3 files changed, 30 insertions, 2 deletions

diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 0a754a86..0115412c 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -171,7 +171,7 @@ in {
             addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
           }
           { domain = "synapse.li";
-            acmeDomains = ["element.synapse.li" "turn.synapse.li" "synapse.li"];
+            acmeDomains = ["element.synapse.li" "turn.synapse.li" "admin.synapse.li" "synapse.li"];
           }
           { domain = "dirty-haskell.org";
             addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
diff --git a/hosts/surtr/dns/zones/li.synapse.soa b/hosts/surtr/dns/zones/li.synapse.soa
index 44d4e22e..8991b8ea 100644
--- a/hosts/surtr/dns/zones/li.synapse.soa
+++ b/hosts/surtr/dns/zones/li.synapse.soa
@@ -1,7 +1,7 @@
 $ORIGIN synapse.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022022602 ; serial
+  2022022700 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -27,6 +27,10 @@ element                 IN      A       202.61.241.61
 element                 IN      AAAA    2a03:4000:52:ada::
 _acme-challenge.element IN      NS      ns.yggdrasil.li.
 
+admin                   IN      A       202.61.241.61
+admin                   IN      AAAA    2a03:4000:52:ada::
+_acme-challenge.admin   IN      NS      ns.yggdrasil.li.
+
 turn                    IN      CAA     128 issue "letsencrypt.org; validationmethods=dns-01"
 turn                    IN      CAA     128 issue "sectigo.com; validationmethods=dns-01"
 turn                    IN      CAA     128 iodef "mailto:caa@yggdrasil.li"
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 01ea2aee..a5811612 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -138,6 +138,18 @@
           };
         };
       };
+
+      virtualHosts."admin.synapse.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/admin.synapse.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/admin.synapse.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/admin.synapse.li.chain.pem";
+        extraConfig = ''
+          add_header Strict-Transport-Security "max-age=63072000" always;
+        '';
+
+        root = pkgs.synapse-admin;
+      };
     };
 
     security.acme.domains = {
@@ -149,6 +161,14 @@
           '';
         };
       };
+      "admin.synapse.li" = {
+        zone = "synapse.li";
+        certCfg = {
+          postRun = ''
+            ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+          '';
+        };
+      };
       "turn.synapse.li" = {
         zone = "synapse.li";
         certCfg = {
@@ -178,6 +198,10 @@
           "element.synapse.li.key.pem:${config.security.acme.certs."element.synapse.li".directory}/key.pem"
           "element.synapse.li.pem:${config.security.acme.certs."element.synapse.li".directory}/fullchain.pem"
           "element.synapse.li.chain.pem:${config.security.acme.certs."element.synapse.li".directory}/chain.pem"
+
+          "admin.synapse.li.key.pem:${config.security.acme.certs."admin.synapse.li".directory}/key.pem"
+          "admin.synapse.li.pem:${config.security.acme.certs."admin.synapse.li".directory}/fullchain.pem"
+          "admin.synapse.li.chain.pem:${config.security.acme.certs."admin.synapse.li".directory}/chain.pem"
         ];
       };
     };