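{ config, tools, pkgs, ... }:
let
  # Synapse runs in the LXC container named "matrix"; the container name also
  # serves as the Postgres role name and database name further down.
  container = "matrix";
  hostname = tools.build_hostname container;
  # Matrix ID of the master account; it is granted server-admin rights below.
  admin_handle = "@${config.globals.master.login}:${hostname}";
  db_host = tools.build_hostname "db";
  auth_host = tools.build_hostname "auth";
  db_pass = config.my-lxc.matrix.db.password;
  # NOTE(review): db_pass and every value read from this secrets file are
  # interpolated into `settings`, which the NixOS module renders into the
  # generated homeserver.yaml inside the Nix store — a world-readable location.
  # Secret-bearing keys (database password, MAS/JWT/OIDC secrets) are better
  # supplied through `services.matrix-synapse.extraConfigFiles` pointing at a
  # root-only file that is provisioned outside the store.
  sec = import ../config/_matrix_secrets.nix;
in
{
  environment = {
    # Grafana Alloy pipeline shipping the matrix-synapse journal, built from the
    # shared journal-logger template with Synapse-specific parsing stages.
    #
    # NOTE(review): the capture-group names in the regex below were missing in
    # the reviewed copy (bare `(?P...)` is not valid RE2 and Alloy rejects it);
    # they are reconstructed from the keys the labels/output stages consume.
    # Confirm the facility/worker assignment against the Synapse log format
    # actually in use (NixOS defaults to "%(name)s: [%(request)s] %(message)s").
    etc."alloy/logs-synapse.alloy".text =
      (import ./alloy/default-journal-logger.alloy.nix {
        inherit tools container;
        service = "matrix-synapse";
        additional_stages = ''
          stage.regex {
            expression = "^(?P<facility>\\S+): \\[(?P<worker>[^\\]]+)\\] (?P<message>.*)$"
          }
          stage.labels {
            values = {
              facility = "",
              worker = "",
            }
          }
          stage.output {
            source = "message"
          }
        '';
      }).out;
  };

  services.matrix-synapse = {
    enable = true;
    extras = [ "oidc" "postgres" "systemd" "url-preview" ];

    settings = {
      admin_users = [ admin_handle ];
      # Metrics are enabled, but no listener below exposes a "metrics" resource,
      # so nothing is served unless a dedicated metrics listener is added.
      enable_metrics = true;
      server_name = hostname;

      database = {
        name = "psycopg2";
        args = {
          user = container;
          password = db_pass;
          database = container;
          host = db_host;
          port = 5432;
          cp_min = 5;
          cp_max = 10;
        };
        # Skips Synapse's check that the database uses the C collation/ctype.
        # Only safe if the database was created with the locale Synapse
        # expects; otherwise index corruption can occur after a glibc upgrade.
        allow_unsafe_locale = true;
      };

      listeners = [
        {
          # Plain HTTP on all container interfaces; TLS is terminated by the
          # upstream reverse proxy. Because x_forwarded is set, Synapse trusts
          # X-Forwarded-For from whoever reaches this port, so 8008 must only be
          # reachable from that proxy — otherwise client IPs used for rate
          # limiting and audit logging can be spoofed.
          bind_addresses = [ "0.0.0.0" ];
          port = 8008;
          resources = [
            {
              compress = true;
              names = [ "client" "federation" ];
            }
          ];
          tls = false;
          type = "http";
          x_forwarded = true;
        }
      ];

      # Delegates authentication to a matrix-authentication-service instance
      # running alongside Synapse in this container (plain HTTP on localhost).
      matrix-authentication-service = {
        enable = true;
        endpoint = "http://localhost:8080/";
        secret = sec.mas_secret;
      };

      # NOTE(review): with MAS delegation active, Synapse's own jwt_config and
      # oidc_providers may be ignored or rejected at startup — confirm whether
      # both blocks below are still needed.
      jwt_config = {
        enabled = true;
        secret = sec.jwt_secret;
        algorithm = sec.jwt_algo;
      };

      oidc_providers = [
        {
          idp_id = "authentik";
          idp_name = "authentik";
          discover = true;
          issuer = "https://${auth_host}/application/o/chat/";
          client_id = sec.oidc_client_id;
          client_secret = sec.oidc_client_secret;
          scopes = [ "openid" "profile" "email" ];
          user_mapping_provider.config = {
            # The Matrix localpart is derived from the IdP's preferred_username;
            # that claim must be unique and immutable on the authentik side,
            # since a change would map the user to a different Matrix account.
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
          };
        }
      ];
    };
  };
}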