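# NixOS module for the Matrix homeserver behind synapse.li.
#
# Layout and trust boundaries, as configured in this file:
#   * Synapse listens on localhost:8008 over plain HTTP only. TLS for the
#     client port (443) and the federation port (8448) is terminated by nginx.
#   * nginx proxies only /_matrix and /_synapse/client to Synapse; every other
#     path on synapse.li (including /_synapse/admin) is redirected to the web
#     client, so the admin API is not reachable through this vhost.
#   * Private keys, certificate chains and the registration secret are handed
#     to the services through systemd LoadCredential rather than being read
#     from the ACME / sops paths directly.
#
# NOTE(review): this file uses the flat services.matrix-synapse.* options
# (listeners, server_name, tls_*_path, ...) rather than settings.*; confirm
# that matches the NixOS release in use.
{ config, pkgs, ... }:

let
  # Directory holding the ACME-issued certificate files for `name`.
  acmeDir = name: config.security.acme.certs.${name}.directory;

  # Run after a certificate renewal: nginx only sees new credential files on
  # (re)start because LoadCredential copies them at service start.
  restartNginx = ''
    ${pkgs.systemd}/bin/systemctl try-restart nginx.service
  '';

  # HSTS for two years; `always` emits it on error responses as well.
  hsts = ''
    add_header Strict-Transport-Security "max-age=63072000" always;
  '';
in
{
  config = {
    services.matrix-synapse = {
      enable = true;
      # Metrics are collected, but no "metrics" resource is attached to the
      # listener below, so they are presumably not served on 8008 — verify.
      enable_metrics = true;
      # No self-service sign-up and no guest accounts; accounts are created
      # with the shared secret from registration.yaml (extraConfigFiles).
      enable_registration = false;
      allow_guest_access = false;
      server_name = "synapse.li";

      listeners = [
        {
          # Loopback only: reachable solely through the nginx upstream below.
          bind_address = "localhost";
          port = 8008;
          resources = [
            { names = [ "client" ]; compress = true; }
            { names = [ "federation" ]; compress = false; }
          ];
          tls = false;
          type = "http";
          # Honour X-Forwarded-For from nginx so logs and rate limiting see the
          # real client address instead of 127.0.0.1.
          x_forwarded = true;
        }
      ];

      # Not used for serving (tls = false above). The paths are the credential
      # names declared in systemd.services.matrix-synapse below.
      tls_certificate_path = "/run/credentials/matrix-synapse.service/synapse.li.pem";
      tls_private_key_path = "/run/credentials/matrix-synapse.service/synapse.li.key.pem";
      tls_dh_params_path = config.security.dhparams.params.matrix-synapse.path;

      # Registration shared secret, delivered as a systemd credential.
      extraConfigFiles = [ "/run/credentials/matrix-synapse.service/registration.yaml" ];
    };

    # Encrypted at rest in the repo; sops decrypts it at activation and only
    # the decrypted path is handed to Synapse (see LoadCredential below).
    sops.secrets."matrix-synapse-registration.yaml" = {
      format = "binary";
      sopsFile = ./registration.yaml;
    };

    systemd.services.matrix-synapse = {
      serviceConfig = {
        # Credentials are snapshotted at service start. Renewal of the
        # synapse.li certificate restarts nginx only (security.acme.domains),
        # which is fine while the Synapse listener keeps tls = false.
        LoadCredential = [
          "synapse.li.key.pem:${acmeDir "synapse.li"}/key.pem"
          "synapse.li.pem:${acmeDir "synapse.li"}/fullchain.pem"
          "registration.yaml:${config.sops.secrets."matrix-synapse-registration.yaml".path}"
        ];
      };
    };

    services.nginx = {
      # Sets X-Forwarded-For / X-Forwarded-Proto on proxied requests, which
      # Synapse consumes because of x_forwarded = true.
      recommendedProxySettings = true;
      upstreams."matrix-synapse" = {
        servers = { "127.0.0.1:8008" = {}; };
      };

      virtualHosts."synapse.li" = {
        forceSSL = true;
        sslCertificate = "/run/credentials/nginx.service/synapse.li.pem";
        sslCertificateKey = "/run/credentials/nginx.service/synapse.li.key.pem";
        sslTrustedCertificate = "/run/credentials/nginx.service/synapse.li.chain.pem";
        # 443: client API. 8448: federation, served directly (no .well-known
        # delegation is configured in this file).
        listen = [
          { addr = "0.0.0.0"; port = 443; ssl = true; }
          { addr = "[::0]"; port = 443; ssl = true; }
          { addr = "0.0.0.0"; port = 8448; ssl = true; }
          { addr = "[::0]"; port = 8448; ssl = true; }
        ];
        # Server-level HSTS so the "/" redirect carries it too. nginx does not
        # inherit add_header into a location that sets its own, so the proxied
        # locations repeat it explicitly.
        extraConfig = hsts;
        locations =
          let
            synapse = {
              proxyPass = "http://matrix-synapse";
              # nginx's default client_max_body_size is 1M, which would reject
              # media uploads with 413 before Synapse sees them. Keep this at
              # or above Synapse's max_upload_size (Synapse's default is 50M).
              extraConfig = hsts + ''
                client_max_body_size 50M;
              '';
            };
          in
          {
            "/_matrix" = synapse;
            "/_synapse/client" = synapse;
            # Everything else (including /_synapse/admin) is not proxied.
            "/".return = "301 https://element.synapse.li$request_uri";
          };
      };

      virtualHosts."element.synapse.li" = {
        forceSSL = true;
        sslCertificate = "/run/credentials/nginx.service/element.synapse.li.pem";
        sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
        sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
        # The web client is served from its own origin, separate from the
        # homeserver, so homeserver-hosted content cannot run in its origin.
        # The extra headers are Element's recommended clickjacking and
        # MIME-sniffing protections for the static bundle.
        extraConfig = hsts + ''
          add_header X-Frame-Options SAMEORIGIN always;
          add_header X-Content-Type-Options nosniff always;
          add_header Content-Security-Policy "frame-ancestors 'self'" always;
        '';
        root = pkgs.element-web.override {
          conf = {
            default_server_config."m.homeserver" = {
              "base_url" = "https://synapse.li";
              "server_name" = "synapse.li";
            };
          };
        };
      };
    };

    # Per-domain settings for the site-local ACME module (security.acme.domains
    # and certCfg are not upstream NixOS options; see that module for details).
    security.acme.domains = {
      "element.synapse.li" = {
        zone = "synapse.li";
        certCfg.postRun = restartNginx;
      };
      # Not referenced in this file; presumably consumed by a TURN server
      # configured elsewhere.
      "turn.synapse.li" = { zone = "synapse.li"; };
      "synapse.li".certCfg.postRun = restartNginx;
    };

    systemd.services.nginx = {
      serviceConfig = {
        # key / fullchain / chain for each vhost, exposed under
        # /run/credentials/nginx.service/ with the names the vhosts above use.
        LoadCredential =
          let
            certCreds = name: [
              "${name}.key.pem:${acmeDir name}/key.pem"
              "${name}.pem:${acmeDir name}/fullchain.pem"
              "${name}.chain.pem:${acmeDir name}/chain.pem"
            ];
          in
          certCreds "synapse.li" ++ certCreds "element.synapse.li";
      };
    };
  };
}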