# NixOS module for the entr0py.de Matrix deployment: nginx terminates TLS and
# serves the Matrix .well-known delegation documents, reverse-proxies the
# client/server API to a loopback-only synapse, provisions PostgreSQL for
# synapse and the IRC bridge, and configures matrix-appservice-irc against
# irc.hackint.org.
{config, pkgs, lib, ...}: {
  # 80/443 for nginx. 8448 is the default federation port, but the
  # .well-known/matrix/server document below delegates federation to :443 and
  # nothing in this file listens on 8448 (synapse listens on 8008 and 9123),
  # so it is probably unused here unless another module opens it -- TODO
  # confirm, and drop it if not needed. The synapse metrics port (9123) is
  # deliberately not listed, so with the default NixOS firewall it stays
  # reachable from the host itself only.
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];

  services.nginx = {
    enable = true; # Enable Nginx
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # Also sets the X-Forwarded-* headers that the synapse listener's
    # x_forwarded option below relies on.
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      # Base domain: serves only the two Matrix .well-known delegation
      # documents (TLS via ACME, plain HTTP redirected).
      "entr0py.de" = {
        enableACME = true;
        forceSSL = true;
        # Server-server delegation: federating homeservers are told to reach
        # this server_name at matrix.entr0py.de:443.
        locations."= /.well-known/matrix/server".extraConfig = let
          # use 443 instead of the default 8448 port to unite
          # the client-server and server-server port for simplicity
          server = {
            "m.server" = "matrix.entr0py.de:443";
          };
        in ''
          add_header Content-Type application/json;
          return 200 '${builtins.toJSON server}';
        '';
        # Client-server delegation: where clients find the homeserver and
        # identity server for accounts on entr0py.de.
        locations."= /.well-known/matrix/client".extraConfig = let
          client = {
            "m.homeserver" = {
              "base_url" = "https://matrix.entr0py.de";
            };
            "m.identity_server" = {
              "base_url" = "https://element.io";
            };
          };
        # ACAO required to allow element-web on any URL to request this json file
        # (the wildcard origin is acceptable here: the document is public and
        # carries nothing sensitive)
        in ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '${builtins.toJSON client}';
        '';
      };
      # Reverse proxy for Matrix client-server and server-server communication
      "matrix.entr0py.de" = {
        enableACME = true;
        forceSSL = true;
        # Or do a redirect instead of the 404, or whatever is appropriate for you.
        # But do not put a Matrix Web client here! See the Element web section below.
        locations."/".extraConfig = ''
          return 404;
        '';
        # forward all Matrix API calls to the synapse Matrix homeserver
        # Only the /_matrix prefix is proxied; synapse's /_synapse admin
        # endpoints are not reachable through this vhost. Synapse itself binds
        # to ::1 only (see listeners below), so an X-Forwarded-For header can
        # only originate from this proxy.
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = "entr0py.de";
    # NOTE(review): open registration with no captcha or token gate anywhere
    # in this file, so anyone who can reach matrix.entr0py.de can create
    # accounts. Confirm this is intended; otherwise add a registration gate.
    enable_registration = true;
    database_type = "psycopg2";
    database_name = "matrix_synapse";
    database_user = "matrix-synapse";
    max_upload_size = "100M";
    # Served by the "metrics" listener below.
    enable_metrics = true;
    extraConfig = ''
      admin_contact: "mailto:admin@entr0py.de"
    '';
    # TURN relay on turn.entr0py.de for voice/video, offered over UDP and TCP.
    turn_uris = ["turn:turn.entr0py.de:3478?transport=udp" "turn:turn.entr0py.de:3478?transport=tcp"];
    turn_user_lifetime = "1d";
    # NOTE(review): builtins.readFile pulls the secret in at evaluation time,
    # so it lands verbatim in the generated homeserver.yaml in /nix/store,
    # which is world-readable on the host (and would travel with any binary
    # cache push). Prefer the module's extraConfigFiles option pointing at a
    # root-only YAML file outside the store that sets turn_shared_secret.
    turn_shared_secret = (builtins.readFile ../dyon/turn.secret);
    # Registration file produced by services.matrix-appservice-irc below;
    # presumably holds the appservice/homeserver tokens, so it should stay
    # readable by synapse and the bridge only -- verify its mode.
    app_service_config_files = [ "/var/lib/matrix-appservice-irc/registration.yml" ];
    listeners = [{
      # Plain HTTP on loopback only; nginx terminates TLS in front of it.
      port = 8008;
      bind_address = "::1";
      type = "http";
      tls = false;
      # Take the client address from X-Forwarded-For as set by nginx.
      x_forwarded = true;
      resources = [{
        names = [ "client" "federation" ];
        compress = false;
      }];
    }{
      # Prometheus metrics. Port 9123 is not opened in the firewall above.
      port = 9123;
      # NOTE(review): the bracketed form is likely why this "does not work";
      # synapse expects the bare address ("::"), brackets are URL syntax.
      # Binding metrics to a loopback address would also narrow exposure.
      bind_address = "[::]"; #does not work right now
      type = "metrics";
      tls = false;
      resources = [{
        # NOTE(review): synapse's resource name is "metrics", not "metric";
        # for a type = "metrics" listener the resources list is ignored anyway,
        # so this is probably harmless -- verify.
        names = [ "metric" ];
        compress = false;
      }];
    }];
  };

  services.postgresql = {
    # The bridge's database is created declaratively; synapse's is created by
    # initialScript below because it needs a non-default collation.
    ensureDatabases = [ "matrix_irc" ];
    ensureUsers = [
      { name = "matrix-synapse"; }
      {
        name = "matrix-appservice-irc";
        ensurePermissions."DATABASE matrix_irc" = "ALL PRIVILEGES";
      }
    ];
    # Runs on first cluster initialisation: synapse wants a database with C
    # collation/ctype, hence template0 so those can be chosen explicitly.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE DATABASE "matrix_synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C";
    '';
  };

  services.matrix-appservice-irc = {
    enable = true;
    # Where synapse reaches the bridge; loopback only and not proxied by nginx.
    registrationUrl = "http://localhost:8009";
    # Everything from here is passed to the appservice
    settings = {
      # The bridge talks to synapse through the public nginx vhost.
      homeserver.url = "https://matrix.entr0py.de"; # Or localhost
      homeserver.domain = "entr0py.de";
      database = {
        engine = "postgres";
        # Unix-socket connection to the matrix_irc database created via
        # ensureDatabases above; presumably peer-authenticated as the
        # matrix-appservice-irc user -- verify against pg_hba.
        connectionString = "postgres:///matrix_irc?host=/run/postgresql";
      };
      ircService.ircHandler.mapIrcMentionsToMatrix = "on";
      # Single bridged network; ssl = true so the IRC leg is TLS on 6697.
      ircService.servers."irc.hackint.org" = {
        name = "HackInt";
        port = 6697;
        ssl = true;
        # Bridged channels are created on demand and aliased as
        # #hackint_<channel> on this homeserver.
        dynamicChannels = {
          enabled = true;
          createAlias = true;
          aliasTemplate = "#hackint_$CHANNEL";
          groupId = "+hackint:entr0py.de";
        };
        # Naming of the Matrix-side ghost users that stand in for IRC nicks.
        matrixClients = {
          userTemplate = "@hackint_$NICK";
          displayName = "$NICK (HackInt)";
        };
        # IRC-side client settings for Matrix users; values are passed through
        # to the bridge as-is.
        ircClients = {
          nickTemplate = "$DISPLAY[m]";
          allowNickChanges = true;
          lineLimit = 15;
          idleTimeout = 0;
        };
        # Membership is synced in both directions, at startup and incrementally.
        membershipLists = {
          enabled = true;
          global = {
            ircToMatrix = { initial = true; incremental = true; };
            matrixToIrc = { initial = true; incremental = true; };
          };
        };
      };
    };
  };
}