{ config, pkgs, ... }:

let
  # Base domain that carries the Matrix identity (server_name); the
  # homeserver itself is reached on a subdomain of it.
  domain = "vhack.eu";
  fqdn = "matrix.${domain}";

  # Payloads of the two Matrix discovery documents served from the apex.
  wellKnown = {
    client."m.homeserver".base_url = "https://${fqdn}";
    server."m.server" = "${fqdn}:443";
  };

  # nginx snippet that answers with `data` as a static JSON document.
  # The wildcard CORS header is needed because web clients fetch
  # /.well-known/matrix/client from a different origin.
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';

  # Synapse listens on IPv6 loopback only, so nginx is its sole client.
  synapseUpstream = "http://[::1]:8008";
in
{
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.postgresql = {
    enable = true;
    # NOTE(review): the role password is a literal in a file that ends up in
    # the world-readable Nix store.  No database settings are given to Synapse
    # below, so it presumably connects over the local socket and never uses
    # this password — confirm, and keep it that way or move the secret out of
    # the store.  The "C" collation/ctype is what Synapse expects.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Apex domain: publishes the discovery documents and nothing else.
      "${domain}" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/.well-known/matrix/server".extraConfig = mkWellKnown wellKnown.server;
          "/.well-known/matrix/client".extraConfig = mkWellKnown wellKnown.client;
        };
      };

      # Homeserver: only the two Matrix API prefixes are proxied to Synapse;
      # every other path is refused with 404.
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/".extraConfig = ''
            return 404;
          '';
          "/_matrix".proxyPass = synapseUpstream;
          "/_synapse/client".proxyPass = synapseUpstream;
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    dataDir = "/var/lib/matrix";
    # NOTE(review): a fixed configFile is set while `settings` is also
    # declared; check which of the two the module actually hands to Synapse,
    # as the settings below may otherwise be ignored.
    configFile = "/etc/matrix/matrix.conf";
    settings = {
      server_name = domain;
      media_store_path = "/var/lib/matrix/media_store";
      # Secret file provisioned at runtime (presumably agenix), so the
      # registration secret itself never lands in the Nix store.
      registration_shared_secret_path =
        "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
      listeners = [
        {
          # Plain HTTP on loopback; TLS is terminated by nginx, which is the
          # only peer able to reach this socket, so X-Forwarded-* is trusted.
          type = "http";
          port = 8008;
          bind_addresses = [ "::1" ];
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = true;
            }
          ];
        }
      ];
    };
  };
}