feat: Added matrix

home/apps/default.nix

@@ -32,6 +32,7 @@ lib.optionalAttrs device.hasGui {
     ./lmstudio.nix
     ./mpv.nix
     ./nextcloud.nix
+    ./matrix.nix
     ./obs-studio.nix
     ./orcaslicer.nix
     ./prismlauncher.nix

home/apps/matrix.nix

@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+  home.packages = [
+    pkgs.fluffychat
+  ];
+}

home/programs/default.nix

@@ -4,7 +4,25 @@
   ...
 }: {
   imports = [
+    # ./bluetui.nix
+    # ./goread.nix
+    # ./helix.nix
+    # ./magika.nix
+    # ./mpd.nix
+    # ./mpris-scrobbler.nix
+    # ./ncmpcpp.nix
+    # ./newsboat.nix
+    # ./nh.nix
+    # ./ryujinx.nix
+    # ./sxiv.nix
+    # ./tea.nix
+    # ./template.nix
+    # ./tuifeed.nix
+    # ./xh.nix
+    # ./zellij.nix
+
     ../../modules
+
     ./1password-cli.nix
     ./aichat.nix
     ./alejandra.nix
@@ -60,21 +78,5 @@
     ./yazi.nix
     ./yt-dlp.nix
     ./zoxide.nix
-    # ./bluetui.nix
-    # ./goread.nix
-    # ./helix.nix
-    # ./magika.nix
-    # ./mpd.nix
-    # ./mpris-scrobbler.nix
-    # ./ncmpcpp.nix
-    # ./newsboat.nix
-    # ./nh.nix
-    # ./ryujinx.nix
-    # ./sxiv.nix
-    # ./tea.nix
-    # ./template.nix
-    # ./tuifeed.nix
-    # ./xh.nix
-    # ./zellij.nix
   ];
 }

justfile

@@ -41,3 +41,5 @@ add program:
     alejandra fmt home/programs/{{program}}.nix home/programs/default.nix
     git add home/programs/{{program}}.nix 
 
+# add-secret secret:
+#     openssl rand -hex 32 | tr -d '\n' | jq -sR | sops set --value-stdin secrets/secrets.yaml {{secret}}

nixos/tako/services/excalidraw.nix

@@ -10,21 +10,20 @@
     };
   };
   services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
-    import auth
     reverse_proxy localhost:5959
   '';
-  services.authelia = {
+  # services.authelia = {
-    instances.darksailor = {
+  #   instances.darksailor = {
-      settings = {
+  #     settings = {
-        access_control = {
+  #       access_control = {
-          rules = [
+  #         rules = [
-            {
+  #           {
-              domain = "draw.darksailor.dev";
+  #             domain = "draw.darksailor.dev";
-              policy = "one_factor";
+  #             policy = "one_factor";
-            }
+  #           }
-          ];
+  #         ];
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
 }

nixos/tako/services/monitoring.nix

@@ -382,21 +382,21 @@ in {
   };
 
   # Docker cAdvisor for container metrics
-  virtualisation.oci-containers.containers.cadvisor = {
+  # virtualisation.oci-containers.containers.cadvisor = {
-    image = "gcr.io/cadvisor/cadvisor:v0.49.1";
+  #   image = "gcr.io/cadvisor/cadvisor:v0.49.1";
-    ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
+  #   ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
-    volumes = [
+  #   volumes = [
-      "/:/rootfs:ro"
+  #     "/:/rootfs:ro"
-      "/var/run:/var/run:ro"
+  #     "/var/run:/var/run:ro"
-      "/sys:/sys:ro"
+  #     "/sys:/sys:ro"
-      "/var/lib/docker/:/var/lib/docker:ro"
+  #     "/var/lib/docker/:/var/lib/docker:ro"
-      "/dev/disk/:/dev/disk:ro"
+  #     "/dev/disk/:/dev/disk:ro"
-    ];
+  #   ];
-    extraOptions = [
+  #   extraOptions = [
-      "--privileged"
+  #     "--privileged"
-      "--device=/dev/kmsg"
+  #     "--device=/dev/kmsg"
-    ];
+  #   ];
-  };
+  # };
 
   # Link dashboard files from Nix store to Grafana's expected location
   systemd.tmpfiles.rules = let

nixos/tako/services/tuwunel.nix

@@ -1,13 +1,140 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: let
+  port = 6167;
+  base_domain = "darksailor.dev";
+  client_id = "tuwunel";
+  elementConfig = builtins.toJSON {
+    default_server_config = {
+      "m.homeserver" = {
+        base_url = "https://matrix.${base_domain}";
+      };
+    };
+    sso_redirect_options = {
+      # immediate = false;
+      # on_welcome_page = true;
+      # on_login_page = true;
+    };
+  };
+  elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
+in {
+  sops = {
+    secrets."tuwunel/client_id" = {
+      owner = config.services.matrix-tuwunel.user;
+      group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
+      mode = "0440";
+    };
+    secrets."tuwunel/client_secret" = {
+      owner = config.services.matrix-tuwunel.user;
+      group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
+      mode = "0440";
+    };
+    secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
+  };
   services.matrix-tuwunel = {
     enable = true;
     settings.global = {
-      server_name = "darksailor.dev";
+      server_name = "${base_domain}";
-      unix_socket_path = "/var/run/tuwunel/tuwunel.sock";
+      address = ["127.0.0.1"];
+      port = [port];
+      allow_registration = true;
+      registration_token_file = config.sops.secrets."tuwunel/registration_token".path;
+      single_sso = true;
+      identity_provider = [
+        {
+          inherit client_id;
+          brand = "Authelia";
+          name = "Authelia";
+          default = true;
+          issuer_url = "https://auth.${base_domain}";
+          client_secret_file = config.sops.secrets."tuwunel/client_secret".path;
+          callback_url = "https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}";
+        }
+      ];
+    };
+    package = pkgs.matrix-tuwunel;
+  };
+  services.caddy.virtualHosts."matrix.${base_domain}, matrix.${base_domain}:8448".extraConfig = ''
+    reverse_proxy /_matrix/* localhost:${toString port}
+    handle_path /config.json {
+        root ${elementConfigFile}
+        file_server
+    }
+    root * ${pkgs.element-web}
+    file_server
+  '';
+
+  users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
+
+  services = {
+    authelia = {
+      instances.darksailor = {
+        settings = {
+          identity_providers = {
+            oidc = {
+              claims_policies = {
+                tuwunel = {
+                  id_token = [
+                    "email"
+                    "name"
+                    "groups"
+                    "preferred_username"
+                  ];
+                };
+              };
+              clients = [
+                {
+                  inherit client_id;
+                  client_name = "Matrix: Darksailor";
+                  client_secret = ''{{ secret "${config.sops.secrets."tuwunel/client_secret".path}" }}'';
+                  public = false;
+                  authorization_policy = "one_factor";
+                  require_pkce = false;
+                  # pkce_challenge_method = "S256";
+                  redirect_uris = [
+                    # "https://auth.${base_domain}/user/oauth2/authelia/callback"
+                    "https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${client_id}"
+                  ];
+                  scopes = [
+                    "email"
+                    "name"
+                    "groups"
+                    "preferred_username"
+                  ];
+                  response_types = ["code"];
+                  response_modes = ["form_post"];
+                  grant_types = ["refresh_token" "authorization_code"];
+                  userinfo_signed_response_alg = "none";
+                  token_endpoint_auth_method = "client_secret_post";
+                }
+              ];
+            };
+          };
+        };
+      };
     };
   };
-  services.caddy.virtualHosts."matrix.darksailor.dev".extraConfig = ''
-    reverse_proxy unix//var/run/tuwunel/tuwunel.sock
-  '';
-  users.users.caddy.extraGroups = ["tuwunel"];
 }
+# templates = {
+#   "tuwunel-auth.toml" = {
+#     content = ''
+#       [[global.identity_provider]]
+#       brand = "Authelia"
+#       name = "Authelia"
+#       default = true
+#       issuer_url = "https://auth.${base_domain}"
+#       client_id = "${config.sops.placeholder."tuwunel/client_id"}"
+#       client_secret = "${config.sops.placeholder."tuwunel/client_secret"}"
+#       callback_url = "https://matrix.${base_domain}/_matrix/client/v3/login/sso/redirect/${config.sops.placeholder."tuwunel/client_id"}"
+#     '';
+#     # callback_url = "https://auth.${base_domain}/_matrix/client/unstable/login/sso/callback/${config.sops.placeholder."tuwunel/client_id"}"
+#     owner = config.services.matrix-tuwunel.user;
+#     group = config.services.matrix-tuwunel.group;
+#   };
+# };
+# extraEnvironment = {
+#   CONDUIT_CONFIG = config.sops.templates."tuwunel-auth.toml".path;
+# };
+

secrets/secrets.yaml

@@ -83,6 +83,10 @@ nas:
 kellnr:
     token: ENC[AES256_GCM,data:te5psUTLr8+NLsliJAgz71j8AT3BUkJ8f0eGgnsRbbk2zF9fH3cCfZbry+mmxwvhmwL8ktNexaPUixatNDrWpA==,iv:Ao6Iqr3z8/3azo9H9lPUeVwto7nQMlMuAZp4Q9fIwJE=,tag:r2FXoxgrvlaCnQlngg12qg==,type:str]
     password: ENC[AES256_GCM,data:OZkfHckKHu/EM6+PquknU+aKmyyFw5o25ZENqNGc0d/vYiNBo4FBdCZwj1W0efo43+hTgsxVj7QCDSxFgROdOg==,iv:2G3fy5dIufL7tXEgRaOGBFNaVoKbfKqcFnRiZN1I1F4=,tag:iyHQD5oXy44tL18W7Fw35g==,type:str]
+tuwunel:
+    client_id: ENC[AES256_GCM,data:25wSM5POfSJTmAaP/3vVqqbqa46vF21hZgCuJ1qfh8pHl8K6fMLdd0Q4GeVH1tgsBHKY0zStqYIc/RIgmerSVw==,iv:tWCw4jWymrSWR+xj37Bt7Qx60bRhpWQ+UEZ2dDJRGQo=,tag:PBa/P66bWexmlUEIaCtEKw==,type:str]
+    client_secret: ENC[AES256_GCM,data:cH/zkBj46u/07XiSd/4DsLYImkQwxNT8jQDjOuESi5dED6KEXwCjNNPzVvQuEuM7r4enZeIfb3cQztcxQJwTSA==,iv:eD5DKLUvTaK0ce1MJCLJHEl44hwtKx8rQ93eohqcUNE=,tag:FkkYHjAOaEu2gs8v7+EVgA==,type:str]
+    registration_token: ENC[AES256_GCM,data:A0Wd9DTruGnCoPosKUHrd3AgN3T9JbkW/6fTJyzcryV0COqLSjOqCD4W2PXPwnk83MFeQ84RpJ3J4tuvYv2JuQ==,iv:7JIQUwfeEN03N0F35z6VipN66DpErqnY6aQrLznnw8g=,tag:RF2gB8kVKT3ioPVVRyj4aQ==,type:str]
 sops:
     age:
         - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
@@ -94,7 +98,7 @@ sops:
             VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
             ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-01T23:10:21Z"
+    lastmodified: "2026-02-10T14:49:29Z"
-    mac: ENC[AES256_GCM,data:mwhesovdna7rekGUtT2AbM9ihGlX2hv3TjXMd894YyptHe/N5crPne+E2ti3O7yOIZhMIC4j09AeIRxEgi7Ygob0fpoH8LmbYul8JtcTwZYCFhs2f3RIMNcOSW358eZa4HK6UIx8i+nvSKXJEikep3rIYQlmhOwEXwP6Ltsls2s=,iv:mt6ZMfuOxjfg9gGPm4C1sNaXPUbanpdktNBplhiyTLU=,tag:qZMPp3RyLwfcgD9n44o24g==,type:str]
+    mac: ENC[AES256_GCM,data:ua8maqTc3KkkNni+fNnQLqP4PwRVVh5FuUjsAN5+w+ad3sD/+QunnAkHAMKUajAlwXKS/PIAqz6p0iwSn80ip3yXxMZPRG134+q729m5rwkGcV4FzyR2wIYVP5vRbZEMuMbfomMMjUyJk/Gsg4CY8iecgvvoMkWvK2INSH07TcE=,iv:GiyicPX4YAZAXuKXxJskuJyzi8ukQ/vv2aOncKf/Qew=,tag:tAmz6F6WMMzLLYmBlsrxvQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0