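#
# System notifications
#
# Matrix Synapse homeserver behind nginx.
#
#   https://<domain>/.well-known/matrix/{server,client}   -> delegation to matrix.<domain>
#   https://matrix.<domain>/_matrix, /_synapse/client     -> synapse on [::1]:8008
#
# TLS terminates at nginx; synapse itself listens plain-HTTP on loopback only.
{ config, lib, pkgs, ... }:

let
  # Host that actually serves the Matrix APIs.  The server_name (the part
  # after ':' in user IDs) stays the bare domain; clients and other
  # homeservers are pointed at this host via the .well-known documents.
  fqdn = "matrix.${config.networking.domain}";

  # Body of /.well-known/matrix/client.
  # NOTE(review): the spec requires `base_url` inside `m.identity_server`
  # whenever that key is present; confirm clients accept the empty object,
  # or drop the key entirely.
  clientConfig = {
    "m.homeserver".base_url = "https://${fqdn}";
    "m.identity_server" = {};
  };

  # Body of /.well-known/matrix/server.  It must name the host that serves
  # /_matrix — that is ${fqdn}.  Pointing it at the apex domain (as before)
  # sends federation traffic to the apex vhost below, which has no /_matrix
  # location and answers 404.
  serverConfig."m.server" = "${fqdn}:443";

  # Render an attrset as a static JSON response.  The wildcard CORS header is
  # required for the /client document (browser clients fetch it cross-origin)
  # and harmless on /server.
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Sets X-Forwarded-For / X-Forwarded-Proto on proxied requests, which the
    # synapse listener below consumes (x_forwarded = true).
    recommendedProxySettings = true;

    virtualHosts = {
      # Apex domain: serves only the two delegation documents.
      "${config.networking.domain}" = {
        enableACME = true;
        forceSSL = true;
        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
      };

      # Synapse front-end.  Only the public API prefixes are proxied; anything
      # else — including /_synapse/admin — falls through to the 404 below.
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        locations."/".extraConfig = ''
          return 404;
        '';
        # NOTE(review): nginx's default client_max_body_size (1m) is below
        # synapse's default max_upload_size; set it on this location if media
        # uploads fail with 413.
        locations."/_matrix".proxyPass = "http://[::1]:8008";
        locations."/_synapse/client".proxyPass = "http://[::1]:8008";
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = config.networking.domain;
      listeners = [
        {
          # Loopback only, plain HTTP: reachable solely through the nginx
          # proxy above.
          port = 8008;
          bind_addresses = [ "::1" ];
          type = "http";
          tls = false;
          # Trust X-Forwarded-For from the proxy.  Acceptable because nothing
          # but nginx can reach this listener.
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = true;
            }
          ];
        }
      ];
      database.args.user = "synapse";
      database.args.database = "synapsedb";
      # Operator-provided secrets (contents not visible here) live in an
      # age-encrypted YAML that synapse merges into its generated
      # homeserver.yaml at start-up, so they never enter the Nix store.
      extraConfigFiles = [ config.age.secrets."services/matrix/synapse.yml".path ];
    };
  };

  # No separate security.acme.certs entry is needed: `enableACME = true` on
  # the two virtual hosts already provisions and renews their certificates
  # for nginx, and synapse never reads them (its listener has tls = false).
  # The override that used to sit here keyed the certificate on the legacy
  # option path (services.matrix-synapse.server_name rather than
  # settings.server_name), restarted a non-existent unit (synapse.service;
  # the NixOS unit is matrix-synapse.service) and re-grouped the key to
  # `synapse`, which would likely lock nginx out of its own private key.

  age.secrets."services/matrix/synapse.yml" = {
    file = ../../../secrets/services/matrix/synapse.age;
    # Readable by the synapse user only, which is all extraConfigFiles needs.
    owner = "synapse";
  };
}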