Add matrix homeserver

2023-07-10 21:24:40 +00:00 · 2023-07-10 21:24:40 +00:00 · 7a8c0fc768
commit 7a8c0fc768
parent 3bdc570a9f
8 changed files with 262 additions and 4 deletions
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@ -7,6 +7,7 @@ rspamd-worker-controller: ENC[AES256_GCM,data:7tS8bEr9i5F+YZoj3uPQa6Xd2SCsuC+jE5
 dkim-keys:
    jalr.de.default: ENC[AES256_GCM,data:mnApsYKXYGtUAHddccmNmU9yZQtekDkTiTXbJ0UJxC0rFxzQCtGsinQslIROJdNUxsxciR1ilNzxawzjJD7AaWJbcAq2TYObGJJOQZBif7t/XEN/rIxEmnAFmdeAyrSONmFb9DiEn59m6DpsU+/9Y+hnc/uwwbzueO34WHJnTqmmsxFVNQZfGR+cbSckHS3wZrfjZSKKzCRt+9DU/xxJ4voyowXLO77w00LHVkyU5liwONi0v2XJ+QeP/jIMmJeKjujZcH+qvUm/kukijqyWKGrZoAYPC2cBlL/UrNECuVdSLMXvr4KBDDTCRZCSMRgUPJ0TAfpQPTPitKJ/0igK7qQl9n/6hckY7VyP8KDS7J7G2Z2XVxfZrAR4X/7ya9B2kneVr2CNx3w954EdTcV1/lD7rcKRjKynyl3ddf8gxJFJ21k1ybo2RLnftGCRVq25qNwhyfjU8x5c7AEs+YTPDrcnmxZ/Ui276eLwpMj61oZzTp8QQhiBVwS/+ruRLC+78pu2gb1gBF/Oo3nuvQD1SOpCRikLVewCYDvfXj/hrjo+oCsjTOj+9tWRcRAEDVlhkXWCMuPXDYrdt3HrIWbQuP8NW1ezd1Ll0r1ujjtPJeSwdd8cVcUSBIoA5gU+eXnYjFaSx9BZ+sIfKqG//W3S+aBYDqAEK/z4N5q66sReb5mtSQYfbZuIZDmox9bwNMG3tJmQX0lJZgEIiuJ5/ef4ra0sj9JsRFldmIn9KUmjW9OlIwzQ42cNNvQSMD/6haNiYsE6TPzVylJ/B2kNu9Qh5FfpCIPtVORv2BAGoNvZlyhjyEiXBEZ4x2hx1l5cBwGOaGhoJ0p+1wqn2zDalIBaEFjbBVdIB6DPC6/lccvpqSwF7HvW2ugyYhW+u92vgic71/BsI4i0OlsJV18gU/zVg0Yj8SK69kEwm4wkJTrkM/I4+kkUIc5OiSAknRfjOFJc0etkh3nO34xpHLOkSv9DrKfXSAGmGZtCLtVL5LGdZeCd/g6EK0JJh6bd9Gu9koSJVq5vjdDJJFf+sgk39TCvHAvk8k1/FgdK5jMJ+pR8heJtP8G96ay3DFVm5hpbjuNKqfBvbf2rkyV6++ywRFnAQGPUiMn9g6Q4F5Ks7CC1D0Ubl7b3dCUk6BDi8rHjxy9QS0/25Yz9cF0bFd6XQDfblnyRLMi9aB36M9Vp38Oh5aB16MyvNUHzcxpaAak0yknE6OuuEMBPQZgFVADCITfy9eUXl2FoXrMWEnBO78GybQ+cV8nhynn5t0U+3koMy2E8ju5kiEofQxXylys3Q76iKRRUbQqFkh/ndWtJVVfGNpi1GrUr1w1YZM0hBY9FqqeBjf7ckj+9BdiwWJ0XauuR70o7odm02mydk1/T3Hfzt3OE5nHIXnVbum9KyPx8wXj9qc6JGFm558pQOcRUgGUi+EzGoGckkoLx4Onl+XeGysW5sXP9dbYgMBug0Tjmdo9xkoBti6znDnN/zh93bbzWITNvxMgVs8zSWEhlM0c7F02UeUXSekbTFue5FOaMdYObMvPeb53jAKBOYLr34GVFvucJhKajIaNzDvfiI6fGCMxcSsWk+P3co7gdbRlWYZELsKDu2scktZsHr/gRwRiDZXAWOLiWZL4jswQ1vXSFXJgdblEV//hr2DwsAtCAsyFcgO/LGq30xi3xNqHTkUZXo6cZYSb6EVaIywMCI5ySEnTLAp/xedySANHuo8yyVqyLxkDPI7CnnSS7JcnQF3K5z+NZ0KnIpc1ewGupOhS0fKj31XxUkoSsHEY/iWJPLNA8+4VsBkADnGdkYXHTvy/yAGV6w1k1qtjiWhDAGcE9/o6NOHctYm3cx8CVsLpve/WFUaCkGgjWJdC8XP92xsUQoE6PENn6ZzFaqGHs7hgQqE1kBcEj8N5WkEqkoMo82giHE33iYoVUdkjOTkV4iDGEqyjg1BoM0GedR2A832LseDkP7u4DjIAQfpIDu7PaeiDh7xWkPRwIMV0oDTakXTdPkPGdgFikzTaxkTzRlpCbQuV769eITqVT04kJDp7+0Rb6dtjeXc0Ennv68wZSiyrlmXbrJntg7g1wrebq28q9NMIZETAPugfK6wNDu/Iw1q1kZn2ELo6xaDlcIxHDcpzK7e2VAYYuP1k3sYnSLU3oeq54j3/yS2z1me5FEqWlPOCrjdnLkE3/GjbeMsYo2YTYJEUEd2ncacSCoXUaUoxpBnjRYcHLRUV+6jy7Amp0/52rAPzSeVlBzc+SdNiKLYA2UQ74WrMU596Gkhw1SD8jSM5QqSBhH9sL+oE4GjhjLhstMUPdkNgiwxXDTZLKcIyjN1cn+RSmvNA2KXMH6MoXrkqSkJ9u2s0QAhla51zR/LZwWbzwGOO0dkh3rwh2x+pcCfuzvlk3lYr/x5XOF2k1n8yvehXY5zIX8nk6djjLbvAzzSr/yalS7R0WYIc6CjzoUl3qz+PlneMfKHcaX00hkOlIub/ZFQf1RE+JzZxi0qQq4M8Nt1XRKGDeS448Z6znDpedStUH29krZcnjMtyLmPX7ETTsjr3HLpCOd7MQ2K1rfhmvh5BtJkn1KSUf94puZbkLH7X+WnWN0hsc+KbSXnYZvqwJ8G0/7ptp/Q+wGljqhjv+HhOeA3NUwANv1xWgbiymVIlxCodXtQwn8mxS+jxSvslGwOnyUkTT76IbFbv/IpW6PNvj/xqwOqey8a/4WCGcqs403Y7TKQ+xCflG6K3tL7U5UbMnMgXTeZvoK+DooS2eIepF2WB5XqTuOZJV2OQ6GHfaBMjXN9iGVNLi6XgkbpmcMLQ4TZq+dVmgleJb14IaTFD3n74OfmbcT9lmRfPRJEpFEMNeL3ghH54P2a91zJFASgE7x+Uv2cGcmKFtMbyc/rrhH1F/Ixlv/R37huFo1T2dPMEZ/1ouuPpbUQ5oz/JlOWw3NOxd0O6oG0x9Xib+9KxSFOusLWcFEgx70jrBQKj8s2Jj+W0gZYv+BJtPMPY0KAkRj1amt4Fd6ZrPOEXJ392EHSAEv5jssO5ba52OHKA+QkYvPPL04rwkxSAQiTl57scnEj2WEIP+Lz0/qsMnwF+3rWuz856doJZcXX+U9iuzBCaYQqA1P3BojAYhEHnXBPeolHOA3BmhT9E2TJsZ6P9SQ+GaqyLm0i4vRXGlArlkLwRBs9EZv/l4DT8q0YHha53O4rhRzGJZKAOO252Dpha1YN7+FubYGAZjaUT5O0R/7xSPrGyBejddtM8asW8+NClAn4Y6xvj1IgUg6VRpEy7ZIpZEQ+UyDWt0A4nsipaz2NyZKZ5Vxza2v1qZDdYODK8nm/zj7fR/JykaNVEVj7ceTSHdaQlajfeEWWTs92msIBcqPUXqlaR005hoVvXm+WCnzIMIXLGiyRKRsAPIDYh2hGCtvfXLSq5TYm3bnGAImL0KW3Yllt1qSqSbOYsvm5QfDmTrrccvtSLGRj0rOU3Z8f4WXjf+1YgxjZ9h8fKL+LKA8x1S6M8fl0JVGBIAU8Xe8c4+r2F1VcygJp7h+0v8o8GudM6in4djAdeMLWBgXid7r0q744joFucP56opwYQp3Lu0oFEo0omS6Rh9yPfOjdGBU2eUdjcCNXXuEJD9yHSyebviSAvDw/KH1AxYSWYnjMWACCfcbOlXf3ej7PuQgq5MdFwF7+QawXm0john4YusUon4/0fqd/IFLd6oHYYesxcFdm1jN6DeS4SAqRgeEPuEWDFERgXjLHBxl5Xdi5n+NOR3Vc7ziJ9j9/CA1DKdwmsFBBDcVKMnr2FibXpN5WsSdlBng0L2zhkL22wRH9xbz8Xk5shN20/EHoxHB5HJvwfOgHIC7ooWKOUUuNTZH43+gVN+wzRzlMfiF4X71Edw+lTnQRp6Lh03M2k9do6JPoX2+UU0h6mOYiAFkhHKzCmK3DY12c4Smx+qLJNbUGhoMgthu/WnXObm0Hr+myCooTYSVNTJx6vVjI3GZtMcat2o8B9k38u/Y5/FxqTYmyXhROwS4v3W5fXwTAaxBqQy6Xj5s4V37omBBh/Z9a43nc2VlT7dKR1wIvNB/gqhiYyYrVMtYMJqGLkeCbu50LUWT4qXyR8uaqbZTVjyJCQRxZd6fd3Zfe9wIeYe3N5qKIXkFD3n1U2Q/EyRfb3TpiA+eYkAtl6JGK0vpeWpN5M2LJ3/V79e3cIG7B7/p6BrRxKxHDnBZcu57KKaN8XM+v2KTz7XdF8bjgeu1V/B9WoBwnpzCM+3s5ffNceuUcb2gJgRAUpZvcSDLYy+9aluGU2Tvsm49fCzr851p3VSEJepgPpnvuq874AX/MbPvqidF8Y21Kss1RUbl5wrlq5IihKdM+xCSq6mjvtSPVHRvw==,iv:2NBiTTW9slOH9BvM+kVbMB/+8EiS/Dc/eaqrtiwn4HY=,tag:0rc2+ZWy9XZYE7RK/oSo3g==,type:str]
 radicale-htpasswd: ENC[AES256_GCM,data:Q0WnleP9I4xozsL/H+5oV3Ag7khfalV40A6ub+DA07U8UKna3/ju533RmjWOnETzSNa6XK140nfCcfGZCiqGyF9tfuuXcKFu+j4=,iv:87PSvHyKF7QUQZmEuxM+IT0VKSGnS0MjoUmCqJ+6tzI=,tag:yrP3TgxE8aSZf0MrCF9dsQ==,type:str]
+synapse-turn-shared-secret: ENC[AES256_GCM,data:Q1XRds3Zud1kYkvD6s9WUzP+kNDNsxB5SHd6oCAaLCHhHhYENSAYTZOF+rGjCPNyKFL0e/A=,iv:zScRQrz+pXHNUh/BGOaV+TVnDR3wu1Z/UO1zXarKwtA=,tag:ckpVziE+yb0FjctcT7tAkg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -22,8 +23,8 @@ sops:
            TjdZRldhSzVtMkVoTzY1NjdGbCswRVUK0pi+8UuLqRmytcR2ikxOAM02iccl8P1y
            ixv0PKPLd+vQ23QeeQy/TfoGx16XttaDUnUrPLZR3TUKtAcld8+m6w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-30T16:16:00Z"
-    mac: ENC[AES256_GCM,data:o0OOVRNJOt3aMYcKoJHjy3nny1GVH9e7B8FMl7VSVYmxwkvdjtjG0ygF//D1T5b2G6SMgeAXyinVZCAYZipPD501K2h08rL0sZX7yl2jo8s09mzU1fiZRHVOINOmd2kn4jrMruukvo0zvcluJpaPPORE4osMLinhrYOoKSnLZGk=,iv:2YeZpOd7GO+EXLIjl2ZQ4wK56d6LF8Rnkd9aHGYJ60g=,tag:lld0Wv46peLWI8ENsQW11w==,type:str]
+    lastmodified: "2023-07-10T19:12:08Z"
+    mac: ENC[AES256_GCM,data:69VwkQHqDho4JMTyqRQSjSFdgKNdo0Vut9xp63FmPi1lD2EuKi78Mzt7tsGnRoilG8CS8LW+FSaSB/ywNJYK4bmkYMB2N0XbgAs3gAf4bzqDsEfR/WRRnhzO5eM7x4dE4hkknzv4R39e2ENzkWzpR5EBf7UUJUGZv9UcXSHGiRo=,iv:vRWo0J0BwTVJCriT0PZyNMTXlOTXnLBLAF0VJnADqcI=,tag:P3C6JaZahUsPG+FqnHmmQg==,type:str]
    pgp:
        - created_at: "2023-05-02T19:30:42Z"
          enc: |
--- a/hosts/iron/services/default.nix
+++ b/hosts/iron/services/default.nix
@ -4,6 +4,7 @@
    ./dyndns.nix
    ./jellyfin.nix
    ./mail.nix
+    ./matrix
    ./navidrome.nix
    ./nginx.nix
    ./public-ip-tunnel.nix
--- a/hosts/iron/services/matrix/default.nix
+++ b/hosts/iron/services/matrix/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./synapse.nix
+  ];
+}
--- a/hosts/iron/services/matrix/synapse.nix
+++ b/hosts/iron/services/matrix/synapse.nix
@ -0,0 +1,107 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.matrix-synapse.settings;
+  fqdn = "matrix.jalr.de";
+  domain = "jalr.de";
+  turnHost = "turn.jalr.de";
+in
+{
+  sops.secrets = {
+    synapse-turn-shared-secret = {
+      owner = "matrix-synapse";
+      sopsFile = ../../secrets.yaml;
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+
+    settings = {
+      server_name = domain;
+      public_baseurl = "https://${fqdn}";
+
+      database.name = "sqlite3";
+
+      listeners = lib.singleton {
+        port = 8008;
+        bind_addresses = [ "127.0.0.1" "::1" ];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = lib.singleton {
+          names = [ "client" "federation" "metrics" ];
+          compress = false;
+        };
+      };
+
+      turn_uris = [
+        "turns:${turnHost}:5349?transport=udp"
+        "turns:${turnHost}:5349?transport=tcp"
+        "turn:${turnHost}:3478?transport=udp"
+        "turn:${turnHost}:3478?transport=tcp"
+      ];
+      turn_user_lifetime = "1h";
+
+      enable_metrics = true;
+
+      # adapted from https://github.com/NixOS/nixpkgs/blob/7e10bf4327491a6ebccbe1aaa8e6c6c0aca4663a/nixos/modules/services/misc/matrix-synapse-log_config.yaml
+      #  - set root.level to WARNING instead of INFO
+      log_config = pkgs.writeText "log_config.yaml" (builtins.toJSON {
+        version = 1;
+
+        formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
+
+        filters.context = {
+          "()" = "synapse.util.logcontext.LoggingContextFilter";
+          request = "";
+        };
+
+        handlers.journal = {
+          class = "systemd.journal.JournalHandler";
+          formatter = "journal_fmt";
+          filters = [ "context" ];
+          SYSLOG_IDENTIFIER = "synapse";
+        };
+
+        root = {
+          level = "WARNING";
+          handlers = [ "journal" ];
+        };
+
+        disable_existing_loggers = false;
+      });
+
+      max_upload_size = "50M";
+
+      # I’m okay with using matrix.org as trusted key server
+      suppress_key_server_warning = true;
+
+      # For mautrix-whatsapp backfilling
+      experimental_features.msc2716_enabled = true;
+    };
+
+    extraConfigFiles = with config.sops.secrets; [
+      synapse-turn-shared-secret.path
+    ];
+  };
+
+  services.nginx.virtualHosts = {
+    "${fqdn}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/_matrix" =
+        let
+          listenerCfg = (lib.elemAt cfg.listeners 0);
+        in
+        {
+          proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
+
+          extraConfig = ''
+            client_max_body_size ${cfg.max_upload_size};
+          '';
+        };
+    };
+
+  };
+}
--- a/hosts/magnesium/secrets.yaml
+++ b/hosts/magnesium/secrets.yaml
@ -1,4 +1,5 @@
 wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str]
+turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +15,8 @@ sops:
            Vlk3Y1luTTg3bkpqNTNPUGlNYmNtMW8K9dEUwAuzvDZZoVi8FPZQ7/h75EV0L+VM
            MlTGfEt38Hi7EOw+yfXvXYHse/OKypwcrPiJDT6IT/E+O9BJCjPKCA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-06-22T12:44:40Z"
-    mac: ENC[AES256_GCM,data:pyqtldMaMmQw7Qh5LsWGqD6QQhk7Ni+QzWrn7nqM+PtCwMDDccNp6ZWF70IwU5todmvRgLrW3Ke9SVlMTYCaHNQ8/W5iL4vrOJY1txrXSEqfwZ3ODGXKOFILqYNdi5fAMtkqu0rBHFo+ZQ44bPg/oEYp6V5idlkHRQnQWJifFtI=,iv:DQ4O9/8HKwLLSBz+BDS3FRUVG3HAA8tTpSRQ4BxZ8Uo=,tag:6W/PCbQiu/Q1f2Q3e0OtPQ==,type:str]
+    lastmodified: "2023-07-10T19:12:04Z"
+    mac: ENC[AES256_GCM,data:cDwrW1odloAedY7tdKLPg52UTehlTrs3+lAH0ksaGGDXzQCsVNlfzR86SRGQY2s98cu7+9j5azhWSU9slDZcTIk4VWL2i8ZtVpD8KFtut0WiwWaGf2/KLe80GGw3lr4Rm491YDvv7JcUsEuCG3lAQFZzAlZcfl0faFpzYvpTk30=,iv:yeyRjURArUaG0HzcVP0Wm9n0oVHb+u4zNdaQbrC+EaM=,tag:9uFNd3CSSFjToeawBtMNHg==,type:str]
    pgp:
        - created_at: "2023-06-22T12:44:23Z"
          enc: |
--- a/hosts/magnesium/services/coturn.nix
+++ b/hosts/magnesium/services/coturn.nix
@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.coturn;
+
+  fqdn = "turn.jalr.de";
+in
+{
+  sops.secrets.turn-static-auth-secret = {
+    owner = "turnserver";
+    sopsFile = ../secrets.yaml;
+  };
+
+  services.coturn = {
+    enable = true;
+
+    # config adapted from synapse’s turn howto:
+    # https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md
+    use-auth-secret = true;
+    realm = fqdn;
+    # the NixOS module does not support loading the secret from a dedicated file
+    static-auth-secret-file = config.sops.secrets.turn-static-auth-secret.path;
+
+    no-tcp-relay = true;
+
+    cert = "/run/turnserver/fullchain.pem";
+    pkey = "/run/turnserver/key.pem";
+
+    min-port = 49160;
+    max-port = 49200;
+
+    no-cli = true;
+
+    extraConfig = ''
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+
+      # https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+      user-quota=12
+      total-quota=1200
+    '';
+  };
+
+  systemd.services.coturn = {
+    after = [ "acme-finished-${fqdn}.target" ];
+    serviceConfig = {
+      ExecStartPre = lib.singleton "!${pkgs.writeShellScript "coturn-setup-tls" ''
+        cp ${config.security.acme.certs."${fqdn}".directory}/{fullchain,key}.pem /run/turnserver/
+        chgrp turnserver /run/turnserver/{fullchain,key}.pem
+      ''}";
+    };
+  };
+
+  security.acme.certs."${fqdn}".postRun = ''
+    if systemctl is-active coturn; then
+      systemctl --no-block restart coturn
+    fi
+  '';
+
+  services.nginx.virtualHosts."${fqdn}" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
+    allowedUDPPorts = with cfg; [ listening-port alt-listening-port tls-listening-port ];
+
+    allowedUDPPortRanges = lib.singleton {
+      from = cfg.min-port;
+      to = cfg.max-port;
+    };
+  };
+}
--- a/hosts/magnesium/services/default.nix
+++ b/hosts/magnesium/services/default.nix
@ -1,5 +1,7 @@
 {
  imports = [
+    ./coturn.nix
    ./public-ip-tunnel.nix
+    ./webserver.nix
  ];
 }
--- a/hosts/magnesium/services/webserver.nix
+++ b/hosts/magnesium/services/webserver.nix
@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "jalr.de";
+  matrixDomain = "matrix.jalr.de";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "${domain}" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations =
+          let
+            # workaround for nginx dropping parent headers
+            # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+            parentHeaders = lib.concatStringsSep "\n" (lib.filter
+              (lib.hasPrefix "add_header ")
+              (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+          in
+          {
+            "=/.well-known/matrix/server".extraConfig = ''
+              ${parentHeaders}
+              add_header Content-Type application/json;
+              return 200 '${builtins.toJSON {
+                "m.server" = "${matrixDomain}:443";
+                }}';
+            '';
+            "=/.well-known/matrix/client".extraConfig = ''
+              ${parentHeaders}
+              add_header Content-Type application/json;
+              add_header Access-Control-Allow-Origin *;
+              return 200 '${builtins.toJSON {
+                "m.homeserver"."base_url" = "https://${matrixDomain}";
+              }}';
+            '';
+          };
+      };
+    };
+  };
+}