From 914eb35c5aff76ef25264807ff21ddf4a0d45af7 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Sun, 1 Sep 2024 00:34:22 +0200
Subject: [PATCH] add a route for /_synapse/admin, point mjolnir at it This is whitelisted to just bicep As a side-effect it's also much easier to use synapse-admin now
---
 hosts/bicep/services/matrix/mjolnir.nix | 2 +-
 hosts/bicep/services/matrix/synapse.nix | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/hosts/bicep/services/matrix/mjolnir.nix b/hosts/bicep/services/matrix/mjolnir.nix
index 270a2e9f..c547da27 100644
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -11,7 +11,7 @@
 services.mjolnir = {
 enable = true;
 pantalaimon.enable = false;
- homeserverUrl = "http://127.0.0.1:8008";
+ homeserverUrl = "https://matrix.pvv.ntnu.no";
 accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
 managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
 protectedRooms = map (a: "https://matrix.to/#/${a}") [
diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix
index 11f96498..38d0ead1 100644
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -157,6 +157,18 @@ in {
 '';
 };
 }
+ {
+ locations."/_synapse/admin" = {
+ proxyPass = "http://$synapse_backend";
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow ::1;
+ allow ${values.hosts.bicep.ipv4};
+ allow ${values.hosts.bicep.ipv6};
+ deny all;
+ '';
+ };
+ }
 {
 locations = let
 connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
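Review bot: The new `homeserverUrl` line carries no comment explaining why mjolnir now uses the public name instead of loopback, and the reason is only visible in synapse.nix. I would add above it `# via nginx so /_synapse/admin is routed; that location only allows bicep's own addresses (see synapse.nix)`. With this value the bot's access token goes through the TLS vhost, and the bot presumably depends on DNS and the certificate for that name, which is worth recording as intended. The `services.mjolnir` attrset continues outside the hunk.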
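Review bot: The allow/deny list in the new `locations."/_synapse/admin"` block only takes effect when nginx selects this plain prefix location, and a regex location elsewhere in the vhost that matches the same path would take precedence and skip it. The rest of the locations list starts and ends outside the hunk, so this may not occur today, but naming it `locations."^~ /_synapse/admin"` makes the restriction win regardless of what is added later. The rules match the client address as nginx sees it, so if a real-IP or trusted-proxy setting applies to this vhost, check the allowed addresses against it. The admin API's own access-token check remains the primary control. A short comment such as `# admin API: only reachable from bicep's own addresses` would record the intent.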