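# NixOS module: Matrix Synapse homeserver (matrix-synapse-next with workers),
# its PostgreSQL database, Redis (worker replication), agenix secrets, and the
# nginx virtual host that serves `.well-known/matrix` and proxies `/_matrix`.
#
# Security-relevant points of this configuration:
#   * Registration is open but token-gated (`registration_requires_token`);
#     `enable_registration_without_verification` stays commented out.
#   * Only `/_synapse/client` is proxied, NOT `/_synapse/admin` — the admin
#     API is therefore not reachable through this vhost (use synadm locally).
#   * The former `X-debug-backend` / `X-debug-group` response headers on
#     `/_matrix` were removed: they echoed the internal upstream name and
#     routing group to every client, which is an unnecessary disclosure of
#     backend topology. Re-add them only temporarily while debugging routing.
#   * Federation delegation goes through `.well-known/matrix/server` to
#     `${vhosts.matrix_host.host}:443`, so port 8448 is intentionally not
#     opened in the firewall (see the commented line at the bottom).
{ lib, config, pkgs, ... }:
let
  inherit (config.networking) domain;
  inherit (config.serverConfig) vhosts;
in
{
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "synapse" ];
    ensureUsers = [
      {
        name = "synapse";
        # Password is provisioned from an agenix secret readable by `postgres`.
        # NOTE(review): `passFile` is not an upstream NixOS `ensureUsers`
        # option — presumably supplied by this repo's own module; confirm.
        passFile = config.age.secrets.synapse_db_pass.path;
        ensureDBOwnership = true;
      }
    ];
  };

  services.matrix-synapse-next = {
    enable = true;
    # One worker of each kind; the module is expected to wire them to the
    # main process via Redis and to generate the nginx upstreams/maps used below.
    workers.federationSenders = 1;
    workers.federationReceivers = 1;
    workers.initialSyncers = 1;
    workers.normalSyncers = 1;
    workers.eventPersisters = 1;
    workers.useUserDirectoryWorker = true;
    mainLogConfig = ./matrix_synapse_log_config.yaml;
    # Let the module generate the nginx routing variables ($synapse_backend,
    # $synapse_uri_group) referenced by the locations in `services.nginx` below.
    enableNginx = true;
    enableSlidingSync = false;

    settings = {
      # Silences Synapse's warning about the default trusted key server.
      # NOTE(review): this means the (upstream-default) key server is trusted
      # for federation key lookups — confirm that is intended.
      suppress_key_server_warning = true;
      server_name = domain;
      public_baseurl = "https://${vhosts.matrix_host.host}";
      # Registration is enabled but requires a pre-issued registration token;
      # accounts cannot be created without one.
      enable_registration = true;
      registration_requires_token = true;
      registration_shared_secret_path = config.age.secrets.synapse_registration_shared_secret.path;
      # Deliberately left disabled: would allow registration with no
      # verification at all.
      # enable_registration_without_verification = true;
      # mainLogConfig = ./matrix_synapse_log_config.yaml;
      # registrations_require_3pid = [ "email" ];
      database = {
        name = "psycopg2";
        args = {
          host = "localhost";
          port = config.services.postgresql.settings.port;
          dbname = "synapse";
          user = "synapse";
          cp_min = 5;
          cp_max = 10;
          client_encoding = "auto";
          # Separate copy of the DB password, owned by matrix-synapse (0600).
          passfile = config.age.secrets.synapse_db_pass_prepared.path;
        };
      };
    };
  };

  # Default Redis instance; used by Synapse workers for replication.
  # NOTE(review): no ACL/password is configured here — relies on the NixOS
  # default of local-only access; verify it is not reachable over the network.
  services.redis.servers."".enable = true;

  # DB password as consumed by PostgreSQL's user provisioning.
  # NOTE(review): no explicit `mode` — relies on agenix's default; confirm it
  # is owner-only.
  age.secrets.synapse_db_pass = {
    file = ../secrets/synapse_db_pass.age;
    owner = "postgres";
    group = "postgres";
  };
  # Same password, in the form Synapse's psycopg2 `passfile` expects.
  age.secrets.synapse_db_pass_prepared = {
    file = ../secrets/synapse_db_pass_prepared.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
    mode = "0600";
  };
  age.secrets.synapse_registration_shared_secret = {
    file = ../secrets/synapse_registration_shared_secret.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
    mode = "0600";
  };

  # synadm gives local admin access to Synapse without exposing /_synapse/admin.
  environment.systemPackages = with pkgs; [
    matrix-synapse-tools.synadm
    matrix-synapse
  ];

  services.nginx = {
    enable = true;
    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = lib.mkForce false; # use the cert above, not some weird one that matrix-synapse module supplies
      useACMEHost = domain;

      # Federation delegation: point other homeservers at matrix_host:443.
      # The wildcard CORS header is required by the Matrix spec for these
      # well-known documents.
      # NOTE: nginx `add_header` inside a location replaces, rather than
      # extends, any `add_header` inherited from the server level — if
      # security headers are set there, they must be repeated here.
      locations."/.well-known/matrix/server" = {
        return = "200 '{\"m.server\":\"${vhosts.matrix_host.host}:443\"}'";
        extraConfig = ''
          default_type application/json;
          add_header Access-Control-Allow-Origin *;
          add_header Accept-Ranges bytes;'';
      };

      # Client discovery: tells clients which base URL to talk to.
      locations."/.well-known/matrix/client" = {
        return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${vhosts.matrix_host.host}\"}}'";
        extraConfig = ''
          add_header Access-Control-Allow-Origin *;
          default_type application/json;
        '';
      };

      # Main API. `$synapse_backend` is expected to be defined by the
      # matrix-synapse-next nginx integration (enableNginx above).
      # Debug headers exposing the upstream name/routing group to clients
      # were intentionally removed from this location.
      locations."/_matrix" = {
        proxyPass = "http://$synapse_backend";
        extraConfig = ''
          client_max_body_size ${config.services.matrix-synapse-next.settings.max_upload_size};
          proxy_read_timeout 10m;
        '';
      };

      # Long-poll /sync: allow the connection to stay open for up to an hour.
      locations."~ ^/_matrix/client/(r0|v3)/sync$" = {
        proxyPass = "http://$synapse_backend";
        extraConfig = ''
          proxy_read_timeout 1h;
        '';
      };

      # Initial sync is routed to the dedicated initial-sync worker upstream.
      locations."~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$" = {
        proxyPass = "http://synapse_worker_initial_sync";
        extraConfig = ''
          proxy_read_timeout 1h;
        '';
      };
      locations."~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$" = {
        proxyPass = "http://synapse_worker_initial_sync";
        extraConfig = ''
          proxy_read_timeout 1h;
        '';
      };

      # Only the client-facing /_synapse/client endpoints (SSO, password
      # reset, etc.) are exposed; /_synapse/admin is deliberately not proxied.
      locations."/_synapse/client" = {
        proxyPass = "http://$synapse_backend";
      };

      # Catch-all for other /.well-known/matrix paths; the two explicit
      # `/server` and `/client` prefix locations above are longer matches and
      # take precedence.
      locations."/.well-known/matrix" = {
        proxyPass = "http://$synapse_backend";
      };
    };
  };

  # Not opened on purpose: federation is delegated to matrix_host:443 via
  # .well-known, so neither 8448 nor the plain-HTTP 8008 need to be exposed.
  # networking.firewall.allowedTCPPorts = [ 8448 8008 ];
}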