ambroisie/nix-config
ambroisie/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: ambroisie:dd7b6135315c51812e6928087b20235c9fb7638d
Branches Tags
ambroisie:main
ambroisie:add-jj
ambroisie:xdg-mime-apps
ambroisie:tmux-undercurls
ambroisie:add-nixgl
ambroisie:export-nixos-homes
ambroisie:native-vim-snippets
ambroisie:add-impermanence
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix
...
compare: ambroisie:b1c9279c637956d134793431e0760d71a0e8bd97
Branches Tags
ambroisie:add-jj
ambroisie:main
ambroisie:xdg-mime-apps
ambroisie:tmux-undercurls
ambroisie:add-nixgl
ambroisie:export-nixos-homes
ambroisie:native-vim-snippets
ambroisie:add-impermanence
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix

9 commits
dd7b613531 ... b1c9279c63

Author SHA1 Message Date
Bruno BELANYI
b1c9279c63 nixos: services: add thelounge
All checks were successful
ci/woodpecker/push/check Pipeline was successful
Details
2025-08-05 15:53:21 +02:00
Bruno BELANYI
30348a1e19 nixos: services: matrix: add Facebook bridge 
I probably won't actually use it, after test-driving it quickly.

But now that the effort has been expanded, might as well keep it if only
as a future reference.
 2025-08-05 15:53:21 +02:00
Bruno BELANYI
7a85a44407 nixos: services: matrix: remove obsolete comment 2025-08-05 15:53:21 +02:00
Bruno BELANYI
9cadbe6256 nixos: services: matrix: add admin interface 2025-08-05 15:53:21 +02:00
Bruno BELANYI
fa7b4910f5 nixos: services: matrix: fix proxy to synapse 
I want to make use of the `/_synapse/matrix/` sub-path, so just proxy
the whole of `/_synapse/`.
 2025-08-05 15:53:21 +02:00
Bruno BELANYI
1e31b2dfea nixos: services: matrix: simplify VHost 2025-08-05 15:53:21 +02:00
Bruno BELANYI
bd019258cb nixos: services: matrix: simplify listeners 2025-08-05 15:53:21 +02:00
Bruno BELANYI
0792e8c7cb nixos: services: matrix: fix element-web config 2025-08-05 15:53:21 +02:00
Bruno BELANYI
f1d7da7fcb nixos: services: matrix: refactor well-knowns 2025-08-05 15:53:21 +02:00
4 changed files with 283 additions and 107 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/nixos/services/default.nix
View file

@ -38,6 +38,7 @@
./servarr
./ssh-server
./tandoor-recipes
./thelounge
./tlp
./transmission
./vikunja

143
modules/nixos/services/matrix/bridges.nix Normal file
View file

@ -0,0 +1,143 @@
# Matrix bridges for some services I use
{ config, lib, ... }:
let
cfg = config.my.services.matrix.bridges;
synapseCfg = config.services.matrix-synapse;
domain = config.networking.domain;
serverName = synapseCfg.settings.server_name;
mkBridgeOption = n: lib.mkEnableOption "${n} bridge" // { default = cfg.enable; };
mkPortOption = n: default: lib.mkOption {
type = lib.types.port;
inherit default;
example = 8080;
description = "${n} bridge port";
};
mkEnvironmentFileOption = n: lib.mkOption {
type = lib.types.str;
example = "/run/secret/matrix/${lib.toLower n}-bridge-secrets.env";
description = ''
Path to a file which should contain the secret values for ${n} bridge.
Using through the following format:
```
MATRIX_APPSERVICE_AS_TOKEN=<the_as_value>
MATRIX_APPSERVICE_HS_TOKEN=<the_hs_value>
```
Each bridge should use a different set of secrets, as they each register
their own independent double-puppetting appservice.
'';
};
in
{
options.my.services.matrix.bridges = with lib; {
enable = mkEnableOption "bridges configuration";
admin = mkOption {
type = types.str;
default = "ambroisie";
example = "admin";
description = "Local username for the admin";
};
facebook = {
enable = mkBridgeOption "Facebook";
port = mkPortOption "Facebook" 29321;
environmentFile = mkEnvironmentFileOption "Facebook";
};
};
config = lib.mkMerge [
(lib.mkIf cfg.facebook.enable {
services.mautrix-meta.instances.facebook = {
enable = true;
# Automatically register the bridge with synapse
registerToSynapse = true;
# Provide `AS_TOKEN`, `HS_TOKEN`
inherit (cfg.facebook) environmentFile;
settings = {
homeserver = {
domain = serverName;
address = "http://localhost:${toString config.my.services.matrix.port}";
};
appservice = {
hostname = "localhost";
inherit (cfg.facebook) port;
address = "http://localhost:${toString cfg.facebook.port}";
public_address = "https://facebook-bridge.${domain}";
as_token = "$MATRIX_APPSERVICE_AS_TOKEN";
hs_token = "$MATRIX_APPSERVICE_HS_TOKEN";
bot = {
username = "fbbot";
};
};
backfill = {
enabled = true;
};
bridge = {
delivery_receipts = true;
permissions = {
"*" = "relay";
${serverName} = "user";
"@${cfg.admin}:${serverName}" = "admin";
};
};
database = {
type = "postgres";
uri = "postgres:///mautrix-meta-facebook?host=/var/run/postgresql/";
};
double_puppet = {
secrets = {
${serverName} = "as_token:$MATRIX_APPSERVICE_AS_TOKEN";
};
};
network = {
# Don't be picky on Facebook/Messenger
allow_messenger_com_on_fb = true;
displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FB)'';
};
provisioning = {
shared_secret = "disable";
};
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "mautrix-meta-facebook" ];
ensureUsers = [{
name = "mautrix-meta-facebook";
ensureDBOwnership = true;
}];
};
systemd.services.mautrix-meta-facebook = {
wants = [ "postgres.service" ];
after = [ "postgres.service" ];
};
my.services.nginx.virtualHosts = {
# Proxy to the bridge
"facebook-bridge" = {
inherit (cfg.facebook) port;
};
};
})
];
}

187
modules/nixos/services/matrix/default.nix
View file

@ -1,24 +1,49 @@
# Matrix homeserver setup, using different endpoints for federation and client
# traffic. The main trick for this is defining two nginx servers endpoints for
# matrix.domain.com, each listening on different ports.
#
# Configuration shamelessly stolen from [1]
#
# [1]: https://github.com/alarsyo/nixos-config/blob/main/services/matrix.nix
# Matrix homeserver setup.
{ config, lib, pkgs, ... }:
let
cfg = config.my.services.matrix;
federationPort = { public = 8448; private = 11338; };
clientPort = { public = 443; private = 11339; };
adminPkg = pkgs.synapse-admin-etkecc;
domain = config.networking.domain;
matrixDomain = "matrix.${domain}";
serverConfig = {
"m.server" = "${matrixDomain}:443";
};
clientConfig = {
"m.homeserver" = {
"base_url" = "https://${matrixDomain}";
"server_name" = domain;
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
# ACAO required to allow element-web on any URL to request this json file
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
imports = [
./bridges.nix
];
options.my.services.matrix = with lib; {
enable = mkEnableOption "Matrix Synapse";
port = mkOption {
type = types.port;
default = 8448;
example = 8008;
description = "Internal port for listeners";
};
secretFile = mkOption {
type = with types; nullOr str;
default = null;
@ -58,22 +83,22 @@ in
enable_registration = false;
listeners = [
# Federation
{
inherit (cfg) port;
bind_addresses = [ "::1" ];
port = federationPort.private;
tls = false; # Terminated by nginx.
type = "http";
tls = false;
x_forwarded = true;
resources = [{ names = [ "federation" ]; compress = false; }];
}
# Client
{
bind_addresses = [ "::1" ];
port = clientPort.private;
tls = false; # Terminated by nginx.
x_forwarded = true;
resources = [{ names = [ "client" ]; compress = false; }];
resources = [
{
names = [ "client" ];
compress = true;
}
{
names = [ "federation" ];
compress = false;
}
];
}
];
@ -96,19 +121,12 @@ in
chat = {
root = pkgs.element-web.override {
conf = {
default_server_config = {
"m.homeserver" = {
"base_url" = "https://${matrixDomain}";
"server_name" = domain;
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
};
showLabsSettings = true;
defaultCountryCode = "FR"; # cocorico
roomDirectory = {
default_server_config = clientConfig;
show_labs_settings = true;
default_country_code = "FR"; # cocorico
room_directory = {
"servers" = [
domain
"matrix.org"
"mozilla.org"
];
@ -116,99 +134,54 @@ in
};
};
};
# Dummy VHosts for port collision detection
matrix-federation = {
port = federationPort.private;
};
matrix-client = {
port = clientPort.private;
};
};
matrix = {
# Somewhat unused, but necessary for port collision detection
inherit (cfg) port;
# Those are too complicated to use my wrapper...
services.nginx.virtualHosts = {
${matrixDomain} = {
onlySSL = true;
useACMEHost = domain;
locations =
let
proxyToClientPort = {
proxyPass = "http://[::1]:${toString clientPort.private}";
};
in
{
extraConfig = {
locations = {
# Or do a redirect instead of the 404, or whatever is appropriate
# for you. But do not put a Matrix Web client here! See the
# Element web section below.
"/".return = "404";
"/_matrix" = proxyToClientPort;
"/_synapse/client" = proxyToClientPort;
"/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
"/_synapse".proxyPass = "http://[::1]:${toString cfg.port}";
"= /admin".return = "307 /admin/";
"/admin/" = {
alias = "${adminPkg}/";
priority = 500;
tryFiles = "$uri $uri/ /index.html";
};
"~ ^/admin/.*\\.(?:css|js|jpg|jpeg|gif|png|svg|ico|woff|woff2|ttf|eot|webp)$" = {
priority = 400;
root = adminPkg;
extraConfig = ''
rewrite ^/admin/(.*)$ /$1 break;
expires 30d;
more_set_headers "Cache-Control: public";
'';
};
};
listen = [
{ addr = "0.0.0.0"; port = clientPort.public; ssl = true; }
{ addr = "[::]"; port = clientPort.public; ssl = true; }
];
};
# same as above, but listening on the federation port
"${matrixDomain}_federation" = {
onlySSL = true;
serverName = matrixDomain;
useACMEHost = domain;
locations."/".return = "404";
locations."/_matrix" = {
proxyPass = "http://[::1]:${toString federationPort.private}";
};
listen = [
{ addr = "0.0.0.0"; port = federationPort.public; ssl = true; }
{ addr = "[::]"; port = federationPort.public; ssl = true; }
];
};
};
# Those are too complicated to use my wrapper...
services.nginx.virtualHosts = {
"${domain}" = {
forceSSL = true;
useACMEHost = domain;
locations."= /.well-known/matrix/server".extraConfig =
let
server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
};
# For administration tools.
environment.systemPackages = [ pkgs.matrix-synapse ];
networking.firewall.allowedTCPPorts = [
clientPort.public
federationPort.public
];
my.services.backup = {
paths = [
config.services.matrix-synapse.dataDir

59
modules/nixos/services/thelounge/default.nix Normal file
View file

@ -0,0 +1,59 @@
# Web IRC client
{ config, lib, ... }:
let
cfg = config.my.services.thelounge;
in
{
options.my.services.thelounge = with lib; {
enable = mkEnableOption "The Lounge, a self-hosted web IRC client";
port = mkOption {
type = types.port;
default = 9050;
example = 4242;
description = "The port on which The Lounge will listen for incoming HTTP traffic.";
};
};
config = lib.mkIf cfg.enable {
services.thelounge = {
enable = true;
inherit (cfg) port;
extraConfig = {
reverseProxy = true;
};
};
my.services.nginx.virtualHosts = {
irc = {
inherit (cfg) port;
# Proxy websockets for RPC
websocketsLocations = [ "/" ];
extraConfig = {
locations."/".extraConfig = ''
proxy_read_timeout 1d;
'';
};
};
};
services.fail2ban.jails = {
thelounge = ''
enabled = true
filter = thelounge
port = http,https
'';
};
environment.etc = {
"fail2ban/filter.d/thelounge.conf".text = ''
[Definition]
failregex = Authentication failed for user .* from <HOST>$
Authentication for non existing user attempted from <HOST>$
journalmatch = _SYSTEMD_UNIT=thelounge.service
'';
};
};
}