen for HTTP requests on.
|
|
For when matrix traffic passes through loadbalancer that unwraps TLS.
|
|
'';
|
|
};
|
|
bind_host = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
DEPRECATED: Use listeners instead.
|
|
Local interface to listen on.
|
|
The empty string will cause synapse to listen on all interfaces.
|
|
'';
|
|
};
|
|
tls_certificate_path = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "${cfg.dataDir}/homeserver.tls.crt";
|
|
description = ''
|
|
PEM encoded X509 certificate for TLS.
|
|
You can replace the self-signed certificate that synapse
|
|
autogenerates on launch with your own SSL certificate + key pair
|
|
if you like. Any required intermediary certificates can be
|
|
appended after the primary certificate in hierarchical order.
|
|
'';
|
|
};
|
|
tls_private_key_path = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "${cfg.dataDir}/homeserver.tls.key";
|
|
description = ''
|
|
PEM encoded private key for TLS. Specify null if synapse is not
|
|
speaking TLS directly.
|
|
'';
|
|
};
|
|
tls_dh_params_path = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "${cfg.dataDir}/homeserver.tls.dh";
|
|
description = ''
|
|
PEM dh parameters for ephemeral keys
|
|
'';
|
|
};
|
|
server_name = mkOption {
|
|
type = types.str;
|
|
example = "example.com";
|
|
default = config.networking.hostName;
|
|
description = ''
|
|
The domain name of the server, with optional explicit port.
|
|
This is used by remote servers to connect to this server,
|
|
e.g. matrix.org, localhost:8080, etc.
|
|
This is also the last part of your UserID.
|
|
'';
|
|
};
|
|
web_client = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to serve a web client from the HTTP/HTTPS root resource.
|
|
'';
|
|
};
|
|
public_baseurl = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
example = "https://example.com:8448/";
|
|
description = ''
|
|
The public-facing base URL for the client API (not including _matrix/...)
|
|
'';
|
|
};
|
|
listeners = mkOption {
|
|
type = types.listOf (types.submodule {
|
|
options = {
|
|
port = mkOption {
|
|
type = types.int;
|
|
example = 8448;
|
|
description = ''
|
|
The port to listen for HTTP(S) requests on.
|
|
'';
|
|
};
|
|
bind_address = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
example = "203.0.113.42";
|
|
description = ''
|
|
Local interface to listen on.
|
|
The empty string will cause synapse to listen on all interfaces.
|
|
'';
|
|
};
|
|
type = mkOption {
|
|
type = types.str;
|
|
default = "http";
|
|
description = ''
|
|
Type of listener.
|
|
'';
|
|
};
|
|
tls = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether to listen for HTTPS connections rather than HTTP.
|
|
'';
|
|
};
|
|
x_forwarded = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Use the X-Forwarded-For (XFF) header as the client IP and not the
|
|
actual client IP.
|
|
'';
|
|
};
|
|
resources = mkOption {
|
|
type = types.listOf (types.submodule {
|
|
options = {
|
|
names = mkOption {
|
|
type = types.listOf types.str;
|
|
description = ''
|
|
List of resources to host on this listener.
|
|
'';
|
|
example = ["client" "webclient" "federation"];
|
|
};
|
|
compress = mkOption {
|
|
type = types.bool;
|
|
description = ''
|
|
Should synapse compress HTTP responses to clients that support it?
|
|
This should be disabled if running synapse behind a load balancer
|
|
that can do automatic compression.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
description = ''
|
|
List of HTTP resources to serve on this listener.
|
|
'';
|
|
};
|
|
};
|
|
});
|
|
default = [{
|
|
port = 8448;
|
|
bind_address = "";
|
|
type = "http";
|
|
tls = true;
|
|
x_forwarded = false;
|
|
resources = [
|
|
{ names = ["client" "webclient"]; compress = true; }
|
|
{ names = ["federation"]; compress = false; }
|
|
];
|
|
}];
|
|
description = ''
|
|
List of ports that Synapse should listen on, their purpose and their configuration.
|
|
'';
|
|
};
|
|
verbose = mkOption {
|
|
type = types.str;
|
|
default = "0";
|
|
description = "Logging verbosity level.";
|
|
};
|
|
rc_messages_per_second = mkOption {
|
|
type = types.str;
|
|
default = "0.2";
|
|
description = "Number of messages a client can send per second";
|
|
};
|
|
rc_message_burst_count = mkOption {
|
|
type = types.str;
|
|
default = "10.0";
|
|
description = "Number of message a client can send before being throttled";
|
|
};
|
|
federation_rc_window_size = mkOption {
|
|
type = types.str;
|
|
default = "1000";
|
|
description = "The federation window size in milliseconds";
|
|
};
|
|
federation_rc_sleep_limit = mkOption {
|
|
type = types.str;
|
|
default = "10";
|
|
description = ''
|
|
The number of federation requests from a single server in a window
|
|
before the server will delay processing the request.
|
|
'';
|
|
};
|
|
federation_rc_sleep_delay = mkOption {
|
|
type = types.str;
|
|
default = "500";
|
|
description = ''
|
|
The duration in milliseconds to delay processing events from
|
|
remote servers by if they go over the sleep limit.
|
|
'';
|
|
};
|
|
federation_rc_reject_limit = mkOption {
|
|
type = types.str;
|
|
default = "50";
|
|
description = ''
|
|
The maximum number of concurrent federation requests allowed
|
|
from a single server
|
|
'';
|
|
};
|
|
federation_rc_concurrent = mkOption {
|
|
type = types.str;
|
|
default = "3";
|
|
description = "The number of federation requests to concurrently process from a single server";
|
|
};
|
|
database_type = mkOption {
|
|
type = types.enum [ "sqlite3" "psycopg2" ];
|
|
default = if versionAtLeast config.system.stateVersion "18.03"
|
|
then "psycopg2"
|
|
else "sqlite3";
|
|
description = ''
|
|
The database engine name. Can be sqlite or psycopg2.
|
|
'';
|
|
};
|
|
create_local_database = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether to create a local database automatically.
|
|
'';
|
|
};
|
|
database_name = mkOption {
|
|
type = types.str;
|
|
default = "matrix-synapse";
|
|
description = "Database name.";
|
|
};
|
|
database_user = mkOption {
|
|
type = types.str;
|
|
default = "matrix-synapse";
|
|
description = "Database user name.";
|
|
};
|
|
database_args = mkOption {
|
|
type = types.attrs;
|
|
default = {
|
|
sqlite3 = { database = "${cfg.dataDir}/homeserver.db"; };
|
|
psycopg2 = {
|
|
user = cfg.database_user;
|
|
database = cfg.database_name;
|
|
};
|
|
}."${cfg.database_type}";
|
|
description = ''
|
|
Arguments to pass to the engine.
|
|
'';
|
|
};
|
|
event_cache_size = mkOption {
|
|
type = types.str;
|
|
default = "10K";
|
|
description = "Number of events to cache in memory.";
|
|
};
|
|
url_preview_enabled = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Is the preview URL API enabled? If enabled, you *must* specify an
|
|
explicit url_preview_ip_range_blacklist of IPs that the spider is
|
|
denied from accessing.
|
|
'';
|
|
};
|
|
url_preview_ip_range_blacklist = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [
|
|
"127.0.0.0/8"
|
|
"10.0.0.0/8"
|
|
"172.16.0.0/12"
|
|
"192.168.0.0/16"
|
|
"100.64.0.0/10"
|
|
"169.254.0.0/16"
|
|
];
|
|
description = ''
|
|
List of IP address CIDR ranges that the URL preview spider is denied
|
|
from accessing.
|
|
'';
|
|
};
|
|
url_preview_ip_range_whitelist = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
description = ''
|
|
List of IP address CIDR ranges that the URL preview spider is allowed
|
|
to access even if they are specified in
|
|
url_preview_ip_range_blacklist.
|
|
'';
|
|
};
|
|
url_preview_url_blacklist = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
description = ''
|
|
Optional list of URL matches that the URL preview spider is
|
|
denied from accessing.
|
|
'';
|
|
};
|
|
recaptcha_private_key = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = ''
|
|
This Home Server's ReCAPTCHA private key.
|
|
'';
|
|
};
|
|
recaptcha_public_key = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = ''
|
|
This Home Server's ReCAPTCHA public key.
|
|
'';
|
|
};
|
|
enable_registration_captcha = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enables ReCaptcha checks when registering, preventing signup
|
|
unless a captcha is answered. Requires a valid ReCaptcha
|
|
public/private key.
|
|
'';
|
|
};
|
|
turn_uris = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
description = ''
|
|
The public URIs of the TURN server to give to clients
|
|
'';
|
|
};
|
|
turn_shared_secret = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = ''
|
|
The shared secret used to compute passwords for the TURN server
|
|
'';
|
|
};
|
|
turn_user_lifetime = mkOption {
|
|
type = types.str;
|
|
default = "1h";
|
|
description = "How long generated TURN credentials last";
|
|
};
|
|
enable_registration = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable registration for new users.
|
|
'';
|
|
};
|
|
registration_shared_secret = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
If set, allows registration by anyone who also has the shared
|
|
secret, even if registration is otherwise disabled.
|
|
'';
|
|
};
|
|
enable_metrics = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable collection and rendering of performance metrics
|
|
'';
|
|
};
|
|
report_stats = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
'';
|
|
};
|
|
servers = mkOption {
|
|
type = types.attrsOf (types.attrsOf types.str);
|
|
default = {
|
|
"matrix.org" = {
|
|
"ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
|
|
};
|
|
};
|
|
description = ''
|
|
The trusted servers to download signing keys from.
|
|
'';
|
|
};
|
|
max_upload_size = mkOption {
|
|
type = types.str;
|
|
default = "10M";
|
|
description = "The largest allowed upload size in bytes";
|
|
};
|
|
max_image_pixels = mkOption {
|
|
type = types.str;
|
|
default = "32M";
|
|
description = "Maximum number of pixels that will be thumbnailed";
|
|
};
|
|
dynamic_thumbnails = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to generate new thumbnails on the fly to precisely match
|
|
the resolution requested by the client. If true then whenever
|
|
a new resolution is requested by the client the server will
|
|
generate a new thumbnail. If false the server will pick a thumbnail
|
|
from a precalculated list.
|
|
'';
|
|
};
|
|
user_creation_max_duration = mkOption {
|
|
type = types.str;
|
|
default = "1209600000";
|
|
description = ''
|
|
Sets the expiry for the short term user creation in
|
|
milliseconds. The default value is two weeks.
|
|
'';
|
|
};
|
|
bcrypt_rounds = mkOption {
|
|
type = types.str;
|
|
default = "12";
|
|
description = ''
|
|
Set the number of bcrypt rounds used to generate password hash.
|
|
Larger numbers increase the work factor needed to generate the hash.
|
|
'';
|
|
};
|
|
allow_guest_access = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Allows users to register as guests without a password/email/etc, and
|
|
participate in rooms hosted on this server which have been made
|
|
accessible to anonymous users.
|
|
'';
|
|
};
|
|
trusted_third_party_id_servers = mkOption {
|
|
type = types.listOf types.str;
|
|
default = ["matrix.org"];
|
|
description = ''
|
|
The list of identity servers trusted to verify third party identifiers by this server.
|
|
'';
|
|
};
|
|
room_invite_state_types = mkOption {
|
|
type = types.listOf types.str;
|
|
default = ["m.room.join_rules" "m.room.canonical_alias" "m.room.avatar" "m.room.name"];
|
|
description = ''
|
|
A list of event types that will be included in the room_invite_state
|
|
'';
|
|
};
|
|
macaroon_secret_key = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = null;
|
|
description = ''
|
|
Secret key for authentication tokens
|
|
'';
|
|
};
|
|
expire_access_token = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to enable access token expiration.
|
|
'';
|
|
};
|
|
key_refresh_interval = mkOption {
|
|
type = types.str;
|
|
default = "1d";
|
|
description = ''
|
|
How long key response published by this server is valid for.
|
|
Used to set the valid_until_ts in /key/v2 APIs.
|
|
Determines how quickly servers will query to check which keys
|
|
are still valid.
|
|
'';
|
|
};
|
|
app_service_config_files = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [ ];
|
|
description = ''
|
|
A list of application service config file to use
|
|
'';
|
|
};
|
|
extraConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
description = ''
|
|
Extra config options for matrix-synapse.
|
|
'';
|
|
};
|
|
extraConfigFiles = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [];
|
|
description = ''
|
|
Extra config files to include.
|
|
|
|
The configuration files will be included based on the command line
|
|
argument --config-path. This allows to configure secrets without
|
|
having to go through the Nix store, e.g. based on deployment keys if
|
|
NixOPS is in use.
|
|
'';
|
|
};
|
|
logConfig = mkOption {
|
|
type = types.lines;
|
|
default = readFile ./matrix-synapse-log_config.yaml;
|
|
description = ''
|
|
A yaml python logging config file
|
|
'';
|
|
};
|
|
dataDir = mkOption {
|
|
type = types.str;
|
|
default = "/var/lib/matrix-synapse";
|
|
description = ''
|
|
The directory where matrix-synapse stores its stateful data such as
|
|
certificates, media and uploads.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
users.users = [
|
|
{ name = "matrix-synapse";
|
|
group = "matrix-synapse";
|
|
home = cfg.dataDir;
|
|
createHome = true;
|
|
shell = "${pkgs.bash}/bin/bash";
|
|
uid = config.ids.uids.matrix-synapse;
|
|
} ];
|
|
|
|
users.groups = [
|
|
{ name = "matrix-synapse";
|
|
gid = config.ids.gids.matrix-synapse;
|
|
} ];
|
|
|
|
services.postgresql.enable = mkIf usePostgresql (mkDefault true);
|
|
|
|
systemd.services.matrix-synapse = {
|
|
description = "Synapse Matrix homeserver";
|
|
after = [ "network.target" "postgresql.service" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
preStart = ''
|
|
${cfg.package}/bin/homeserver \
|
|
--config-path ${configFile} \
|
|
--keys-directory ${cfg.dataDir} \
|
|
--generate-keys
|
|
'' + optionalString (usePostgresql && cfg.create_local_database) ''
|
|
if ! test -e "${cfg.dataDir}/db-created"; then
|
|
${pkgs.sudo}/bin/sudo -u ${pg.superUser} \
|
|
${pg.package}/bin/createuser \
|
|
--login \
|
|
--no-createdb \
|
|
--no-createrole \
|
|
--encrypted \
|
|
${cfg.database_user}
|
|
${pkgs.sudo}/bin/sudo -u ${pg.superUser} \
|
|
${pg.package}/bin/createdb \
|
|
--owner=${cfg.database_user} \
|
|
--encoding=UTF8 \
|
|
--lc-collate=C \
|
|
--lc-ctype=C \
|
|
--template=template0 \
|
|
${cfg.database_name}
|
|
touch "${cfg.dataDir}/db-created"
|
|
fi
|
|
'';
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = "matrix-synapse";
|
|
Group = "matrix-synapse";
|
|
WorkingDirectory = cfg.dataDir;
|
|
PermissionsStartOnly = true;
|
|
ExecStart = ''
|
|
${cfg.package}/bin/homeserver \
|
|
${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
|
|
--keys-directory ${cfg.dataDir}
|
|
'';
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
};
|
|
}
|