module for synapse-matrix

2025-03-08 20:00:09 -06:00
parent c526970745
commit a0efbc5188
5 changed files with 95 additions and 3 deletions
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -120,6 +120,10 @@ in
      enable = config.my.enableProxy;
      clientMaxBodySize = "4096m";
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
    };
    networking.firewall =
      let
--- a/modules/servers/postgres.nix
+++ b/modules/servers/postgres.nix
@@ -33,6 +33,7 @@ let
    "shiori"
    "mealie"
    "firefly-iii"
+    "matrix-synapse"
  ];
 in
 {
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -0,0 +1,82 @@
+{ lib, config, ... }:
+let
+  cfg = config.my.servers.synapse;
+  setup = import ./setup.nix { inherit lib config; };
+  clientConfig."m.homeserver".base_url = cfg.url;
+  serverConfig."m.server" = "${cfg.host}:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in
+{
+  options.my.servers.synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
+  config = {
+    my.servers.synapse.domain = "wedsgk5ac2qcaf9yb.click";
+    sops.secrets = lib.mkIf cfg.enable {
+      synapse = {
+        sopsFile = ../../secrets/env.yaml;
+        owner = "matrix-synapse";
+        group = "matrix-synapse";
+      };
+    };
+    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
+    services = {
+      matrix-synapse = {
+        enable = true;
+        extraConfigFiles = [
+          config.sops.secrets.synapse.path
+        ];
+        settings = {
+          server_name = cfg.domain;
+          public_baseurl = cfg.url;
+          federation_domain_whitelist = [ cfg.domain ];
+          allow_public_rooms_without_auth = false;
+          allow_public_rooms_over_federation = false;
+          max_upload_size = "4096M";
+          listeners = [
+            {
+              inherit (cfg) port;
+              bind_addresses = [ "::1" ];
+              type = "http";
+              tls = false;
+              x_forwarded = true;
+              resources = [
+                {
+                  names = [
+                    "client"
+                    "media"
+                  ];
+                  compress = true;
+                }
+              ];
+            }
+          ];
+        };
+      };
+      nginx.virtualHosts = lib.mkIf cfg.enableProxy {
+        "${cfg.domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+        };
+        "${cfg.host}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".extraConfig = ''
+            return 404;
+          '';
+          locations."/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
+          locations."/_synapse/client".proxyPass = "http://[::1]:${toString cfg.port}";
+          extraConfig = ''
+            ssl_verify_client on;
+            ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
+            error_page 403 /403.html;
+          '';
+        };
+      };
+    };
+  };
+}