From e7219ae9886f86488cbc39a69eac5eb6dd0b099f Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Tue, 13 Jul 2021 13:54:18 +0200 Subject: [PATCH] services: matrix: enable SSL traffic only This is a requirement anyway for homeservers, and the `forceSSL` option tried to create a redirect for non-SSL traffic, except the `listen` option only provided SSL endpoints anyway, so this resulted in additional rules in the nginx config looking like this: server { server_name matrix.alarsyo.net ; location /.well-known/acme-challenge { root /var/lib/acme/acme-challenge; auth_basic off; } location / { return 301 https://$host$request_uri; } } Which led to nginx listening on port 8000 (the default port in this situation, I imagine)
---
 services/matrix.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/matrix.nix b/services/matrix.nix
index 7cf1807..c4e55ef 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -170,7 +170,7 @@ in {
 services.nginx = {
 virtualHosts = {
 "matrix.${domain}" = {
- forceSSL = true;
+ onlySSL = true;
 useACMEHost = domain;
 locations =
@@ -197,7 +197,7 @@ in {
 # same as above, but listening on the federation port
 "matrix.${domain}_federation" = rec {
- forceSSL = true;
+ onlySSL = true;
 serverName = "matrix.${domain}";
 useACMEHost = domain;
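Review bot: The `listen` override that the commit message relies on is not visible for the first vhost `"matrix.${domain}"` in this hunk, and the comment in the second hunk ("same as above, but listening on the federation port") suggests that only the federation vhost sets one. If the first vhost uses nginx's default listeners, `onlySSL = true;` drops its plain-HTTP server block altogether, so unencrypted requests for that name fall through to whichever default server answers on port 80 instead of being redirected, and the `/.well-known/acme-challenge` location under that name disappears as well. It is worth confirming that the certificate behind `useACMEHost = domain` does not depend on an HTTP-01 challenge served for this hostname; if it does, keep `forceSSL = true;` here and switch only the federation vhost. The attribute set continues past the end of the hunk.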
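Review bot: Nothing in the file records why the federation vhost uses `onlySSL` rather than the more usual `forceSSL`, so a later cleanup could switch it back and reintroduce the stray listener described in the commit message. A comment above the changed line would keep the reason next to the setting, for example `# onlySSL, not forceSSL: the redirect server block gets no listen address here, so nginx binds its default port`. The `rec` attribute set starts inside the hunk but closes outside it.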