config.nix/modules/server/social/synapse.nix

{
  config,
  lib,
  pkgs,
  ...
}:

let
  fqdn = "${config.server.synapse.subdomain}.${config.networking.domain}";
  baseUrl = "https://${fqdn}";
  clientConfig."m.homeserver".base_url = baseUrl;
  serverConfig."m.server" = "${fqdn}:443";
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in

{
  options = {
    server.synapse = {
      enable = lib.mkEnableOption "enable synapse";
      subdomain = lib.mkOption {
        default = "yap";
        description = "synapse subdomain";
      };
      port = lib.mkOption {
        default = 8008;
        description = "synapse port";
      };
    };
  };
  config = {
    services =
      if config.server.synapse.enable then
        {
          postgresql.enable = true;
          matrix-synapse = {
            enable = true;
            configureRedisLocally = true;
            extras = [
              "cache-memory" # Provide statistics about caching memory consumption
              "jwt" # JSON Web Token authentication
              "oidc" # OpenID Connect authentication
              "postgres" # PostgreSQL database backend
              "redis" # Redis support for the replication stream between worker processes
              #"saml2"        # SAML2 authentication
              "sentry" # Error tracking and performance metrics
              "systemd" # Provide the JournalHandler used in the default log_config
              "url-preview" # Support for oEmbed URL previews
            ];
            settings = {
              url_preview_enabled = true;
              server_name = "${config.networking.domain}";
              public_baseurl = baseUrl;
              media_store_path = "/mnt/Data/Matrix/Media";
              max_upload_size = "10G";
              enable_registration = false;
              generic = {
                enabled = true;
                outbound = true;
                urlPrefix = "https://https://yap.marty.tf/webhooks/";
                allowJsTransformationFunctions = false;
                waitForComplete = false;
                enableHttpGet = false;
              };
              listeners = [
                {
                  port = config.server.synapse.port;
                  bind_addresses = [ "127.0.0.1" ];
                  type = "http";
                  tls = false;
                  x_forwarded = true;
                  resources = [
                    {
                      names = [
                        "client"
                        "federation"
                      ];
                      compress = true;
                    }
                  ];
                }
              ];
            };
          };
          nginx = {
            virtualHosts = {
              "${config.networking.domain}" = {
                enableACME = true;
                forceSSL = true;
                locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
                locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
              };
              "${config.server.synapse.subdomain}.${config.networking.domain}" = {
                enableACME = true;
                forceSSL = true;
                locations = {
                  "~ ^(/_matrix|/_synapse/client|/)" = {
                    proxyPass = "http://127.0.0.1:${toString config.server.synapse.port}";
                    proxyWebsockets = true;
                    extraConfig =
                      "proxy_set_header X-Forwarded-For $remote_addr;"
                      + "proxy_set_header X-Forwarded-Proto $scheme;"
                      + "proxy_set_header Host $host:$server_port;";
                  };
                };
              };
            };
          };
        }
      else
        { };
  };
}