Add matrix (tuwunel) to nimbus

2026-03-26 11:56:00 +01:00 · 2026-03-26 11:56:00 +01:00 · f3bb93c783
commit f3bb93c783
parent 6413bbefba
5 changed files with 67 additions and 1 deletions
--- a/modules/home-manager/shell/default.nix
+++ b/modules/home-manager/shell/default.nix
@ -7,7 +7,8 @@

  home = {
    shellAliases = {
-      "deploy" = "ssh -t galanthus 'cd ~/.config/nix; git pull --rebase; nh os switch'";
+      "deploy-galanthus" = "ssh -t galanthus 'cd ~/.config/nix; git pull --rebase; nh os switch'";
+      "deploy-nimbus" = "ssh -t nimbus 'cd ~/.config/nix; git pull --rebase; nh os switch'";
      "mv" = "mv -i";
      "rm" = "trash";
      "zz" = "z -";
--- a/modules/nixos/matrix.nix
+++ b/modules/nixos/matrix.nix
@ -0,0 +1,52 @@
+{ config, ... }:
+{
+  age.secrets."matrix-registration-token" = {
+    file = ../secrets/matrix-registration-token.age;
+    mode = "400";
+    owner = "tuwunel";
+  };
+
+  services.matrix-tuwunel = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "jankremer.de";
+        allow_registration = true;
+        registration_token_file = config.age.secrets.matrix-registration-token.path;
+        # trusted_servers = [ "matrix.org" ];
+      };
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    ## Matrix federation
+    virtualHosts = {
+      "jankremer.de:8448" = {
+        extraConfig = ''
+          reverse_proxy localhost:6167
+        '';
+      };
+      "jankremer.de" = {
+        extraConfig = ''
+          handle /_matrix/* {
+            reverse_proxy localhost:6167
+          }
+
+          handle /.well-known/matrix/server {
+            respond `{"m.server": "jankremer.de:443"}` 200 {
+              header Content-Type application/json
+            }
+          }
+
+          handle /.well-known/matrix/client {
+            respond `{"m.homeserver": {"base_url": "https://jankremer.de"}}` 200 {
+              header Content-Type application/json
+              header Access-Control-Allow-Origin *
+            }
+          }
+        '';
+      };
+    };
+  };
+}
--- a/modules/secrets/matrix-registration-token.age
+++ b/modules/secrets/matrix-registration-token.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 2otpcg EZB4DtzCNS9CjhdskX5T3RpQ5VXcDtBiVPpaPEnRWiE
+dtjqqiPhYTmaFXc+hvHPtXSaltZThE7kwUyBnnTsJr0
+-> ssh-ed25519 40YjXQ tRUAvVqdiNcjzynjfKoQtKsMFcHecd7VKbviG8A+1xI
+5mfrrAei2T5s80oJ/Bu8Tv2G2mrp9CkvWEzlZCeEW58
+-> ssh-ed25519 wbs2Dw h1EZVsV7E0P1UmXfI9dDP5TOdBuxIzSUzOi4EhQw+Qw
+DcjKABIqchtmu93tCmqtpngOmVgkknduayG7KXIurtU
+--- XlEECZrSdZxm+B0uMH9WgR/QXnRi+ZWXJzS1n0G/vhM
+Â}™&w^¬ öÀ-ÿ18Æ}6 †²rw?ÎÔW‚©¸HcM±¥,D‡P:ùfà'Ëw
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -1,13 +1,16 @@
 let
  malus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTpgedzJ7vs3GMOjUeQGkAzGhNZRhvMMz9Z1whaWieE";
  galanthus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZYQao2OKQxyic+I327VZ7lQECh9hSS9cgsls3e/a1u";
+  nimbus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIjr3r9RVTzMPNvfBWxVei8aGMlay3smMhhuGxEMRaj";
  all = [
    malus
    galanthus
+    nimbus
  ];
 in
 {
  "copyparty-jan.age".publicKeys = all;
  "paperless-admin.age".publicKeys = all;
  "tailscale.age".publicKeys = all;
+  "matrix-registration-token.age".publicKeys = all;
 }