# NixOS module: Matrix Synapse homeserver reverse-proxied by nginx, backed by
# PostgreSQL, with PAM password authentication and an Element web client
# served from its own virtual host. Everything is derived from the machine's
# hostName/domain so the file can be dropped into another host unchanged.
{ pkgs, config, lib, ... }:
let
  # Public name of this machine; every vhost and the Matrix server_name derive from it.
  fqdn = "${config.networking.hostName}.${config.networking.domain}";
in {
  services.postgresql.enable = true;
  # Creates the synapse role and database on first PostgreSQL start.
  # NOTE(review): the role password is baked into a Nix store path, which is
  # world-readable. That is only acceptable if synapse reaches PostgreSQL over
  # the local Unix socket (peer auth) and this role has no network login path —
  # confirm against pg_hba / the synapse database settings before reusing it.
  # template0 with LC_COLLATE/LC_CTYPE = "C": synapse expects a C-locale database.
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  services.nginx = {
    enable = true;
    # Kept in step with max_upload_size in the synapse config below;
    # mkDefault lets another module raise it without a conflict.
    clientMaxBodySize = lib.mkDefault "50M";
    # only recommendedProxySettings and recommendedGzipSettings are strictly required,
    # but the rest make sense as well
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Also emits the X-Forwarded-* headers that the synapse listener below
    # relies on via x_forwarded = true.
    recommendedProxySettings = true;
    virtualHosts = {
      # This host section can be placed on a different host than the rest,
      # i.e. to delegate from the host being accessible as ${config.networking.domain}
      # to another host actually running the Matrix homeserver.
      "${fqdn}" = {
        # NOTE(review): TLS on every vhost in this file is tied to
        # security.acme.acceptTerms. When that is false the delegation files,
        # the client-server API and the Element client are all served over
        # plain HTTP — confirm that is intended for any deployment without ACME.
        enableACME = config.security.acme.acceptTerms;
        forceSSL = config.security.acme.acceptTerms;
        # Server-server delegation: federation traffic for ${fqdn} is directed
        # to the matrix.${fqdn} vhost.
        locations."= /.well-known/matrix/server".extraConfig = let
          # use 443 instead of the default 8448 port to unite
          # the client-server and server-server port for simplicity
          server = { "m.server" = "matrix.${fqdn}:443"; };
        in ''
          add_header Content-Type application/json;
          return 200 '${builtins.toJSON server}';
        '';
        # Client discovery: tells Matrix clients which homeserver URL to use
        # when a user enters ${fqdn} as their server.
        locations."= /.well-known/matrix/client".extraConfig = let
          client = {
            "m.homeserver" = { "base_url" = "https://matrix.${fqdn}"; };
            #"m.identity_server" = { "base_url" = "https://vector.im"; };
          };
        # ACAO required to allow element-web on any URL to request this json file
        in ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '${builtins.toJSON client}';
        '';
      };

      # Reverse proxy for Matrix client-server and server-server communication
      "matrix.${fqdn}" = {
        enableACME = config.security.acme.acceptTerms;
        forceSSL = config.security.acme.acceptTerms;
        # Or do a redirect instead of the 404, or whatever is appropriate for you.
        # But do not put a Matrix Web client here! See the Element web section below.
        locations."/".extraConfig = ''
          return 404;
        '';
        # forward all Matrix API calls to the synapse Matrix homeserver
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    # The bare domain is the Matrix server_name; users are @user:${fqdn}
    # even though the API itself lives on matrix.${fqdn}.
    server_name = "${fqdn}";
    plugins = with config.services.matrix-synapse.package.plugins; [
      # matrix-synapse-ldap3
      matrix-synapse-pam
    ];
    listeners = [
      {
        port = 8008;
        # Loopback only: the plaintext listener is reachable solely through the
        # nginx proxy above, which is why trusting X-Forwarded-For below is safe.
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          {
            # Both APIs on one port; nginx already terminates TLS and compresses.
            names = [ "client" "federation" ];
            compress = false;
          }
        ];
      }
    ];
    # Raw synapse YAML appended to the generated homeserver config.
    # public_baseurl must match the proxied vhost so links synapse generates
    # point at the right host.
    # NOTE(review): create_users presumably provisions a Matrix account for any
    # PAM user on first login, so every local system account becomes a Matrix
    # user — verify that is the intended account policy.
    extraConfig = ''
      public_baseurl: https://matrix.${fqdn}
      password_providers:
        - module: "pam_auth_provider.PAMAuthProvider"
          config:
            create_users: true
            skip_user_check: false
      max_upload_size: 50M
      caches:
        global_factor: 1.0
        per_cache_factors:
          get_users_who_share_room_with_user: 2.0
        sync_response_cache_duration: 2m
        cache_autotuning:
          max_cache_memory_usage: 1024M
          target_cache_memory_usage: 512M
          min_cache_ttl: 5m
    '';
  };

  # Element web client
  # Served from its own vhost so the client never shares an origin with the
  # homeserver API (see the warning on the matrix.${fqdn} "/" location above).
  services.nginx.virtualHosts."element.${fqdn}" = {
    enableACME = config.security.acme.acceptTerms;
    forceSSL = config.security.acme.acceptTerms;
    # Bakes the homeserver defaults into Element's config.json so users do not
    # have to pick a server manually.
    root = pkgs.element-web.override {
      conf = {
        default_server_config."m.homeserver" = {
          "base_url" = "https://matrix.${fqdn}";
          "server_name" = "${fqdn}";
        };
      };
    };
  };
}