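{ config, ... }:

# Matrix homeserver (dendrite) behind nginx.
#
# Layout as configured here:
#   - dendrite terminates TLS itself on httpsPort using the ACME certificate
#     of the base domain, to which matrix.<domain> is added as an extra name;
#     federating servers are told to connect to that port directly through
#     /.well-known/matrix/server.
#   - nginx serves matrix.<domain> on 443 and proxies the client API to
#     dendrite over loopback.
#   - the signing key and the "matrix/registration" secret come from sops and
#     are owned by the dedicated `matrix` service account.
let
  inherit (config) domainName;
  cfg = config.services.dendrite;
  # The ACME certificate this host manages for the base domain.
  acmeCert = config.security.acme.certs.${domainName};
in
{
  services.dendrite = {
    enable = true;
    httpsPort = 44443;
    tlsCert = "${acmeCert.directory}/fullchain.pem";
    tlsKey = "${acmeCert.directory}/key.pem";
    # Secrets are injected through the environment (presumably the
    # registration shared secret, judging by the sops entry name) instead of
    # being written into the world-readable nix store.
    environmentFile = config.sops.secrets."matrix/registration".path;
    settings.global = {
      private_key = config.sops.secrets."matrix/private_key".path;
      server_name = "matrix.${domainName}";
    };
  };

  # Dedicated service account. A system user gets a uid from the system range,
  # no home directory and the nologin shell; isNormalUser would instead create
  # /home/matrix, put the account in group "users" and give it a login shell,
  # none of which a daemon needs.
  users.users.matrix = {
    isSystemUser = true;
    group = "matrix";
  };
  users.groups.matrix = { };

  systemd.services.dendrite.serviceConfig = {
    User = "matrix";
    # NOTE(review): presumably set so dendrite can read the group-readable
    # ACME certificate directory; confirm this matches
    # security.acme.certs.<domainName>.group, and prefer SupplementaryGroups
    # over a primary group of "nginx" if that is all that is needed.
    Group = "nginx";
  };

  # Only the service account may read the secret files.
  sops.secrets."matrix/registration".owner = "matrix";
  sops.secrets."matrix/private_key".owner = "matrix";

  # Make the base-domain certificate valid for the homeserver name as well.
  security.acme.certs.${domainName}.extraDomainNames = [ cfg.settings.global.server_name ];

  services.nginx.virtualHosts.${cfg.settings.global.server_name} = {
    useACMEHost = domainName;
    # Redirect plain HTTP to HTTPS rather than also serving the client API
    # (and the access tokens it carries) unencrypted.
    forceSSL = true;
    locations."/".proxyPass = "https://localhost:${toString cfg.httpsPort}";
    # Server delegation: tells other homeservers that the federation endpoint
    # for matrix.<domain> is dendrite's own TLS port, not 443.
    locations."/.well-known/matrix/server".extraConfig = ''
      add_header Content-Type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '{"m.server":"${cfg.settings.global.server_name}:${toString cfg.httpsPort}"}';
    '';
  };

  # Federation peers connect straight to httpsPort (that is what the
  # .well-known above advertises), so it must be reachable from outside; the
  # client API still goes through nginx on 443.
  networking.firewall.allowedTCPPorts = [ cfg.httpsPort ];
}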