# Matrix homeserver setup, using different endpoints for federation and client
# traffic. The main trick for this is defining two nginx servers endpoints for
# matrix.domain.com, each listening on different ports.
#
# Configuration inspired by :
#
# - https://github.com/delroth/infra.delroth.net/blob/master/roles/matrix-synapse.nix
# - https://nixos.org/manual/nixos/stable/index.html#module-services-matrix
#
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkEnableOption
mkIf
mkOption
optionals
;
cfg = config.my.services.matrix;
my = config.my;
federationPort = {
public = 8448;
private = 11338;
};
clientPort = {
public = 443;
private = 11339;
};
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.matrix = let
inherit (lib) types;
in {
enable = mkEnableOption "Matrix Synapse";
secretConfigFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/run/my_secrets/config.secret";
description = "Secrets file included in configuration";
};
};
config = mkIf cfg.enable {
services.postgresql = {
enable = true;
ensureDatabases = ["matrix-synapse"];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
];
};
services.postgresqlBackup = {
databases = ["matrix-synapse"];
};
services.matrix-synapse = {
enable = true;
extraConfigFiles = optionals (cfg.secretConfigFile != null) [
cfg.secretConfigFile
];
settings = let
logConfig = ''
version: 1
# In systemd's journal, loglevel is implicitly stored, so let's omit it
# from the message text.
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARN
handlers: [journal]
disable_existing_loggers: False
'';
in {
server_name = domain;
public_baseurl = "https://matrix.${domain}";
account_threepid_delegates = {
msisdn = "https://vector.im";
};
listeners = [
# Federation
{
bind_addresses = ["::1"];
port = federationPort.private;
tls = false; # Terminated by nginx.
x_forwarded = true;
resources = [
{
names = ["federation"];
compress = false;
}
];
}
# Client
{
bind_addresses = ["::1"];
port = clientPort.private;
tls = false; # Terminated by nginx.
x_forwarded = true;
resources = [
{
names = ["client"];
compress = false;
}
];
}
];
experimental_features = {
spaces_enabled = true;
};
use_presence = true;
email = {
require_transport_security = true;
};
log_config = pkgs.writeText "log_config.yaml" logConfig;
};
};
services.nginx = {
virtualHosts = {
"matrix.${domain}" = {
onlySSL = true;
useACMEHost = fqdn;
locations = let
proxyToClientPort = {
proxyPass = "http://[::1]:${toString clientPort.private}";
};
in {
# Or do a redirect instead of the 404, or whatever is appropriate
# for you. But do not put a Matrix Web client here! See the
# Element web section below.
"/".return = "404";
"/_matrix" = proxyToClientPort;
"/_synapse/client" = proxyToClientPort;
"/health" = proxyToClientPort;
};
listen = [
{
addr = "0.0.0.0";
port = clientPort.public;
ssl = true;
}
{
addr = "[::]";
port = clientPort.public;
ssl = true;
}
];
};
# same as above, but listening on the federation port
"matrix.${domain}_federation" = rec {
onlySSL = true;
serverName = "matrix.${domain}";
useACMEHost = fqdn;
locations."/".return = "404";
locations."/_matrix" = {
proxyPass = "http://[::1]:${toString federationPort.private}";
};
listen = [
{
addr = "0.0.0.0";
port = federationPort.public;
ssl = true;
}
{
addr = "[::]";
port = federationPort.public;
ssl = true;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = fqdn;
locations."= /.well-known/matrix/server".extraConfig = let
server = {"m.server" = "matrix.${domain}:${toString federationPort.public}";};
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig = let
client = {
"m.homeserver" = {"base_url" = "https://matrix.${domain}";};
"m.identity_server" = {"base_url" = "https://vector.im";};
};
# ACAO required to allow element-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Element Web app deployment
#
"chat.${domain}" = {
useACMEHost = fqdn;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config = {
"m.homeserver" = {
"base_url" = "https://matrix.${domain}";
"server_name" = "${domain}";
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
showLabsSettings = true;
defaultCountryCode = "FR"; # cocorico
roomDirectory = {
"servers" = [
"matrix.org"
"mozilla.org"
"prologin.org"
];
};
};
};
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["chat.${domain}" "matrix.${domain}" domain];
# For administration tools.
environment.systemPackages = [pkgs.matrix-synapse];
networking.firewall.allowedTCPPorts = [
clientPort.public
federationPort.public
];
my.services.restic-backup = let
dataDir = config.services.matrix-synapse.dataDir;
in {
paths = [dataDir];
# this is just caching for other servers media, doesn't need backup
exclude = ["${dataDir}/media/remote_*"];
};
};
}