flakes/server/matrix.nix

{
  config,
  pkgs,
  ...
}: let
  domain = "itamar.site";
  matrixDomain = "matrix.${domain}";
in {
  networking.firewall = {
    allowedTCPPorts = [80 443 8448];
    allowedUDPPorts = [3478 5349];
    allowedUDPPortRanges = [
      {
        from = 49152;
        to = 65535;
      }
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";
    certs = {
      "${domain}" = {};
      "${matrixDomain}" = {};
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = ["matrix-synapse" "mautrix-whatsapp"];
    ensureUsers = [
      {
        name = "matrix-synapse";
        ensureDBOwnership = true;
      }
      {
        name = "mautrix-whatsapp";
        ensureDBOwnership = true;
      }
    ];
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      suppress_key_server_warning = true;
      database = {
        name = "psycopg2";
        allow_unsafe_locale = true;
        args = {
          database = "matrix-synapse";
          user = "matrix-synapse";
          host = "/run/postgresql";
        };
      };
      enable_registration = false;
      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
      turn_uris = [
        "turns:${domain}:5349?transport=udp"
        "turns:${domain}:5349?transport=tcp"
        "turn:${domain}:3478?transport=udp"
        "turn:${domain}:3478?transport=tcp"
      ];
      turn_shared_secret_path = "/var/lib/matrix-synapse/turn_secret";
      turn_user_lifetime = "1d";
      listeners = [
        {
          port = 8008;
          bind_addresses = ["127.0.0.1" "::1"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = false;
            }
          ];
        }
      ];
    };
  };

  services.mautrix-whatsapp = {
    enable = true;
    registerToSynapse = true;
    settings = {
      homeserver = {
        address = "http://localhost:8008";
        domain = domain;
      };
      appservice = {
        id = "whatsapp";
        bot = {
          username = "whatsappbot";
          displayname = "WhatsApp Bridge Bot";
        };
      };
      database = {
        type = "postgres";
        uri = "postgres://mautrix-whatsapp@/mautrix-whatsapp?host=/run/postgresql";
      };
      bridge = {
        permissions = {
          "*" = "relay";
          "*@${domain}" = "user";
          "@itamar:${domain}" = "admin";
        };
        encryption.allow = true;
        private_chat_portal_meta = true;
      };
      encryption = {
        pickle_key = "$ENCRYPTION_PICKLE_KEY";
      };
      provisioning.shared_secret = "disable";
    };
    environmentFile = "/var/lib/mautrix-whatsapp/secrets.env";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      "${domain}" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www/${domain}";
        locations."= /.well-known/matrix/server".extraConfig = ''
          add_header Content-Type application/json;
          return 200 '{"m.server": "${matrixDomain}:443"}';
        '';
        locations."= /.well-known/matrix/client".extraConfig = ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '{"m.homeserver":{"base_url":"https://${matrixDomain}"},"m.identity_server":{"base_url":"https://vector.im"}}';
        '';
      };

      "${matrixDomain}" = {
        enableACME = true;
        forceSSL = true;
        listen = [
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 8448;
            ssl = true;
          }
        ];
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008";
          proxyWebsockets = true;
        };
        locations."/_synapse/client" = {
          proxyPass = "http://[::1]:8008";
          proxyWebsockets = true;
        };
        locations."/".extraConfig = "return 404;";
      };
    };
  };

  services.coturn = {
    enable = true;
    realm = domain;
    listening-ips = ["0.0.0.0"];
    listening-port = 3478;
    tls-listening-port = 5349;
    min-port = 49152;
    max-port = 65535;
    lt-cred-mech = true;
    use-auth-secret = true;
    static-auth-secret-file = "/var/lib/coturn/static-auth-secret";
    cert = "/var/lib/acme/${domain}/fullchain.pem";
    pkey = "/var/lib/acme/${domain}/key.pem";
    no-cli = true;
    no-tcp-relay = true;
    secure-stun = true;
  };

  systemd.tmpfiles.rules = [
    "d /var/lib/matrix-synapse 0750 matrix-synapse matrix-synapse -"
    "d /var/lib/coturn 0750 turnserver turnserver -"
  ];
}