{ lib, pkgs, ... }: let commonHeaders = '' add_header Permissions-Policy interest-cohort=() always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-XSS-Protection "1; mode=block"; ''; clientConfig = import ./matrix/element-client-config.nix; wellKnownClient."m.homeserver".base_url = "https://matrix.pub.solar"; wellKnownServer."m.server" = "matrix.pub.solar:8448"; mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; wellKnownLocations = { "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer; "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient; }; in { services.nginx.virtualHosts = { "pub.solar" = { locations = wellKnownLocations; }; "chat.test.pub.solar" = { forceSSL = true; enableACME = true; root = pkgs.element-web.override { conf = clientConfig; }; }; "matrix.test.pub.solar" = { root = "/dev/null"; forceSSL = lib.mkDefault true; enableACME = lib.mkDefault true; extraConfig = '' server_tokens off; gzip on; gzip_types text/plain application/json; ''; locations = wellKnownLocations // { # TODO: Configure metrics # "/metrics" = { # }; "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { proxyPass = "http://127.0.0.1:8009"; extraConfig = commonHeaders; }; "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' ${commonHeaders} proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; client_body_buffer_size 25M; client_max_body_size 50M; proxy_max_temp_file_size 0; ''; }; }; }; "matrix.pub.solar-federation" = { serverName = "matrix.test.pub.solar"; forceSSL = lib.mkDefault true; enableACME = lib.mkDefault true; listen = [{ port = 8448; addr = "0.0.0.0"; ssl = true; } { port = 8448; addr = "[::]"; ssl = true; }]; root = "/dev/null"; extraConfig = '' server_tokens off; gzip on; gzip_types text/plain application/json; ''; locations."/" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; client_body_buffer_size 25M; client_max_body_size 150M; proxy_max_temp_file_size 0; ''; }; }; }; networking.firewall.allowedTCPPorts = [8448]; }