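{ config, pkgs, inputs', ... }:
let
  # The hostname that will appear in your user and room IDs
  server_name = "stranger.systems";

  # The hostname that Conduit actually runs on
  #
  # This can be the same as `server_name` if you want. This is only necessary
  # when Conduit is running on a different machine than the one hosting your
  # root domain. This configuration also assumes this is all running on a single
  # machine, some tweaks will need to be made if this is not the case.
  #
  # NOTE(review): since `server_name` and `matrix_hostname` differ, other
  # homeservers can only federate if delegation exists (a
  # `/.well-known/matrix/server` response on `server_name`, or an SRV record).
  # Nothing in this file provides it -- confirm it is configured elsewhere.
  matrix_hostname = "matrix.${server_name}";

  # An admin email for TLS certificate notifications
  admin_email = "admin@${server_name}";

  # Port Conduit listens on; read back from the module so the NGINX upstream
  # cannot drift from the Conduit settings.
  conduit_port = config.services.matrix-conduit.settings.global.port;

  # Ports NGINX exposes publicly: HTTP (ACME challenges + redirect), HTTPS for
  # clients, and 8448 for Matrix federation. Everything here is TCP only; no
  # HTTP/3 (`quic`) listener is configured, so no UDP port is opened.
  public_ports = [ 80 443 8448 ];

  # One dual-stack pair of NGINX listen entries for a port; TLS is enabled on
  # every port except plain HTTP (80).
  listenOn = port: [
    { addr = "0.0.0.0"; inherit port; ssl = port != 80; }
    { addr = "[::]"; inherit port; ssl = port != 80; }
  ];
in
{
  # Configure Conduit itself
  services.matrix-conduit = {
    enable = true;
    settings.global = {
      inherit server_name;
      # Keep registration closed so the homeserver is invite/admin-managed.
      allow_registration = false;
    };
  };

  # Configure automated TLS acquisition/renewal
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = admin_email;
    };
  };

  # ACME data must be readable by the NGINX user
  users.users.nginx.extraGroups = [ "acme" ];

  # Configure NGINX as a reverse proxy
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts = {
      "${matrix_hostname}" = {
        forceSSL = true;
        enableACME = true;
        # Explicit listen entries are required because 8448 is not one of the
        # module's default ports; port 80 stays plain so ACME and the
        # forceSSL redirect keep working.
        listen = builtins.concatMap listenOn public_ports;

        # Only the Matrix API prefix is proxied; any other path gets NGINX's
        # default response rather than reaching Conduit.
        locations."/_matrix/" = {
          proxyPass = "http://backend_conduit$request_uri";
          proxyWebsockets = true;
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_buffering off;
          '';
        };

        # Matrix room/event IDs may legitimately contain "//"; NGINX would
        # otherwise collapse them before they reach Conduit.
        extraConfig = ''
          merge_slashes off;
        '';
      };
    };

    upstreams = {
      "backend_conduit" = {
        servers = {
          # Conduit is reached over loopback only; it is never exposed directly.
          "[::1]:${toString conduit_port}" = {};
        };
      };
    };
  };

  # Open firewall ports for HTTP, HTTPS, and Matrix federation.
  # The previous UDP rule for the same ports is dropped: no service in this
  # configuration listens on UDP, so it only widened the exposed surface.
  networking.firewall.allowedTCPPorts = public_ports;
}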