From ddb53d879e21b819cebeeac1ad58f12ed0fdeb74 Mon Sep 17 00:00:00 2001
From: servius
Date: Tue, 10 Feb 2026 22:25:37 +0530
Subject: [PATCH] feat: Added matrix
---
 home/apps/default.nix | 1 +
 home/apps/matrix.nix | 5 +
 home/programs/default.nix | 34 +++----
 justfile | 2 +
 nixos/tako/services/excalidraw.nix | 29 +++---
 nixos/tako/services/monitoring.nix | 30 +++---
 nixos/tako/services/tuwunel.nix | 141 +++++++++++++++++++++++++++--
 secrets/secrets.yaml | 8 +-
 8 files changed, 195 insertions(+), 55 deletions(-)
 create mode 100644 home/apps/matrix.nix
diff --git a/home/apps/default.nix b/home/apps/default.nix
index 0ca90f01..96ab2108 100644
--- a/home/apps/default.nix
+++ b/home/apps/default.nix
@@ -32,6 +32,7 @@ lib.optionalAttrs device.hasGui {
 ./lmstudio.nix
 ./mpv.nix
 ./nextcloud.nix
+ ./matrix.nix
 ./obs-studio.nix
 ./orcaslicer.nix
 ./prismlauncher.nix
diff --git a/home/apps/matrix.nix b/home/apps/matrix.nix
new file mode 100644
index 00000000..be590ef9
--- /dev/null
+++ b/home/apps/matrix.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ home.packages = [
+ pkgs.fluffychat
+ ];
+}
diff --git a/home/programs/default.nix b/home/programs/default.nix
index 4b49cfc1..8bb87dec 100644
--- a/home/programs/default.nix
+++ b/home/programs/default.nix
@@ -4,7 +4,25 @@
 ...
 }: {
 imports = [
+ # ./bluetui.nix
+ # ./goread.nix
+ # ./helix.nix
+ # ./magika.nix
+ # ./mpd.nix
+ # ./mpris-scrobbler.nix
+ # ./ncmpcpp.nix
+ # ./newsboat.nix
+ # ./nh.nix
+ # ./ryujinx.nix
+ # ./sxiv.nix
+ # ./tea.nix
+ # ./template.nix
+ # ./tuifeed.nix
+ # ./xh.nix
+ # ./zellij.nix
+ ../../modules + ./1password-cli.nix
 ./aichat.nix
 ./alejandra.nix
@@ -60,21 +78,5 @@
 ./yazi.nix
 ./yt-dlp.nix
 ./zoxide.nix
- # ./bluetui.nix
- # ./goread.nix
- # ./helix.nix
- # ./magika.nix
- # ./mpd.nix
- # ./mpris-scrobbler.nix
- # ./ncmpcpp.nix
- # ./newsboat.nix
- # ./nh.nix
- # ./ryujinx.nix
- # ./sxiv.nix
- # ./tea.nix
- # ./template.nix
- # ./tuifeed.nix
- # ./xh.nix
- # ./zellij.nix
 ];
 }
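Review bot: `./matrix.nix` is inserted after `./nextcloud.nix`, which breaks the otherwise alphabetical ordering of this import list (`lmstudio`, `mpv`, `nextcloud`, `obs-studio`, …); it belongs between `./lmstudio.nix` and `./mpv.nix`. Keeping the list sorted makes later additions and merge conflicts easier to spot.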
diff --git a/justfile b/justfile
index 0a19f335..e695b408 100644
--- a/justfile
+++ b/justfile
@@ -41,3 +41,5 @@ add program:
 alejandra fmt home/programs/{{program}}.nix home/programs/default.nix
 git add home/programs/{{program}}.nix
+# add-secret secret:
+# openssl rand -hex 32 | tr -d '\n' | jq -sR | sops set --value-stdin secrets/secrets.yaml {{secret}}
diff --git a/nixos/tako/services/excalidraw.nix b/nixos/tako/services/excalidraw.nix
index 08fb46fd..506ccc74 100644
--- a/nixos/tako/services/excalidraw.nix
+++ b/nixos/tako/services/excalidraw.nix
@@ -10,21 +10,20 @@
 };
 };
 services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
- import auth
 reverse_proxy localhost:5959
 '';
- services.authelia = {
- instances.darksailor = {
- settings = {
- access_control = {
- rules = [
- {
- domain = "draw.darksailor.dev";
- policy = "one_factor";
- }
- ];
- };
- };
- };
- };
+ # services.authelia = {
+ # instances.darksailor = {
+ # settings = {
+ # access_control = {
+ # rules = [
+ # {
+ # domain = "draw.darksailor.dev";
+ # policy = "one_factor";
+ # }
+ # ];
+ # };
+ # };
+ # };
+ # };
 }
diff --git a/nixos/tako/services/monitoring.nix b/nixos/tako/services/monitoring.nix
index 085c49d1..cfb3843e 100644
--- a/nixos/tako/services/monitoring.nix
+++ b/nixos/tako/services/monitoring.nix
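Review bot: Dropping `import auth` from the `draw.darksailor.dev` virtual host and commenting out the Authelia `access_control` rule for that domain makes the Excalidraw instance reachable without authentication, and neither the commit message (`feat: Added matrix`) nor a comment says why. If that is intended, a comment above the virtual host such as `# deliberately unauthenticated: <reason>` would record the decision; if not, restore `import auth` and the rule. The `auth` snippet's definition is not in this patch, so I am assuming it is the Authelia forward-auth import. Commenting the block out rather than deleting it also leaves dead configuration behind that git history already preserves.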
@@ -382,21 +382,21 @@ in {
 };
 # Docker cAdvisor for container metrics
- virtualisation.oci-containers.containers.cadvisor = {
- image = "gcr.io/cadvisor/cadvisor:v0.49.1";
- ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
- volumes = [
- "/:/rootfs:ro"
- "/var/run:/var/run:ro"
- "/sys:/sys:ro"
- "/var/lib/docker/:/var/lib/docker:ro"
- "/dev/disk/:/dev/disk:ro"
- ];
- extraOptions = [
- "--privileged"
- "--device=/dev/kmsg"
- ];
- };
+ # virtualisation.oci-containers.containers.cadvisor = {
+ # image = "gcr.io/cadvisor/cadvisor:v0.49.1";
+ # ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
+ # volumes = [
+ # "/:/rootfs:ro"
+ # "/var/run:/var/run:ro"
+ # "/sys:/sys:ro"
+ # "/var/lib/docker/:/var/lib/docker:ro"
+ # "/dev/disk/:/dev/disk:ro"
+ # ];
+ # extraOptions = [
+ # "--privileged"
+ # "--device=/dev/kmsg"
+ # ];
+ # };
 # Link dashboard files from Nix store to Grafana's expected location
 systemd.tmpfiles.rules = let
diff --git a/nixos/tako/services/tuwunel.nix b/nixos/tako/services/tuwunel.nix
index fab9f0fa..e5d30231 100644
--- a/nixos/tako/services/tuwunel.nix
+++ b/nixos/tako/services/tuwunel.nix
@@ -1,13 +1,140 @@
-{config, ...}: {
+{
+ config,
+ pkgs,
+ ...
+}: let
+ port = 6167;
+ base_domain = "darksailor.dev";
+ client_id = "tuwunel";
+ elementConfig = builtins.toJSON {
+ default_server_config = {
+ "m.homeserver" = {
+ base_url = "https://matrix.${base_domain}";
+ };
+ };
+ sso_redirect_options = {
+ # immediate = false;
+ # on_welcome_page = true;
+ # on_login_page = true;
+ };
+ };
+ elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
+in {
+ sops = {
+ secrets."tuwunel/client_id" = {
+ owner = config.services.matrix-tuwunel.user;
+ group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
+ mode = "0440";
+ };
+ secrets."tuwunel/client_secret" = {
+ owner = config.services.matrix-tuwunel.user;
+ group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
+ mode = "0440";
+ };
+ secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
+ };
 services.matrix-tuwunel = {
 enable = true;
 settings.global = {
- server_name = "darksailor.dev";
- unix_socket_path = "/var/run/tuwunel/tuwunel.sock";
+ server_name = "${base_domain}";
+ address = ["127.0.0.1"];
+ port = [port];
+ allow_registration = true;
+ registration_token_file = config.sops.secrets."tuwunel/registration_token".path;
+ single_sso = true;
+ identity_provider = [
+ {
+ inherit client_id;
+ brand = "Authelia";
+ name = "Authelia";
+ default = true;
+ issuer_url = "https://auth.${base_domain}";
+ client_secret_file = config.sops.secrets."tuwunel/client_secret".path;
+ callback_url = "https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}";
+ }
+ ];
+ };
+ package = pkgs.matrix-tuwunel;
+ };
+ services.caddy.virtualHosts."matrix.${base_domain}, matrix.${base_domain}:8448".extraConfig = ''
+ reverse_proxy /_matrix/* localhost:${toString port}
+ handle_path /config.json {
+ root ${elementConfigFile}
+ file_server
+ }
+ root * ${pkgs.element-web}
+ file_server
+ '';
+
+ users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
+
+ services = {
+ authelia = {
+ instances.darksailor = {
+ settings = {
+ identity_providers = {
+ oidc = {
+ claims_policies = {
+ tuwunel = {
+ id_token = [
+ "email"
+ "name"
+ "groups"
+ "preferred_username"
+ ];
+ };
+ };
+ clients = [
+ {
+ inherit client_id;
+ client_name = "Matrix: Darksailor";
+ client_secret = ''{{ secret "${config.sops.secrets."tuwunel/client_secret".path}" }}'';
+ public = false;
+ authorization_policy = "one_factor";
+ require_pkce = false;
+ # pkce_challenge_method = "S256";
+ redirect_uris = [
+ # "https://auth.${base_domain}/user/oauth2/authelia/callback"
+ "https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${client_id}"
+ ];
+ scopes = [
+ "email"
+ "name"
+ "groups"
+ "preferred_username"
+ ];
+ response_types = ["code"];
+ response_modes = ["form_post"];
+ grant_types = ["refresh_token" "authorization_code"];
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_post";
+ }
+ ];
+ };
+ };
+ };
+ };
 };
 };
- services.caddy.virtualHosts."matrix.darksailor.dev".extraConfig = ''
- reverse_proxy unix//var/run/tuwunel/tuwunel.sock
- '';
- users.users.caddy.extraGroups = ["tuwunel"];
 }
+# templates = {
+# "tuwunel-auth.toml" = {
+# content = ''
+# [[global.identity_provider]]
+# brand = "Authelia"
+# name = "Authelia"
+# default = true
+# issuer_url = "https://auth.${base_domain}"
+# client_id = "${config.sops.placeholder."tuwunel/client_id"}"
+# client_secret = "${config.sops.placeholder."tuwunel/client_secret"}"
+# callback_url = "https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${config.sops.placeholder."tuwunel/client_id"}"
+# '';
+# # callback_url = "https://auth.${base_domain}/_matrix/client/unstable/login/sso/callback/${config.sops.placeholder."tuwunel/client_id"}"
+# owner = config.services.matrix-tuwunel.user;
+# group = config.services.matrix-tuwunel.group;
+# };
+# };
+# extraEnvironment = {
+# CONDUIT_CONFIG = config.sops.templates."tuwunel-auth.toml".path;
+# };
+
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d8db29f7..bcaf041d 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -83,6 +83,10 @@ nas:
 kellnr:
 token: ENC[AES256_GCM,data:te5psUTLr8+NLsliJAgz71j8AT3BUkJ8f0eGgnsRbbk2zF9fH3cCfZbry+mmxwvhmwL8ktNexaPUixatNDrWpA==,iv:Ao6Iqr3z8/3azo9H9lPUeVwto7nQMlMuAZp4Q9fIwJE=,tag:r2FXoxgrvlaCnQlngg12qg==,type:str]
 password: ENC[AES256_GCM,data:OZkfHckKHu/EM6+PquknU+aKmyyFw5o25ZENqNGc0d/vYiNBo4FBdCZwj1W0efo43+hTgsxVj7QCDSxFgROdOg==,iv:2G3fy5dIufL7tXEgRaOGBFNaVoKbfKqcFnRiZN1I1F4=,tag:iyHQD5oXy44tL18W7Fw35g==,type:str]
+tuwunel:
+ client_id: ENC[AES256_GCM,data:25wSM5POfSJTmAaP/3vVqqbqa46vF21hZgCuJ1qfh8pHl8K6fMLdd0Q4GeVH1tgsBHKY0zStqYIc/RIgmerSVw==,iv:tWCw4jWymrSWR+xj37Bt7Qx60bRhpWQ+UEZ2dDJRGQo=,tag:PBa/P66bWexmlUEIaCtEKw==,type:str]
+ client_secret: ENC[AES256_GCM,data:cH/zkBj46u/07XiSd/4DsLYImkQwxNT8jQDjOuESi5dED6KEXwCjNNPzVvQuEuM7r4enZeIfb3cQztcxQJwTSA==,iv:eD5DKLUvTaK0ce1MJCLJHEl44hwtKx8rQ93eohqcUNE=,tag:FkkYHjAOaEu2gs8v7+EVgA==,type:str]
+ registration_token: ENC[AES256_GCM,data:A0Wd9DTruGnCoPosKUHrd3AgN3T9JbkW/6fTJyzcryV0COqLSjOqCD4W2PXPwnk83MFeQ84RpJ3J4tuvYv2JuQ==,iv:7JIQUwfeEN03N0F35z6VipN66DpErqnY6aQrLznnw8g=,tag:RF2gB8kVKT3ioPVVRyj4aQ==,type:str]
 sops:
 age:
 - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
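Review bot: The redirect URI registered in Authelia does not match the one tuwunel is configured to send: `callback_url` under `settings.global.identity_provider` ends in `/_matrix/client/unstable/login/sso/callback/${client_id}`, while `redirect_uris` in the Authelia client ends in `/_matrix/client/v3/login/sso/redirect/${client_id}`. Authelia compares `redirect_uri` exactly, so if tuwunel presents its `callback_url` the authorization request will be refused; defining a single `callback_url` in the `let` block and referencing it in both places removes the drift (which of the two paths this tuwunel version actually uses should be confirmed against its documentation). `sops.secrets."tuwunel/client_id"` is declared, and made readable by Authelia's group via `mode = "0440"`, but is never referenced, because `client_id` is the literal `"tuwunel"` from the `let`; either use it or drop the declaration. `require_pkce = false;` with `# pkce_challenge_method = "S256";` commented out disables PKCE for this confidential client; if tuwunel's OIDC login supports it, `require_pkce = true; pkce_challenge_method = "S256";` is cheap hardening, otherwise a comment recording why it is off would help the next reader. In the Caddy block, `root ${elementConfigFile}` points `root` at a single store file produced by `pkgs.writeText`, whereas Caddy's `root` names a directory, so `/config.json` probably is not served as written — worth verifying, and `pkgs.writeTextDir "config.json" elementConfig` would give a directory to point at.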
@@ -94,7 +98,7 @@ sops:
 VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
 ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-01T23:10:21Z"
- mac: ENC[AES256_GCM,data:mwhesovdna7rekGUtT2AbM9ihGlX2hv3TjXMd894YyptHe/N5crPne+E2ti3O7yOIZhMIC4j09AeIRxEgi7Ygob0fpoH8LmbYul8JtcTwZYCFhs2f3RIMNcOSW358eZa4HK6UIx8i+nvSKXJEikep3rIYQlmhOwEXwP6Ltsls2s=,iv:mt6ZMfuOxjfg9gGPm4C1sNaXPUbanpdktNBplhiyTLU=,tag:qZMPp3RyLwfcgD9n44o24g==,type:str]
+ lastmodified: "2026-02-10T14:49:29Z"
+ mac: ENC[AES256_GCM,data:ua8maqTc3KkkNni+fNnQLqP4PwRVVh5FuUjsAN5+w+ad3sD/+QunnAkHAMKUajAlwXKS/PIAqz6p0iwSn80ip3yXxMZPRG134+q729m5rwkGcV4FzyR2wIYVP5vRbZEMuMbfomMMjUyJk/Gsg4CY8iecgvvoMkWvK2INSH07TcE=,iv:GiyicPX4YAZAXuKXxJskuJyzi8ukQ/vv2aOncKf/Qew=,tag:tAmz6F6WMMzLLYmBlsrxvQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0