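# NixOS module for the Matrix homeserver (Synapse) on this host: DNS record,
# agenix secrets, restic backup, PostgreSQL, Synapse itself, and the nginx
# front end (well-known delegation on ctu.cx, reverse proxy and Cinny web
# client on matrix.ctu.cx).
{ inputs, config, lib, pkgs, ... }:
{
  # matrix.ctu.cx is an alias of this machine's FQDN.
  dns.zones."ctu.cx".subdomains.matrix.CNAME = [ "${config.networking.fqdn}." ];

  age.secrets = {
    restic-matrix-synapse.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/matrix-synapse.age";
    matrix-registration_shared_secret = {
      file = ./. + "/../../../secrets/${config.networking.hostName}/matrix-synapse/registration_shared_secret.age";
      # Synapse reads this file itself (registration_shared_secret_file below),
      # so the decrypted secret has to be owned by its service user.
      owner = "matrix-synapse";
    };
  };

  restic-backups.matrix-synapse = {
    user = "matrix-synapse";
    # NOTE(review): restic-matrix-synapse above sets no `owner`, so the
    # decrypted password file keeps agenix's default (root) ownership; confirm
    # the restic-backups module hands it to the matrix-synapse user (e.g. as a
    # systemd credential) rather than opening it directly as that user.
    passwordFile = config.age.secrets.restic-matrix-synapse.path;
    postgresDatabases = [ "matrix-synapse" ];
    paths = [ "/var/lib/matrix-synapse" ];
  };

  systemd.services.matrix-synapse = {
    # NOTE(review): `%i` is the instance name and expands to the empty string
    # for a non-instantiated unit such as matrix-synapse.service; the
    # systemd.unit(5) OnFailure example uses `%n` (the full unit name).
    # Verify which specifier the email-notify@ template expects.
    onFailure = [ "email-notify@%i.service" ];
  };

  services = {
    postgresql = {
      enable = true;
      # Role plus database with a C locale, Synapse's documented requirement.
      # The role has no password: Synapse connects over the local socket.
      initialScript = pkgs.writeText "synapse-init.sql" ''
        CREATE ROLE "matrix-synapse" WITH LOGIN;
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
      '';
    };

    matrix-synapse = {
      enable = true;
      withJemalloc = true;
      settings = {
        server_name = "ctu.cx";
        public_baseurl = "https://matrix.ctu.cx/";
        max_upload_size = "100M";
        dynamic_thumbnails = true;
        # No open registration; accounts are created with the shared secret,
        # which is read from the agenix-managed file rather than the config.
        enable_registration = false;
        enable_registration_without_verification = false;
        registration_shared_secret_file = config.age.secrets.matrix-registration_shared_secret.path;
        # Single plain-HTTP listener on loopback only; nginx terminates TLS and
        # forwards client + federation traffic here. x_forwarded makes Synapse
        # take the client address/scheme from the X-Forwarded-* headers, so the
        # proxy must set them (see the /_matrix location below).
        listeners = [{
          bind_addresses = [ "::1" ];
          port = 8008;
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            { names = [ "client" ]; compress = true; }
            { names = [ "federation" ]; compress = false; }
          ];
        }];
      };
    };

    nginx = {
      enable = true;
      virtualHosts = let
        # Served verbatim as JSON from the well-known endpoints below:
        # federation is delegated to matrix.ctu.cx:443, clients to
        # https://matrix.ctu.cx (also advertised as the MSC3575 sliding-sync
        # proxy).
        matrixServerConfig = { "m.server" = "matrix.ctu.cx:443"; };
        matrixClientConfig = {
          "m.homeserver" = { "base_url" = "https://matrix.ctu.cx"; };
          "org.matrix.msc3575.proxy" = { "url" = "https://matrix.ctu.cx"; };
        };
        # nginx snippet answering a well-known request with a fixed JSON body.
        wellKnown = json: ''
          add_header Content-Type application/json;
          return 200 '${builtins.toJSON json}';
        '';
      in {
        "ctu.cx" = {
          enableACME = true;
          forceSSL = true;
          kTLS = true;
          locations."/.well-known/matrix/server".extraConfig = wellKnown matrixServerConfig;
          locations."/.well-known/matrix/client".extraConfig = wellKnown matrixClientConfig;
        };

        "matrix.ctu.cx" = {
          enableACME = true;
          forceSSL = true;
          kTLS = true;
          locations = {
            "/_matrix" = {
              proxyPass = "http://[::1]:8008";
              # Synapse trusts X-Forwarded-For/-Proto (x_forwarded = true), so
              # set them here from nginx's own view of the connection instead of
              # passing through whatever the client sent. client_max_body_size
              # has to match Synapse's max_upload_size: the NixOS default body
              # limit (10m) is lower and would make nginx answer 413 for larger
              # media uploads before they ever reach Synapse.
              extraConfig = ''
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                client_max_body_size 100M;
              '';
            };
            # "/_synapse".proxyPass = "http://[::1]:8008";
            # "/admin/".alias = "${pkgs.synapse-admin}/";
            "/.well-known/matrix/server".extraConfig = wellKnown matrixServerConfig;
            "/.well-known/matrix/client".extraConfig = wellKnown matrixClientConfig;
            # Cinny web client, pinned to this homeserver only.
            "/".root = pkgs.cinny.override {
              conf = {
                defaultHomeserver = 0;
                homeserverList = [
                  "matrix.ctu.cx"
                ];
                allowCustomHomeservers = false;
                hashRouter.enabled = true;
              };
            };
          };
        };
      };
    };
  };
}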