servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Matrix server fix
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Servius
2026-02-11 03:55:29 +05:30
parent 66b7a31943
commit 3a97de6af2
7 changed files with 64 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
nixos/tako/services/matrix/tuwunel.nix Normal file
View File

@@ -0,0 +1,131 @@
{
config,
pkgs,
...
}: let
port = 6167;
base_domain = "darksailor.dev";
client_id = "tuwunel";
elementConfig = builtins.toJSON {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${base_domain}";
};
};
sso_redirect_options = {
immediate = false;
on_welcome_page = true;
on_login_page = true;
};
};
elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
in {
sops = {
secrets."tuwunel/client_id" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/client_secret" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
};
services.matrix-tuwunel = {
enable = true;
settings.global = {
server_name = "${base_domain}";
address = ["127.0.0.1"];
port = [port];
allow_registration = true;
registration_token_file = config.sops.secrets."tuwunel/registration_token".path;
single_sso = true;
identity_provider = [
{
inherit client_id;
brand = "Authelia";
name = "Authelia";
default = true;
issuer_url = "https://auth.${base_domain}";
client_secret_file = config.sops.secrets."tuwunel/client_secret".path;
callback_url = "https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}";
}
];
well_known = {
client = "https://matrix.${base_domain}";
server = "matrix.${base_domain}:443";
};
};
package = pkgs.matrix-tuwunel;
};
services.caddy.virtualHosts = {
"matrix.${base_domain}".extraConfig = ''
reverse_proxy /_matrix/* localhost:${toString port}
handle_path /config.json {
file_server
root ${elementConfigFile}
}
root * ${pkgs.element-web}
file_server
'';
"${base_domain}".extraConfig = ''
reverse_proxy /.well-known/* localhost:${toString port}
'';
# "matrix.${base_domain}:8448".extraConfig = ''
# reverse_proxy /_matrix/* localhost:${toString port}
# '';
};
networking.firewall.allowedTCPPorts = [8448];
users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
services = {
authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
claims_policies = {
tuwunel = {
id_token = [
"email"
"name"
"groups"
"preferred_username"
];
};
};
clients = [
{
inherit client_id;
client_name = "Matrix: Darksailor";
client_secret = ''{{ secret "${config.sops.secrets."tuwunel/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
# pkce_challenge_method = "S256";
redirect_uris = [
"https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}"
];
scopes = [
"openid"
"groups"
"email"
"profile"
];
response_types = ["code"];
response_modes = ["form_post"];
grant_types = ["refresh_token" "authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
};
}