bonfire/nixosConfigurations/catarina/services/matrix.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  services.conduit = {
    enable = true;
    settings.global = {
      allow_registration = true;
      server_name = "elnafo.ru";
      address = "127.0.0.1";
      database_backend = "sqlite";
      well_known.client = "https://matrix.elnafo.ru";
      well_known.server = "matrix.elnafo.ru:443";
      turn_uris = ["turn:elnafo.ru?transport=udp" "turn:elnafo.ru?transport=tcp"];
    };
    turn_secret_file = config.sops.secrets.turn-secret.path;
  };

  services.nginx = {
    virtualHosts."matrix.elnafo.ru" = {
      forceSSL = true;
      http2 = true;
      useACMEHost = "elnafo.ru";
      locations."/" = {
        proxyPass = "http://127.0.0.1:6167";
        extraConfig = ''
          proxy_http_version 1.0;
          client_max_body_size 50M;
        '';
      };
    };
    virtualHosts."element.elnafo.ru" = {
      forceSSL = true;
      http2 = true;
      useACMEHost = "elnafo.ru";
      root = pkgs.element-web.override {
        conf = {
          default_theme = "dark";
          default_server_name = "https://matrix.elnafo.ru";
          brand = "Elnafo Matrix";
          permalink_prefix = "https://element.elnafo.ru";
        };
      };
    };
    virtualHosts."matrix-federation" = {
      serverName = "elnafo.ru";
      forceSSL = true;
      useACMEHost = "elnafo.ru";
      listen = [
        {
          port = 8448;
          addr = "0.0.0.0";
          ssl = true;
        }
        {
          port = 443;
          addr = "0.0.0.0";
          ssl = true;
        }
      ];
      locations."~ ^/(_matrix|.well_known)" = {
        proxyPass = "http://127.0.0.1:6167";
        extraConfig = ''
          proxy_http_version 1.0;
          client_max_body_size 50M;
        '';
      };
    };
  };

  services.coturn = rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn-secret.path;
    realm = "elnafo.ru";
    cert = "${config.security.acme.certs."elnafo.ru".directory}/full.pem";
    pkey = "${config.security.acme.certs."elnafo.ru".directory}/key.pem";
    extraConfig = ''
      # for debugging
      verbose
      # ban private IP ranges
      no-multicast-peers

    '';
  };

  networking.firewall = {
    allowedUDPPortRanges = lib.singleton {
      from = config.services.coturn.min-port;
      to = config.services.coturn.max-port;
    };
    allowedUDPPorts = [3478 5349];
    allowedTCPPorts = [8448 3478 5349];
  };
}