diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index 9e04e27..563f3ad 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -34,7 +34,7 @@ in {
 enable = true;
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
- recommendedGzipSettings = true;
+ recommendedGzipSettings = false;
 recommendedProxySettings = true;
 # Hardened TLS and HSTS preloading
@@ -47,7 +47,7 @@ in {
 add_header Strict-Transport-Security $hsts_header;
 # Enable CSP for your services.
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 # Minimize information leaked to other domains
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
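Review bot: The flip of `recommendedGzipSettings` to `false` carries no comment saying why, so the next reader tuning performance is likely to turn it back on. If the intent is to stop compressing dynamic, authenticated responses that travel over TLS (the common reason to disable gzip on a reverse proxy in front of a homeserver, since compression of secret-bearing responses is a known side channel), record it next to the line: `# gzip deliberately off: do not compress authenticated responses over TLS (compression side channels)`. That motive is inferred from the line alone; confirm it before wording the comment. The enclosing `services.nginx` attribute set starts before this hunk.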
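Review bot: The now-active Content-Security-Policy constrains only `script-src`, `object-src` and `base-uri`; with no `default-src` there is no limit on style, image, font or fetch destinations, and with no `frame-ancestors` clickjacking protection rests on an `X-Frame-Options` header that is not visible in this hunk. Because the header sits beside the HSTS header in what looks like configuration shared by every vhost (the block opens before the hunk), any proxied UI that relies on inline scripts is blocked from this commit on — the `/` location in the later hunk proxies an unnamed service on port 4321, which I cannot check from here. If nothing is meant to be embedded in a frame, `add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none';" always;` closes that gap, and a short comment above it naming which services were verified against the policy would help the next person who needs to loosen it. Keep in mind that nginx does not inherit `add_header` into any `location` that declares its own `add_header`, so such a location silently drops the CSP.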
@@ -73,26 +73,28 @@ in {
 "${fqdn}" = {
 enableACME = true;
 forceSSL = true;
- # This section is not needed if the server_name of matrix-synapse is equal to
- # the domain (i.e. example.org from @foo:example.org) and the federation port
- # is 8448.
- # Further reference can be found in the docs about delegation under
- # https://element-hq.github.io/synapse/latest/delegate.html
- locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
- # Further reference can be found in the upstream docs at
- # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
- locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- # It's also possible to do a redirect here or something else, this vhost is not
- # needed for Matrix. It's recommended though to *not put* element
- # here, see also the section about Element.
- locations."/".proxyPass = "http://127.0.0.1:4321";
- # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
- # *must not* be used here.
- locations."/_matrix".proxyPass = "http://[::1]:8008";
- # Forward requests for e.g. SSO and password-resets.
- locations."/_synapse/client".proxyPass = "http://[::1]:8008";
- locations."wp-login.php".return = "301 https://hil-speed.hetzner.com/10GB.bin";
+ locations = {
+ # This section is not needed if the server_name of matrix-synapse is equal to
+ # the domain (i.e. example.org from @foo:example.org) and the federation port
+ # is 8448.
+ # Further reference can be found in the docs about delegation under
+ # https://element-hq.github.io/synapse/latest/delegate.html
+ "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+ # Further reference can be found in the upstream docs at
+ # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+ "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ # It's also possible to do a redirect here or something else, this vhost is not
+ # needed for Matrix. It's recommended though to *not put* element
+ # here, see also the section about Element.
+ "/".proxyPass = "http://127.0.0.1:4321";
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ "/_matrix".proxyPass = "http://[::1]:8008";
+ # Forward requests for e.g. SSO and password-resets.
+ "/_synapse/client".proxyPass = "http://[::1]:8008";
+ "wp-login.php".return = "301 https://hil-speed.hetzner.com/10GB.bin";
+ };
 };
 };
 };
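Review bot: The `"wp-login.php"` key, last entry of the new `locations` block, is an nginx prefix location, and nginx compares prefixes against the request path, which always starts with `/`; a request for `/wp-login.php` therefore never selects this location and the `return` is dead configuration. The restructuring carries the key over unchanged from the removed lines, so this is a good moment to fix it: `"= /wp-login.php".return = "301 https://hil-speed.hetzner.com/10GB.bin";` gives an exact-match location that fires for that path (nginx ignores the query string when selecting a location, so no regex is needed). A one-line comment above it stating that the entry is a deliberate tarpit for scanners would stop a future cleanup from treating the odd target URL as a mistake. Minor style point: `/` proxies to `127.0.0.1:4321` while the Synapse locations use `[::1]:8008`; if both services listen on both loopback families, picking one form keeps the block uniform.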