servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Added matrix

Browse Source
This commit is contained in:
Servius
2026-02-10 22:25:37 +05:30
parent e403e47c28
commit ddb53d879e
8 changed files with 195 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
nixos/tako/services/excalidraw.nix
View File

@@ -10,21 +10,20 @@
};
};
services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:5959
'';
services.authelia = {
instances.darksailor = {
settings = {
access_control = {
rules = [
{
domain = "draw.darksailor.dev";
policy = "one_factor";
}
];
};
};
};
};
# services.authelia = {
# instances.darksailor = {
# settings = {
# access_control = {
# rules = [
# {
# domain = "draw.darksailor.dev";
# policy = "one_factor";
# }
# ];
# };
# };
# };
# };
}

30
nixos/tako/services/monitoring.nix
View File

@@ -382,21 +382,21 @@ in {
};
# Docker cAdvisor for container metrics
virtualisation.oci-containers.containers.cadvisor = {
image = "gcr.io/cadvisor/cadvisor:v0.49.1";
ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
volumes = [
"/:/rootfs:ro"
"/var/run:/var/run:ro"
"/sys:/sys:ro"
"/var/lib/docker/:/var/lib/docker:ro"
"/dev/disk/:/dev/disk:ro"
];
extraOptions = [
"--privileged"
"--device=/dev/kmsg"
];
};
# virtualisation.oci-containers.containers.cadvisor = {
# image = "gcr.io/cadvisor/cadvisor:v0.49.1";
# ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
# volumes = [
# "/:/rootfs:ro"
# "/var/run:/var/run:ro"
# "/sys:/sys:ro"
# "/var/lib/docker/:/var/lib/docker:ro"
# "/dev/disk/:/dev/disk:ro"
# ];
# extraOptions = [
# "--privileged"
# "--device=/dev/kmsg"
# ];
# };
# Link dashboard files from Nix store to Grafana's expected location
systemd.tmpfiles.rules = let

141
nixos/tako/services/tuwunel.nix
View File

@@ -1,13 +1,140 @@
{config, ...}: {
{
config,
pkgs,
...
}: let
port = 6167;
base_domain = "darksailor.dev";
client_id = "tuwunel";
elementConfig = builtins.toJSON {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${base_domain}";
};
};
sso_redirect_options = {
# immediate = false;
# on_welcome_page = true;
# on_login_page = true;
};
};
elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
in {
sops = {
secrets."tuwunel/client_id" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/client_secret" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
};
services.matrix-tuwunel = {
enable = true;
settings.global = {
server_name = "darksailor.dev";
unix_socket_path = "/var/run/tuwunel/tuwunel.sock";
server_name = "${base_domain}";
address = ["127.0.0.1"];
port = [port];
allow_registration = true;
registration_token_file = config.sops.secrets."tuwunel/registration_token".path;
single_sso = true;
identity_provider = [
{
inherit client_id;
brand = "Authelia";
name = "Authelia";
default = true;
issuer_url = "https://auth.${base_domain}";
client_secret_file = config.sops.secrets."tuwunel/client_secret".path;
callback_url = "https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}";
}
];
};
package = pkgs.matrix-tuwunel;
};
services.caddy.virtualHosts."matrix.${base_domain}, matrix.${base_domain}:8448".extraConfig = ''
reverse_proxy /_matrix/* localhost:${toString port}
handle_path /config.json {
root ${elementConfigFile}
file_server
}
root * ${pkgs.element-web}
file_server
'';
users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
services = {
authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
claims_policies = {
tuwunel = {
id_token = [
"email"
"name"
"groups"
"preferred_username"
];
};
};
clients = [
{
inherit client_id;
client_name = "Matrix: Darksailor";
client_secret = ''{{ secret "${config.sops.secrets."tuwunel/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
# pkce_challenge_method = "S256";
redirect_uris = [
# "https://auth.${base_domain}/user/oauth2/authelia/callback"
"https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${client_id}"
];
scopes = [
"email"
"name"
"groups"
"preferred_username"
];
response_types = ["code"];
response_modes = ["form_post"];
grant_types = ["refresh_token" "authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
};
services.caddy.virtualHosts."matrix.darksailor.dev".extraConfig = ''
reverse_proxy unix//var/run/tuwunel/tuwunel.sock
'';
users.users.caddy.extraGroups = ["tuwunel"];
}
# templates = {
# "tuwunel-auth.toml" = {
# content = ''
# [[global.identity_provider]]
# brand = "Authelia"
# name = "Authelia"
# default = true
# issuer_url = "https://auth.${base_domain}"
# client_id = "${config.sops.placeholder."tuwunel/client_id"}"
# client_secret = "${config.sops.placeholder."tuwunel/client_secret"}"
# callback_url = "https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${config.sops.placeholder."tuwunel/client_id"}"
# '';
# # callback_url = "https://auth.${base_domain}/_matrix/client/unstable/login/sso/callback/${config.sops.placeholder."tuwunel/client_id"}"
# owner = config.services.matrix-tuwunel.user;
# group = config.services.matrix-tuwunel.group;
# };
# };
# extraEnvironment = {
# CONDUIT_CONFIG = config.sops.templates."tuwunel-auth.toml".path;
# };