{ config, ... }: { config = { services.matrix-synapse = { enable = true; enable_metrics = true; enable_registration = false; allow_guest_access = false; server_name = "synapse.li"; listeners = [ { bind_address = "localhost"; port = 8008; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; tls = false; type = "http"; x_forwarded = true; } ]; tls_certificate_path = "/run/credentials/matrix-synapse/synapse.li.pem"; tls_private_key_path = "/run/credentials/matrix-synapse/synapse.li.key.pem"; tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path; }; systemd.services.matrix-synapse = { serviceConfig = { LoadCredential = [ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem" "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem" ]; }; }; services.nginx = { recommendedProxySettings = true; upstreams."matrix-synapse" = { servers = { "127.0.0.1:8008" = {}; }; }; virtualHosts."synapse.li" = { forceSSL = true; sslCertificate = "/run/credentials/nginx.service/synapse.li.pem"; sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem"; sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem"; listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } { addr = "[::]"; port = 443; ssl = true; } { addr = "0.0.0.0"; port = 8448; ssl = true; } { addr = "[::]"; port = 8448; ssl = true; } ]; locations = let synapse = { proxyPass = "http://matrix-synapse"; extraConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; ''; }; in { "/_matrix" = synapse; "/_synapse/client" = synapse; }; }; }; systemd.services.nginx = { serviceConfig = { LoadCredential = [ "synapse.li.key.pem:${config.security.acme.certs."synapse.li".directory}/key.pem" "synapse.li.pem:${config.security.acme.certs."synapse.li".directory}/fullchain.pem" "synapse.li.chain.pem:${config.security.acme.certs."synapse.li".directory}/chain.pem" ]; }; }; }; }