From 11ab6de3052d855cd8cfd8645f6387380a798d18 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 10 Feb 2026 12:45:40 -0500
Subject: [PATCH] re-add matrix

---
 configuration.nix | 2 ++
 flake.nix | 7 ++++
 secrets/matrix_reg_token | Bin 0 -> 87 bytes
 services/matrix.nix | 68 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 secrets/matrix_reg_token
 create mode 100644 services/matrix.nix

diff --git a/configuration.nix b/configuration.nix
index 7ce700a..c7350cb 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -38,6 +38,8 @@
 ./services/bitwarden.nix
+ ./services/matrix.nix
+
 ./services/monero.nix
 ./services/xmrig.nix
diff --git a/flake.nix b/flake.nix
index 0123adf..f9e5f8f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -118,6 +118,8 @@
 syncthing_protocol = 22000;
 syncthing_discovery = 21027;
 minecraft = 25565;
+ matrix = 6167;
+ matrix_federation = 8448;
 };
 https = {
@@ -168,6 +170,11 @@
 dataDir = services_dir + "/monero";
 };
+ matrix = {
+ dataDir = "/var/lib/private/matrix-conduit";
+ domain = "matrix.${https.domain}";
+ };
+
 syncthing = {
 dataDir = services_dir + "/syncthing";
 signalBackupDir = "/${zpool_ssds}/bak/signal";
diff --git a/secrets/matrix_reg_token b/secrets/matrix_reg_token
new file mode 100644
index 0000000000000000000000000000000000000000..87488e9777643b7a6cb749275069f0782431bc4d
GIT binary patch
literal 87
zcmZQ@_Y83kiVO&0m@B>Ve10(Nq>w53ZX)J;fA2XVaAJv8l+bn0d)Gvw_XuveA9=WI
u=CJ_3>dcPU0c#eTrSR}Ix~<@@{=30+*5hjr_HJ*=x$jfB&}H+{cYFYT@+pM?

literal 0
HcmV?d00001

diff --git a/services/matrix.nix b/services/matrix.nix
new file mode 100644
index 0000000..41849da
--- /dev/null
+++ b/services/matrix.nix
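Review bot: `dataDir = "/var/lib/private/matrix-conduit";` is the only absolute literal in this block, while the neighbouring `monero` and `syncthing` entries derive their path from `services_dir`, and nothing records why it differs. A one-line comment would keep a later reader from "normalising" it to the common pattern, e.g. `# fixed path: must match the directory the matrix-conduit unit expects; the zpool mount is layered onto it`. I cannot confirm that constraint from this hunk, so word the comment to whatever the actual reason is.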
@@ -0,0 +1,68 @@
+{
+ pkgs,
+ config,
+ service_configs,
+ lib,
+ ...
+}:
+{
+ imports = [
+ (lib.serviceMountWithZpool "matrix-conduit" service_configs.zpool_ssds [
+ service_configs.matrix.dataDir
+ ])
+ ];
+
+ services.matrix-conduit = {
+ enable = true;
+ package = pkgs.matrix-continuwuity;
+
+ settings.global = {
+ port = service_configs.ports.matrix;
+ server_name = service_configs.https.domain;
+ database_backend = "rocksdb";
+ allow_registration = true;
+ registration_token = builtins.readFile ../secrets/matrix_reg_token;
+
+ new_user_displayname_suffix = "";
+
+ trusted_servers = [
+ "matrix.org"
+ "constellatory.net"
+ "tchncs.de"
+ "envs.net"
+ ];
+
+ # without this, conduit fails to start
+ address = "0.0.0.0";
+ };
+ };
+
+ services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
+ header /.well-known/matrix/* Content-Type application/json
+ header /.well-known/matrix/* Access-Control-Allow-Origin *
+ respond /.well-known/matrix/server `{"m.server": "${service_configs.matrix.domain}:${builtins.toString service_configs.ports.https}"}`
+ respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.matrix.domain}"},"m.homeserver":{"base_url":"https://${service_configs.matrix.domain}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
+ '';
+
+ services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig = ''
+ reverse_proxy :${builtins.toString service_configs.ports.matrix}
+ '';
+
+ # Exact duplicate for federation port
+ services.caddy.virtualHosts."${service_configs.matrix.domain}:${builtins.toString service_configs.ports.matrix_federation}".extraConfig =
+ config.services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig;
+
+ systemd.tmpfiles.rules = [
+ "Z ${service_configs.matrix.dataDir} 0770 ${config.systemd.services.conduit.serviceConfig.User} ${config.systemd.services.conduit.serviceConfig.User}"
+ ];
+
+ # for federation
+ networking.firewall.allowedTCPPorts = [
+ service_configs.ports.matrix_federation
+ ];
+
+ # for federation
+ networking.firewall.allowedUDPPorts = [
+ service_configs.ports.matrix_federation
+ ];
+}
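Review bot: `registration_token = builtins.readFile ../secrets/matrix_reg_token;` embeds the token in the generated conduit config at evaluation time, and that file ends up in the world-readable Nix store (and in any binary cache the host pushes to), so whatever protection `secrets/matrix_reg_token` has in the repository — which I cannot judge from the binary blob here — does not carry over to the deployed system. Point the service at a runtime-only path instead, e.g. a file-based token option if `matrix-continuwuity` exposes one, or a systemd credential or a file provisioned by the secrets tool the repo already uses, and keep the literal out of `settings.global`. Two smaller points in the same hunk: `address = "0.0.0.0";` binds the homeserver on every interface while only `matrix_federation` is opened in the firewall, so `127.0.0.1` (matching Caddy's `reverse_proxy :<port>`) is worth trying and the comment should say what actually fails without it. The tmpfiles rule `"Z ${service_configs.matrix.dataDir} 0770 …"` applies 0770 to every file as well as directories and assumes that user exists when tmpfiles runs, which does not hold if the unit uses DynamicUser — I cannot confirm either from this hunk.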