
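{ config, ... }:
# NixOS module: libvirt guest running the Matrix stack, plus the host-side
# nginx reverse proxy and firewall openings for client (443) and federation
# (8448) traffic. The guest itself terminates nothing; TLS is handled here.
let
  # Name of the ACME certificate (from security.acme) shared by every vhost.
  cert-fqdn = "ataraxiadev.com";
  # Fixed address of the guest on the libvirt network; all proxy targets
  # point at it.
  guest-ip = "10.10.10.20";
in {
  virtualisation.libvirt.guests.debian-matrix = {
    autoStart = true;
    user = config.mainuser;
    group = "libvirtd";
    xmlFile = ./vm.xml;
  };

  # 443: client/web traffic, 8448: Matrix federation.
  # UDP is opened as well because both vhosts below enable QUIC (HTTP/3).
  networking.firewall = {
    allowedTCPPorts = [ 443 8448 ];
    allowedUDPPorts = [ 443 8448 ];
  };

  services.nginx.virtualHosts = let
    # Headers handed to the guest. X-Forwarded-For is *set*, not appended,
    # so the guest only ever sees the address nginx itself observed and
    # cannot be fed a spoofed chain by the client.
    proxySettings = ''
      client_max_body_size 50M;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
    '';
    # TLS settings shared by the matrix vhosts: reuse the wildcard/apex
    # certificate instead of requesting one per host, and redirect plain
    # HTTP to HTTPS.
    default = {
      useACMEHost = cert-fqdn;
      enableACME = false;
      forceSSL = true;
    };
  in {
    # Apex domain: only the Matrix delegation well-known files are served
    # from here; the rest of this vhost (TLS etc.) is presumably configured
    # in another module, since `default` is not merged in.
    "ataraxiadev.com" = {
      locations."/.well-known/matrix" = {
        proxyPass = "http://${guest-ip}:8080";
        extraConfig = ''
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          # The guest answers for the matrix subdomain, so rewrite the
          # apex Host header to match.
          proxy_set_header Host matrix.$host;
        '';
      };
    };

    # Client-facing vhost on 443. The attribute name is not a real hostname;
    # the served names come from serverAliases.
    "matrix:443" = {
      serverAliases = [
        "matrix.ataraxiadev.com"
        "element.ataraxiadev.com"
      ];
      listen = [{
        addr = "0.0.0.0";
        port = 443;
        ssl = true;
      } {
        addr = "[::]";
        port = 443;
        ssl = true;
      }];
      locations."/" = {
        proxyPass = "http://${guest-ip}:8080";
        extraConfig = proxySettings + ''
          proxy_set_header X-Real-IP $remote_addr;
          # required for browsers to direct them to quic port
          add_header Alt-Svc 'h3=":443"; ma=86400';
        '';
      };
      # Admin web UI: reachable only from the libvirt network and the
      # 100.64.0.0/24 range. Note that this allowlist covers the UI path
      # only; the admin HTTP API the UI talks to (under /_synapse/admin on
      # a Synapse backend, if that is what runs on the guest) is still served
      # by `locations."/"` above and relies on the backend's own admin
      # authentication — TODO confirm and restrict it here as well if needed.
      locations."/synapse-admin" = {
        proxyPass = "http://${guest-ip}:8080";
        extraConfig = proxySettings + ''
          proxy_set_header X-Real-IP $remote_addr;
          # Network addresses with zero host bits: nginx warns that
          # "low address bits ... are meaningless" for 10.10.10.1/24 and
          # 100.64.0.1/24 and silently masks them, so spell the intent out.
          allow 10.10.10.0/24;
          allow 100.64.0.0/24;
          deny all;
        '';
      };
      reuseport = true;
      quic = true;
    } // default;

    # Federation vhost on 8448; forwarded to the guest's own 8448 listener.
    "matrix:8448" = {
      serverAliases = [ "matrix.ataraxiadev.com" ];
      listen = [{
        addr = "0.0.0.0";
        port = 8448;
        ssl = true;
      } {
        addr = "[::]";
        port = 8448;
        ssl = true;
      }];
      locations."/" = {
        proxyPass = "http://${guest-ip}:8448";
        extraConfig = proxySettings + ''
          # required for browsers to direct them to quic port
          add_header Alt-Svc 'h3=":8448"; ma=86400';
        '';
      };
      reuseport = true;
      quic = true;
    } // default;
  };
}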