1 files changed, 24 insertions, 4 deletions
diff --git a/host/Rory-nginx/services/matrix/synapse/workers/module.nix b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
index 32f2095..3b6456b 100644
--- a/host/Rory-nginx/services/matrix/synapse/workers/module.nix
+++ b/host/Rory-nginx/services/matrix/synapse/workers/module.nix
@@ -33,7 +33,7 @@ in
./stream-writers/to_device-stream-writer.nix
./stream-writers/typing-stream-writer.nix
-# ./stream-writers/shared-stream-writer.nix
+ # ./stream-writers/shared-stream-writer.nix
];
options.services.matrix-synapse = {
enableWorkers = lib.mkEnableOption "Enable dedicated workers";
@@ -60,7 +60,7 @@ in
receiptStreamWriters = mkIntOption "Number of read receipt stream writers";
presenceStreamWriters = mkIntOption "Number of presence stream writers";
pushRuleStreamWriters = mkIntOption "Number of push rule stream writers";
-
+
sharedStreamWriters = mkIntOption "Number of shared stream writers";
nginxVirtualHostName = lib.mkOption {
@@ -68,6 +68,12 @@ in
default = null;
description = "The virtual host name for the nginx server";
};
+
+ allowedRemoteInviteOrigins = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ description = "List of allowed remote invite origins";
+ };
};
config = {
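Review bot: The new `allowedRemoteInviteOrigins` option accepts arbitrary strings, and the last hunk interpolates each entry unescaped into a quoted nginx `map` key, so an entry containing `"`, `;`, `$` or a leading `~` would change the generated config instead of matching a server name. Constraining the element type, for example `type = lib.types.listOf (lib.types.strMatching "[A-Za-z0-9._:-]+");` (extend the class if IPv6 literals are needed), keeps entries to server-name characters. The description could also state what the list holds and what the default means, e.g. `description = "Matrix server names, as sent in the X-Matrix origin field, that may send invites; an empty list leaves $mx_can_invite at 0 for every origin";`.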
@@ -77,7 +83,6 @@ in
message = "nginxVirtualHostName must be set when enableWorkers is true";
}
-
# Stream types and count limitations: https://github.com/element-hq/synapse/blob/develop/synapse/config/workers.py#L344
{
assertion = cfg.typingStreamWriters <= 1;
@@ -104,11 +109,26 @@ in
assertion = cfg.pushRuleStreamWriters <= 1;
message = "Only one push rule stream writer is supported";
}
-
+
{
assertion = cfg.sharedStreamWriters <= 1;
message = "Only one shared stream writer is supported";
}
];
+
+ # Matrix utility maps
+ services.nginx.appendHttpConfig = ''
+ # Map authorization header to origin name
+ map $http_authorization $mx_origin_name {
+ default "";
+ "~*X-Matrix origin=(?<origin>[^,]+)" $origin;
+ }
+
+ # Map origin name to whether it can invite
+ map $mx_origin_name $mx_can_invite {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (origin: " \"${origin}\" 1;") cfg.allowedRemoteInviteOrigins}
+ }
+ '';
};
}
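Review bot: The capture `(?<origin>[^,]+)` in the first `map` keeps any double quotes around the value and only matches when `origin=` is the first parameter, so a header of the form `X-Matrix origin="example.org",...` would yield `"example.org"` including the quotes and never equal an entry in the `$mx_can_invite` map. The Matrix spec allows quoted values and Synapse appears to send them that way, so the allow list may never match in practice. A pattern such as `"~*^X-Matrix\s+(?:.*,)?\s*origin=\"?(?<origin>[^\",\s]+)"` would tolerate both forms (untested sketch). Separately, `$mx_origin_name` is only the origin the sender claims, read before any signature check, so a comment like `# Claimed origin only; Synapse still verifies the request signature` would keep later users from treating `$mx_can_invite` as an authorization decision on its own.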