fix: mautrix bridges

hosts/fw/modules/web/matrix.nix

@@ -207,6 +207,12 @@ in {
       };
 
       allow_guest_access = false;
+
+      # MSC4190: device management for appservices (required for encrypted bridges with MAS)
+      experimental_features = {
+        msc4190_enabled = true;
+        msc3202_device_masquerading = true;
+      };
     };
   };
 
@@ -284,6 +290,18 @@ in {
     locations."/_synapse/client".proxyPass = "http://[::1]:8008";
   };
 
+  # Internal proxy for bridges: routes login/auth to MAS, everything else to Synapse.
+  # Bridges connect here instead of directly to Synapse, which no longer serves
+  # /_matrix/client/v3/login when MAS is enabled.
+  services.nginx.virtualHosts."matrix-internal" = {
+    listen = [{ addr = "127.0.0.1"; port = 8009; }];
+    locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+    locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
+    locations."/_matrix".proxyPass = "http://[::1]:8008";
+    locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+  };
+
   #
   # Mautrix bridges (using NixOS modules)
   # Modules handle users, groups, registration files, Synapse integration,
@@ -297,7 +315,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-whatsapp-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -311,6 +329,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
+        msc4190 = true;
       };
     };
   };
@@ -322,7 +341,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-signal-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -336,6 +355,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
+        msc4190 = true;
       };
       matrix.sync_direct_chat_list = true;
     };
@@ -348,7 +368,7 @@ in {
     environmentFile = config.sops.secrets.mautrix-discord-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -368,6 +388,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
+        msc4190 = true;
       };
     };
   };

hosts/web-arm/sites/cloonar.com.nix

@@ -2,6 +2,15 @@
 let
   domain = config.networking.domain;
   dataDir = "/var/www/${domain}";
+  # Matrix well-known for homeserver and auth issuer discovery
+  matrixClientConfig = {
+    "m.homeserver".base_url = "https://matrix.cloonar.com";
+    "org.matrix.msc2965.authentication" = {
+      issuer = "https://matrix.cloonar.com/";
+      account = "https://matrix.cloonar.com/account";
+    };
+  };
+  matrixServerConfig."m.server" = "matrix.cloonar.com:443";
 in {
 
   services.webstack.instances."${domain}" = {
@@ -15,6 +24,18 @@ in {
       index index.html;
     '';
 
+    # Matrix well-known endpoints for server/client discovery
+    locations."= /.well-known/matrix/server".extraConfig = ''
+      default_type application/json;
+      add_header Access-Control-Allow-Origin *;
+      return 200 '${builtins.toJSON matrixServerConfig}';
+    '';
+    locations."= /.well-known/matrix/client".extraConfig = ''
+      default_type application/json;
+      add_header Access-Control-Allow-Origin *;
+      return 200 '${builtins.toJSON matrixClientConfig}';
+    '';
+
     locations."~* \.(jpe?g|png)$".extraConfig = ''
       set $img_format Z;