diff --git a/.gitattributes b/.gitattributes index 4910fb3..59bbd76 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,3 +3,4 @@ secrets/hashedPass filter=git-crypt diff=git-crypt secrets/minecraft-whitelist.nix filter=git-crypt diff=git-crypt secrets/wg0.conf filter=git-crypt diff=git-crypt secrets/caddy_auth.nix filter=git-crypt diff=git-crypt +secrets/matrix_reg_token.nix filter=git-crypt diff=git-crypt diff --git a/configuration.nix b/configuration.nix index 4c2e6d1..78f947f 100644 --- a/configuration.nix +++ b/configuration.nix @@ -19,6 +19,8 @@ ./services/wg.nix ./services/qbittorrent.nix ./services/bitmagnet.nix + + ./services/matrix.nix ]; systemd.targets = { diff --git a/flake.lock b/flake.lock index 0365f42..754ba3c 100644 --- a/flake.lock +++ b/flake.lock @@ -43,11 +43,11 @@ ] }, "locked": { - "lastModified": 1732499634, - "narHash": "sha256-RFtqNl1OOi5uKxP2UwYKz4zknpG7CnaocqOf7jcp1AY=", + "lastModified": 1733104667, + "narHash": "sha256-77V9I6NiwUaDswdsc5TilIREd7OFs8UAVQ3+++cIPN0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "6f29ed33273eef383a33ac7e10e6cfb4949ef3d4", + "rev": "5747ec35c936d9d9f58c281111f5ab7115fe13cc", "type": "github" }, "original": { @@ -58,11 +58,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1732483221, - "narHash": "sha256-kF6rDeCshoCgmQz+7uiuPdREVFuzhIorGOoPXMalL2U=", + "lastModified": 1733139194, + "narHash": "sha256-PVQW9ovo0CJbhuhCsrhFJGGdD1euwUornspKpBIgdok=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "45348ad6fb8ac0e8415f6e5e96efe47dd7f39405", + "rev": "c6c90887f84c02ce9ebf33b95ca79ef45007bf88", "type": "github" }, "original": { 
@@ -74,11 +74,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1732014248, - "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1cf68f3..1264196 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,6 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - # nixpkgs.url = "github:NixOS/nixpkgs/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; @@ -97,14 +96,11 @@ # import the `services.qbittorrent` module (nixpkgs-qbt + "/nixos/modules/services/torrent/qbittorrent.nix") - # get nix-minercaft working! + # get nix-minecraft working! nix-minecraft.nixosModules.minecraft-servers - ( - { ... }: - { - nixpkgs.overlays = [ nix-minecraft.overlay ]; - } - ) + { + nixpkgs.overlays = [ nix-minecraft.overlay ]; + } ] ++ (with nixos-hardware.nixosModules; [ common-cpu-amd-pstate diff --git a/secrets/matrix_reg_token.nix b/secrets/matrix_reg_token.nix new file mode 100644 index 0000000..52490c1 Binary files /dev/null and b/secrets/matrix_reg_token.nix differ diff --git a/services/caddy.nix b/services/caddy.nix index 4869d17..6eb6d61 100644 --- a/services/caddy.nix +++ b/services/caddy.nix 
@@ -51,25 +51,43 @@ root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web file_server browse ''; + + "${config.services.matrix-conduit.settings.global.server_name}".extraConfig = '' + reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port} + ''; + + # Exact duplicate of matrix.gardling.com + "${config.services.matrix-conduit.settings.global.server_name}:8448".extraConfig = + config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name + }".extraConfig; }; }; systemd.tmpfiles.rules = [ - "d ${service_configs.https.data_dir} 0755 ${config.services.caddy.user} ${config.services.caddy.group}" + "d ${service_configs.https.data_dir} 0750 ${config.services.caddy.user} ${config.services.caddy.group}" ]; systemd.packages = with pkgs; [ nssTools ]; networking.firewall.allowedTCPPorts = [ service_configs.ports.https + + # http (but really acmeCA challenges) 80 + + # for matrix federation + 8448 ]; networking.firewall.allowedUDPPorts = [ service_configs.ports.https + + # for matrix federation + 8448 ]; users.users.${config.services.caddy.user}.extraGroups = [ + # for `map.gardling.com` "minecraft" ]; diff --git a/services/matrix.nix b/services/matrix.nix new file mode 100644 index 0000000..c9433bd --- /dev/null +++ b/services/matrix.nix 
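Review bot: The new `:8448` virtual host obtains its body by reading back `config.services.caddy.virtualHosts."${…server_name}".extraConfig` from the same attribute set, and the comment above it hardcodes `matrix.gardling.com` even though the key is derived from `config.services.matrix-conduit.settings.global.server_name`, so the comment will drift if the domain ever changes; a `let` binding for the server name and one shared `reverse_proxy` string, used by both vhosts, would remove the self-reference and the stale name (the enclosing `virtualHosts` set starts outside the hunk). The UDP entry for 8448 is commented `# for matrix federation`, but federation is HTTPS over TCP; the UDP port is presumably only there for Caddy's HTTP/3 listener, so the comment should say so, e.g. `# HTTP/3 (QUIC) for the federation vhost`, or the UDP entry be dropped if QUIC is not wanted. Tightening the data directory from 0755 to 0750 is a sound change.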
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ config,
+ service_configs,
+ ...
+}:
+{
+ imports = [
+ ../secrets/matrix_reg_token.nix
+ ];
+
+ services.matrix-conduit = {
+ enable = true;
+ package = pkgs.conduwuit;
+ # package = pkgs.conduwuit.overrideAttrs (old: {
+ # cargoBuildFeatures = pkgs.lib.remove "release_max_log_level" old.cargoBuildFeatures;
+ # });
+
+ settings.global = {
+ port = 6167;
+ server_name = "matrix.${service_configs.https.domain}";
+ database_backend = "rocksdb";
+ allow_registration = true;
+
+ trusted_servers = [
+ "matrix.org"
+ "envs.net"
+ ];
+
+ # without this, conduit fails to start
+ address = "0.0.0.0";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/private/matrix-conduit 0750 conduit conduit"
+ ];
+}
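Review bot: `address = "0.0.0.0"` at the end of `settings.global` binds conduwuit's plaintext HTTP listener on port 6167 to every interface, whereas the caddy.nix hunk only proxies to it on localhost and opens just 80, 443 and 8448; the comment says only that conduit fails to start without it, presumably because the module's default bind address (IPv6 loopback, I believe) is unavailable on this host. `address = "127.0.0.1";` would keep that fix while ensuring the TLS-less listener is reachable only through Caddy, including on any trusted interfaces the firewall does not filter. `allow_registration = true` is open registration unless a registration token is configured; the imported `../secrets/matrix_reg_token.nix` presumably supplies one, which a comment on that line should state, e.g. `# gated by the registration token set in ../secrets/matrix_reg_token.nix`. The tmpfiles rule also assumes a static `conduit` user and group; if the unit runs with DynamicUser and StateDirectory, as I believe the upstream matrix-conduit module does, systemd already creates `/var/lib/private/matrix-conduit` itself and this rule may fail or fight its ownership.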