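# NixOps configuration for the hosts running a Matrix server (synapse)
#
# Layout: synapse listens on localhost only (::1, port 8008); nginx terminates
# TLS on 443 for clients and federation alike and proxies /_matrix to synapse.
# The .well-known files advertise port 443 so no separate federation port
# (8448) is needed. Certificates come from ACME via nginx's HTTP-01 webroot
# challenge, so port 80 must be reachable as well as 443.
{ config, pkgs, lib, ... }:

{
  services = {
    matrix-synapse = {
      enable = true; # Enable the synapse server
      server_name = "mcwhirter.io"; # Server's public domain name
      public_baseurl = "https://mcwhirter.io:443/"; # Matrix target URL
      web_client = true; # Whether to serve a web client
      create_local_database = true; # Whether to create a local database
      # Toggle user registration. While true, anyone who can reach port 443
      # can create an account on this homeserver; keep it only if open
      # sign-up is intended, and keep an eye on registration volume.
      enable_registration = true;
      listeners = [
        {
          bind_address = "::1"; # Listen on localhost only; nginx fronts it
          port = 8008; # Port to listen on
          resources = [
            { compress = true; names = [ "client" "webclient" ]; }
            { compress = false; names = [ "federation" ]; }
          ];
          tls = true;
          type = "http";
          # Synapse sits behind nginx, so take the client address from the
          # X-Forwarded-For header the proxy sets (recommendedProxySettings).
          x_forwarded = true;
        }
      ];
      # Same ACME certificate as nginx; readable because the cert's group is
      # matrix-synapse (see security.acme.certs below).
      tls_certificate_path = "/var/lib/acme/mcwhirter.io/fullchain.pem";
      tls_private_key_path = "/var/lib/acme/mcwhirter.io/key.pem";
    };

    nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      virtualHosts = {
        "mcwhirter.io" = {
          forceSSL = true;
          enableACME = true;
          serverAliases = [ "chat.mcwhirter.io" ];
          root = pkgs.riot-web; # Install RIOT web in the nginx root
          locations = {
            # Client and federation traffic both land here and go to synapse.
            "/_matrix" = {
              proxyPass = "https://[::1]:8008";
            };

            # Federation delegation: exact match, like the client entry below.
            "= /.well-known/matrix/server".extraConfig =
              let
                # use 443 instead of the default 8448 port to unite
                # the client-server and server-server port for simplicity
                server = {
                  "m.server" = "mcwhirter.io:443";
                };
              in ''
                add_header Content-Type application/json;
                return 200 '${builtins.toJSON server}';
              '';

            "= /.well-known/matrix/client".extraConfig =
              let
                client = {
                  "m.homeserver" = {
                    "base_url" = "https://mcwhirter.io";
                  };
                  "m.identity_server" = {
                    "base_url" = "https://vector.im";
                  };
                };
              # ACAO required to allow riot-web on any URL to request this json file
              in ''
                add_header Content-Type application/json;
                add_header Access-Control-Allow-Origin *;
                return 200 '${builtins.toJSON client}';
              '';
          };
        };
      };
    };
  };

  security.acme.certs = {
    "mcwhirter.io" = {
      # Let synapse read the key material without running as root.
      group = "matrix-synapse";
      allowKeysForGroup = true;
      # Both consumers hold the cert in memory; reload/restart on renewal.
      postRun = "systemctl reload nginx.service; systemctl restart matrix-synapse.service";
      email = "acme@mcwhirter.io";
    };
  };

  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      # HTTP: enableACME uses the HTTP-01 webroot challenge and forceSSL
      # serves the redirect on this port; no DNS challenge is configured
      # here, so issuance fails if 80 is filtered.
      80
      443 # HTTPS
    ];
  };
}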