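{ config, pkgs, ... }:
#
# a homeserver for matrix.org.
#
# this uses config.networking.domain as the ACME host. be sure to add the
# fqdn and element subdomains to
# security.acme.certs.<domain>.extraDomainNames (where <domain> is
# config.networking.domain), otherwise the two virtualHosts below have no
# certificate covering their names.
#
# - nixos manual: https://nixos.org/nixos/manual/index.html#module-services-matrix
#
# to create new users (placeholders in angle brackets):
#
#   nix run nixpkgs.matrix-synapse
#   register_new_matrix_user -k <registration_shared_secret> http://localhost:<matrix_port>
#
let
  # public name of the homeserver; federation partners and clients connect here
  fqdn = "matrix.${config.networking.domain}";
  # public name of the element web client. must differ from fqdn, see the
  # element-web note at the bottom of this file.
  element = "chat.${config.networking.domain}";
  # loopback-only listener port for synapse; nginx terminates TLS in front of it
  matrix_port = 8448;
in {
  # matrix-synapse server. for what the settings mean, see:
  # https://nixos.org/nixos/manual/index.html#module-services-matrix
  #
  services.matrix-synapse = {
    # synapse is currently switched off. nginx below still proxies /_matrix to
    # the loopback port, so that path presumably answers with an upstream error
    # until this is set to true.
    enable = false;
    settings.server_name = config.networking.domain;
    # do NOT put registration_shared_secret (or any other secret) into
    # `settings`: everything in `settings` is rendered into a config file in
    # the world-readable /nix/store, and this file itself lives in version
    # control. keep the secret in a root-only file outside the store and
    # reference it via services.matrix-synapse.extraConfigFiles instead.
    settings.listeners = [
      {
        port = matrix_port;
        # bind to loopback only: synapse is never reachable from the network
        # directly, all traffic enters through the nginx reverse proxy.
        bind_address = "::1";
        type = "http";
        # plain http on loopback; TLS is terminated by nginx
        tls = false;
        # trust X-Forwarded-For from the proxy so rate limiting and logs see
        # the real client address instead of ::1
        x_forwarded = true;
        resources = [
          {
            # both the client-server and the server-server API go through
            # this one listener
            names = [ "client" "federation" ];
            compress = false;
          }
        ];
      }
    ];
  };

  # matrix needs a database
  #
  services.postgresql.enable = true;

  # web proxy for the matrix server
  #
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # route to matrix-synapse: the bare domain only serves the .well-known
      # delegation documents that point clients and other homeservers at fqdn
      "${config.networking.domain}" = {
        # server-server delegation: federation is served on 443 via nginx,
        # so the loopback port above is never exposed
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';

        # client-server discovery. the CORS header is required because web
        # clients fetch this document cross-origin; it only exposes a public
        # JSON document, nothing authenticated.
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };

      # reverse proxy for matrix client-server and server-server communication
      "${fqdn}" = {
        forceSSL = true;
        useACMEHost = config.networking.domain;
        # nothing but the matrix API is served on this name
        locations."/".extraConfig = ''
          return 404;
        '';
        locations."/_matrix" = {
          proxyPass = "http://[::1]:${toString matrix_port}";
        };
      };
    };
  };

  # matrix client, available at chat.simatime.com
  #
  # note that element and matrix-synapse must be on separate fqdn's to
  # protect from XSS attacks:
  # https://github.com/vector-im/element-web#important-security-note
  #
  services.nginx.virtualHosts."${element}" = {
    useACMEHost = config.networking.domain;
    forceSSL = true;
    root = pkgs.element-web;
  };
}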