From 80fe8c2641d5e727fb1b2486ba43456709ffa091 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 4 Mar 2026 13:44:05 +0100
Subject: [PATCH] fix: matrix auth routes
---
 hosts/fw/modules/web/matrix.nix | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 4d0db10..bb249b2 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -363,8 +363,8 @@ in {
 locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 # MAS compatibility endpoints (must be before /_matrix catch-all)
- locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
- locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/login".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/logout".proxyPass = "http://127.0.0.1:8081";
 locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
 # MAS own endpoints
@@ -381,6 +381,8 @@ in {
 locations."/recovery".proxyPass = "http://127.0.0.1:8081";
 locations."/login".proxyPass = "http://127.0.0.1:8081";
 locations."/change-password".proxyPass = "http://127.0.0.1:8081";
+ locations."/complete-compat-sso".proxyPass = "http://127.0.0.1:8081";
+ locations."/logout".proxyPass = "http://127.0.0.1:8081";
 # LiveKit JWT service for MatrixRTC
 locations."^~ /livekit/jwt/" = {
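Review bot: With the `$` anchor dropped, the `login` and `logout` regex locations in the first hunk (`@@ -363,8 +363,8 @@`) match any URI that merely starts with that prefix, so a path such as `/_matrix/client/v3/loginX` is proxied to 127.0.0.1:8081 instead of falling through to the `/_matrix` catch-all. If the intent is to cover sub-paths under login and logout, bounding the pattern at a path segment keeps that while rejecting look-alike prefixes: `locations."~ ^/_matrix/client/(r0|v3)/login(/|$)".proxyPass = "http://127.0.0.1:8081";`, and the same for `logout`. The identical change in the `matrix-internal` virtual host (`@@ -407,8 +417,8 @@`) has the same issue, and `refresh` stays anchored, so the three rules are now inconsistent. The enclosing virtual host block starts outside the hunk.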
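Review bot: The two locations added in the second hunk (`@@ -381,6 +381,8 @@`), `/complete-compat-sso` and `/logout`, are nginx prefix matches, so every URI beginning with those strings is forwarded to MAS. If each is a single endpoint, which cannot be confirmed from the hunk, an exact match is the tighter rule: `locations."= /logout".proxyPass = "http://127.0.0.1:8081";`. The neighbouring `/login` and `/change-password` lines use the same prefix form, so this may be better done for the whole group at once.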
@@ -399,7 +401,15 @@ in {
 # Synapse endpoints
 locations."/_matrix".proxyPass = "http://[::1]:8008";
- locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ locations."/_synapse/client" = {
+ proxyPass = "http://[::1]:8008";
+ extraConfig = ''
+ # MSC4108 rendezvous relies on strong ETag comparison;
+ # gzip can break it, so disable compression here.
+ gzip off;
+ '';
+ };
+ locations."/_synapse/mas".proxyPass = "http://[::1]:8008";
 };
 # Internal proxy for bridges: routes login/auth to MAS, everything else to Synapse.
@@ -407,8 +417,8 @@ in {
 # /_matrix/client/v3/login when MAS is enabled.
 services.nginx.virtualHosts."matrix-internal" = {
 listen = [{ addr = "127.0.0.1"; port = 8009; }];
- locations."~ ^/_matrix/client/(r0|v3)/login$".proxyPass = "http://127.0.0.1:8081";
- locations."~ ^/_matrix/client/(r0|v3)/logout$".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/login".proxyPass = "http://127.0.0.1:8081";
+ locations."~ ^/_matrix/client/(r0|v3)/logout".proxyPass = "http://127.0.0.1:8081";
 locations."~ ^/_matrix/client/(r0|v3)/refresh$".proxyPass = "http://127.0.0.1:8081";
 locations."/_matrix".proxyPass = "http://[::1]:8008";
 locations."/_synapse/client".proxyPass = "http://[::1]:8008";
@@ -444,6 +454,7 @@ in {
 allow = true;
 default = true;
 require = true;
+ self_sign = true;
 pickle_key = "$MAUTRIX_WHATSAPP_PICKLE_KEY";
 msc4190 = true;
 };
@@ -474,6 +485,7 @@ in {
 allow = true;
 default = true;
 require = true;
+ self_sign = true;
 pickle_key = "$MAUTRIX_SIGNAL_PICKLE_KEY";
 msc4190 = true;
 };
@@ -520,6 +532,7 @@ in {
 allow = true;
 default = true;
 require = true;
+ self_sign = true;
 pickle_key = "$MAUTRIX_DISCORD_PICKLE_KEY";
 msc4190 = true;
 };
@@ -610,6 +623,7 @@ in {
 allow = true;
 default = true;
 require = true;
+ self_sign = true;
 pickle_key = "$MAUTRIX_MATTERMOST_PICKLE_KEY";
 msc4190 = true;
 };
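Review bot: The new `locations."/_synapse/mas"` line in the hunk at `@@ -399,7 +401,15 @@` exposes that path on what appears to be the same virtual host that serves `/.well-known/matrix/client`, which is presumably the public one. The name suggests this is the interface MAS uses to talk to Synapse; if only the local MAS process needs it, restrict it instead of proxying it for every client, for example by turning it into an attribute set carrying `extraConfig = "allow 127.0.0.1; allow ::1; deny all;";`, or by adding the route to the `matrix-internal` virtual host only. Separately, `gzip off;` now applies to all of `/_synapse/client` although the comment names only the MSC4108 rendezvous, so a location scoped to the rendezvous path would keep compression for the rest. The virtual host block starts outside the hunk.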
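Review bot: `self_sign = true;` is added to four bridge encryption blocks (`@@ -444,6 +454,7 @@` for WhatsApp, then the Signal, Discord and Mattermost hunks after it) without a comment, and the commit subject mentions only auth routes. As far as I know this mautrix option makes the bridge bot generate cross-signing keys and a recovery key and verify its own device, with the recovery key kept in the bridge database, which would make those databases and their backups more sensitive; please confirm against the bridge documentation. I would add a comment above each line, such as `# bridge bot cross-signs its own device; recovery key is stored in the bridge DB`, or define the shared encryption settings once and reuse them in all four bridges. Each encryption block starts outside its hunk.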