synapse: support sliding-sync

agenix/hosts/tanker/config.nix

@@ -128,6 +128,10 @@
       group = "matrix-synapse";
     };
 
+    synapse-sliding-sync-config = {
+      file = ./synapse/slidingSyncConfig.age;
+    };
+
     mautrix-whatsapp-config = {
       file = ./mautrix-whatsapp/config.age;
       symlink = false;

agenix/hosts/tanker/synapse/slidingSyncConfig.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g zhyMIQB98GvWL6S2Z6+rjOkwsfv5Fw1NbICtvbOz8HM
+vZAh7I5xP8RobeVS8NIZ58I9tm+cpiOZ7m+gLFKenjo
+-> ssh-ed25519 iO8/4g QycwplaVdS9CfKWpc2YXe6CAKlCNekT3+4b/+I+Fv0Q
+BHoeoRZr3MUbbrF5dSGWUtHOp5RGu6lImAFdcH+z4hE
+-> M-grease <tBIm-. 73d5m ?rf< |ZV<=edr
+8KF7r7ZTJWphTxl/u8SW8g38o7XZDe2CiQ
+--- MGWu4qXtsRCcLxRkpSEajwhu7yrhUVS/ub2oPJNGBXw
+0þœå¨oçÿúE¾:×gº‰]íñÐ<C3B1>G½Q~Š®¬vΡZRž­E^”Ô`œs\ܬ@‡F']
Lm‡¦LÜœº\Ç|ö\Ú¾òA;ȺKˆ¤6iÙ^ÞHú”«K°’ÑoGÀ#µ¡'	åØÓ‰¾°P»¿J

secrets.nix

@@ -52,6 +52,7 @@ in
   "agenix/hosts/tanker/proxitok/environment.age".publicKeys = tanker;
 
   "agenix/hosts/tanker/synapse/extraConfig.age".publicKeys = tanker;
+  "agenix/hosts/tanker/synapse/slidingSyncConfig.age".publicKeys = tanker;
 
   "agenix/hosts/tanker/mautrix-signal/config.age".publicKeys = tanker;
 

system/nixos/synapse.nix

@@ -1,5 +1,8 @@
 { config, ... }:
 
+let
+  fqdn = "matrix.kempkens.io";
+in
 {
   services.matrix-synapse = {
     enable = true;
@@ -8,7 +11,7 @@
 
     settings = {
       server_name = "kempkens.io";
-      public_baseurl = "https://matrix.kempkens.io/";
+      public_baseurl = "https://${fqdn}/";
 
       listeners = [
         {
@@ -87,13 +90,24 @@
     };
 
     extraConfigFiles = [ config.age.secrets.synapse-extra-config.path ];
+
+    sliding-sync = {
+      enable = true;
+
+      settings = {
+        SYNCV3_SERVER = "https://${fqdn}";
+        SYNCV3_BINDADDR = "127.0.0.1:8009";
+      };
+
+      environmentFile = config.age.secrets.synapse-sliding-sync-config.path;
+    };
   };
 
   systemd.services.matrix-synapse.after = [ "podman-wait-for-host-interface.service" ];
 
   networking.firewall.interfaces."podman+".allowedTCPPorts = [ 8008 ];
 
-  services.nginx.virtualHosts."matrix.kempkens.io" = {
+  services.nginx.virtualHosts."${fqdn}" = {
     quic = true;
     http3 = true;
 
@@ -102,17 +116,29 @@
 
     extraConfig = ''
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-    '';
 
-    locations."~ ^(/_matrix|/_synapse/client)" = {
+      location ~* ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
-      recommendedProxySettings = true;
+        proxy_pass http://127.0.0.1:8009;
-      proxyPass = "http://127.0.0.1:8008";
+        proxy_set_header Host $host;
-      proxyWebsockets = true;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+      }
+
+      location ~* ^(\/_matrix|\/_synapse\/client) {
+        proxy_pass http://127.0.0.1:8008;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
 
-      extraConfig = ''
         client_max_body_size 50m;
         proxy_force_ranges on;
-      '';
+      }
-    };
+    '';
   };
 }