fixup! WIP: add jujutsu (w/ Delta)

This is to serve as a reminder of _how_ to add a local configuration
file.

flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753121425,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
         "type": "github"
       },
       "original": {
@@ -117,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "lastModified": 1755446520,
+        "narHash": "sha256-I0Ok1OGDwc1jPd8cs2VvAYZsHriUVFGIUqW+7uSsOUM=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "4b04db83821b819bbbe32ed0a025b31e7971f22e",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753617834,
-        "narHash": "sha256-WEVfKrdIdu5CpppJ0Va3vzP0DKlS+ZTLbBjugMO2Drg=",
+        "lastModified": 1755491080,
+        "narHash": "sha256-ib1Xi13NEalrFqQAHceRsb+6aIPANFuQq80SS/bY10M=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "72cc1e3134a35005006f06640724319caa424737",
+        "rev": "f8af2cbe386f9b96dd9efa57ab15a09377f38f4d",
         "type": "github"
       },
       "original": {
@@ -175,11 +175,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1753429684,
-        "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
+        "lastModified": 1755186698,
+        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
+        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
         "type": "github"
       },
       "original": {
@@ -200,11 +200,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1741294988,
-        "narHash": "sha256-3408u6q615kVTb23WtDriHRmCBBpwX7iau6rvfipcu4=",
+        "lastModified": 1753980880,
+        "narHash": "sha256-aj1pbYxL6N+XFqBHjB4B1QP0bnKRcg1AfpgT5zUFsW8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "b30c245e2c44c7352a27485bfd5bc483df660f0e",
+        "rev": "16db3e61da7606984a05b4dfc33cd1d26d22fb22",
         "type": "github"
       },
       "original": {

modules/home/atuin/default.nix

@@ -6,7 +6,6 @@ in
   options.my.home.atuin = with lib; {
     enable = my.mkDisableOption "atuin configuration";
 
-    # I want the full experience by default
     package = mkPackageOption pkgs "atuin" { };
 
     daemon = {

modules/home/default.nix

@@ -24,6 +24,7 @@
     ./gtk
     ./htop
     ./jq
+    ./jujutsu
     ./keyboard
     ./mail
     ./mpv

modules/home/delta/default.nix

@@ -1,6 +1,9 @@
 { config, pkgs, lib, ... }:
 let
   cfg = config.my.home.delta;
+
+  configFormat = pkgs.formats.gitIni { };
+  configPath = "${config.xdg.configHome}/delta/config";
 in
 {
   options.my.home.delta = with lib; {
@@ -11,6 +14,10 @@ in
     git = {
       enable = my.mkDisableOption "git integration";
     };
+
+    jujutsu = {
+      enable = my.mkDisableOption "jujutsu integration";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -34,33 +41,59 @@ in
 
     home.packages = [ cfg.package ];
 
+    xdg.configFile."delta/config".source = configFormat.generate "delta-config" {
+      delta = {
+        features = "diff-highlight decorations";
+
+        # Less jarring style for `diff-highlight` emulation
+        diff-highlight = {
+          minus-style = "red";
+          minus-non-emph-style = "red";
+          minus-emph-style = "bold red 52";
+
+          plus-style = "green";
+          plus-non-emph-style = "green";
+          plus-emph-style = "bold green 22";
+
+          whitespace-error-style = "reverse red";
+        };
+
+        # Personal preference for easier reading
+        decorations = {
+          commit-style = "raw"; # Do not recolor meta information
+          keep-plus-minus-markers = true;
+          paging = "always";
+        };
+      };
+    };
+
     programs.git = lib.mkIf cfg.git.enable {
       delta = {
         enable = true;
         inherit (cfg) package;
+      };
 
-        options = {
-          features = "diff-highlight decorations";
+      includes = [
+        {
+          path = configPath;
+        }
+      ];
+    };
 
-          # Less jarring style for `diff-highlight` emulation
-          diff-highlight = {
-            minus-style = "red";
-            minus-non-emph-style = "red";
-            minus-emph-style = "bold red 52";
-
-            plus-style = "green";
-            plus-non-emph-style = "green";
-            plus-emph-style = "bold green 22";
-
-            whitespace-error-style = "reverse red";
+    programs.jujutsu = lib.mkIf cfg.jujutsu.enable {
+      settings = {
+        merge-tools = {
+          delta = {
+            # Errors are signaled with exit codes greater or equal to 2
+            diff-expected-exit-codes = [ 0 1 ];
           };
+        };
 
-          # Personal preference for easier reading
-          decorations = {
-            commit-style = "raw"; # Do not recolor meta information
-            keep-plus-minus-markers = true;
-            paging = "always";
-          };
+        ui = {
+          # Delta expects a `git diff` input
+          diff-formatter = ":git";
+
+          pager = [ (lib.getExe cfg.package) "--config=${configPath}" ];
         };
       };
     };

modules/home/jujutsu/default.nix

@@ -0,0 +1,130 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.my.home.jujutsu;
+
+  inherit (lib.my) mkMailAddress;
+in
+{
+  options.my.home.jujutsu = with lib; {
+    enable = my.mkDisableOption "jujutsu configuration";
+
+    package = mkPackageOption pkgs "jujutsu" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        # For `jj git` commands
+        assertion = cfg.enable -> config.my.home.git.enable;
+        message = ''
+          `config.my.home.jujutsu` relies on `config.my.home.git` being enabled.
+        '';
+      }
+    ];
+
+    programs.jujutsu = {
+      enable = true;
+
+      inherit (cfg) package;
+
+      settings = {
+        # Who am I?
+        user = {
+          name = "Bruno BELANYI";
+          email = mkMailAddress "bruno" "belanyi.fr";
+        };
+
+        aliases = {
+          jj = [ ];
+          # FIXME:
+          # * still not a big fan of the template
+          lol = [ "log" "-r" "..@" "-T" "builtin_log_oneline" ];
+          lola = [ "lol" "-r" "all()" ];
+          # FIXME: equivalent to `git switch -`
+          # See https://github.com/jj-vcs/jj/issues/2871
+          # Might be broken recently https://discord.com/channels/968932220549103686/1380272574709366989/1380432041983606855
+          # TODO:
+          # * `pick` (https://github.com/jj-vcs/jj/issues/5446): [ "util" "exec" "--" "bash" "-c" "jj log -p -r \"diff_contains($1)\"" "" ]
+          # * `root`: `jj workspace root` (barely necessary then)
+        };
+
+        # FIXME: git equivalents
+        # blame = {
+        #   coloring = "repeatedLines";
+        #   markIgnoredLines = true;
+        #   markUnblamables = true;
+        # };
+        # FIXME: log colors should probably match git
+        # FIXME: patience diff?
+        # FIXME: fetch prune/pruneTags?
+        # FIXME: pull.rebase=true? Probably true TBH
+        # FIXME: push.default=simple? Probably true TBH
+        # FIXME: conflict style? ui.conflict-marker-style=git is diff3, not zdiff3. Default looks fine-ish
+
+        # FIXME: from ma_9's config, plus my own stuff
+        # snapshot = {
+        #   auto-track = "none()";
+        # };
+        #
+        # ui = {
+        #   diff-editor = ":builtin"; # To silence hints
+        #   movement = {
+        #     edit = false;
+        #   };
+        # };
+
+        templates = {
+          # Equivalent to `commit.verbose = true` in Git
+          draft_commit_description = "commit_description_verbose(self)";
+        };
+
+        template-aliases = {
+          "commit_description_verbose(commit)" = ''
+            concat(
+              commit_description(commit),
+              "JJ: ignore-rest\n",
+              diff.git(),
+            )
+          '';
+          # FIXME: use `diff.summary()` instead? Supported by syntax highlighting
+          # See https://github.com/jj-vcs/jj/issues/1946#issuecomment-2572986485
+          # FIXME: tree-sitter grammar isn't in `nvim-treesitter` (https://github.com/kareigu/tree-sitter-jjdescription)
+          "commit_description(commit)" = ''
+            concat(
+              commit.description(), "\n",
+              "JJ: This commit contains the following changes:\n",
+              indent("JJ:    ", diff.stat(72)),
+            )
+          '';
+        };
+
+        "--scope" = [
+          # Multiple identities
+          {
+            "--when" = {
+              repositories = [ "~/git/EPITA/" ];
+            };
+            user = {
+              name = "Bruno BELANYI";
+              email = mkMailAddress "bruno.belanyi" "epita.fr";
+            };
+          }
+          {
+            "--when" = {
+              repositories = [ "~/git/work/" ];
+            };
+            user = {
+              name = "Bruno BELANYI";
+              email = mkMailAddress "ambroisie" "google.com";
+            };
+          }
+        ];
+      };
+    };
+
+    # To drop in a `local.toml` configuration, not-versioned
+    xdg.configFile = {
+      "jj/conf.d/.keep".text = "";
+    };
+  };
+}

modules/home/tmux/default.nix

@@ -61,8 +61,8 @@ in
       pain-control
       # Better session management
       sessionist
+      # X clipboard integration
       {
-        # X clipboard integration
         plugin = yank;
         extraConfig = ''
           # Use 'clipboard' because of misbehaving apps (e.g: firefox)
@@ -71,8 +71,8 @@ in
           set -g @yank_action 'copy-pipe'
         '';
       }
+      # Show when prefix has been pressed
       {
-        # Show when prefix has been pressed
         plugin = prefix-highlight;
         extraConfig = ''
           # Also show when I'm in copy or sync mode

modules/home/xdg/default.nix

@@ -56,4 +56,7 @@ in
     XCOMPOSECACHE = "${dataHome}/X11/xcompose";
     _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java";
   };
+
+  # Some modules *optionally* use `XDG_*_HOME` when told to
+  config.home.preferXdgDirectories = lib.mkIf cfg.enable true;
 }

modules/home/zsh/default.nix

@@ -14,10 +14,12 @@ in
       exclude = mkOption {
         type = with types; listOf str;
         default = [
+          "bat"
           "delta"
           "direnv reload"
           "fg"
           "git (?!push|pull|fetch)"
+          "home-manager (?!switch|build|news)"
           "htop"
           "less"
           "man"

modules/nixos/services/default.nix

@@ -38,6 +38,7 @@
     ./servarr
     ./ssh-server
     ./tandoor-recipes
+    ./thelounge
     ./tlp
     ./transmission
     ./vikunja

modules/nixos/services/matrix/bridges.nix

@@ -0,0 +1,143 @@
+# Matrix bridges for some services I use
+{ config, lib, ... }:
+let
+  cfg = config.my.services.matrix.bridges;
+  synapseCfg = config.services.matrix-synapse;
+
+  domain = config.networking.domain;
+  serverName = synapseCfg.settings.server_name;
+
+  mkBridgeOption = n: lib.mkEnableOption "${n} bridge" // { default = cfg.enable; };
+  mkPortOption = n: default: lib.mkOption {
+    type = lib.types.port;
+    inherit default;
+    example = 8080;
+    description = "${n} bridge port";
+  };
+  mkEnvironmentFileOption = n: lib.mkOption {
+    type = lib.types.str;
+    example = "/run/secret/matrix/${lib.toLower n}-bridge-secrets.env";
+    description = ''
+      Path to a file which should contain the secret values for ${n} bridge.
+
+      Using through the following format:
+
+      ```
+      MATRIX_APPSERVICE_AS_TOKEN=<the_as_value>
+      MATRIX_APPSERVICE_HS_TOKEN=<the_hs_value>
+      ```
+
+      Each bridge should use a different set of secrets, as they each register
+      their own independent double-puppetting appservice.
+    '';
+  };
+in
+{
+  options.my.services.matrix.bridges = with lib; {
+    enable = mkEnableOption "bridges configuration";
+
+    admin = mkOption {
+      type = types.str;
+      default = "ambroisie";
+      example = "admin";
+      description = "Local username for the admin";
+    };
+
+    facebook = {
+      enable = mkBridgeOption "Facebook";
+
+      port = mkPortOption "Facebook" 29321;
+
+      environmentFile = mkEnvironmentFileOption "Facebook";
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.facebook.enable {
+      services.mautrix-meta.instances.facebook = {
+        enable = true;
+        # Automatically register the bridge with synapse
+        registerToSynapse = true;
+
+        # Provide `AS_TOKEN`, `HS_TOKEN`
+        inherit (cfg.facebook) environmentFile;
+
+        settings = {
+          homeserver = {
+            domain = serverName;
+            address = "http://localhost:${toString config.my.services.matrix.port}";
+          };
+
+          appservice = {
+            hostname = "localhost";
+            inherit (cfg.facebook) port;
+            address = "http://localhost:${toString cfg.facebook.port}";
+            public_address = "https://facebook-bridge.${domain}";
+
+            as_token = "$MATRIX_APPSERVICE_AS_TOKEN";
+            hs_token = "$MATRIX_APPSERVICE_HS_TOKEN";
+
+            bot = {
+              username = "fbbot";
+            };
+          };
+
+          backfill = {
+            enabled = true;
+          };
+
+          bridge = {
+            delivery_receipts = true;
+            permissions = {
+              "*" = "relay";
+              ${serverName} = "user";
+              "@${cfg.admin}:${serverName}" = "admin";
+            };
+          };
+
+          database = {
+            type = "postgres";
+            uri = "postgres:///mautrix-meta-facebook?host=/var/run/postgresql/";
+          };
+
+          double_puppet = {
+            secrets = {
+              ${serverName} = "as_token:$MATRIX_APPSERVICE_AS_TOKEN";
+            };
+          };
+
+          network = {
+            # Don't be picky on Facebook/Messenger
+            allow_messenger_com_on_fb = true;
+            displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FB)'';
+          };
+
+          provisioning = {
+            shared_secret = "disable";
+          };
+        };
+      };
+
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [ "mautrix-meta-facebook" ];
+        ensureUsers = [{
+          name = "mautrix-meta-facebook";
+          ensureDBOwnership = true;
+        }];
+      };
+
+      systemd.services.mautrix-meta-facebook = {
+        wants = [ "postgres.service" ];
+        after = [ "postgres.service" ];
+      };
+
+      my.services.nginx.virtualHosts = {
+        # Proxy to the bridge
+        "facebook-bridge" = {
+          inherit (cfg.facebook) port;
+        };
+      };
+    })
+  ];
+}

modules/nixos/services/matrix/default.nix

@@ -1,24 +1,49 @@
-# Matrix homeserver setup, using different endpoints for federation and client
-# traffic. The main trick for this is defining two nginx servers endpoints for
-# matrix.domain.com, each listening on different ports.
-#
-# Configuration shamelessly stolen from [1]
-#
-# [1]: https://github.com/alarsyo/nixos-config/blob/main/services/matrix.nix
+# Matrix homeserver setup.
 { config, lib, pkgs, ... }:
 
 let
   cfg = config.my.services.matrix;
 
-  federationPort = { public = 8448; private = 11338; };
-  clientPort = { public = 443; private = 11339; };
+  adminPkg = pkgs.synapse-admin-etkecc;
+
   domain = config.networking.domain;
   matrixDomain = "matrix.${domain}";
+
+  serverConfig = {
+    "m.server" = "${matrixDomain}:443";
+  };
+  clientConfig = {
+    "m.homeserver" = {
+      "base_url" = "https://${matrixDomain}";
+      "server_name" = domain;
+    };
+    "m.identity_server" = {
+      "base_url" = "https://vector.im";
+    };
+  };
+
+  # ACAO required to allow element-web on any URL to request this json file
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
 in
 {
+  imports = [
+    ./bridges.nix
+  ];
+
   options.my.services.matrix = with lib; {
     enable = mkEnableOption "Matrix Synapse";
 
+    port = mkOption {
+      type = types.port;
+      default = 8448;
+      example = 8008;
+      description = "Internal port for listeners";
+    };
+
     secretFile = mkOption {
       type = with types; nullOr str;
       default = null;
@@ -58,22 +83,22 @@ in
         enable_registration = false;
 
         listeners = [
-          # Federation
           {
+            inherit (cfg) port;
             bind_addresses = [ "::1" ];
-            port = federationPort.private;
-            tls = false; # Terminated by nginx.
+            type = "http";
+            tls = false;
             x_forwarded = true;
-            resources = [{ names = [ "federation" ]; compress = false; }];
-          }
-
-          # Client
-          {
-            bind_addresses = [ "::1" ];
-            port = clientPort.private;
-            tls = false; # Terminated by nginx.
-            x_forwarded = true;
-            resources = [{ names = [ "client" ]; compress = false; }];
+            resources = [
+              {
+                names = [ "client" ];
+                compress = true;
+              }
+              {
+                names = [ "federation" ];
+                compress = false;
+              }
+            ];
           }
         ];
 
@@ -96,19 +121,12 @@ in
       chat = {
         root = pkgs.element-web.override {
           conf = {
-            default_server_config = {
-              "m.homeserver" = {
-                "base_url" = "https://${matrixDomain}";
-                "server_name" = domain;
-              };
-              "m.identity_server" = {
-                "base_url" = "https://vector.im";
-              };
-            };
-            showLabsSettings = true;
-            defaultCountryCode = "FR"; # cocorico
-            roomDirectory = {
+            default_server_config = clientConfig;
+            show_labs_settings = true;
+            default_country_code = "FR"; # cocorico
+            room_directory = {
               "servers" = [
+                domain
                 "matrix.org"
                 "mozilla.org"
               ];
@@ -116,99 +134,54 @@ in
           };
         };
       };
-      # Dummy VHosts for port collision detection
-      matrix-federation = {
-        port = federationPort.private;
-      };
-      matrix-client = {
-        port = clientPort.private;
+      matrix = {
+        # Somewhat unused, but necessary for port collision detection
+        inherit (cfg) port;
+
+        extraConfig = {
+          locations = {
+            # Or do a redirect instead of the 404, or whatever is appropriate
+            # for you. But do not put a Matrix Web client here! See the
+            # Element web section above.
+            "/".return = "404";
+
+            "/_matrix".proxyPass = "http://[::1]:${toString cfg.port}";
+            "/_synapse".proxyPass = "http://[::1]:${toString cfg.port}";
+
+            "= /admin".return = "307 /admin/";
+            "/admin/" = {
+              alias = "${adminPkg}/";
+              priority = 500;
+              tryFiles = "$uri $uri/ /index.html";
+            };
+            "~ ^/admin/.*\\.(?:css|js|jpg|jpeg|gif|png|svg|ico|woff|woff2|ttf|eot|webp)$" = {
+              priority = 400;
+              root = adminPkg;
+              extraConfig = ''
+                rewrite ^/admin/(.*)$ /$1 break;
+                expires 30d;
+                more_set_headers "Cache-Control: public";
+              '';
+            };
+          };
+        };
       };
     };
 
-    # Those are too complicated to use my wrapper...
+    # Setup well-known locations
     services.nginx.virtualHosts = {
-      ${matrixDomain} = {
-        onlySSL = true;
-        useACMEHost = domain;
-
-        locations =
-          let
-            proxyToClientPort = {
-              proxyPass = "http://[::1]:${toString clientPort.private}";
-            };
-          in
-          {
-            # Or do a redirect instead of the 404, or whatever is appropriate
-            # for you. But do not put a Matrix Web client here! See the
-            # Element web section below.
-            "/".return = "404";
-
-            "/_matrix" = proxyToClientPort;
-            "/_synapse/client" = proxyToClientPort;
-          };
-
-        listen = [
-          { addr = "0.0.0.0"; port = clientPort.public; ssl = true; }
-          { addr = "[::]"; port = clientPort.public; ssl = true; }
-        ];
-
-      };
-
-      # same as above, but listening on the federation port
-      "${matrixDomain}_federation" = {
-        onlySSL = true;
-        serverName = matrixDomain;
-        useACMEHost = domain;
-
-        locations."/".return = "404";
-
-        locations."/_matrix" = {
-          proxyPass = "http://[::1]:${toString federationPort.private}";
-        };
-
-        listen = [
-          { addr = "0.0.0.0"; port = federationPort.public; ssl = true; }
-          { addr = "[::]"; port = federationPort.public; ssl = true; }
-        ];
-      };
-
       "${domain}" = {
         forceSSL = true;
         useACMEHost = domain;
 
-        locations."= /.well-known/matrix/server".extraConfig =
-          let
-            server = { "m.server" = "${matrixDomain}:${toString federationPort.public}"; };
-          in
-          ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server}';
-          '';
-
-        locations."= /.well-known/matrix/client".extraConfig =
-          let
-            client = {
-              "m.homeserver" = { "base_url" = "https://${matrixDomain}"; };
-              "m.identity_server" = { "base_url" = "https://vector.im"; };
-            };
-            # ACAO required to allow element-web on any URL to request this json file
-          in
-          ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
+        locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+        locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
       };
     };
 
     # For administration tools.
     environment.systemPackages = [ pkgs.matrix-synapse ];
 
-    networking.firewall.allowedTCPPorts = [
-      clientPort.public
-      federationPort.public
-    ];
-
     my.services.backup = {
       paths = [
         config.services.matrix-synapse.dataDir

modules/nixos/services/thelounge/default.nix

@@ -0,0 +1,59 @@
+# Web IRC client
+{ config, lib, ... }:
+let
+  cfg = config.my.services.thelounge;
+in
+{
+  options.my.services.thelounge = with lib; {
+    enable = mkEnableOption "The Lounge, a self-hosted web IRC client";
+
+    port = mkOption {
+      type = types.port;
+      default = 9050;
+      example = 4242;
+      description = "The port on which The Lounge will listen for incoming HTTP traffic.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.thelounge = {
+      enable = true;
+      inherit (cfg) port;
+
+      extraConfig = {
+        reverseProxy = true;
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      irc = {
+        inherit (cfg) port;
+        # Proxy websockets for RPC
+        websocketsLocations = [ "/" ];
+
+        extraConfig = {
+          locations."/".extraConfig = ''
+            proxy_read_timeout 1d;
+          '';
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      thelounge = ''
+        enabled = true
+        filter = thelounge
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/thelounge.conf".text = ''
+        [Definition]
+        failregex = Authentication failed for user .* from <HOST>$
+                    Authentication for non existing user attempted from <HOST>$
+        journalmatch = _SYSTEMD_UNIT=thelounge.service
+      '';
+    };
+  };
+}

pkgs/lohr/default.nix

@@ -10,7 +10,6 @@ rustPlatform.buildRustPackage rec {
     hash = "sha256-dunQgtap+XCK5LoSyOqIY/6p6HizBeiyPWNuCffwjDU=";
   };
 
-  useFetchCargoVendor = true;
   cargoHash = "sha256-R3/N/43+bGx6acE/rhBcrk6kS5zQu8NJ1sVvKJJkK9w=";
 
   meta = with lib; {