nixos-selfhost/matrix.nix

{
  config,
  pkgs,
  ...
}: let
  domain = "sondell.org";
  hostName = "matrix";
  fqdn = "${hostName}.${domain}";
  baseUrl = "https://${fqdn}";
  clientConfig."m.homeserver".base_url = baseUrl;
  serverConfig."m.server" = "${fqdn}:443";
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in {
  #
  services.matrix-synapse = {
    enable = true;
    settings.enable_registration = true;
    settings.enable_registration_without_verification = true;
    settings.server_name = domain;
    settings.public_baseurl = baseUrl;
    settings.listeners = [
      {
        port = 8008;
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          {
            names = ["client" "federation"];
            compress = true;
          }
        ];
      }
    ];
  };

  services.postgresql = {
    enable = true;
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.nginx.virtualHosts = {
    ${fqdn} = {
      # locations."/".extraConfig = ''
      #   return 404;
      # '';
      # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
      # *must not* be used here.
      locations."/_matrix".proxyPass = "http://[::1]:8008";
      # Forward requests for e.g. SSO and password-resets.
      locations."/_synapse/client".proxyPass = "http://[::1]:8008";
    };

    ${domain} = {
      enableACME = true;
      # locations."/" = {
      #   proxyPass = "http://localhost:8008";
      # };
      # This section is not needed if the server_name of matrix-synapse is equal to
      # the domain (i.e. example.org from @foo:example.org) and the federation port
      # is 8448.
      # Further reference can be found in the docs about delegation under
      # https://element-hq.github.io/synapse/latest/delegate.html
      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
      # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
      # Further reference can be found in the upstream docs at
      # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
    };
  };
}
defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}: let`
matrix_init 2024-03-10 21:30:39 +01:00			`domain = "sondell.org";`
			`hostName = "matrix";`
			`fqdn = "${hostName}.${domain}";`
			`baseUrl = "https://${fqdn}";`
			`clientConfig."m.homeserver".base_url = baseUrl;`
			`serverConfig."m.server" = "${fqdn}:443";`
			`mkWellKnown = data: ''`
			`default_type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`return 200 '${builtins.toJSON data}';`
			`'';`
defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`in {`
			`#`
matrix_init 2024-03-10 21:30:39 +01:00			`services.matrix-synapse = {`
			`enable = true;`
			`settings.enable_registration = true;`
			`settings.enable_registration_without_verification = true;`
			`settings.server_name = domain;`
			`settings.public_baseurl = baseUrl;`
			`settings.listeners = [`
			`{`
			`port = 8008;`
			`type = "http";`
			`tls = false;`
			`x_forwarded = true;`
defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`resources = [`
matrix_init 2024-03-10 21:30:39 +01:00			`{`
defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`names = ["client" "federation"];`
matrix_init 2024-03-10 21:30:39 +01:00			`compress = true;`
defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`}`
matrix_init 2024-03-10 21:30:39 +01:00			`];`
			`}`
			`];`
			`};`

defer tls/ssl to hyperserver 2025-01-14 15:17:47 +01:00			`services.postgresql = {`
			`enable = true;`
			`initialScript = pkgs.writeText "synapse-init.sql" ''`
			`CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';`
			`CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`
			`TEMPLATE template0`
			`LC_COLLATE = "C"`
			`LC_CTYPE = "C";`
			`'';`
			`};`
matrix_init 2024-03-10 21:30:39 +01:00
			`services.nginx.virtualHosts = {`
			`${fqdn} = {`
homepage back up again :) 2024-04-04 13:40:20 +02:00			`# locations."/".extraConfig = ''`
			`# return 404;`
			`# '';`
matrix_init 2024-03-10 21:30:39 +01:00			`# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash`
			`# must not be used here.`
			`locations."/_matrix".proxyPass = "http://[::1]:8008";`
			`# Forward requests for e.g. SSO and password-resets.`
			`locations."/_synapse/client".proxyPass = "http://[::1]:8008";`
			`};`

revert: flake.lock matrix 2024-04-02 13:52:13 +02:00			`${domain} = {`
			`enableACME = true;`
homepage back up again :) 2024-04-04 13:40:20 +02:00			`# locations."/" = {`
			`# proxyPass = "http://localhost:8008";`
			`# };`
revert: flake.lock matrix 2024-04-02 13:52:13 +02:00			`# This section is not needed if the server_name of matrix-synapse is equal to`
			`# the domain (i.e. example.org from @foo:example.org) and the federation port`
			`# is 8448.`
			`# Further reference can be found in the docs about delegation under`
			`# https://element-hq.github.io/synapse/latest/delegate.html`
disable dubble tls 2024-03-27 15:30:23 +01:00			`locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;`
revert: flake.lock matrix 2024-04-02 13:52:13 +02:00			`# This is usually needed for homeserver discovery (from e.g. other Matrix clients).`
			`# Further reference can be found in the upstream docs at`
			`# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient`
disable dubble tls 2024-03-27 15:30:23 +01:00			`locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;`
			`};`
matrix_init 2024-03-10 21:30:39 +01:00			`};`
			`}`