NixOS/modules/servers/synapse.nix

{ lib, config, ... }:
let
  cfg = config.my.servers.synapse;
  setup = import ./setup.nix { inherit lib config; };
  clientConfig."m.homeserver".base_url = cfg.url;
  serverConfig."m.server" = "${cfg.host}:443";
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  options.my.servers.synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
  config = {
    my.servers.synapse.domain = "wedsgk5ac2qcaf9yb.click";
    sops.secrets = lib.mkIf cfg.enable {
      synapse = {
        sopsFile = ../../secrets/env.yaml;
        owner = "matrix-synapse";
        group = "matrix-synapse";
      };
    };
    networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
    services = {
      matrix-synapse = {
        enable = true;
        extraConfigFiles = [
          config.sops.secrets.synapse.path
        ];
        settings = {
          server_name = cfg.domain;
          public_baseurl = cfg.url;
          federation_domain_whitelist = [ cfg.domain ];
          allow_public_rooms_without_auth = false;
          allow_public_rooms_over_federation = false;
          max_upload_size = "4096M";
          listeners = [
            {
              inherit (cfg) port;
              bind_addresses = [ "::1" ];
              type = "http";
              tls = false;
              x_forwarded = true;
              resources = [
                {
                  names = [
                    "client"
                    "media"
                  ];
                  compress = true;
                }
              ];
            }
          ];
        };
      };
      nginx.virtualHosts = lib.mkIf cfg.enableProxy {
        "${cfg.domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
        };
        "${cfg.host}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".extraConfig = ''
            return 404;
          '';
          locations."/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
          locations."/_synapse/client".proxyPass = "http://[::1]:${toString cfg.port}";
          extraConfig = ''
            ssl_verify_client on;
            ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
            error_page 403 /403.html;
          '';
        };
      };
    };
  };
}