NixOS/modules/servers/synapse.nix

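# NixOS module for a private Matrix homeserver (Synapse) together with an
# Element web client, both declared through the shared `mkserver` factory.
# Secret material (extra Synapse config, TLS key/cert, proxy CA) is supplied
# by sops-nix; nothing sensitive should end up in `settings`, which is
# written to the world-readable Nix store.
{
  lib,
  config,
  pkgs,
  ...
}:
let
  setup = import ../factories/mkserver.nix { inherit lib config; };
  cfg = config.my.servers.synapse;
  cfgE = config.my.servers.element;
  domain = "wedsgk5ac2qcaf9yb.click";

  # Bodies of the two Matrix discovery documents served from `domain`
  # (`/.well-known/matrix/client` and `/.well-known/matrix/server`).
  clientConfig."m.homeserver".base_url = cfg.url;
  serverConfig."m.server" = "${cfg.host}:443";

  # Render `data` as an nginx location body that answers with a JSON document.
  # The wildcard CORS header is what the Matrix well-known discovery flow
  # needs, since browser clients fetch these documents cross-origin.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';

  # Fixed uid/gid so files owned by the service user keep a stable owner
  # across rebuilds.
  id = 224;
  gid = id;
  uid = id;
in
{
  options.my.servers = {
    synapse = setup.mkOptions "synapse" "pYLemuAfsrzNBaH77xSu" 8008;
    element = setup.mkOptions "element" "55a608953f6d64c199" 5345;
  };

  config = lib.mkMerge [
    (lib.mkIf (cfg.enable && config.my.secureHost) {
      my.servers = {
        synapse = { inherit domain; };
        element = { inherit domain; };
      };

      users.groups.matrix-synapse = { inherit gid; };
      users.users.matrix-synapse = {
        inherit uid;
        isSystemUser = true;
        group = "matrix-synapse";
      };

      # Decrypted files are owned by the synapse service user so only that
      # service can read them.
      sops.secrets = {
        synapse = {
          sopsFile = ../../secrets/env.yaml;
          owner = "matrix-synapse";
          group = "matrix-synapse";
        };
        "matrix/key" = {
          sopsFile = ../../secrets/certs.yaml;
          owner = "matrix-synapse";
          group = "matrix-synapse";
        };
        "matrix/cert" = {
          sopsFile = ../../secrets/certs.yaml;
          owner = "matrix-synapse";
          group = "matrix-synapse";
        };
      };

      # Only open the listener port when the server is meant to be reached
      # from other hosts; a local-only deployment keeps it closed.
      networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];

      services.matrix-synapse = {
        inherit (cfg) enable;

        # NOTE(review): this file is passed to Synapse after the generated
        # config, so values in it take precedence over `settings` below. It
        # is where the registration shared secret (and any other secret
        # values) are expected to live — confirm against the sops content.
        extraConfigFiles = [
          config.sops.secrets.synapse.path
        ];

        settings = {
          server_name = cfg.domain;

          # NOTE(review): plain http on the WireGuard address, while the
          # proxied vhosts below force TLS — confirm this is the URL that
          # should appear in links Synapse generates.
          public_baseurl = "http://${config.my.ips.wg-server}:${toString cfg.port}";

          # An empty whitelist denies every remote server; together with the
          # listener below exposing no `federation` resource this keeps the
          # homeserver non-federating.
          federation_domain_whitelist = [ ];
          allow_public_rooms_without_auth = false;
          allow_public_rooms_over_federation = false;

          # `registration_shared_secret` is deliberately not set here. The
          # previous value was the secret *file path*, which Synapse takes
          # literally as the shared secret — a predictable string visible in
          # this repository. The real secret belongs in the sops file listed
          # in `extraConfigFiles`; without one, shared-secret registration
          # simply stays disabled.

          # NOTE(review): 4 GiB per upload is a lot of disk to hand to any
          # logged-in account — confirm this is intended.
          max_upload_size = "4096M";

          # NOTE(review): the only listener below has `tls = false`, so these
          # two paths look unused by Synapse itself — confirm they are still
          # needed before keeping the secrets around.
          tls_private_key_path = config.sops.secrets."matrix/key".path;
          tls_certificate_path = config.sops.secrets."matrix/cert".path;

          listeners = [
            {
              inherit (cfg) port;
              # Bound on loopback (used by the nginx proxy below) and on the
              # LAN and WireGuard addresses as well.
              bind_addresses = [
                config.my.localhost
                config.my.localhost6
                config.my.ips.server
                config.my.ips.wg-server
              ];
              type = "http";
              tls = false;
              # NOTE(review): `x_forwarded` makes Synapse trust X-Forwarded-For
              # from whoever connects. That is right for the nginx hop on
              # loopback, but a client reaching the LAN/WireGuard addresses
              # directly can set that header itself, so per-IP rate limits and
              # audit logs for those paths are only as trustworthy as the
              # network. A separate loopback-only listener for the proxy would
              # remove that ambiguity if it matters.
              x_forwarded = true;
              resources = [
                {
                  names = [
                    "client"
                    "media"
                  ];
                  compress = true;
                }
              ];
            }
          ];
        };
      };
    })

    (lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
      # Owned by nginx because it is nginx, not Synapse, that reads it.
      # Presumably the CA material the proxy factory attaches to this server
      # via `certPath` — see mkserver.nix.
      sops.secrets."iqQCY4iAWO-ca/pem" = {
        sopsFile = ../../secrets/certs.yaml;
        owner = "nginx";
        group = "nginx";
      };
      my.servers.synapse = {
        useDefaultProxy = false;
        certPath = config.sops.secrets."iqQCY4iAWO-ca/pem".path;
      };

      services.nginx.virtualHosts = {
        # Element web client.
        # NOTE(review): no Element `config.json` is configured here, so the
        # package default is served — confirm it points users at this
        # homeserver (the well-known client document below only helps once a
        # user types the server name).
        # The vhost name itself was previously also listed in `serverAliases`,
        # which nginx reports as a conflicting server name; routing is
        # unchanged without it.
        "${cfgE.host}" = {
          enableACME = true;
          forceSSL = true;
          root = pkgs.element-web;
        };

        # Bare domain: serves only the two Matrix discovery documents.
        "${cfg.domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
        };

        # Homeserver host: only the client-facing API paths are proxied
        # (over the IPv6 loopback listener); everything else, including
        # `/_synapse/admin`, is answered with 404.
        "${cfg.host}" = {
          enableACME = true;
          forceSSL = true;
          locations = {
            "/".extraConfig = ''
              return 404;
            '';
            "/_matrix".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
            "/_synapse/client".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
          };
        };
      };
    })
  ];
}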