From c377598d5ccd827bc4a101a09f5a4be298e58665 Mon Sep 17 00:00:00 2001
From: andromeda
Date: Tue, 13 Jan 2026 06:16:27 +0100
Subject: [PATCH] conduit setup?

---
 machines.nix | 4 ++
 modules/nixos/matrix-conduit.nix | 81 +++++++++++++++++++++++++++++---
 2 files changed, 79 insertions(+), 6 deletions(-)

diff --git a/machines.nix b/machines.nix
index 4c63f53..6d64a80 100644
--- a/machines.nix
+++ b/machines.nix
@@ -69,6 +69,10 @@
   # webmail.domain
   ./modules/nixos/roundcube.nix
 
+  # matrix homeserver
+  # matrix.domain
+  ./modules/nixos/matrix-conduit.nix
+
   # BROKEN
   # forgejo
   # git.domain
diff --git a/modules/nixos/matrix-conduit.nix b/modules/nixos/matrix-conduit.nix
index 595d48c..726f377 100644
--- a/modules/nixos/matrix-conduit.nix
+++ b/modules/nixos/matrix-conduit.nix
@@ -1,13 +1,82 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: let
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "matrix.${config.services.matrix-conduit.settings.global.server_name}"
+    }
+  '';
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://matrix.${config.services.matrix-conduit.settings.global.server_name}"
+      }
+  '';
+in {
   services.matrix-conduit = {
     enable = true;
     settings.global = {
       server_name = "${config.networking.domain}";
-      address = "localhost";
-      database_backend = "rocksdb";
-      allow_registration = true;
-      allow_federation = true;
     };
-    secretFile = config.age.secrets.conduit-secretFile.path;
   };
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "matrix.${config.services.matrix-conduit.settings.global.server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+        extraConfig = ''
+          merge_slashes off;
+        '';
+      };
+      "${config.services.matrix-conduit.settings.global.server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/.well-known/matrix/server" = {
+          alias = "${well_known_server}";
+          extraConfig = ''
+            default_type application/json;
+          '';
+        };
+        locations."/.well-known/matrix/client" = {
+          alias = "${well_known_client}";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin "";
+          '';
+        };
+      };
+    };
+    upstreams = {
+      backend-conduit = {
+        servers = {
+          "localhost:${builtins.toString config.services.matrix-conduit.settings.global.port}" = {};
+        };
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [8448];
+  networking.firewall.allowedUDPPorts = [8448];
 }
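Review bot: The `well_known_client` body is not valid JSON: it closes the inner `"m.homeserver"` object but never closes the outer one (only a single `}` precedes the `''`), so `/.well-known/matrix/client` will fail to parse and client-side homeserver discovery breaks. The `/_matrix/` location proxies to `http://backend_conduit$request_uri` while the upstream is declared as `backend-conduit`; nginx will not match the underscored name to the hyphenated upstream and will instead try to resolve `backend_conduit` as a host, which I expect to fail at config load. `add_header Access-Control-Allow-Origin "";` emits an empty allow-list, whereas the client well-known document is meant to be fetchable cross-origin by web clients, so `"*"` is the conventional value for that one location. Matrix federation on 8448 is HTTPS over TCP, so `networking.firewall.allowedUDPPorts = [8448];` opens a port nothing listens on and should be dropped in line with least exposure.
```nix
  well_known_client = pkgs.writeText "well-known-matrix-client" ''
    {
      "m.homeserver": {
        "base_url": "https://matrix.${config.services.matrix-conduit.settings.global.server_name}"
      }
    }
  '';
  # … unchanged: conduit settings, nginx enable, matrix vhost listen/acme …
          proxyPass = "http://backend-conduit$request_uri";
  # … unchanged: rest of the matrix vhost, server well-known location …
            add_header Access-Control-Allow-Origin "*";
  # … unchanged: upstreams …
  networking.firewall.allowedTCPPorts = [8448];
```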