Expose matrix admin api on management VPN

2026-01-18 17:56:04 +01:00 · 2026-01-18 17:56:04 +01:00 · 4bfcfe355c
commit 4bfcfe355c
parent 8fe546c3fe
1 changed files with 25 additions and 2 deletions
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@ -34,6 +34,19 @@
              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
            '';
          };
+          "~ ^/_synapse/admin" = {
+            # Only proxy to the local host on IPv4, because localhost doesn't seem to work
+            # even if matrix-synapse is listening on ::1 as well.
+            proxyPass = "http://127.0.0.1:8008";
+            extraConfig = ''
+              # Restrict access to admin API.
+              allow 172.21.87.0/24; # management VPN
+              deny all;
+              # Nginx by default only allows file uploads up to 1M in size
+              # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+            '';
+          };
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;
@ -51,8 +64,18 @@
            port = 80;
          }
        ];
-        locations."/" = {
-          proxyPass = "http://localhost:8080";
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:8080";
+          };
+          "~ ^/api/admin" = {
+            proxyPass = "http://localhost:8082";
+            extraConfig = ''
+              # Restrict access to admin API.
+              allow 172.21.87.0/24; # management VPN
+              deny all;
+            '';
+          };
        };
        extraConfig = ''
          listen 0.0.0.0:8443 http2 ssl proxy_protocol;