{ lib, config, inputs, pkgs, ... }: let inherit (config.networking) domain; matrix_host = "matrix.${domain}"; in { services.postgresql = { enable = true; # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse; ensureDatabases = [ "synapse" ]; package = pkgs.postgresql_15; ensureUsers = [ { name = "synapse"; ensureDBOwnership = true; } ]; authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all postgres peer local all all peer host all all 127.0.0.1/32 md5 host synapse matrix-synapse ::1/128 md5 host nextcloud nextcloud ::1/128 md5 host all all ::1/128 md5 local replication all peer host replication all 127.0.0.1/32 md5 host replication all ::1/128 md5 ''; identMap = '' # ArbitraryMapName systemUser DBUser superuser_map root postgres superuser_map matrix-synapse synapse superuser_map nextcloud nextcloud superuser_map postgres postgres # Let other names login as themselves superuser_map /^(.*)$ \1 ''; }; systemd.services.postgresql.postStart = let password_file_path = config.age.secrets.synapse_db_pass.path; in '' $PSQL -tA <<'EOF' DO $$ DECLARE password TEXT; BEGIN password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', ''')); EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password); END $$; EOF ''; services.matrix-synapse-next = { enable = true; workers.federationSenders = 1; workers.federationReceivers = 1; workers.initialSyncers = 1; workers.normalSyncers = 1; workers.eventPersisters = 2; workers.useUserDirectoryWorker = true; mainLogConfig = ./matrix_synapse_log_config.yaml; enableNginx = true; enableSlidingSync = false; settings = { suppress_key_server_warning = true; server_name = domain; public_baseurl = "https://${domain}"; enable_registration = true; registration_requires_token = true; registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path; # enable_registration_without_verification = true; # mainLogConfig = ./matrix_synapse_log_config.yaml; # registrations_require_3pid = [ "email" ]; database = { name = "psycopg2"; args = { host = "localhost"; port = 5432; dbname = "synapse"; user = "synapse"; cp_min = 5; cp_max = 10; client_encoding = "auto"; passfile = config.age.secrets.synapse_db_pass_prepared.path; }; }; }; }; services.redis.servers."".enable = true; age.secrets.synapse_db_pass = { file = ../secrets/synapse_db_pass.age; owner = "postgres"; group = "postgres"; }; age.secrets.synapse_db_pass_prepared = { file = ../secrets/synapse_db_pass_prepared.age; owner = "matrix-synapse"; group = "matrix-synapse"; mode = "0600"; }; age.secrets.synapse_registration_shared_secret = { file = ../secrets/synapse_registration_shared_secret.age; owner = "matrix-synapse"; group = "matrix-synapse"; mode = "0600"; }; services.nginx = { enable = true; virtualHosts."${domain}" = { forceSSL = true; enableACME = false; # use the cert above, not some weird one that matrix-synapse module supplies useACMEHost = domain; locations."/.well-known/matrix/server" = { return = "200 '{\"m.server\":\"${matrix_host}:443\"}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; add_header Accept-Ranges bytes;''; }; locations."/.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${matrix_host}\"}}'"; extraConfig = '' add_header Access-Control-Allow-Origin *; default_type application/json; ''; }; locations."/_matrix" = { proxyPass = "http://$synapse_backend"; extraConfig = '' add_header X-debug-backend $synapse_backend; add_header X-debug-group $synapse_uri_group; client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size}; proxy_read_timeout 10m; ''; }; locations."~ ^/_matrix/client/(r0|v3)/sync$" = { proxyPass = "http://$synapse_backend"; extraConfig = '' proxy_read_timeout 1h; ''; }; locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = { proxyPass = "http://synapse_worker_initial_sync"; extraConfig = '' proxy_read_timeout 1h; ''; }; locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = { proxyPass = "http://synapse_worker_initial_sync"; extraConfig = '' proxy_read_timeout 1h; ''; }; locations."/_synapse/client" = { proxyPass = "http://$synapse_backend"; }; locations."/.well-known/matrix" = { proxyPass = "http://$synapse_backend"; }; }; }; # networking.firewall.allowedTCPPorts = [ 8448 8008 ]; }