{ config, lib, pkgs, ... }: let cfg = config.services.matrix-synapse.settings; fqdn = "matrix.sbruder.de"; domain = "sbruder.de"; in { sops.secrets = { synapse-registration-shared-secret = { owner = "matrix-synapse"; sopsFile = ../../secrets.yaml; }; synapse-turn-shared-secret = { owner = "matrix-synapse"; sopsFile = ../../secrets.yaml; }; }; systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = lib.singleton "keys"; services.matrix-synapse = { enable = true; settings = { server_name = domain; public_baseurl = "https://${fqdn}"; listeners = lib.singleton { port = 8008; bind_addresses = [ "127.0.0.1" ]; type = "http"; tls = false; x_forwarded = true; resources = lib.singleton { names = [ "client" "federation" "metrics" ]; compress = false; }; }; turn_uris = [ "turns:turn.sbruder.de:5349?transport=udp" "turns:turn.sbruder.de:5349?transport=tcp" "turn:turn.sbruder.de:3478?transport=udp" "turn:turn.sbruder.de:3478?transport=tcp" ]; turn_user_lifetime = "3600000"; # 1h enable_metrics = true; # adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml # - set root.level to WARNING instead of INFO log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON { version = 1; formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s"; filters.context = { "()" = "synapse.util.logcontext.LoggingContextFilter"; request = ""; }; handlers.journal = { class = "systemd.journal.JournalHandler"; formatter = "journal_fmt"; filters = [ "context" ]; SYSLOG_IDENTIFIER = "synapse"; }; root = { level = "WARNING"; handlers = [ "journal" ]; }; disable_existing_loggers = false; }); max_upload_size = "50M"; # I’m okay with using matrix.org as trusted key server suppress_key_server_warning = true; # For mautrix-whatsapp backfilling experimental_features.msc2716_enabled = true; }; extraConfigFiles = with config.sops.secrets; [ synapse-registration-shared-secret.path synapse-turn-shared-secret.path ]; }; services.postgresql = { enable = true; # synapse requires custom databse configuration: # CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C"; # as the databse is not created with NixOS, # the ownership can’t be ensured here. }; services.nginx.virtualHosts = { "${fqdn}" = { enableACME = true; forceSSL = true; locations."/".return = "301 https://chat.sbruder.de"; locations."/_matrix" = let listenerCfg = (lib.elemAt cfg.listeners 0); in { proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}"; extraConfig = '' client_max_body_size ${cfg.max_upload_size}; ''; }; }; "${domain}" = { enableACME = true; forceSSL = true; locations = let # workaround for nginx dropping parent headers # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md parentHeaders = lib.concatStringsSep "\n" (lib.filter (lib.hasPrefix "add_header ") (lib.splitString "\n" config.services.nginx.commonHttpConfig)); in { "=/.well-known/matrix/server".extraConfig = '' ${parentHeaders} add_header Content-Type application/json; return 200 '${builtins.toJSON { "m.server" = "${fqdn}:443"; }}'; ''; "=/.well-known/matrix/client".extraConfig = '' ${parentHeaders} add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON { "m.homeserver"."base_url" = "https://${fqdn}"; }}'; ''; }; }; }; }