1 { pkgs, config, lib, ... }:
3 fqdn = "${config.networking.hostName}.${config.networking.domain}";
7 services.postgresql.enable = true;
8 services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
9 CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
10 CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
18 clientMaxBodySize = lib.mkDefault "50M";
19 # only recommendedProxySettings and recommendedGzipSettings are strictly required;
20 # the remaining recommended* settings are sensible to enable as well
21 recommendedTlsSettings = true;
22 recommendedOptimisation = true;
23 recommendedGzipSettings = true;
24 recommendedProxySettings = true;
27 # This host section can be placed on a different host than the rest,
28 # e.g. to delegate from the host reachable as ${config.networking.domain}
29 # to another host that actually runs the Matrix homeserver.
31 enableACME = config.security.acme.acceptTerms;
32 forceSSL = config.security.acme.acceptTerms;
33 locations."= /.well-known/matrix/server".extraConfig =
35 # use port 443 instead of the default 8448 so that the client-server
36 # and server-server APIs share a single port, for simplicity
37 server = { "m.server" = "matrix.${fqdn}:443"; };
39 add_header Content-Type application/json;
40 return 200 '${builtins.toJSON server}';
42 locations."= /.well-known/matrix/client".extraConfig =
45 "m.homeserver" = { "base_url" = "https://matrix.${fqdn}"; };
46 #"m.identity_server" = { "base_url" = "https://vector.im"; };
48 # the ACAO header is required so that Element Web served from any origin can request this JSON file
50 add_header Content-Type application/json;
51 add_header Access-Control-Allow-Origin *;
52 return 200 '${builtins.toJSON client}';
55 # Reverse proxy for Matrix client-server and server-server communication
57 enableACME = config.security.acme.acceptTerms;
58 forceSSL = config.security.acme.acceptTerms;
60 # Alternatively, redirect instead of returning a 404, or do whatever is appropriate for your setup.
61 # But do not serve a Matrix web client here! See the Element web section below.
62 locations."/".extraConfig = ''
66 # forward all Matrix API calls to the synapse Matrix homeserver
67 locations."/_matrix" = {
68 proxyPass = "http://[::1]:8008"; # without a trailing /
73 services.matrix-synapse = {
75 server_name = "${fqdn}";
76 plugins = with config.services.matrix-synapse.package.plugins; [
77 # matrix-synapse-ldap3
89 names = [ "client" "federation" ];
96 public_baseurl: https://matrix.${fqdn}
98 - module: "pam_auth_provider.PAMAuthProvider"
101 skip_user_check: false
107 get_users_who_share_room_with_user: 2.0
108 sync_response_cache_duration: 2m
110 max_cache_memory_usage: 1024M
111 target_cache_memory_usage: 512M
117 services.nginx.virtualHosts."element.${fqdn}" = {
118 enableACME = config.security.acme.acceptTerms;
119 forceSSL = config.security.acme.acceptTerms;
121 root = pkgs.element-web.override {
123 default_server_config."m.homeserver" = {
124 "base_url" = "https://matrix.${fqdn}";
125 "server_name" = "${fqdn}";