From 3a4c268f016bb1dc61d398239bbd112ecd888d00 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics <dominik.polakovics@cloonar.com>
Date: Thu, 19 Mar 2026 14:34:32 +0100
Subject: [PATCH] fix: matrix proxy

---
 hosts/fw/modules/web/matrix.nix | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index bb249b2..967a6b1 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -356,9 +356,9 @@ in {
     forceSSL = true;
     enableACME = true;
     acmeRoot = null;
-    locations."/".extraConfig = ''
-      return 404;
-    '';
+    # Default: proxy to MAS for all its routes (/login, /register, /account,
+    # /device, /link, /consent, /authorize, /oauth2, /assets, /graphql, etc.)
+    locations."/".proxyPass = "http://127.0.0.1:8081";
     locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
     locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 
@@ -367,23 +367,6 @@ in {
     locations."~ ^/_matrix/client/(r0|v3)/logout".proxyPass = "http://127.0.0.1:8081";
     locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
 
-    # MAS own endpoints
-    locations."/authorize".proxyPass = "http://127.0.0.1:8081";
-    locations."/oauth2".proxyPass = "http://127.0.0.1:8081";
-    locations."/.well-known/openid-configuration".proxyPass = "http://127.0.0.1:8081";
-    locations."/.well-known/webfinger".proxyPass = "http://127.0.0.1:8081";
-    locations."/assets".proxyPass = "http://127.0.0.1:8081";
-    locations."/graphql".proxyPass = "http://127.0.0.1:8081";
-    locations."/account".proxyPass = "http://127.0.0.1:8081";
-    locations."/upstream".proxyPass = "http://127.0.0.1:8081";
-    locations."/register".proxyPass = "http://127.0.0.1:8081";
-    locations."/consent".proxyPass = "http://127.0.0.1:8081";
-    locations."/recovery".proxyPass = "http://127.0.0.1:8081";
-    locations."/login".proxyPass = "http://127.0.0.1:8081";
-    locations."/change-password".proxyPass = "http://127.0.0.1:8081";
-    locations."/complete-compat-sso".proxyPass = "http://127.0.0.1:8081";
-    locations."/logout".proxyPass = "http://127.0.0.1:8081";
-
     # LiveKit JWT service for MatrixRTC
     locations."^~ /livekit/jwt/" = {
       proxyPass = "http://127.0.0.1:8082/";