nixos-config/hosts/defiant/services/matrix/synapse.nix

{ config, pkgs, lib, ... }:
{
  sops.secrets."matrix/synapse/registrationsecret" = {
    restartUnits = [ "matrix-synapse.service" ];
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };

  sops.secrets."matrix/synapse/oidcsecret" = {
    restartUnits = [ "matrix-synapse.service" ];
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };

  services.matrix-synapse-next = {
    enable = true;
    enableNginx = true;

    workers = {
      federationSenders = 1;
      federationReceivers = 2;
      initialSyncers = 1;
      normalSyncers = 1;
      eventPersisters = 1;
      useUserDirectoryWorker = true;
    };

    extraConfigFiles = [
      config.sops.secrets."matrix/synapse/registrationsecret".path
    ];

    settings = {
      server_name = "feal.no";
      public_baseurl = "https://matrix.feal.no";
      database.name = "psycopg2";
      autocreate_auto_join_rooms = false;
      max_upload_size = "50M";

      #registration_shared_secret = "do_not_put_secret_here_use_extraConfigFiles";

      trusted_key_servers = [
        {
          server_name = "matrix.org";
          verify_keys = {};
        }
      ];

      enable_registration = false;
      use_presence = true;

      url_preview_enabled = true;
      url_preview_ip_range_blacklist = [
        # synapse example config
        "127.0.0.0/8"
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
        "100.64.0.0/10"
        "192.0.0.0/24"
        "169.254.0.0/16"
        "192.88.99.0/24"
        "198.18.0.0/15"
        "192.0.2.0/24"
        "198.51.100.0/24"
        "203.0.113.0/24"
        "224.0.0.0/4"
        "::1/128"
        "fe80::/10"
        "fc00::/7"
        "2001:db8::/32"
        "ff00::/8"
        "fec0::/10"
      ];

      tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
      tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";

      enableSlidingSync = true;

      oidc_providers = [
        {
          idp_id = "keycloak";
          idp_name = "Keycloak";
          issuer = "https://iam.feal.no/realms/feal.no";
          client_id = "matrix-synapse";
          client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
          user_mapping_provider.config = {
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
          };
          attribute_requirements = [{
            attribute = "matrix-roles";
            value = "matrix-user";
          }];
          backchannel_logout_enabled = true;
          enable_registration = false;
        }
      ];
    };
  };

  services.redis.servers."".enable = true;

  services.postgresqlBackup.databases = [ "matrix-synapse" ];

  services.nginx.virtualHosts."matrix.feal.no" = {
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
  };

}