{ pkgs, config, tmp, ... }:
with import ./network.nix;
{
services = {
matrix-synapse = {
enable = true;
server_name = "${matrixdomain}";
database_name = "synapse";
public_baseurl = "https://${matrixdomain}";
registration_shared_secret = "runas!";
dynamic_thumbnails = true;
# enable_registration = true;
app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml"
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
extraConfig = ''
auto_join_rooms:
- "#infra:matrix.giugl.io"
- "#general:matrix.giugl.io"
- "#gaming:matrix.giugl.io"
- "#movies:matrix.giugl.io"
'';
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
turn_uris = [
"turns:turn.giugl.io:5349?transport=udp"
"turns:turn.giugl.io:5349?transport=tcp"
];
turn_shared_secret = "69duck duck fuck420";
turn_user_lifetime = "1h";
};
postgresql = {
enable = true;
ensureDatabases = [ "synapse" ];
ensureUsers = [
{
name = "matrix-synapse";
ensurePermissions = {
"DATABASE synapse" = "ALL PRIVILEGES";
};
}
];
};
nginx.virtualHosts = {
# server
${matrixdomain} = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig =
let
server = { "m.server" = "${matrixdomain}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
# web client
"${matrixwebdomain}" = {
enableACME = true;
forceSSL = true;
root = pkgs.unstable.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${matrixdomain}";
"server_name" = "${matrixdomain}";
};
};
};
};
};
# discord bridge
matrix-appservice-discord = {
enable = true;
environmentFile = /secrets/matrix-appservice-discord/tokens.env;
# The appservice is pre-configured to use SQLite by default.
# It's also possible to use PostgreSQL.
settings = {
bridge = {
domain = matrixdomain;
homeserverUrl = "https://${matrixdomain}";
disablePresence = true;
};
};
};
# telegram bridge
mautrix-telegram = {
enable = true;
environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
settings = {
homeserver = {
address = "https://${matrixdomain}";
domain = "${matrixdomain}";
};
appservice = {
provisioning.enabled = false;
id = "telegram";
};
bridge = {
permissions = {
"@pepe:${matrixdomain}" = "admin";
"${matrixdomain}" = "puppeting";
};
# Animated stickers conversion requires additional packages in the
# service's path.
# If this isn't a fresh installation, clearing the bridge's uploaded
# file cache might be necessary (make a database backup first!):
# delete from telegram_file where \
# mime_type in ('application/gzip', 'application/octet-stream')
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
encryption = {
allow = true;
default = true;
};
};
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
networking.extraHosts = ''
${architect-lan} ${matrixdomain} ${matrixwebdomain}
${architect-wg} ${matrixdomain} ${matrixwebdomain}
'';
}