server/services/matrix-nginx.nix

{ config, pkgs, domains, ... }:

let
  clientConfig = { 
    "m.homeserver".base_url = "https://${domains.root}";
    "org.matrix.msc3575.proxy".url = "https://${domains.syncv3}";
    "org.matrix.msc2965.authentication" = {
      "issuer" = "https://${domains.auth}";
      "account" = "https://${domains.auth}/account";
    };
  };
  serverConfig = {
    "m.server" = "${domains.root}";
  };
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  services.nginx = {
    clientMaxBodySize = "100m";
    virtualHosts = {
      "${domains.root}" = {
        enableACME = true;
        forceSSL = true;

        locations."=/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
        locations."=/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;

        locations = {
          "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
            priority = 100;
            proxyPass = "http://0.0.0.0:8080";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            '';
          };
          "~ ^(/_matrix|/_synapse/client)" = {
            priority= 200;
            proxyPass = "http://[::1]:8008";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header X-Forwarded-For $remote_addr;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Host $host;
              proxy_buffering off;
            '';
          };
        };

        listen = [
          {
            addr = "[::1]";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
            extraParameters = [ "default_server" ];
          }
        ];
      };
      "${domains.auth}" = {
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://0.0.0.0:8080";
          proxyWebsockets = true;
          extraConfig = ''
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };

        listen = [
          {
            addr = "[::1]";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
        ];
      };
      "${domains.syncv3}" = {
        enableACME = true;
        forceSSL = true;

        locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
          proxyPass = "http://[::1]:8010";
          proxyWebsockets = true;
        };

        extraConfig = ''
          large_client_header_buffers 4 64k;
        '';
      };
    };
  };
}
initial commit 2024-09-24 20:36:31 +01:00			`{ config, pkgs, domains, ... }:`

			`let`
			`clientConfig = {`
			`"m.homeserver".base_url = "https://${domains.root}";`
			`"org.matrix.msc3575.proxy".url = "https://${domains.syncv3}";`
			`"org.matrix.msc2965.authentication" = {`
			`"issuer" = "https://${domains.auth}";`
			`"account" = "https://${domains.auth}/account";`
			`};`
			`};`
			`serverConfig = {`
			`"m.server" = "${domains.root}";`
			`};`
			`mkWellKnown = data: ''`
			`add_header Content-Type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`return 200 '${builtins.toJSON data}';`
			`'';`
			`in`
			`{`
			`services.nginx = {`
			`clientMaxBodySize = "100m";`
			`virtualHosts = {`
			`"${domains.root}" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."=/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;`
			`locations."=/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;`

			`locations = {`
			`"~ ^/_matrix/client/(.*)/(login\|logout\|refresh)" = {`
			`priority = 100;`
			`proxyPass = "http://0.0.0.0:8080";`
			`proxyWebsockets = true;`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`'';`
			`};`
			`"~ ^(/_matrix\|/_synapse/client)" = {`
			`priority= 200;`
			`proxyPass = "http://[::1]:8008";`
			`proxyWebsockets = true;`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Host $host;`
			`proxy_buffering off;`
			`'';`
			`};`
			`};`

			`listen = [`
			`{`
			`addr = "[::1]";`
			`port = 443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 8448;`
			`ssl = true;`
			`extraParameters = [ "default_server" ];`
			`}`
			`];`
			`};`
			`"${domains.auth}" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/" = {`
			`proxyPass = "http://0.0.0.0:8080";`
			`proxyWebsockets = true;`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`'';`
			`};`

			`listen = [`
			`{`
			`addr = "[::1]";`
			`port = 443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 443;`
			`ssl = true;`
			`}`
			`];`
			`};`
			`"${domains.syncv3}" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {`
			`proxyPass = "http://[::1]:8010";`
			`proxyWebsockets = true;`
			`};`

			`extraConfig = ''`
			`large_client_header_buffers 4 64k;`
			`'';`
			`};`
			`};`
			`};`
			`}`