# NixOS module for the Matrix Synapse homeserver at feal.no: worker layout,
# homeserver settings, the sops-managed registration secret, Redis, the
# firewall openings and the nginx virtual host.
{ config, pkgs, lib, ... }:

let
  # sops-nix key of the secret file; declared once so the secret definition
  # and the extraConfigFiles reference cannot drift apart.
  registrationSecret = "matrix/synapse/registrationsecret";
in
{
  # Decrypted at activation time and handed to Synapse as an extra config
  # file. Ownership is limited to the service account, and the unit is
  # restarted whenever the secret changes.
  sops.secrets.${registrationSecret} = {
    owner = "matrix-synapse";
    group = "matrix-synapse";
    restartUnits = [ "matrix-synapse.service" ];
  };

  services = {
    matrix-synapse-next = {
      enable = true;
      enableNginx = true;

      workers = {
        federationSenders = 1;
        federationReceivers = 2;
        initialSyncers = 1;
        normalSyncers = 1;
        eventPersisters = 1;
        useUserDirectoryWorker = true;
      };

      # The registration shared secret is supplied here rather than in
      # `settings`, so its value is not written into this module.
      extraConfigFiles = [
        config.sops.secrets.${registrationSecret}.path
      ];

      settings = {
        server_name = "feal.no";
        public_baseurl = "https://matrix.feal.no";
        database = {
          name = "psycopg2";
        };
        autocreate_auto_join_rooms = false;
        max_upload_size = "50M";

        # Never set the secret inline; it comes from extraConfigFiles above.
        #registration_shared_secret = "do_not_put_secret_here_use_extraConfigFiles";

        # NOTE(review): no verify_keys are pinned for matrix.org, so key
        # fetches presumably rely on TLS alone to authenticate the notary.
        # Confirm this is intended.
        trusted_key_servers = [
          {
            server_name = "matrix.org";
            verify_keys = { };
          }
        ];

        # Open registration is disabled.
        enable_registration = false;
        use_presence = true;

        # URL previews make the server fetch user-supplied URLs, so the
        # blacklist below keeps those requests away from loopback, private,
        # link-local, documentation, benchmarking and multicast ranges
        # (server-side request forgery mitigation).
        url_preview_enabled = true;
        url_preview_ip_range_blacklist = [
          # synapse example config
          "127.0.0.0/8"
          "10.0.0.0/8"
          "172.16.0.0/12"
          "192.168.0.0/16"
          "100.64.0.0/10"
          "192.0.0.0/24"
          "169.254.0.0/16"
          "192.88.99.0/24"
          "198.18.0.0/15"
          "192.0.2.0/24"
          "198.51.100.0/24"
          "203.0.113.0/24"
          "224.0.0.0/4"
          "::1/128"
          "fe80::/10"
          "fc00::/7"
          "2001:db8::/32"
          "ff00::/8"
          "fec0::/10"
        ];

        # NOTE(review): the "ssl-snakeoil" path suggests a self-signed
        # placeholder certificate. Confirm no listener presents it to clients
        # or federation peers.
        tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
        tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
      };
    };

    # Default (unnamed) Redis instance.
    redis.servers."" = {
      enable = true;
    };

    # ACME and the forced HTTPS redirect are both overridden to off for this
    # virtual host.
    # NOTE(review): presumably TLS is terminated by a proxy in front of this
    # machine. If not, port 80 serves the homeserver in plaintext even though
    # public_baseurl advertises https. Confirm the deployment.
    nginx.virtualHosts."matrix.feal.no" = {
      enableACME = lib.mkForce false;
      forceSSL = lib.mkForce false;
    };
  };

  # HTTP and HTTPS are reachable from outside the host.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}