Diffstat (limited to 'sys/web/sites/matrix.nix')
| -rw-r--r-- | sys/web/sites/matrix.nix | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/sys/web/sites/matrix.nix b/sys/web/sites/matrix.nix
new file mode 100644
index 0000000..d27c00c
--- /dev/null
+++ b/sys/web/sites/matrix.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.matrix;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.matrix = {
+ enable = mkEnableOption "matrix proxy site";
+
+ proxyUrl = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "matrix" ];
+
+ sites.portal.enable = true;
+ };
+
+ services.nginx.virtualHosts = {
+ ${domains.exdev.www}.locations =
+ let
+ serverConfig."m.server" = "${domains.matrix.main}:443";
+ clientConfig."m.homeserver".base_url = "https://${domains.matrix.main}";
+
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+
+ ${domains.matrix.main} = {
+ forceSSL = true;
+ useACMEHost = domains.matrix.main;
+
+ locations =
+ let
+ proxyLocation =
+ throwIf (hasSuffix "/" cfg.proxyUrl)
+ "matrix site: a trailing slash *must not* be used here"
+ cfg.proxyUrl;
+ in
+ {
+ "/".extraConfig = ''
+ return 403;
+ '';
+
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ "/_matrix".proxyPass = proxyLocation;
+
+ # Forward requests for e.g. SSO and password-resets.
+ "/_synapse/client".proxyPass = proxyLocation;
+ };
+ };
+ };
+ };
+} |
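Review bot: The `proxyUrl` option declares only `type = types.str` with no `description`, so the no-trailing-slash contract it must satisfy is stated only by the `throwIf` buried inside `locations`, which a user setting the option never sees until evaluation fails. I would document it on the option itself: `description = "Upstream URL of the Synapse homeserver, without a trailing slash (a trailing URI on proxy_pass would make nginx strip the matched /_matrix prefix before forwarding).";` and an `example` such as `"http://127.0.0.1:8008"` (constructed). Separately, neither `proxyPass` location sets `client_max_body_size`, so media uploads through `/_matrix` are capped at nginx's default of 1m unless `local.web` raises it elsewhere; if it does not, an `extraConfig = "client_max_body_size 50M;"` on the `/_matrix` location matching Synapse's upload limit belongs here. Whether forwarded-for headers are enabled is also outside this hunk (it would come from the `local.web` module, not visible here); without them Synapse's per-IP rate limiting and login audit see only the proxy's address, so it is worth confirming.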
