server.nix/services/matrix/synapse.nix

{ config, settings, ... }: {
  services = {
    # /var/lib/matrix-synapse
    matrix-synapse = {
      enable = true;

      extraConfigFiles = [
        "/etc/secrets/synapse.yaml"
      ];

      settings = {
        enable_registration = true;
        registration_requires_token = true;
        max_upload_size = "250M";
        server_name = "catnip.ee";
        public_baseurl = "https://matrix.catnip.ee/";

        # Note: email submodule is defined in /etc/secrets/synapse.yaml as matrix doesnt merge the fields and it will fail to run
        # email = {
        #   smtp_host = "mx1.sly.ee";
        #   smtp_user = "matrix@catnip.ee";
        #   smtp_pass = "";
        #   force_tls = true;
        #   notif_from = "Matrix <matrix@catnip.ee>";
        #   app_name = "Catnip.ee matrix";
        # };

        server_notices = {
          system_mxid_localpart = "server";
          system_mxid_display_name = "Server Notices";
          system_mxid_avatar_url = "mxc://catnip.ee/LhehrbXOjfnhaJvFEWsXPtnm";
          room_name = "Server Notices";
          auto_join = true;
        };
        database = {
          name = "psycopg2";
          args = {
            database = "matrix-synapse";
            user = "matrix-synapse";
          };
        };
        listeners = [
          {
            bind_addresses = [ "127.0.0.1" ];
            port = settings.ports.synapse;
            resources = [
              {
                compress = true;
                names = [ "client" "federation" ];
              }
            ];
            tls = false;
            type = "http";
            x_forwarded = true;
          }
        ];
        turn_uris = [
          "turn:${config.services.coturn.realm}:3478?transport=udp"
          "turn:${config.services.coturn.realm}:3478?transport=tcp"
        ];

        turn_user_lifetime = "1h";
      };
    };

    caddy.virtualHosts."matrix.catnip.ee".extraConfig = ''
      tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1
      }

      reverse_proxy :${toString settings.ports.synapse}

      redir /telegram /telegram/

      handle /.well-known/matrix/client {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"}}`
      }
      handle /.well-known/matrix/server {
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        respond `{"m.server": "matrix.catnip.ee:443"}`
      }

      handle /telegram/* {
        reverse_proxy :${toString config.services.mautrix-telegram.settings.appservice.port}
      }
    '';

    borgbackup.jobs."borgbase" = {
      paths = [
        "/var/lib/matrix-synapse"
      ];

      exclude = [
        "/var/lib/matrix-synapse/media_store/remote_content"
        "/var/lib/matrix-synapse/media_store/remote_thumbnail"
      ];
    };
  };
}