wip fixing synapse ssl

2025-09-21 14:42:32 -06:00
parent 3c93a761ef
commit 41cfe4b2fd
3 changed files with 19 additions and 3 deletions
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -38,6 +38,16 @@ in
        owner = "nginx";
        group = "nginx";
      };
+      "matrix/key" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "matrix-synapse";
+        group = "matrix-synapse";
+      };
+      "matrix/cert" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "matrix-synapse";
+        group = "matrix-synapse";
+      };
    };
    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
    services = lib.mkIf cfg.enable {
@@ -49,10 +59,12 @@ in
        settings = {
          server_name = cfg.domain;
          public_baseurl = cfg.url;
-          federation_domain_whitelist = [ cfg.domain ];
+          federation_domain_whitelist = [ ];
          allow_public_rooms_without_auth = false;
          allow_public_rooms_over_federation = false;
          max_upload_size = "4096M";
+          tls_private_key_path = config.sops.secrets."matrix/key".path;
+          tls_certificate_path = config.sops.secrets."matrix/cert".path;
          listeners = [
            {
              inherit (cfg) port;