diff --git a/hosts/by-name/servo/services/default.nix b/hosts/by-name/servo/services/default.nix
index db3e4895..8ec917bb 100644
--- a/hosts/by-name/servo/services/default.nix
+++ b/hosts/by-name/servo/services/default.nix
@@ -18,8 +18,9 @@
 ./lemmy.nix
 ./matrix
 ./navidrome.nix
- ./nixserve.nix
 ./nginx.nix
+ ./nixserve.nix
+ ./ntfy.nix
 ./pict-rs.nix
 ./pleroma.nix
 ./postgres.nix
diff --git a/hosts/by-name/servo/services/matrix/default.nix b/hosts/by-name/servo/services/matrix/default.nix
index 0031dbf6..8442ab7a 100644
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@@ -14,39 +14,47 @@
 { user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
 ];
 services.matrix-synapse.enable = true;
- # this changes the default log level from INFO to WARN.
- # maybe there's an easier way?
- services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
- services.matrix-synapse.settings.server_name = "uninsane.org";
+ services.matrix-synapse.settings = {
+ # this changes the default log level from INFO to WARN.
+ # maybe there's an easier way?
+ log_config = ./synapse-log_level.yaml;
+ server_name = "uninsane.org";
- # services.matrix-synapse.enable_registration_captcha = true;
- # services.matrix-synapse.enable_registration_without_verification = true;
- services.matrix-synapse.settings.enable_registration = true;
- # services.matrix-synapse.registration_shared_secret = "";
+ # services.matrix-synapse.enable_registration_captcha = true;
+ # services.matrix-synapse.enable_registration_without_verification = true;
+ enable_registration = true;
+ # services.matrix-synapse.registration_shared_secret = "";
- # default for listeners is port = 8448, tls = true, x_forwarded = false.
- # we change this because the server is situated behind nginx.
- services.matrix-synapse.settings.listeners = [
- {
- port = 8008;
- bind_addresses = [ "127.0.0.1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" "federation" ];
- compress = false;
- }
- ];
- }
- ];
+ # default for listeners is port = 8448, tls = true, x_forwarded = false.
+ # we change this because the server is situated behind nginx.
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "127.0.0.1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
- services.matrix-synapse.settings.x_forwarded = true; # because we proxy matrix behind nginx
- services.matrix-synapse.settings.max_upload_size = "100M"; # default is "50M"
+ ip_range_whitelist = [
+ # to communicate with ntfy.uninsane.org push notifs.
+ # TODO: move this to some non-shared loopback device: we don't want Matrix spouting http requests to *anything* on this machine
+ "10.78.79.51"
+ ];
- services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
- services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
+ x_forwarded = true; # because we proxy matrix behind nginx
+ max_upload_size = "100M"; # default is "50M"
+
+ admin_contact = "admin.matrix@uninsane.org";
+ registrations_require_3pid = [ "email" ];
+ };
 services.matrix-synapse.extraConfigFiles = [
 config.sops.secrets."matrix_synapse_secrets.yaml".path
diff --git a/hosts/by-name/servo/services/ntfy.nix b/hosts/by-name/servo/services/ntfy.nix
new file mode 100644
index 00000000..21aa315b
--- /dev/null
+++ b/hosts/by-name/servo/services/ntfy.nix
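Review bot: `ip_range_whitelist = [ "10.78.79.51" ]` carries its only justification in a comment, and as I read Synapse's docs the whitelist is not push-specific: it lifts the private-range `ip_range_blacklist` for that address across federation, identity-server and push-gateway requests alike, so the TODO above it understates what the exemption grants. Record that next to the entry, e.g. `# /32 only; also exempts this address from the private-range blacklist for federation and identity lookups, not just push`, and say what the address is (presumably the interface on which nginx serves ntfy.uninsane.org — nothing here ties it to that vhost, so a renumbering silently re-points the hole at whatever next holds the address). The TODO's own plan, a dedicated loopback address that only the ntfy vhost binds, is the right shape for the fix and keeps the exemption from reaching other services on this host. The `services.matrix-synapse` attribute set continues past the hunk.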
@@ -0,0 +1,55 @@
+# ntfy: UnifiedPush notification delivery system
+# - used to get push notifications out of Matrix and onto a Phone (iOS, Android, or a custom client)
+#
+# config options:
+# -
+#
+# usage:
+# - ntfy sub https://ntfy.uninsane.org/TOPIC
+# - ntfy pub https://ntfy.uninsane.org/TOPIC "my message"
+# in production, TOPIC is a shared secret between the publisher (Matrix homeserver) and the subscriber (phone)
+#
+# matrix integration:
+# - the user must manually point synapse to the ntfy endpoint:
+# - `curl --header "Authorization: " --data '{ "app_display_name": "sane-nix moby", "app_id": "ntfy.uninsane.org", "data": { "url": "https://ntfy.uninsane.org/_matrix/push/v1/notify", "format": "event_id_only" }, "device_display_name": "sane-nix moby", "kind": "http", "lang": "en-US", "profile_tag": "", "pushkey": "https://ntfy.uninsane.org/TOPIC" }' localhost:8008/_matrix/client/v3/pushers/set`
+# where the token is grabbed from Element's help&about page when logged in
+# - to remove, send this `curl` with `"kind": null`
+{ lib, ... }:
+{
+ sane.persist.sys.plaintext = [
+ # not sure if it's really necessary
+ { user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+ ];
+
+ services.ntfy-sh.enable = true;
+ services.ntfy-sh.settings = {
+ base-url = "https://ntfy.uninsane.org";
+ # behind-proxy = true; # not sure if needed
+ # keepalive interval is a ntfy-specific keepalive thing, where it sends actual data down the wire.
+ # it's not simple TCP keepalive.
+ # defaults to 45s.
+ # note that the client may still do its own TCP-level keepalives, typically every 30s
+ keepalive-interval = "15m";
+ log-level = "trace"; # trace, debug, info (default), warn, error
+ };
+
+ systemd.services.ntfy-sh.serviceConfig.DynamicUser = lib.mkForce false;
+
+ services.nginx.virtualHosts."ntfy.uninsane.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:2586";
+ # proxyWebsockets = true; #< before simplifying to this, ensure it doesn't add keepalives to the subscriber
+ # support websocket upgrades. without that, `ntfy sub` hangs silently
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_buffering off;
+ proxy_read_timeout 7d;
+ '';
+ };
+ };
+ sane.dns.zones."uninsane.org".inet.CNAME."ntfy" = "native";
+}
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index 7b28ff19..e20da3c4 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -47,6 +47,8 @@
 sane.ids.export.gid = 2412;
 sane.ids.nfsuser.uid = 2413;
 sane.ids.media.gid = 2414;
+ sane.ids.ntfy-sh.uid = 2415;
+ sane.ids.ntfy-sh.gid = 2415;
 sane.ids.colin.uid = 1000;
 sane.ids.guest.uid = 1100;
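Review bot: `behind-proxy` is left commented out as "not sure if needed" while the nginx `extraConfig` forwards no `X-Forwarded-For`, so unless `recommendedProxySettings` is enabled somewhere outside this file ntfy sees every client as 127.0.0.1; as I read ntfy's docs its per-visitor rate limits key on that address, so one noisy client would throttle every subscriber and publisher on the instance. Resolve the comment to `behind-proxy = true;` and add `proxy_set_header X-Forwarded-For $remote_addr;` beside the Upgrade headers. `DynamicUser = lib.mkForce false` (presumably so the static `ntfy-sh` uid from ids.nix can own the persisted `/var/lib/ntfy-sh`) also sheds the sandboxing DynamicUser implies — NoNewPrivileges, PrivateTmp, ProtectSystem=strict, ProtectHome, RemoveIPC — so re-apply those explicitly and confirm the state directory stays writable under `ProtectSystem=strict`. Finally, `log-level = "trace"` is more than a deployed service wants when, per the header comment, the topic name in the URL is the only secret; ntfy's trace level logs request details including message bodies as I understand it, so drop it to `info` once the websocket issue is sorted.

```nix
  services.ntfy-sh.settings = {
    base-url = "https://ntfy.uninsane.org";
    # rate limits are per visitor; behind nginx every client is 127.0.0.1 without this
    behind-proxy = true;
    # … unchanged: keepalive-interval, log-level …
  };

  systemd.services.ntfy-sh.serviceConfig = {
    DynamicUser = lib.mkForce false;
    # re-apply what DynamicUser=true implied; verify the NixOS module already sets
    # StateDirectory = "ntfy-sh" so /var/lib/ntfy-sh remains writable under strict
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    RemoveIPC = true;
  };

  # … unchanged: nginx vhost up to extraConfig …
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
```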