{ config, pkgs, lib, ... }: { sops.secrets."matrix/synapse/registrationsecret" = { restartUnits = [ "matrix-synapse.service" ]; owner = "matrix-synapse"; group = "matrix-synapse"; }; sops.secrets."matrix/synapse/oidcsecret" = { restartUnits = [ "matrix-synapse.service" ]; owner = "matrix-synapse"; group = "matrix-synapse"; }; services.matrix-synapse-next = { enable = true; enableNginx = true; workers = { federationSenders = 1; federationReceivers = 2; initialSyncers = 1; normalSyncers = 1; eventPersisters = 1; useUserDirectoryWorker = true; }; extraConfigFiles = [ config.sops.secrets."matrix/synapse/registrationsecret".path ]; settings = { server_name = "feal.no"; public_baseurl = "https://matrix.feal.no"; database.name = "psycopg2"; autocreate_auto_join_rooms = false; max_upload_size = "50M"; #registration_shared_secret = "do_not_put_secret_here_use_extraConfigFiles"; trusted_key_servers = [ { server_name = "matrix.org"; verify_keys = {}; } ]; enable_registration = false; use_presence = true; url_preview_enabled = true; url_preview_ip_range_blacklist = [ # synapse example config "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" "192.0.0.0/24" "169.254.0.0/16" "192.88.99.0/24" "198.18.0.0/15" "192.0.2.0/24" "198.51.100.0/24" "203.0.113.0/24" "224.0.0.0/4" "::1/128" "fe80::/10" "fc00::/7" "2001:db8::/32" "ff00::/8" "fec0::/10" ]; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; oidc_providers = [ { idp_id = "keycloak"; idp_name = "Keycloak"; issuer = "https://iam.feal.no/realms/feal.no"; client_id = "matrix-synapse"; client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path; user_mapping_provicer.config = { localpart_template = "{{ user.preferred_username }}"; display_name_template = "{{ user.name }}"; }; backchannel_logout_enabled = true; enable_registration = false; } ]; }; }; services.postgresqlBackup.databases = [ "matrix-synapse" ]; services.redis.servers."".enable = true; services.nginx.virtualHosts."matrix.feal.no" = { listen = [ { addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43080; ssl = false; } ]; }; }