nixos/modules/services/matrix.nix

{ config, ... }:

{
  imports = [
    ./acme.nix
    ./coturn.nix
    ./matrix-appservice-irc.nix
    ./nginx.nix
  ];

  age.secrets = {
    ldap_synapse_password = {
      file = ../../secrets/neo/ldap_synapse_password.age;
    };

    database_extra_config = {
      file = ../../secrets/neo/database_extra_config.age;
      owner = "matrix-synapse";
    };

    appservice_irc_db_env = {
      file = ../../secrets/neo/appservice_irc_db_env.age;
    };

    coturn_auth_secret = {
      file = ../../secrets/neo/coturn_auth_secret.age;
      owner = "turnserver";
    };
  };

  networking.firewall = {
    allowedTCPPorts = [
      80
      443
      8008
      8448
    ];
  };

  services.matrix-synapse = {
    enable = true;

    plugins = with config.services.matrix-synapse.package.plugins; [
      matrix-synapse-ldap3
    ];

    settings = {
      server_name = "crans.org";

      report_stats = false;

      listeners = [
        {
          port = 8008;
          tls = false;
          bind_addresses = [
            "::"
            "0.0.0.0"
          ];
          type = "http";
          x_forwarded = true;
          resources = [
            {
              names = [ "client" ];
              compress = true;
            }
            {
              names = [ "federation" ];
              compress = false;
            }
          ];
        }
      ];

      database = {
        name = "psycopg2";
        args = {
          user = "synapse";
          database = "synapse";
          # Password is declared in extra config
          host = "172.16.10.1";
          cp_min = 5;
          cp_max = 10;
        };
      };

      modules = [
        {
          module = "ldap_auth_provider.LdapAuthProviderModule";
          config = {
            enabled = true;
            uri = "ldap://172.16.10.157:389";
            start_tls = false;
            base = "cn=Utilisateurs,dc=crans,dc=org";
            attributes = {
              uid = "uid";
              mail = "mail";
              name = "sn";
            };
            binddn = "cn=synapse,ou=service-users,dc=crans,dc=org";
            bind_password_file = config.age.secrets.ldap_synapse_password.path;
            filter = "(&(objectclass=inetOrgPerson)(objectclass=posixAccount))";
          };
        }
      ];

      turn_uris = [
        "turn:${config.services.coturn.realm}:3478?transport=udp"
        "turn:${config.services.coturn.realm}:3478?transport=tcp"
      ];
      turn_shared_secret = config.age.secrets.coturn_auth_secret.path;
      turn_user_lifetime = "1h";

      app_service_config_files = [
        "/var/lib/matrix-appservice-irc/registration.yml"
      ];
    };

    extraConfigFiles = [
      config.age.secrets.database_extra_config
    ];
  };

  services.nginx.virtualHosts."matrix.crans.org" = {
    enableACME = true;
    forceSSL = true;

    listen = [
      {
        addr = "0.0.0.0";
        port = 80;
        ssl = false;
      }
      {
        addr = "0.0.0.0";
        port = 443;
        ssl = true;
      }
      {
        addr = "0.0.0.0";
        port = 8448;
        ssl = true;
      }
    ];

    locations."/_matrix" = {
      proxyPass = "http://localhost:8008";
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
      '';
    };

    locations."/_synapse/client" = {
      proxyPass = "http://localhost:8008";
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
      '';
    };
  };
}