From e7219ae9886f86488cbc39a69eac5eb6dd0b099f Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Tue, 13 Jul 2021 13:54:18 +0200
Subject: [PATCH] services: matrix: enable SSL traffic only

This is a requirement anyway for homeservers, and the `forceSSL` option
tried to create a redirect for non-SSL traffic, except the `listen`
option only provided SSL endpoints anyway, so this resulted in
additional rules in the nginx config looking like this:

server {
        server_name matrix.alarsyo.net ;
        location /.well-known/acme-challenge {
                root /var/lib/acme/acme-challenge;
                auth_basic off;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}

Which led to nginx listening on port 8000 (the default port in this
situation, I imagine)
---
 services/matrix.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/services/matrix.nix b/services/matrix.nix
index 7cf1807..c4e55ef 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -170,7 +170,7 @@ in {
     services.nginx = {
       virtualHosts = {
         "matrix.${domain}" = {
-          forceSSL = true;
+          onlySSL = true;
           useACMEHost = domain;
 
           locations =
@@ -197,7 +197,7 @@ in {
 
         # same as above, but listening on the federation port
         "matrix.${domain}_federation" = rec {
-          forceSSL = true;
+          onlySSL = true;
           serverName = "matrix.${domain}";
           useACMEHost = domain;