feat: add coturn to matrix

hosts/fw/modules/web/matrix.nix

@@ -28,6 +28,8 @@ let
       endpoint: "http://127.0.0.1:8081"
       secret_path: ${config.sops.secrets.mas-matrix-secret-synapse.path}
   '';
+
+  synapseVoipConfig = "/run/matrix-synapse/voip-config.yaml";
 in {
   # Secrets for MAS
   sops.secrets.mas-encryption-key = { owner = "mas"; };
@@ -40,6 +42,12 @@ in {
     key = "mas-matrix-secret";
   };
 
+  # TURN shared secret (for Synapse VoIP config)
+  sops.secrets.coturn-static-secret = {
+    sopsFile = ./secrets.yaml;
+    owner = "matrix-synapse";
+  };
+
   sops.secrets.mautrix-whatsapp-env = { };
   sops.secrets.mautrix-signal-env = { };
   sops.secrets.mautrix-discord-env = { };
@@ -177,7 +185,7 @@ in {
   # Synapse homeserver
   services.matrix-synapse = {
     enable = true;
-    extraConfigFiles = [ "${synapseMasConfig}" ];
+    extraConfigFiles = [ "${synapseMasConfig}" synapseVoipConfig ];
     settings = {
       server_name = "cloonar.com";
       public_baseurl = baseUrl;
@@ -224,6 +232,19 @@ in {
   systemd.services.matrix-synapse.after = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.wants = [ "matrix-authentication-service.service" ];
   systemd.services.matrix-synapse.serviceConfig.PrivateUsers = lib.mkForce false;
+  systemd.services.matrix-synapse.preStart = lib.mkAfter ''
+    install -m 0600 -o matrix-synapse /dev/null ${synapseVoipConfig}
+    TURN_SECRET=$(cat ${config.sops.secrets.coturn-static-secret.path})
+    cat > ${synapseVoipConfig} <<EOF
+    turn_uris:
+      - "turns:turn.cloonar.com?transport=udp"
+      - "turns:turn.cloonar.com?transport=tcp"
+      - "turn:turn.cloonar.com?transport=udp"
+      - "turn:turn.cloonar.com?transport=tcp"
+    turn_shared_secret: "$TURN_SECRET"
+    turn_user_lifetime: 86400000
+    EOF
+  '';
 
   # Element Web client
   services.nginx.virtualHosts."element.cloonar.com" = {
@@ -378,9 +399,18 @@ in {
         permissions."cloonar.com" = "user";
         relay.enabled = true;
       };
-      # Override dummy token defaults so env var substitution writes real tokens
-      # into the config and registration file (module defaults are placeholder strings)
+      # Override token defaults so env var substitution writes real tokens.
+      # Must include database/address/port since setting appservice replaces the whole default.
       appservice = {
+        address = "http://localhost:29334";
+        hostname = "0.0.0.0";
+        port = 29334;
+        database = {
+          type = "sqlite3";
+          uri = "file:/var/lib/mautrix-discord/mautrix-discord.db?_txlock=immediate";
+        };
+        id = "discord";
+        bot.username = "discordbot";
         as_token = "$MAUTRIX_DISCORD_AS_TOKEN";
         hs_token = "$MAUTRIX_DISCORD_HS_TOKEN";
       };
@@ -394,14 +424,14 @@ in {
     };
   };
 
-  # Mattermost bridge
+  # Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
   services.mautrix-mattermost = {
     enable = true;
     registerToSynapse = true;
     environmentFile = config.sops.secrets.mautrix-mattermost-env.path;
     settings = {
       homeserver = {
-        address = "http://[::1]:8008";
+        address = "http://127.0.0.1:8009";
         domain = "cloonar.com";
       };
       bridge = {
@@ -411,6 +441,13 @@ in {
         relay.enabled = true;
       };
       appservice = {
+        address = "http://localhost:29335";
+        hostname = "0.0.0.0";
+        port = 29335;
+        id = "mattermost";
+        bot.username = "mattermostbot";
+        ephemeral_events = true;
+        username_template = "mattermost_{{.}}";
         as_token = "$MAUTRIX_MATTERMOST_AS_TOKEN";
         hs_token = "$MAUTRIX_MATTERMOST_HS_TOKEN";
       };
@@ -419,6 +456,7 @@ in {
         default = true;
         require = true;
         pickle_key = "$MAUTRIX_MATTERMOST_PICKLE_KEY";
+        msc4190 = true;
       };
     };
   };