# NixOS module: a Matrix Synapse homeserver for feal.no, fronted by a local nginx
# reverse proxy. Synapse itself only listens on a loopback alias; everything
# from the outside arrives through nginx.
{ config, pkgs, ... }:
let
  # Loopback alias Synapse binds to. Being a 127/8 address it is reachable only
  # from this host, which is what makes trusting X-Forwarded-* headers below safe.
  synapseBind = "127.0.1.2";
  synapsePort = 8008;
  synapseUpstream = "http://${synapseBind}:${toString synapsePort}";

  # sops-nix secret carrying registration_shared_secret. Kept out of the Nix
  # store and out of settings; Synapse reads it through extraConfigFiles.
  registrationSecret = "matrix/synapse/registrationsecret";

  # Address ranges URL previews are never fetched from (loopback, RFC 1918,
  # CGNAT, link-local, documentation, multicast, and their IPv6 counterparts).
  # Copied from Synapse's example config; URL previews are fetched server-side,
  # so this is what keeps a posted link from being used to probe local services.
  previewBlockedRanges = [
    # synapse example config
    "127.0.0.0/8"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "192.168.0.0/16"
    "100.64.0.0/10"
    "192.0.0.0/24"
    "169.254.0.0/16"
    "192.88.99.0/24"
    "198.18.0.0/15"
    "192.0.2.0/24"
    "198.51.100.0/24"
    "203.0.113.0/24"
    "224.0.0.0/4"
    "::1/128"
    "fe80::/10"
    "fc00::/7"
    "2001:db8::/32"
    "ff00::/8"
    "fec0::/10"
  ];
in
{
  # Secret file is owned by the synapse user and triggers a restart when the
  # decrypted material changes, so a rotated secret takes effect.
  sops.secrets.${registrationSecret} = {
    owner = "matrix-synapse";
    group = "matrix-synapse";
    restartUnits = [ "matrix-synapse.service" ];
  };

  services.matrix-synapse = {
    enable = true;
    package = pkgs.matrix-synapse;
    # Merged into the generated homeserver config at start-up; this is where
    # registration_shared_secret comes from.
    extraConfigFiles = [ config.sops.secrets.${registrationSecret}.path ];

    settings = {
      server_name = "feal.no";
      public_baseurl = "https://matrix.feal.no";
      database.name = "psycopg2";

      # registration_shared_secret is deliberately absent here: it arrives via
      # extraConfigFiles (see above). Open registration stays off.
      enable_registration = false;
      autocreate_auto_join_rooms = false;
      use_presence = true;

      # Must agree with client_max_body_size in the nginx /_matrix location.
      max_upload_size = "50M";

      # Federation keys are only verified via matrix.org's notary.
      trusted_key_servers = [
        {
          server_name = "matrix.org";
          verify_keys = { };
        }
      ];

      url_preview_enabled = true;
      url_preview_ip_range_blacklist = previewBlockedRanges;

      # NOTE(review): the only listener below has tls = false, so these paths
      # look unused by it; "snakeoil" suggests placeholders - confirm nothing
      # else (e.g. a TLS listener elsewhere) depends on them.
      tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
      tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";

      listeners = [
        {
          # Plain HTTP on the loopback alias only. x_forwarded = true makes
          # Synapse take client IPs from X-Forwarded-For, which is acceptable
          # solely because nothing but the local nginx can reach this socket.
          port = synapsePort;
          bind_addresses = [ synapseBind ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            { names = [ "client" ]; compress = true; }
            { names = [ "federation" ]; compress = true; }
          ];
        }
      ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Supplies the X-Forwarded-* / Host headers the Synapse listener relies on.
    recommendedProxySettings = true;

    # NOTE(review): no forceSSL/enableACME/sslCertificate is set on this vhost
    # here, yet public_baseurl is https - presumably TLS for matrix.feal.no is
    # configured in another module; confirm.
    virtualHosts."matrix.feal.no".locations = {
      "/_matrix" = {
        proxyPass = synapseUpstream;
        # Mirrors max_upload_size so nginx does not reject media Synapse accepts.
        extraConfig = ''
          client_max_body_size 50M;
        '';
      };

      # locations."/_synapse/client".proxyPass = synapseUpstream;

      # Catch-all: every other path, including Synapse's admin API paths under
      # /_synapse/admin, is forwarded to Synapse. Those endpoints still require
      # an admin access token, but Synapse's docs advise against exposing them
      # publicly; consider narrowing this if the admin API is not needed over
      # the internet.
      "/" = {
        proxyPass = synapseUpstream;
      };
    };
  };
}