{ pkgs, config, tmp, ... }: with import ./network.nix; { services = { matrix-synapse = { enable = true; server_name = "${matrixdomain}"; database_name = "synapse"; public_baseurl = "https://${matrixdomain}"; registration_shared_secret = "runas!"; dynamic_thumbnails = true; # enable_registration = true; app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/telegram-registration.yaml" ]; extraConfig = '' auto_join_rooms: - "#infra:matrix.giugl.io" - "#general:matrix.giugl.io" - "#gaming:matrix.giugl.io" - "#movies:matrix.giugl.io" ''; listeners = [ { port = 8008; bind_address = "::1"; type = "http"; tls = false; x_forwarded = true; resources = [ { names = [ "client" "federation" ]; compress = false; } ]; } ]; turn_uris = [ "turns:turn.giugl.io:5349?transport=udp" "turns:turn.giugl.io:5349?transport=tcp" ]; turn_shared_secret = "69duck duck fuck420"; turn_user_lifetime = "1h"; }; postgresql = { enable = true; ensureDatabases = [ "synapse" ]; ensureUsers = [ { name = "matrix-synapse"; ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; }; } ]; }; nginx.virtualHosts = { # server ${matrixdomain} = { enableACME = true; forceSSL = true; locations."= /.well-known/matrix/server".extraConfig = let server = { "m.server" = "${matrixdomain}:443"; }; in '' add_header Content-Type application/json; return 200 '${builtins.toJSON server}'; ''; locations."= /.well-known/matrix/client".extraConfig = let client = { "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; }; "m.identity_server" = { "base_url" = "https://vector.im"; }; }; # ACAO required to allow element-web on any URL to request this json file in '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON client}'; ''; locations."/".extraConfig = '' return 404; ''; # forward all Matrix API calls to the synapse Matrix homeserver locations."/_matrix" = { proxyPass = "http://[::1]:8008"; # without a trailing / }; }; # web client "${matrixwebdomain}" = { enableACME = true; forceSSL = true; root = pkgs.unstable.element-web.override { conf = { default_server_config."m.homeserver" = { "base_url" = "https://${matrixdomain}"; "server_name" = "${matrixdomain}"; }; }; }; }; }; # discord bridge matrix-appservice-discord = { enable = true; environmentFile = /secrets/matrix-appservice-discord/tokens.env; # The appservice is pre-configured to use SQLite by default. # It's also possible to use PostgreSQL. settings = { bridge = { domain = matrixdomain; homeserverUrl = "https://${matrixdomain}"; disablePresence = true; }; }; }; # telegram bridge mautrix-telegram = { enable = true; environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env; settings = { homeserver = { address = "https://${matrixdomain}"; domain = "${matrixdomain}"; }; appservice = { provisioning.enabled = false; id = "telegram"; }; bridge = { permissions = { "@pepe:${matrixdomain}" = "admin"; "${matrixdomain}" = "puppeting"; }; # Animated stickers conversion requires additional packages in the # service's path. # If this isn't a fresh installation, clearing the bridge's uploaded # file cache might be necessary (make a database backup first!): # delete from telegram_file where \ # mime_type in ('application/gzip', 'application/octet-stream') animated_sticker = { target = "gif"; args = { width = 256; height = 256; fps = 30; # only for webm background = "020202"; # only for gif, transparency not supported }; }; encryption = { allow = true; default = true; }; }; }; }; }; systemd.services.mautrix-telegram.path = with pkgs; [ lottieconverter # for animated stickers conversion, unfree package ffmpeg # if converting animated stickers to webm (very slow!) ]; networking.extraHosts = '' ${architect-lan} ${matrixdomain} ${matrixwebdomain} ${architect-wg} ${matrixdomain} ${matrixwebdomain} ''; }