enable ntfy (and manually integrate with matrix)
parent
7b38ec3f8f
commit
865777b7ba
|
@ -18,8 +18,9 @@
|
||||||
./lemmy.nix
|
./lemmy.nix
|
||||||
./matrix
|
./matrix
|
||||||
./navidrome.nix
|
./navidrome.nix
|
||||||
./nixserve.nix
|
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
|
./nixserve.nix
|
||||||
|
./ntfy.nix
|
||||||
./pict-rs.nix
|
./pict-rs.nix
|
||||||
./pleroma.nix
|
./pleroma.nix
|
||||||
./postgres.nix
|
./postgres.nix
|
||||||
|
|
|
@ -14,39 +14,47 @@
|
||||||
{ user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
|
{ user = "matrix-synapse"; group = "matrix-synapse"; path = "/var/lib/matrix-synapse"; }
|
||||||
];
|
];
|
||||||
services.matrix-synapse.enable = true;
|
services.matrix-synapse.enable = true;
|
||||||
# this changes the default log level from INFO to WARN.
|
services.matrix-synapse.settings = {
|
||||||
# maybe there's an easier way?
|
# this changes the default log level from INFO to WARN.
|
||||||
services.matrix-synapse.settings.log_config = ./synapse-log_level.yaml;
|
# maybe there's an easier way?
|
||||||
services.matrix-synapse.settings.server_name = "uninsane.org";
|
log_config = ./synapse-log_level.yaml;
|
||||||
|
server_name = "uninsane.org";
|
||||||
|
|
||||||
# services.matrix-synapse.enable_registration_captcha = true;
|
# services.matrix-synapse.enable_registration_captcha = true;
|
||||||
# services.matrix-synapse.enable_registration_without_verification = true;
|
# services.matrix-synapse.enable_registration_without_verification = true;
|
||||||
services.matrix-synapse.settings.enable_registration = true;
|
enable_registration = true;
|
||||||
# services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
|
# services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
|
||||||
|
|
||||||
# default for listeners is port = 8448, tls = true, x_forwarded = false.
|
# default for listeners is port = 8448, tls = true, x_forwarded = false.
|
||||||
# we change this because the server is situated behind nginx.
|
# we change this because the server is situated behind nginx.
|
||||||
services.matrix-synapse.settings.listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
port = 8008;
|
port = 8008;
|
||||||
bind_addresses = [ "127.0.0.1" ];
|
bind_addresses = [ "127.0.0.1" ];
|
||||||
type = "http";
|
type = "http";
|
||||||
tls = false;
|
tls = false;
|
||||||
x_forwarded = true;
|
x_forwarded = true;
|
||||||
resources = [
|
resources = [
|
||||||
{
|
{
|
||||||
names = [ "client" "federation" ];
|
names = [ "client" "federation" ];
|
||||||
compress = false;
|
compress = false;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.matrix-synapse.settings.x_forwarded = true; # because we proxy matrix behind nginx
|
ip_range_whitelist = [
|
||||||
services.matrix-synapse.settings.max_upload_size = "100M"; # default is "50M"
|
# to communicate with ntfy.uninsane.org push notifs.
|
||||||
|
# TODO: move this to some non-shared loopback device: we don't want Matrix spouting http requests to *anything* on this machine
|
||||||
|
"10.78.79.51"
|
||||||
|
];
|
||||||
|
|
||||||
services.matrix-synapse.settings.admin_contact = "admin.matrix@uninsane.org";
|
x_forwarded = true; # because we proxy matrix behind nginx
|
||||||
services.matrix-synapse.settings.registrations_require_3pid = [ "email" ];
|
max_upload_size = "100M"; # default is "50M"
|
||||||
|
|
||||||
|
admin_contact = "admin.matrix@uninsane.org";
|
||||||
|
registrations_require_3pid = [ "email" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.matrix-synapse.extraConfigFiles = [
|
services.matrix-synapse.extraConfigFiles = [
|
||||||
config.sops.secrets."matrix_synapse_secrets.yaml".path
|
config.sops.secrets."matrix_synapse_secrets.yaml".path
|
||||||
|
|
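Review bot: The new `ip_range_whitelist = [ "10.78.79.51" ]` entry exempts every port on that address from Synapse's `ip_range_blacklist`, and the setting applies to federation, identity-server and push requests alike, not only to the ntfy pusher it was added for. Since `enable_registration = true` sits in the same `settings` block, the exemption can be reached by any account that registers an HTTP pusher, not just the operator. The TODO already names the real fix (a dedicated, non-shared address for ntfy). Until then I would record the scope next to the entry, e.g. `# NOTE: exempts all ports on 10.78.79.51 from ip_range_blacklist (federation, identity-server and push requests)`, and check that nothing else sensitive listens on that address. The file continues past the end of this hunk, so any other restrictions set there are not visible.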
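--- a/hosts/by-name/servo/services/ntfy.nix
+++ b/hosts/by-name/servo/services/ntfy.nix
@@ -0,0 +1,55 @@
+# ntfy: UnifiedPush notification delivery system
+# - used to get push notifications out of Matrix and onto a Phone (iOS, Android, or a custom client)
+#
+# config options:
+# - <https://docs.ntfy.sh/config/#config-options>
+#
+# usage:
+# - ntfy sub https://ntfy.uninsane.org/TOPIC
+# - ntfy pub https://ntfy.uninsane.org/TOPIC "my message"
+# in production, TOPIC is a shared secret between the publisher (Matrix homeserver) and the subscriber (phone)
+#
+# matrix integration:
+# - the user must manually point synapse to the ntfy endpoint:
+# - `curl --header "Authorization: <your_token>" --data '{ "app_display_name": "sane-nix moby", "app_id": "ntfy.uninsane.org", "data": { "url": "https://ntfy.uninsane.org/_matrix/push/v1/notify", "format": "event_id_only" }, "device_display_name": "sane-nix moby", "kind": "http", "lang": "en-US", "profile_tag": "", "pushkey": "https://ntfy.uninsane.org/TOPIC" }' localhost:8008/_matrix/client/v3/pushers/set`
+# where the token is grabbed from Element's help&about page when logged in
+# - to remove, send this `curl` with `"kind": null`
+{ lib, ... }:
+{
+sane.persist.sys.plaintext = [
+# not sure if it's really necessary
+{ user = "ntfy-sh"; group ="ntfy-sh"; path = "/var/lib/ntfy-sh"; }
+];
+
+services.ntfy-sh.enable = true;
+services.ntfy-sh.settings = {
+base-url = "https://ntfy.uninsane.org";
+# behind-proxy = true; # not sure if needed
+# keepalive interval is a ntfy-specific keepalive thing, where it sends actual data down the wire.
+# it's not simple TCP keepalive.
+# defaults to 45s.
+# note that the client may still do its own TCP-level keepalives, typically every 30s
+keepalive-interval = "15m";
+log-level = "trace"; # trace, debug, info (default), warn, error
+};
+
+systemd.services.ntfy-sh.serviceConfig.DynamicUser = lib.mkForce false;
+
+services.nginx.virtualHosts."ntfy.uninsane.org" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://127.0.0.1:2586";
+# proxyWebsockets = true; #< before simplifying to this, ensure it doesn't add keepalives to the subscriber
+# support websocket upgrades. without that, `ntfy sub` hangs silently
+extraConfig = ''
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_buffering off;
+proxy_read_timeout 7d;
+'';
+};
+};
+sane.dns.zones."uninsane.org".inet.CNAME."ntfy" = "native";
+}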
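Review bot: `log-level = "trace"` is left enabled on a service whose own header comment says TOPIC is a shared secret between publisher and subscriber. At trace level ntfy presumably logs request details, including the topic path, which would put that secret in the system journal; once the integration is debugged I would set `log-level = "info";`. Separately, `behind-proxy` is commented out although every request reaches ntfy through nginx from 127.0.0.1, so ntfy attributes all traffic to a single visitor and its per-visitor rate limits no longer distinguish clients. Enabling `behind-proxy = true;` fixes that, provided nginx forwards `X-Forwarded-For` (this file does not set it explicitly, so confirm the shared nginx config does).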
@ -47,6 +47,8 @@
|
||||||
sane.ids.export.gid = 2412;
|
sane.ids.export.gid = 2412;
|
||||||
sane.ids.nfsuser.uid = 2413;
|
sane.ids.nfsuser.uid = 2413;
|
||||||
sane.ids.media.gid = 2414;
|
sane.ids.media.gid = 2414;
|
||||||
|
sane.ids.ntfy-sh.uid = 2415;
|
||||||
|
sane.ids.ntfy-sh.gid = 2415;
|
||||||
|
|
||||||
sane.ids.colin.uid = 1000;
|
sane.ids.colin.uid = 1000;
|
||||||
sane.ids.guest.uid = 1100;
|
sane.ids.guest.uid = 1100;
|
||||||
|
|