diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 475bab1..e44fce2 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -207,6 +207,12 @@ in {
 };
 allow_guest_access = false;
+
+ # MSC4190: device management for appservices (required for encrypted bridges with MAS)
+ experimental_features = {
+ msc4190_enabled = true;
+ msc3202_device_masquerading = true;
+ };
 };
 };
@@ -284,6 +290,18 @@ in {
 locations."/_synapse/client".proxyPass = "http://[::1]:8008";
 };
+ # Internal proxy for bridges: routes login/auth to MAS, everything else to Synapse.
+ # Bridges connect here instead of directly to Synapse, which no longer serves
+ # /_matrix/client/v3/login when MAS is enabled.
+ services.nginx.virtualHosts."matrix-internal" = {
+ listen = [{ addr = "127.0.0.1"; port = 8009; }];
+ locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
+ locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+
 #
 # Mautrix bridges (using NixOS modules)
 # Modules handle users, groups, registration files, Synapse integration,
@@ -297,7 +315,7 @@ in {
 environmentFile = config.sops.secrets.mautrix-whatsapp-env.path;
 settings = {
 homeserver = {
- address = "http://[::1]:8008";
+ address = "http://127.0.0.1:8009";
 domain = "cloonar.com";
 };
 bridge = {
@@ -311,6 +329,7 @@ in {
 default = true;
 require = true;
 pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
+ msc4190 = true;
 };
 };
 };
@@ -322,7 +341,7 @@ in {
 environmentFile = config.sops.secrets.mautrix-signal-env.path;
 settings = {
 homeserver = {
- address = "http://[::1]:8008";
+ address = "http://127.0.0.1:8009";
 domain = "cloonar.com";
 };
 bridge = {
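Review bot: `experimental_features` is Synapse's unstable configuration section, so `msc4190_enabled` and `msc3202_device_masquerading` may be renamed or dropped on a Synapse upgrade, and with masquerading on, every registered appservice can attach an arbitrary `device_id` to requests for users in its namespace — neither consequence is stated in the new comment. I would extend it to `# Unstable Synapse flags (may change across upgrades). msc3202 lets ANY registered appservice choose device_ids for its namespaced users — only register trusted bridges here.` As far as I recall Synapse also only honours MSC4190 for appservices whose registration file carries `io.element.msc4190: true`; those files are generated outside this hunk, so it is worth confirming they include it. The enclosing Synapse settings block begins and ends outside the hunk.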
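Review bot: The three MAS routes in `matrix-internal` are `$`-anchored and list only `(r0|v3)`, so other API versions (`v1`, `unstable`) and sub-paths such as `/login/sso/redirect` fall through to the `/_matrix` prefix location and reach Synapse, which the comment itself says no longer serves login; the MAS deployment guide routes `^/_matrix/client/(.*)/(login|logout|refresh)` instead. For the bridges this narrower set is probably enough, but either a comment saying the vhost is deliberately minimal or a single widened rule, `locations."~ ^/_matrix/client/(.*)/(login|logout|refresh)".proxyPass = "http://127.0.0.1:8081";`, would save the next reader a debugging session. The loopback bind on `127.0.0.1:8009` is the only access control here, which is acceptable only because every bridge request carries an appservice token; I would say so explicitly: `# No auth on this vhost: loopback-only, bridges authenticate with their as_token.` Whether `recommendedProxySettings` (the Host/X-Forwarded-* headers MAS expects behind a proxy) is enabled for this nginx is not visible in the hunk.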
@@ -336,6 +355,7 @@ in {
 default = true;
 require = true;
 pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
+ msc4190 = true;
 };
 matrix.sync_direct_chat_list = true;
 };
@@ -348,7 +368,7 @@ in {
 environmentFile = config.sops.secrets.mautrix-discord-env.path;
 settings = {
 homeserver = {
- address = "http://[::1]:8008";
+ address = "http://127.0.0.1:8009";
 domain = "cloonar.com";
 };
 bridge = {
@@ -368,6 +388,7 @@ in {
 default = true;
 require = true;
 pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
+ msc4190 = true;
 };
 };
 };
diff --git a/hosts/web-arm/sites/cloonar.com.nix b/hosts/web-arm/sites/cloonar.com.nix
index e11af1a..5aac37c 100644
--- a/hosts/web-arm/sites/cloonar.com.nix
+++ b/hosts/web-arm/sites/cloonar.com.nix
@@ -2,6 +2,15 @@ let
 domain = config.networking.domain;
 dataDir = "/var/www/${domain}";
+ # Matrix well-known for homeserver and auth issuer discovery
+ matrixClientConfig = {
+ "m.homeserver".base_url = "https://matrix.cloonar.com";
+ "org.matrix.msc2965.authentication" = {
+ issuer = "https://matrix.cloonar.com/";
+ account = "https://matrix.cloonar.com/account";
+ };
+ };
+ matrixServerConfig."m.server" = "matrix.cloonar.com:443";
 in {
 services.webstack.instances."${domain}" = {
@@ -15,6 +24,18 @@ in {
 index index.html;
 '';
+ # Matrix well-known endpoints for server/client discovery
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON matrixServerConfig}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON matrixClientConfig}';
+ '';
+
 locations."~* \.(jpe?g|png)$".extraConfig = ''
 set $img_format Z;
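Review bot: The `issuer` value in `matrixClientConfig` must be byte-identical to the `issuer` MAS advertises in its own `/.well-known/openid-configuration` — clients compare the two strings exactly (RFC 8414 §3.3), and a trailing-slash mismatch alone is enough to break login. MAS's `http.public_base`/issuer setting is not part of this diff, so please confirm it is `https://matrix.cloonar.com/` with the slash, and pin the dependency in the comment: `# issuer MUST match MAS http.public_base exactly (including the trailing slash).` The `let` block this hunk edits continues past the hunk.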
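Review bot: An `add_header` inside a `location` block stops nginx from inheriting any `add_header` directives set at the enclosing `server`/`http` level, so if the `services.webstack` instance emits HSTS or other security headers there, the two `/.well-known/matrix/*` responses will be served without them; the rest of the instance config is outside this hunk, so this needs checking. If it does, either re-declare those headers inside both locations or record the trade-off: `# add_header here suppresses server-level headers; acceptable for these public, static JSON documents.` The wildcard `Access-Control-Allow-Origin` itself is what the Matrix spec expects for well-known lookups and is fine for a static response.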