Diffstat (limited to 'sys/web')
-rw-r--r--sys/web/sites/default.nix1
-rw-r--r--sys/web/sites/matrix.nix66
-rw-r--r--sys/web/sites/portal.nix18
3 files changed, 80 insertions, 5 deletions
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
index a131aaf..15957c0 100644
--- a/sys/web/sites/default.nix
+++ b/sys/web/sites/default.nix
@@ -1,6 +1,7 @@
{
imports = [
./home.nix
+ ./matrix.nix
./portal.nix
];
}
diff --git a/sys/web/sites/matrix.nix b/sys/web/sites/matrix.nix
new file mode 100644
index 0000000..d27c00c
--- /dev/null
+++ b/sys/web/sites/matrix.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with lib; let
+ cfg = config.local.web.sites.matrix;
+ inherit (config.local) domains;
+in
+{
+ options.local.web.sites.matrix = {
+ enable = mkEnableOption "matrix proxy site";
+
+ proxyUrl = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ local.web = {
+ enable = mkDefault true;
+ ownedCerts = [ "matrix" ];
+
+ sites.portal.enable = true;
+ };
+
+ services.nginx.virtualHosts = {
+ ${domains.exdev.www}.locations =
+ let
+ serverConfig."m.server" = "${domains.matrix.main}:443";
+ clientConfig."m.homeserver".base_url = "https://${domains.matrix.main}";
+
+ mkWellKnown = data: ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+ in
+ {
+ "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+
+ ${domains.matrix.main} = {
+ forceSSL = true;
+ useACMEHost = domains.matrix.main;
+
+ locations =
+ let
+ proxyLocation =
+ throwIf (hasSuffix "/" cfg.proxyUrl)
+ "matrix site: a trailing slash *must not* be used here"
+ cfg.proxyUrl;
+ in
+ {
+ "/".extraConfig = ''
+ return 403;
+ '';
+
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ "/_matrix".proxyPass = proxyLocation;
+
+ # Forward requests for e.g. SSO and password-resets.
+ "/_synapse/client".proxyPass = proxyLocation;
+ };
+ };
+ };
+ };
+}
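Review bot: The `proxyUrl` option (the `mkOption` under `options.local.web.sites.matrix`) declares only `type = types.str;`, so the no-trailing-slash contract is discoverable only by hitting the `throwIf` at evaluation time; add `description = "Upstream homeserver URL that /_matrix and /_synapse/client are proxied to; must not end in a slash.";` and an `example` alongside the type. The two `proxyPass` locations set no forwarding headers in this file; unless `services.nginx.recommendedProxySettings = true;` (or equivalent `proxy_set_header` lines) is enabled elsewhere in the tree, Synapse will see nginx's own address for every client, which blunts its per-IP rate limiting and makes access logs and abuse investigations point at the proxy rather than the client — worth confirming since the `local.web` module is not visible here. The catch-all `"/"` returning 403 and the deliberate omission of `/_synapse/admin` are good defaults; a short comment on the `"/"` location stating that only the two Matrix paths are meant to be reachable would make that intent explicit, e.g. `# Deny everything except the explicitly proxied Matrix paths below.`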
diff --git a/sys/web/sites/portal.nix b/sys/web/sites/portal.nix
index c95e2ea..679a1da 100644
--- a/sys/web/sites/portal.nix
+++ b/sys/web/sites/portal.nix
@@ -11,14 +11,22 @@ in
config = mkIf cfg.enable {
local.web = {
enable = mkDefault true;
- ownedCerts = [ "host" ];
+ ownedCerts = [ "host" "exdev" ];
defaultACMEHost = domains.host.main;
};
- services.nginx.virtualHosts.${domains.host.www} = {
- forceSSL = true;
- useACMEHost = domains.host.main;
- serverAliases = [ domains.host.main ];
+ services.nginx.virtualHosts = {
+ ${domains.host.www} = {
+ forceSSL = true;
+ useACMEHost = domains.host.main;
+ serverAliases = [ domains.host.main ];
+ };
+
+ ${domains.exdev.www} = {
+ forceSSL = true;
+ useACMEHost = domains.exdev.main;
+ serverAliases = [ domains.exdev.main ];
+ };
};
};
}
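Review bot: The two vhost attribute sets under `services.nginx.virtualHosts` (`${domains.host.www}` and `${domains.exdev.www}`) are identical apart from the domain record, so a small helper keeps them in lockstep and makes it harder for a later edit to drop `forceSSL` from one of them. The `config = mkIf cfg.enable {` block that encloses this hunk starts before the hunk header. Whether the certificate named `domains.exdev.main` (via `useACMEHost`) also covers the `www` name is decided by `ownedCerts = [ "host" "exdev" ]` in the `local.web` module, which is not visible here — worth a check, since a mismatch would only show up as a TLS name error on the www host at runtime.
```nix
services.nginx.virtualHosts =
  let
    # Apex-aliased, TLS-only host whose certificate is the ACME entry for the apex.
    mkWwwHost = d: {
      forceSSL = true;
      useACMEHost = d.main;
      serverAliases = [ d.main ];
    };
  in
  {
    ${domains.host.www} = mkWwwHost domains.host;
    ${domains.exdev.www} = mkWwwHost domains.exdev;
  };
```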