{ config, lib, pkgs, ... }: let domain = "eurofusion.eu"; in { ### Reverse proxy locations # Setup for well-known on the bare domain services.nginx.virtualHosts.${domain} = let client = { "m.homeserver" = { "base_url" = "https://${config.var.hostname}"; }; "m.identity_server" = { "base_url" = "https://matrix.org"; }; }; server = { "m.server" = "${config.var.hostname}:443"; }; in { enableACME = true; forceSSL = true; # Needed for matrix federation locations."/.well-known/matrix/server".extraConfig = '' add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; ''; # Needed for automatic homeserver # setup of matrix clients locations."/.well-known/matrix/client".extraConfig = '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON client}'; ''; }; # Forward matrix/admin API calls to synapse services.nginx.virtualHosts.${config.var.hostname} = { locations."/_matrix".proxyPass = "http://localhost:8448"; locations."/_synapse".proxyPass = "http://localhost:8448"; }; ### Homeserver services.matrix-synapse.enable = true; services.matrix-synapse.settings = { server_name = domain; public_baseurl = "https://${config.var.hostname}/"; # Bind on localhost and used a reverse proxy listeners = [ { bind_addresses = [ "localhost" ]; port = 8448; type = "http"; tls = false; resources = [ { compress = true; names = [ "client" ] ; } { compress = false; names = [ "federation" ]; } ]; x_forwarded = true; } ]; # Connect to Postrges database_type = "psycopg2"; database_args = { user = "matrix-synapse"; database = "matrix-synapse"; }; # Make logging less verbose log_config = pkgs.writeText "synapse-log.yml" '' version: 1 formatters: journal_fmt: format: '%(name)s: [%(request)s] %(message)s' filters: context: (): synapse.util.logcontext.LoggingContextFilter request: "" handlers: journal: class: systemd.journal.JournalHandler formatter: journal_fmt filters: [context] SYSLOG_IDENTIFIER: synapse root: level: WARN handlers: [journal] disable_existing_loggers: False ''; allow_guest_access = true; expire_access_token = true; event_cache_size = "2K"; max_upload_size = "1000M"; dynamic_thumbnails = true; # bridges configuration app_service_config_files = [ "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" ]; }; # Secrets services.matrix-synapse.extraConfigFiles = [ # Password reset via email # Note: can't be put here, see NixOS/nixpkgs#158605 config.secrets.matrix.email.conf # Needed by the register_new_matrix_user script config.secrets.matrix.registration ]; ### Database services.postgresql.enable = true; # Create databases on the first run services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; ''; ### Whatsapp bridge # allow synapse to read the shared secrets users.users.matrix-synapse.extraGroups = [ "mautrix-whatsapp" ]; # Allow olm for mautrix-whatsapp nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]; services.mautrix-whatsapp = { enable = true; serviceDependencies = [ "postgresql.service" ]; settings.appservice = { database.type = "postgres"; database.uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; }; settings.bridge = { encryption = { allow = true; default = true; require = true; }; permissions = { "eurofusion.eu" = "user"; "@rnhmjoj:eurofusion.eu" = "admin"; }; relay.enabled = false; mute_bridging = true; }; settings.whatsapp = { os_name = "Chrome (Linux)"; browser_name = "chrome"; }; }; }