matrix: fix assertion

modules/matrix.nix

@@ -119,7 +119,7 @@ in
     virtualHosts."${cfge.domain}" = {
       forceSSL = true;
       enableACME = lib.mkDefault true;
-      root = (cfge.package.override {
+      locations."/".root = (cfge.package.override {
         conf = with config.services.matrix-synapse.settings; {
           default_server_config."m.homeserver" = {
             "base_url" = public_baseurl;

modules/nginx.nix

@@ -71,10 +71,9 @@ in
 
           locations = lib.mkOption {
             type = with lib.types; attrsOf (submodule {
-              options.extraConfig = lib.mkOption {};
-              config.extraConfig = lib.optionalString cfg.setHSTSHeader /* nginx */ ''
+              config.extraConfig = lib.mkIf cfg.setHSTSHeader (/* nginx */ ''
                 more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload";
-              '' + cfg.commonServerConfig + cfgv.commonLocationsConfig;
+              '' + cfg.commonServerConfig + cfgv.commonLocationsConfig);
             });
           };
         };
@@ -89,6 +88,13 @@ in
   ];
 
   config = lib.mkIf cfg.enable {
+    assertions = lib.mkIf cfg.setHSTSHeader (lib.attrValues (lib.mapAttrs (host: hostConfig: {
+      assertion = hostConfig.root == null;
+      message = let
+        name = ''services.nginx.virtualHosts."${host}"'';
+      in "Use ${name}.locations./.root instead of ${name}.root to properly apply .locations.*.extraConfig set by services.nginx.setHSTSHeader";
+    }) cfg.virtualHosts));
+
     boot.kernel.sysctl = lib.mkIf cfg.tcpFastOpen {
       # enable tcp fastopen for outgoing and incoming connections
       "net.ipv4.tcp_fastopen" = 3;