diff --git a/config/hosts/matrix/mas.nix b/config/hosts/matrix/mas.nix index 4fd4963..0b8c98a 100644 --- a/config/hosts/matrix/mas.nix +++ b/config/hosts/matrix/mas.nix @@ -33,6 +33,17 @@ let }]; proxy_protocol = false; } + { + name = "admin"; + resources = [{ + name = "adminapi"; + }]; + binds = [{ + host = "localhost"; + port = 8082; + }]; + proxy_protocol = false; + } ]; trusted_proxies = [ "127.0.0.1/8" diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index bb7883b..5a4f716 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -65,6 +65,24 @@ ''; }; + locations."~ ^/_synapse/admin" = { + # Only proxy to the local host on IPv4, because localhost doesn't seem to work + # even if matrix-synapse is listening on ::1 as well. + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Restrict access to admin API. + allow 185.161.129.132/32; # z9 + allow 2a07:c480:0:100::/56; # z9 + allow 2a07:c481:1::/48; # z9 new ipv6 + allow 213.240.180.39/32; # stbe home + allow 2a01:170:118b::1/64; # stbe home + deny all; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy 
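Review bot: The new `admin` listener in `mas.nix` serves the `adminapi` resource but has no comment saying how it is meant to be reached. Binding to `localhost:8082` keeps it off the network, yet every local process can still connect, so on the host itself it is protected only by whatever authentication the admin API enforces. I would add a comment above the block such as `# Admin API listener; exposed only through the nginx /api/admin location, which applies the IP allowlist`. The listener list and `trusted_proxies` both continue outside the hunk, so I cannot tell whether `::1` is trusted alongside `"127.0.0.1/8"`. That would matter for client-address attribution in logs if nginx reaches `localhost` over IPv6.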
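Review bot: The `allow`/`deny` list in the `/_synapse/admin` location is checked against `$remote_addr`, which the server-level `extraConfig` right after it rewrites through ngx_http_realip_module, so the allowlist is only as strong as the realip trust settings. Those directives are outside the hunk; please confirm that the real-IP source is accepted only from the actual front proxy, otherwise the address compared against the `allow` lines is not one the server can vouch for. The same dependency applies to the `/api/admin` location added in the next hunk. Separately, `allow 2a01:170:118b::1/64;` has host bits set under a /64 prefix; writing it as `allow 2a01:170:118b::/64;` states the intended range and avoids nginx's warning about meaningless low address bits.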
@@ -94,6 +112,19 @@ proxyPass = "http://localhost:8080"; }; + locations."~ ^/api/admin" = { + proxyPass = "http://localhost:8082"; + extraConfig = '' + # Restrict access to admin API. + allow 185.161.129.132/32; # z9 + allow 2a07:c480:0:100::/56; # z9 + allow 2a07:c481:1::/48; # z9 new ipv6 + allow 213.240.180.39/32; # stbe home + allow 2a01:170:118b::1/64; # stbe home + deny all; + ''; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy
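Review bot: The allowlist in the `/api/admin` location is a second verbatim copy of the one in the `/_synapse/admin` location from the same commit, so a later change to one list can silently leave the other admin endpoint open to a stale address. Define the `allow … deny all;` lines once in a `let` binding, for example `adminAllowlist`, and interpolate `${adminAllowlist}` into both `extraConfig` strings. Both are regex locations, and the order of regex locations in the generated nginx config follows the NixOS `priority` option rather than file order. If the enclosing vhost, which is outside the hunk, has another regex location that could match `/api/admin`, give this one a lower `priority` value so the restricted block is evaluated first.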