conduit and other changes

2024-12-02 10:45:17 -05:00 · 2024-12-02 10:45:17 -05:00 · 9b5af0c075
commit 9b5af0c075
parent 9665c744cf
7 changed files with 73 additions and 18 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -3,3 +3,4 @@ secrets/hashedPass filter=git-crypt diff=git-crypt
 secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt
 secrets/wg0.conf filter=git-crypt diff=git-crypt
 secrets/caddy_auth.nix filter=git-crypt diff=git-crypt
+secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt
--- a/configuration.nix
+++ b/configuration.nix
@ -19,6 +19,8 @@
    ./services/wg.nix
    ./services/qbittorrent.nix
    ./services/bitmagnet.nix
+
+    ./services/matrix.nix
  ];

  systemd.targets = {
--- a/flake.lock
+++ b/flake.lock
@ -43,11 +43,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732499634,
-        "narHash": "sha256-RFtqNl1OOi5uKxP2UwYKz4zknpG7CnaocqOf7jcp1AY=",
+        "lastModified": 1733104667,
+        "narHash": "sha256-77V9I6NiwUaDswdsc5TilIREd7OFs8UAVQ3+++cIPN0=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
-        "rev": "6f29ed33273eef383a33ac7e10e6cfb4949ef3d4",
+        "rev": "5747ec35c936d9d9f58c281111f5ab7115fe13cc",
        "type": "github"
      },
      "original": {
@ -58,11 +58,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1732483221,
-        "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=",
+        "lastModified": 1733139194,
+        "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405",
+        "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88",
        "type": "github"
      },
      "original": {
@ -74,11 +74,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1732014248,
-        "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
+        "lastModified": 1733015953,
+        "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
+        "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,6 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    # nixpkgs.url = "github:NixOS/nixpkgs/master";

    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

@ -97,14 +96,11 @@
            # import the `services.qbittorrent` module
            (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix")

-            # get nix-minercaft working!
+            # get nix-minecraft working!
            nix-minecraft.nixosModules.minecraft-servers
-            (
-              { ... }:
-              {
-                nixpkgs.overlays = [ nix-minecraft.overlay ];
-              }
-            )
+            {
+              nixpkgs.overlays = [ nix-minecraft.overlay ];
+            }
          ]
          ++ (with nixos-hardware.nixosModules; [
            common-cpu-amd-pstate
--- a/secrets/matrix_reg_token.nix
+++ b/secrets/matrix_reg_token.nix
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -51,25 +51,43 @@
        root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
        file_server browse
      '';
+
+      "${config.services.matrix-conduit.settings.global.server_name}".extraConfig = ''
+        reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
+      '';
+
+      # Exact duplicate of matrix.gardling.com
+      "${config.services.matrix-conduit.settings.global.server_name}:8448".extraConfig =
+        config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
+        }".extraConfig;
    };
  };

  systemd.tmpfiles.rules = [
-    "d ${service_configs.https.data_dir} 0755 ${config.services.caddy.user} ${config.services.caddy.group}"
+    "d ${service_configs.https.data_dir} 0750 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];

  systemd.packages = with pkgs; [ nssTools ];

  networking.firewall.allowedTCPPorts = [
    service_configs.ports.https
+
+    # http (but really acmeCA challenges)
    80
+
+    # for matrix federation
+    8448
  ];

  networking.firewall.allowedUDPPorts = [
    service_configs.ports.https
+
+    # for matrix federation
+    8448
  ];

  users.users.${config.services.caddy.user}.extraGroups = [
+    # for `map.gardling.com`
    "minecraft"
  ];

--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -0,0 +1,38 @@
+{
+  pkgs,
+  config,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    ../secrets/matrix_reg_token.nix
+  ];
+
+  services.matrix-conduit = {
+    enable = true;
+    package = pkgs.conduwuit;
+    # package = pkgs.conduwuit.overrideAttrs (old: {
+    #   cargoBuildFeatures = pkgs.lib.remove "release_max_log_level" old.cargoBuildFeatures;
+    # });
+
+    settings.global = {
+      port = 6167;
+      server_name = "matrix.${service_configs.https.domain}";
+      database_backend = "rocksdb";
+      allow_registration = true;
+
+      trusted_servers = [
+        "matrix.org"
+        "envs.net"
+      ];
+
+      # without this, conduit fails to start
+      address = "0.0.0.0";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/private/matrix-conduit 0750 conduit conduit"
+  ];
+}