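{ config, pkgs, lib, ... }:
let
  cfg = config.vhack.matrix;

  # Bodies of the /.well-known/matrix/{client,server} documents served on
  # `cfg.url`.  Clients are pointed at `cfg.fqdn`, and federation is delegated
  # to `cfg.fqdn:443`, which is why the default federation port 8448 is never
  # opened in the firewall below.
  clientConfig."m.homeserver".base_url = "https://${cfg.fqdn}";
  serverConfig."m.server" = "${cfg.fqdn}:443";

  # Render `data` as a static JSON response inside an nginx `location`.
  # The wildcard CORS header is what the client well-known lookup requires.
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  options.vhack.matrix = {
    enable = lib.mkEnableOption "matrix setup based on synapse";

    fqdn = lib.mkOption {
      type = lib.types.str;
      description = "The FQDN on which matrix-synapse should be served.";
      example = "matrix.vhack.eu";
    };

    # NOTE: both names are used as keys of `services.nginx.virtualHosts`
    # below, so `url` must differ from `fqdn` or the attribute set will
    # not evaluate.
    url = lib.mkOption {
      type = lib.types.str;
      description = "The url the matrix-server should be known under.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Secret for the admin registration endpoint.  Synapse only reads it
    # (it is referenced via `registration_shared_secret_path` below), so a
    # read-only mode is sufficient; the file has no reason to be executable.
    age.secrets.matrix-synapse_registration_shared_secret = {
      file = ./passwd.age;
      mode = "0400";
      owner = "matrix-synapse";
      group = "matrix-synapse";
    };

    # Only the nginx front-end is reachable; synapse itself listens on ::1.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    vhack.persist.directories = [
      {
        directory = "/var/lib/matrix";
        user = "matrix-synapse";
        group = "matrix-synapse";
        mode = "0700";
      }
      {
        # Group-readable for `matrix-synapse` — presumably so synapse can read
        # the bridge's appservice registration from here.  Be aware that this
        # also exposes the bridge's session state to that group.
        directory = "/var/lib/mautrix-whatsapp";
        user = "mautrix-whatsapp";
        group = "matrix-synapse";
        mode = "0750";
      }
    ];

    # Directory for the config referenced by `configFile` below.  The
    # `settings` given here contain no secret material (the registration
    # secret is referenced by path), so world-readable is acceptable.
    systemd.tmpfiles.rules = [
      "d /etc/matrix 0755 matrix-synapse matrix-synapse"
    ];

    vhack.postgresql.enable = true;
    vhack.nginx.enable = true;

    services = {
      postgresql = {
        enable = true;
        # Runs only when the cluster is first initialised; editing it later
        # does not change an existing database.  Synapse needs a "C"
        # collation, which `ensureDatabases` cannot set, hence the raw SQL.
        #
        # The roles deliberately carry no password: the only client URI in
        # this module connects over the unix socket (`host=/run/postgresql`),
        # where the NixOS default pg_hba uses peer authentication, and a
        # literal password in this script would otherwise sit world-readable
        # in the Nix store.  If `vhack.postgresql` enforces password auth,
        # load the password from a secret file instead of inlining it.
        initialScript = pkgs.writeText "synapse-init.sql" ''
          --Matrix:
          CREATE ROLE "matrix-synapse" WITH LOGIN;
          CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
            TEMPLATE template0
            LC_COLLATE = "C"
            LC_CTYPE = "C";

          --Whatsapp-bridge:
          CREATE ROLE "mautrix-whatsapp" WITH LOGIN;
          CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
            TEMPLATE template0
            LC_COLLATE = "C"
            LC_CTYPE = "C";
        '';
      };

      nginx = {
        enable = true;
        recommendedTlsSettings = true;
        recommendedOptimisation = true;
        recommendedGzipSettings = true;
        recommendedProxySettings = true;

        virtualHosts = {
          # The delegating name only serves the two well-known documents.
          "${cfg.url}" = {
            enableACME = true;
            forceSSL = true;
            locations = {
              "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
              "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
            };
          };

          # The homeserver itself.  Only the public client/federation API and
          # `/_synapse/client` are proxied; `/_synapse/admin` stays
          # unreachable from the outside and everything else is a 404.
          # NOTE(review): nginx's upload limit (`services.nginx.clientMaxBodySize`)
          # is not raised here; confirm it is not below synapse's
          # `max_upload_size` or large media uploads will be rejected with 413.
          "${cfg.fqdn}" = {
            enableACME = true;
            forceSSL = true;
            locations = {
              "/".return = "404";
              "/_matrix".proxyPass = "http://[::1]:8008";
              "/_synapse/client".proxyPass = "http://[::1]:8008";
            };
          };
        };
      };

      mautrix-whatsapp = {
        # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
        # Re-enable it, when this has changed. <2024-09-06>
        # NOTE(review): when re-enabling, synapse also needs the bridge's
        # registration listed in `settings.app_service_config_files`, which
        # is not set in this module.
        enable = false;

        settings = {
          appservice = {
            database = {
              type = "postgres";
              # Unix socket, authenticated as the `mautrix-whatsapp` OS user.
              uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
            };
            whatsapp = {
              # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
              # This also determines the WhatsApp icon
              browser_name = "unknown";
            };
          };

          # Talks to synapse through nginx rather than the ::1 listener.
          homeserver.address = "https://${cfg.fqdn}";

          bridge.permissions = {
            "@soispha:vhack.eu" = "admin";
            "@sils:vhack.eu" = "admin";
            "@nightingale:vhack.eu" = "admin";
          };
        };
      };

      matrix-synapse = {
        enable = true;
        dataDir = "/var/lib/matrix";
        # NOTE(review): in recent NixOS releases `configFile` is a read-only
        # option generated from `settings`; if evaluation fails here, drop
        # this line and let the module produce the config itself.
        configFile = "/etc/matrix/matrix.conf";

        settings = {
          media_store_path = "/var/lib/matrix/media_store";
          registration_shared_secret_path =
            "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";

          # Identity used in Matrix IDs; must match the name that serves the
          # well-known documents above.
          server_name = cfg.url;

          # NOTE(review): `database` is not set, so synapse presumably uses
          # the module's default (SQLite under `dataDir`) and the
          # `matrix-synapse` postgres database created above goes unused —
          # confirm, and point synapse at postgres if that is the intent.

          listeners = [
            {
              # Plain HTTP on loopback only; nginx terminates TLS and
              # forwards the client address, hence `x_forwarded = true`.
              port = 8008;
              bind_addresses = [ "::1" ];
              type = "http";
              tls = false;
              x_forwarded = true;
              resources = [
                {
                  names = [ "client" "federation" ];
                  compress = true;
                }
              ];
            }
          ];
        };
      };
    };

    users = {
      users = {
        matrix-synapse.uid = config.vhack.constants.ids.uids.matrix-synapse;
        mautrix-whatsapp = {
          uid = config.vhack.constants.ids.uids.mautrix-whatsapp;
          # Service account.  NixOS asserts that every user sets either
          # `isSystemUser` or `isNormalUser`, and the bridge module presumably
          # does not declare this user while it is disabled above.
          isSystemUser = true;
          group = "matrix-synapse";
        };
      };
      groups.matrix-synapse.gid = config.vhack.constants.ids.gids.matrix-synapse;
    };
  };
}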