From 4648d6b51ad8baf3e0818fb15bd8404acc9eb567 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Fri, 6 Feb 2026 21:33:57 +0100
Subject: [PATCH] add placeholder for matrix implementation

---
 hosts/fw/modules/web/matrix.nix | 168 +++++++++++++++++----------
 hosts/nb/modules/desktop/default.nix | 32 ++---
 hosts/web-arm/modules/authelia.nix | 15 +++
 3 files changed, 136 insertions(+), 79 deletions(-)

diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 4c9cb7f..64735af 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -10,22 +10,104 @@ let add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; + + # Shared settings format for bridges + settingsFormat = pkgs.formats.json {}; in { - sops.secrets.matrix-shared-secret = { - }; - sops.secrets.dendrite-private-key = { + # Secrets for Synapse + sops.secrets.synapse-oidc-client-secret = { + owner = "matrix-synapse"; }; + # PostgreSQL database for Synapse services.postgresql = { enable = true; - ensureDatabases = [ "dendrite" ]; + ensureDatabases = [ "matrix-synapse" ]; ensureUsers = [ { - name = "dendrite"; + name = "matrix-synapse"; + ensureDBOwnership = true; } ]; }; + services.postgresqlBackup.enable = true; + services.postgresqlBackup.databases = [ "matrix-synapse" ]; + + # Synapse homeserver + services.matrix-synapse = { + enable = true; + settings = { + server_name = "cloonar.com"; + public_baseurl = baseUrl; + + listeners = [ + { + port = 8008; + bind_addresses = [ "::1" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + compress = true; + names = [ "client" "federation" ]; + } + ]; + } + ]; + + database = { + name = "psycopg2"; + args = { + host = "/run/postgresql"; + database = "matrix-synapse"; + user = "matrix-synapse"; + }; + }; + + # Disable registration - users created via OIDC + enable_registration = false; + allow_guest_access = false; + + # OIDC SSO via Authelia + oidc_providers = [ + { + idp_id = "authelia"; + idp_name = "Authelia"; + discover = true; + issuer = "https://auth.cloonar.com"; + user_profile_method = "userinfo_endpoint"; + client_id = "synapse"; + client_secret_path = config.sops.secrets.synapse-oidc-client-secret.path; + scopes = [ "openid" "profile" "email" ]; + allow_existing_users = true; + user_mapping_provider.config = { + subject_claim = "sub"; + localpart_template = "{{ user.preferred_username }}"; + display_name_template = "{{ user.name }}"; + email_template = "{{ user.email }}"; + }; + } + ]; + + # Appservice registrations for bridges + 
app_service_config_files = [ + "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" + "/var/lib/mautrix-signal/signal-registration.yaml" + "/var/lib/mautrix-discord/discord-registration.yaml" + ]; + }; + }; + + # Allow bridge users to read registration files + systemd.services.matrix-synapse.serviceConfig.SupplementaryGroups = [ + "mautrix-whatsapp" + "mautrix-signal" + "mautrix-discord" + ]; + + # Element Web client services.nginx.virtualHosts."element.cloonar.com" = { forceSSL = true; enableACME = true; @@ -45,10 +127,8 @@ in { }; }; }; - - services.postgresqlBackup.enable = true; - services.postgresqlBackup.databases = [ "dendrite" ]; + # Synapse nginx reverse proxy services.nginx.virtualHosts."${fqdn}" = { forceSSL = true; enableACME = true; 
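Review bot: Putting matrix-synapse into the three `mautrix-*` groups via `SupplementaryGroups` gives it group-level read access to everything group-readable under those state directories (the bridges' `config.json` with their tokens, session data, and so on), when the only thing it needs is the three registration files listed in `app_service_config_files`. The Dendrite block removed further down in this file handled exactly this with `loadCredential`, which scopes access to the named files and needs no group membership because systemd reads the source as root; the Synapse unit can do the same with `LoadCredential` and the fixed `/run/credentials/matrix-synapse.service/` paths, as below. Whether the bridges create their registration files with a group-readable mode is not visible here, so either way that should be checked rather than assumed. Separately, `allow_existing_users = true` lets an OIDC login attach to any pre-existing account whose localpart equals the IdP's `preferred_username`; with a fresh `matrix-synapse` database and `enable_registration = false` there is presumably nothing to link, so consider the default `false` unless accounts created out-of-band must be claimable through Authelia.
```nix
      # Appservice registrations for bridges, handed to Synapse as systemd credentials
      app_service_config_files = [
        "/run/credentials/matrix-synapse.service/whatsapp_registration"
        "/run/credentials/matrix-synapse.service/signal_registration"
        "/run/credentials/matrix-synapse.service/discord_registration"
      ];
    };
  };

  # Only the registration files are exposed to Synapse, read by systemd as root,
  # so no group membership in the bridge groups is needed.
  systemd.services.matrix-synapse.serviceConfig.LoadCredential = [
    "whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
    "signal_registration:/var/lib/mautrix-signal/signal-registration.yaml"
    "discord_registration:/var/lib/mautrix-discord/discord-registration.yaml"
  ];
```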
@@ -56,60 +136,28 @@ in { locations."/".extraConfig = '' return 404; ''; - locations."/_dendrite".proxyPass = "http://[::1]:8008"; locations."/_matrix".proxyPass = "http://[::1]:8008"; locations."/_synapse/client".proxyPass = "http://[::1]:8008"; }; + # + # Mautrix bridges + # - services.dendrite = { - enable = true; - settings = { - global = { - server_name = "cloonar.com"; - private_key = "$CREDENTIALS_DIRECTORY/private_key"; - database.connection_string = "postgresql:///dendrite?host=/run/postgresql"; - }; - client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; - app_service_api.config_files = [ - "$CREDENTIALS_DIRECTORY/whatsapp_registration" - "$CREDENTIALS_DIRECTORY/signal_registration" - "$CREDENTIALS_DIRECTORY/discord_registration" - ]; - app_service_api.database.connection_string = ""; - federation_api.database.connection_string = ""; - key_server.database.connection_string = ""; - relay_api.database.connection_string = ""; - media_api.database.connection_string = ""; - room_server.database.connection_string = ""; - sync_api.database.connection_string = ""; - user_api.account_database.connection_string = ""; - user_api.device_database.connection_string = ""; - mscs.database.connection_string = ""; - }; - loadCredential = [ - "private_key:${config.sops.secrets.dendrite-private-key.path}" - "whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml" - "signal_registration:/var/lib/mautrix-signal/signal-registration.yaml" - "discord_registration:/var/lib/mautrix-discord/discord-registration.yaml" - ]; - environmentFile = config.sops.secrets.matrix-shared-secret.path; - }; - + # WhatsApp bridge users.users.mautrix-whatsapp = { isSystemUser = true; group = "mautrix-whatsapp"; home = "/var/lib/mautrix-whatsapp"; description = "Mautrix-WhatsApp bridge user"; }; - users.groups.mautrix-whatsapp = {}; + systemd.services.mautrix-whatsapp = let dataDir = "/var/lib/mautrix-whatsapp"; registrationFile = 
"${dataDir}/whatsapp-registration.yaml"; settingsFile = "${dataDir}/config.json"; settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig; - settingsFormat = pkgs.formats.json {}; appservicePort = 29318; defaultConfig = { homeserver = { @@ -154,10 +202,9 @@ in { }; in { description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target"]; - after = ["network-online.target"]; + wants = ["network-online.target" "matrix-synapse.service"]; + after = ["network-online.target" "matrix-synapse.service"]; preStart = '' test -f '${settingsFile}' && rm -f '${settingsFile}' @@ -189,7 +236,6 @@ in { serviceConfig = { User = "mautrix-whatsapp"; Group = "mautrix-whatsapp"; - # EnvironmentFile = cfg.environmentFile; StateDirectory = baseNameOf dataDir; WorkingDirectory = dataDir; ExecStart = '' @@ -225,19 +271,19 @@ in { restartTriggers = [settingsFileUnsubstituted]; }; + # Signal bridge users.users.mautrix-signal = { isSystemUser = true; group = "mautrix-signal"; home = "/var/lib/mautrix-signal"; description = "Mautrix-Signal bridge user"; }; - users.groups.mautrix-signal = {}; + systemd.services.mautrix-signal = let pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") { config = { permittedInsecurePackages = [ - # needed for matrix "olm-3.2.16" ]; }; @@ -246,7 +292,6 @@ in { registrationFile = "${dataDir}/signal-registration.yaml"; settingsFile = "${dataDir}/config.json"; settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig; - settingsFormat = pkgs.formats.json {}; appservicePort = 29328; defaultConfig = { homeserver = { 
@@ -295,10 +340,9 @@ in { }; in { description = "Mautrix-Signal Service - A Signal bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target"]; - after = ["network-online.target"]; + wants = ["network-online.target" "matrix-synapse.service"]; + after = ["network-online.target" "matrix-synapse.service"]; preStart = '' test -f '${settingsFile}' && rm -f '${settingsFile}' @@ -331,7 +375,6 @@ in { serviceConfig = { User = "mautrix-signal"; Group = "mautrix-signal"; - # EnvironmentFile = cfg.environmentFile; StateDirectory = baseNameOf dataDir; WorkingDirectory = dataDir; ExecStart = '' @@ -367,20 +410,19 @@ in { restartTriggers = [settingsFileUnsubstituted]; }; - + # Discord bridge users.users.mautrix-discord = { isSystemUser = true; group = "mautrix-discord"; home = "/var/lib/mautrix-discord"; description = "Mautrix-Discord bridge user"; }; - users.groups.mautrix-discord = {}; + systemd.services.mautrix-discord = let pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") { config = { permittedInsecurePackages = [ - # needed for matrix "olm-3.2.16" ]; }; @@ -389,7 +431,6 @@ in { registrationFile = "${dataDir}/discord-registration.yaml"; settingsFile = "${dataDir}/config.json"; settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig; - settingsFormat = pkgs.formats.json {}; appservicePort = 29329; defaultConfig = { homeserver = { @@ -436,10 +477,9 @@ in { }; in { description = "Mautrix-Discord Service - A Discord bridge for Matrix"; - wantedBy = ["multi-user.target"]; - wants = ["network-online.target"]; - after = ["network-online.target"]; + wants = ["network-online.target" "matrix-synapse.service"]; + after = ["network-online.target" "matrix-synapse.service"]; preStart = '' test -f '${settingsFile}' && rm -f '${settingsFile}' 
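Review bot: The `# needed for matrix` justification above `"olm-3.2.16"` is removed, leaving a `permittedInsecurePackages` waiver with no recorded reason; nixpkgs flags olm because upstream is unmaintained and its cryptography is not constant-time, so the comment should state why the waiver is accepted and what retires it, e.g. `# olm-3.2.16 is marked insecure in nixpkgs (unmaintained, non-constant-time crypto); still linked by the pinned mautrix-discord build — drop the waiver when the bridge no longer needs it`. The same comment is deleted in the signal hunk above. The `fetchTarball` pin is unchanged here, but it carries no `sha256`, so evaluation trusts whatever that GitHub URL serves; adding the hash is a cheap integrity check for a package that is being granted an insecure-package exemption.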
@@ -472,7 +512,6 @@ in { serviceConfig = { User = "mautrix-discord"; Group = "mautrix-discord"; - # EnvironmentFile = cfg.environmentFile; StateDirectory = baseNameOf dataDir; WorkingDirectory = dataDir; ExecStart = '' @@ -506,4 +545,5 @@ in { }; restartTriggers = [settingsFileUnsubstituted]; }; + } diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix index f09fbc3..4661440 100644 --- a/hosts/nb/modules/desktop/default.nix +++ b/hosts/nb/modules/desktop/default.nix @@ -1,5 +1,20 @@ { config, pkgs, lib, ... }: let + sddmTheme = pkgs.where-is-my-sddm-theme.override { + themeConfig.General = { + showUsersByDefault = true; + background = "/nix/persist/system/wallpaper.png"; + backgroundFill = "#252525"; + backgroundFillMode = "Image.Pad"; + passwordInputWidth = 0.25; + passwordInputBackground = "#60ffffff"; + passwordFontSize = 28; + showSessionsByDefault = true; + sessionsFontSize = 24; + usersFontSize = 32; + }; + variants = ["qt5"]; + }; in { imports = [ ../sway/sway.nix @@ -23,21 +38,7 @@ in { openscad orca-slicer - (where-is-my-sddm-theme.override { - themeConfig.General = { - showUsersByDefault = true; - background = "/nix/persist/system/wallpaper.png"; - backgroundFill = "#252525"; - backgroundFillMode="Image.Pad"; - passwordInputWidth = 0.25; - passwordInputBackground = "#60ffffff"; - passwordFontSize = 28; - showSessionsByDefault = true; - sessionsFontSize=24; - usersFontSize=32; - }; - variants = ["qt5"]; - }) + sddmTheme dracula-theme foot @@ -86,6 +87,7 @@ in { enable = true; wayland.enable = true; theme = "where_is_my_sddm_theme_qt5"; + extraPackages = [ sddmTheme ]; }; xdg.portal = { diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix index 4f0d5d9..263e7b1 100644 --- a/hosts/web-arm/modules/authelia.nix +++ b/hosts/web-arm/modules/authelia.nix 
@@ -254,6 +254,21 @@ in { ]; userinfo_signing_algorithm = "none"; } + # { + # id = "synapse"; + # description = "Matrix Synapse homeserver"; + # secret = "$pbkdf2-sha512$310000$PLACEHOLDER_NEEDS_UPDATING$PLACEHOLDER_NEEDS_UPDATING"; + # public = false; + # authorization_policy = "one_factor"; + # redirect_uris = [ "https://matrix.cloonar.com/_synapse/client/oidc/callback" ]; + # consent_mode = "implicit"; + # scopes = [ + # "openid" + # "profile" + # "email" + # ]; + # userinfo_signing_algorithm = "none"; + # } ]; }; };
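Review bot: The Synapse side of this commit already enables `oidc_providers` with `client_id = "synapse"` against `https://auth.cloonar.com`, but this client is left commented out, so Authelia will reject the authorization request as an unknown client and Matrix SSO stays broken until the block is enabled; a `# TODO:` above it should say what unblocks it. Concretely, `secret` must be replaced by a hash such as one from `authelia crypto hash generate pbkdf2 --random`, whose plaintext goes into the `synapse-oidc-client-secret` sops secret on the fw host (Synapse reads it via `client_secret_path`), and `redirect_uris` must equal Synapse's `public_baseurl` plus `/_synapse/client/oidc/callback`, which I cannot confirm here because `baseUrl` is defined outside the visible hunks. `userinfo_signing_algorithm = "none"` appears to be required, since Synapse with `user_profile_method = "userinfo_endpoint"` parses the userinfo response as plain JSON; worth a one-line comment so it is not "hardened" to a signed response later.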