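# NixOS module for a single-host Matrix deployment: Synapse behind nginx (TLS
# via ACME), a mautrix-whatsapp bridge, PostgreSQL, and coturn for VoIP.
#
# Layout: Synapse listens on loopback only (port 8008, plain HTTP) and trusts
# X-Forwarded-* from nginx; nginx terminates TLS on 443/8448 and forwards only
# /_matrix and /_synapse/client. coturn reuses the ACME certificate of the base
# domain for TURNS.
{ config, pkgs, ... }:
let
  domain = "itamar.site";
  matrixDomain = "matrix.${domain}";
in
{
  networking.firewall = {
    # 80/443: nginx; 8448: Matrix federation.
    # 3478/5349 are listed for TCP as well as UDP because turn_uris below
    # advertises both transports; without the TCP entries clients on
    # UDP-blocked networks negotiate a TURN URI the firewall then drops.
    allowedTCPPorts = [ 80 443 8448 3478 5349 ];
    allowedUDPPorts = [ 3478 5349 ];
    # TURN relay port range (must match services.coturn.min-port/max-port).
    allowedUDPPortRanges = [ { from = 49152; to = 65535; } ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";
    certs = {
      "${domain}" = {
        # coturn reads this certificate directly (see services.coturn below);
        # without a reload hook it keeps serving the old chain after renewal.
        reloadServices = [ "coturn.service" ];
      };
      "${matrixDomain}" = {};
    };
  };

  # The nginx module owns the ACME cert group for the base domain, so the
  # coturn user needs that group to read key.pem (files are group-readable only).
  # NOTE(review): assumes the nginx module's default cert group; verify with
  # `ls -l /var/lib/acme/${domain}` after the first deploy.
  users.users.turnserver.extraGroups = [ config.services.nginx.group ];

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "matrix-synapse" "mautrix-whatsapp" ];
    # Both services connect over the unix socket as their own system user
    # (peer auth), so no database passwords are needed.
    ensureUsers = [
      { name = "matrix-synapse"; ensureDBOwnership = true; }
      { name = "mautrix-whatsapp"; ensureDBOwnership = true; }
    ];
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      suppress_key_server_warning = true;
      database = {
        name = "psycopg2";
        # Lets Synapse start on a database whose locale is not C/POSIX.
        # Caveat: a later glibc collation change can silently corrupt
        # text indexes; prefer creating the DB with LC_COLLATE=C instead.
        allow_unsafe_locale = true;
        args = {
          database = "matrix-synapse";
          user = "matrix-synapse";
          host = "/run/postgresql";
        };
      };
      # Open registration is off; accounts are created with the shared
      # secret below (register_new_matrix_user).
      enable_registration = false;
      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
      turn_uris = [
        "turns:${domain}:5349?transport=udp"
        "turns:${domain}:5349?transport=tcp"
        "turn:${domain}:3478?transport=udp"
        "turn:${domain}:3478?transport=tcp"
      ];
      # Must contain the same value as services.coturn.static-auth-secret-file.
      turn_shared_secret_path = "/var/lib/matrix-synapse/turn_secret";
      turn_user_lifetime = "1d";
      listeners = [
        {
          port = 8008;
          # Loopback only: TLS and client access go through nginx.
          bind_addresses = [ "127.0.0.1" "::1" ];
          type = "http";
          tls = false;
          # Trust X-Forwarded-For from the reverse proxy (only safe because
          # the listener is not reachable from outside this host).
          x_forwarded = true;
          resources = [
            { names = [ "client" "federation" ]; compress = false; }
          ];
        }
      ];
    };
  };

  services.mautrix-whatsapp = {
    enable = true;
    registerToSynapse = true;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
        domain = domain;
      };
      appservice = {
        id = "whatsapp";
        bot = {
          username = "whatsappbot";
          displayname = "WhatsApp Bridge Bot";
        };
      };
      database = {
        type = "postgres";
        uri = "postgres://mautrix-whatsapp@/mautrix-whatsapp?host=/run/postgresql";
      };
      bridge = {
        # "*" = "relay" lets any Matrix user, including remote federated
        # ones, send through a relay user in rooms where one is set. Narrow
        # to "*@${domain}" if relay mode is not needed for outside users.
        permissions = {
          "*" = "relay";
          "*@${domain}" = "user";
          "@itamar:${domain}" = "admin";
        };
        encryption.allow = true;
        private_chat_portal_meta = true;
      };
      # Secret is injected from environmentFile, not stored in the Nix store.
      encryption = {
        pickle_key = "$ENCRYPTION_PICKLE_KEY";
      };
      # Provisioning API disabled entirely.
      provisioning.shared_secret = "disable";
    };
    environmentFile = "/var/lib/mautrix-whatsapp/secrets.env";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Sets the X-Forwarded-* headers Synapse relies on (x_forwarded = true).
    recommendedProxySettings = true;
    virtualHosts = {
      "${domain}" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www/${domain}";
        # Server delegation: federation for ${domain} is served by ${matrixDomain}.
        locations."= /.well-known/matrix/server".extraConfig = ''
          add_header Content-Type application/json;
          return 200 '{"m.server": "${matrixDomain}:443"}';
        '';
        # Client discovery; CORS * is required by web clients.
        locations."= /.well-known/matrix/client".extraConfig = ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '{"m.homeserver":{"base_url":"https://${matrixDomain}"},"m.identity_server":{"base_url":"https://vector.im"}}';
        '';
      };
      "${matrixDomain}" = {
        enableACME = true;
        forceSSL = true;
        listen = [
          { addr = "0.0.0.0"; port = 443; ssl = true; }
          { addr = "0.0.0.0"; port = 8448; ssl = true; }
        ];
        # Only the Matrix API paths are proxied; Synapse's other endpoints
        # (e.g. /_synapse/admin) stay reachable from loopback only.
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008";
          proxyWebsockets = true;
        };
        locations."/_synapse/client" = {
          proxyPass = "http://[::1]:8008";
          proxyWebsockets = true;
        };
        locations."/".extraConfig = "return 404;";
      };
    };
  };

  services.coturn = {
    enable = true;
    realm = domain;
    listening-ips = [ "0.0.0.0" ];
    listening-port = 3478;
    tls-listening-port = 5349;
    min-port = 49152;
    max-port = 65535;
    # Time-limited credentials derived from the shared secret (same value
    # as Synapse's turn_shared_secret_path), not static user accounts.
    lt-cred-mech = true;
    use-auth-secret = true;
    static-auth-secret-file = "/var/lib/coturn/static-auth-secret";
    cert = "/var/lib/acme/${domain}/fullchain.pem";
    pkey = "/var/lib/acme/${domain}/key.pem";
    no-cli = true;
    no-tcp-relay = true;
    secure-stun = true;
    # Anyone holding a valid TURN credential can relay to arbitrary peers.
    # Refuse relaying into this host's own networks so the TURN server cannot
    # be used to reach loopback, RFC1918 and link-local addresses.
    extraConfig = ''
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.0.0.0-192.0.0.255
      denied-peer-ip=192.0.2.0-192.0.2.255
      denied-peer-ip=192.88.99.0-192.88.99.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=198.18.0.0-198.19.255.255
      denied-peer-ip=198.51.100.0-198.51.100.255
      denied-peer-ip=203.0.113.0-203.0.113.255
      denied-peer-ip=240.0.0.0-255.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  # State directories holding the secrets referenced above; owner-only
  # access so other local users cannot read the shared secrets.
  systemd.tmpfiles.rules = [
    "d /var/lib/matrix-synapse 0750 matrix-synapse matrix-synapse -"
    "d /var/lib/coturn 0750 turnserver turnserver -"
  ];
}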