diff --git a/hosts/bicep/services/matrix/default.nix b/hosts/bicep/services/matrix/default.nix
index 190b3cb..a1b735e 100644
--- a/hosts/bicep/services/matrix/default.nix
+++ b/hosts/bicep/services/matrix/default.nix
@@ -1,8 +1,9 @@
 { config, ... }:
 {
 imports = [
- ./synapse.nix
 ./synapse-admin.nix
+ ./synapse-auto-compressor.nix
+ ./synapse.nix
 ./element.nix
 ./coturn.nix
 ./livekit.nix
diff --git a/hosts/bicep/services/matrix/synapse-auto-compressor.nix b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
new file mode 100644
index 0000000..5f77092
--- /dev/null
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -0,0 +1,56 @@
+{ config, lib, utils, ... }:
+let
+ cfg = config.services.synapse-auto-compressor;
+in
+{
+ services.synapse-auto-compressor = {
+ # enable = true;
+ postgresUrl = "postgresql://matrix-synapse@/synapse?host=/run/postgresql";
+ };
+
+ # NOTE: nixpkgs has some broken asserts, vendored the entire unit
+ systemd.services.synapse-auto-compressor = {
+ description = "synapse-auto-compressor";
+ requires = [
+ "postgresql.target"
+ ];
+ inherit (cfg) startAt;
+ serviceConfig = {
+ Type = "oneshot";
+ DynamicUser = true;
+ User = "matrix-synapse";
+ PrivateTmp = true;
+ ExecStart = utils.escapeSystemdExecArgs [
+ "${cfg.package}/bin/synapse_auto_compressor"
+ "-p"
+ cfg.postgresUrl
+ "-c"
+ cfg.settings.chunk_size
+ "-n"
+ cfg.settings.chunks_to_compress
+ "-l"
+ (lib.concatStringsSep "," (map toString cfg.settings.levels))
+ ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ ProcSubset = "pid";
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ };
+ };
+}
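Review bot: `requires = [ "postgresql.target" ]` on the vendored unit has no matching `after`, so systemd may launch this oneshot while PostgreSQL is still starting and the compressor fails on its first connection; add `after = [ "postgresql.target" ];` next to it. The unit is also defined unconditionally while `# enable = true;` is commented out, so the timer created from `inherit (cfg) startAt` fires against the live Synapse database regardless of the module switch — wrap the attribute set in `lib.mkIf cfg.enable`. `DynamicUser = true` combined with `User = "matrix-synapse"` deserves a check: if `matrix-synapse` is the static user that synapse.nix creates, systemd (as I recall) refuses to allocate a dynamic user under an already-taken name, and the peer-auth login that the `postgresUrl` relies on only works when the process really runs as that uid — confirm against the nixpkgs module this vendors. Since the only network use is the unix socket named in `postgresUrl`, the hardening set could be tightened further with `RestrictAddressFamilies`, `SystemCallFilter`, `SystemCallArchitectures` and an empty `CapabilityBoundingSet`, and the `# NOTE: nixpkgs has some broken asserts` comment should name the assertion it works around so the vendored copy can be dropped once upstream is fixed.
```nix
  systemd.services.synapse-auto-compressor = lib.mkIf cfg.enable {
    description = "synapse-auto-compressor";
    requires = [ "postgresql.target" ];
    after = [ "postgresql.target" ];
    inherit (cfg) startAt;
    serviceConfig = {
      # … unchanged: Type, DynamicUser, User, PrivateTmp, ExecStart …
      RestrictAddressFamilies = [ "AF_UNIX" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      CapabilityBoundingSet = "";
      # … unchanged: existing Lock*/Protect*/Restrict* options …
    };
  };
```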