diff --git a/config/hosts/imxyy-nix-server/matrix.nix b/config/hosts/imxyy-nix-server/matrix.nix index 3a86d3d..4c564fd 100644 --- a/config/hosts/imxyy-nix-server/matrix.nix +++ b/config/hosts/imxyy-nix-server/matrix.nix 
@@ -1,45 +1,68 @@ { - services.matrix-synapse = { + config, + secrets, + ... +}: +{ + sops.secrets.tuwunel-reg-token = { + sopsFile = secrets.tuwunel-reg-token; + format = "binary"; + owner = config.services.matrix-tuwunel.user; + group = config.services.matrix-tuwunel.group; + }; + services.matrix-tuwunel = { enable = true; - settings = { - server_name = "matrix.imxyy.top"; - public_baseurl = "https://matrix.imxyy.top"; - listeners = [ - { - port = 8094; - bind_addresses = [ "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ - "client" - "federation" - ]; - compress = true; - } - ]; - } - ]; - turn_uris = [ "turns:vkvm.imxyy.top:5349" ]; - turn_shared_secret = "ac779a48c03bb451839569d295a29aa6ab8c264277bec2df9c9c7f5e22936288"; - turn_user_lifetime = "1h"; - database_type = "psycopg2"; - database_args.database = "matrix-synapse"; + settings.global = { + address = [ "127.0.0.1" ]; + port = [ 8094 ]; + server_name = "imxyy.top"; + allow_registration = true; + registration_token_file = config.sops.secrets.tuwunel-reg-token.path; }; - extraConfigFiles = [ - "/var/lib/matrix-synapse/secret" - ]; + }; + services.caddy.virtualHosts."imxyy.top" = { + extraConfig = '' + handle /.well-known/matrix/client { + header Content-Type application/json + header "Access-Control-Allow-Origin" "*" + + respond `{"m.homeserver": {"base_url": "https://matrix.imxyy.top"}}` 200 + } + ''; + }; + services.caddy.virtualHosts."imxyy.top:8448" = { + extraConfig = '' + reverse_proxy :8094 + + handle /.well-known/matrix/client { + header Content-Type application/json + header "Access-Control-Allow-Origin" "*" + + respond `{"m.homeserver": {"base_url": "https://matrix.imxyy.top"}}` 200 + } + ''; }; services.caddy.virtualHosts."matrix.imxyy.top" = { extraConfig = '' reverse_proxy :8094 - handle_path /_matrix { - reverse_proxy :8094 + + handle /.well-known/matrix/client { + header Content-Type application/json + header "Access-Control-Allow-Origin" 
"*" + + respond `{"m.homeserver": {"base_url": "https://matrix.imxyy.top"}}` 200 } - handle_path /_synapse/client { - reverse_proxy :8094 + ''; + }; + services.caddy.virtualHosts."matrix.imxyy.top:8448" = { + extraConfig = '' + reverse_proxy :8094 + + handle /.well-known/matrix/client { + header Content-Type application/json + header "Access-Control-Allow-Origin" "*" + + respond `{"m.homeserver": {"base_url": "https://matrix.imxyy.top"}}` 200 } ''; }; diff --git a/config/hosts/imxyy-nix-server/net.nix b/config/hosts/imxyy-nix-server/net.nix index 187340a..43958f2 100644 --- a/config/hosts/imxyy-nix-server/net.nix +++ b/config/hosts/imxyy-nix-server/net.nix @@ -377,6 +377,20 @@ customDomains = [ "sy.imxyy.top" ]; } + { + name = "matrix-root-http"; + type = "http"; + localIP = "127.0.0.1"; + localPort = 80; + customDomains = [ "imxyy.top" ]; + } + { + name = "matrix-root-https"; + type = "https"; + localIP = "127.0.0.1"; + localPort = 443; + customDomains = [ "imxyy.top" ]; + } { name = "matrix-http"; type = "http"; @@ -391,6 +405,13 @@ localPort = 443; customDomains = [ "matrix.imxyy.top" ]; } + { + name = "matrix-fed"; + type = "tcp"; + localIP = "127.0.0.1"; + localPort = 8448; + remotePort = 8448; + } { name = "immich-http"; diff --git a/secrets/tuwunel-reg-token.txt b/secrets/tuwunel-reg-token.txt new file mode 100644 index 0000000..af2c857 --- /dev/null +++ b/secrets/tuwunel-reg-token.txt 
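Review bot: The `turn_shared_secret` value removed from the old `services.matrix-synapse.settings` block was committed in plaintext and remains recoverable from git history, so deleting it here does not retire it; the TURN server at `vkvm.imxyy.top` should be issued a fresh shared secret, and if TURN is still wanted for tuwunel the replacement belongs in `sops` the same way `registration_token_file` now reads `config.sops.secrets.tuwunel-reg-token.path`. The `handle /.well-known/matrix/client { … }` block is repeated verbatim in all four `services.caddy.virtualHosts` entries; lifting it into a single `let wellKnownClient = '' … '';` binding and interpolating `${wellKnownClient}` in each `extraConfig` keeps the advertised `base_url` from drifting between hosts. `allow_registration = true` is gated by `registration_token_file`, which is the right shape, but it reads as open registration at a glance; a one-line comment such as `# registration is token-gated; the token is provisioned by sops, never stored in this file` would make the intent explicit.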
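Review bot: The new `matrix-root-http` and `matrix-root-https` entries claim the apex `imxyy.top` on ports 80 and 443, not just the `/.well-known/matrix/client` path, so if that domain was previously served by another host or proxy this change silently takes over all of its traffic; worth confirming nothing else answers for `imxyy.top` before this is applied. A short comment on the pair, e.g. `# apex domain only exists to serve /.well-known/matrix/client for federation discovery`, would record why the root domain is routed to this host at all. The enclosing proxy list starts and ends outside the hunk.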
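Review bot: `matrix-fed` is `type = "tcp"` with `remotePort = 8448`, so the frp server exposes 8448 publicly and hands the raw TLS stream to the local Caddy `imxyy.top:8448` and `matrix.imxyy.top:8448` virtual hosts; those hosts must therefore hold valid certificates for both names, which Caddy presumably obtains through the 80/443 proxies added in the hunk above, and that issuance should be verified before federation traffic is expected to work. Unlike the http/https entries this one has no `customDomains`, which is correct for a raw TCP proxy but worth stating: `# federation port; raw TCP so Caddy terminates TLS locally for *:8448`. The enclosing proxy list starts and ends outside the hunk.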
@@ -0,0 +1,23 @@ +{ + "data": "ENC[AES256_GCM,data:Me4kvuk4WovDtuzKFVOyC0TMyPntio+pOv7lpSowTVgX5IJhBQ==,iv:3gVN817C4EuqUt+pZwLEi4BUr06NJS4jw5TaH/T5qwQ=,tag:uF+b06x1tJNVXf2c+5N7zA==,type:str]", + "sops": { + "age": [ + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEFLUkyeaK8ZPPZdVNEmtx8zvoxi7xqS2Z6oxRBuUPO", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDltTWRrUSA2YVJI\nOGxJZS9qeGhxSWpQZlJ1bEVCUm5ZMjkzNm90Rm50aitFdlZwbHprCkpWaWhINGcv\nSXZJR2pUajBBRnZ5YnRKZk50amIycTBGM3BXMXFJNlNhVEUKLS0tIGd5R2lHV1RW\ncmxlYmRlU2pCbEJHSmRoYThyL2cyak5icTJ3cFJPRjRiVDAKcnKZ2ei+9uwPjf7q\nxyhcFz+JDYv/fRH0/CuwTtDilUOJoQOTWKUNw/e4ImsFomo0Ra4S7HLCScCSMCVc\nQd3Scw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB28jpN+h5euh3NtdN+A+EtqgIatC22e4i1TPTioKire", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHJNY1d1ZyBoQjVD\nRy82QWNpeHAydkhsLzN0ZldvSzRsM0ljWmVOWnBJdWNuQjBrZlVVCnpNQkZ4bUxT\ncGhVSlFCNHdNMlZWRzBnWi95azJMN2xTN3JoaXB1UXpjSUkKLS0tIDdvZ3p1VnN4\nNy96SmFRdjQ5MVB6dS9kU1VSUUttUXFoVUs5ZDZMbW5yMFEK64rP7bZcOAU1PZd9\nFq3Ba/4I82dRXqhAk8YIiZ6j6z6UdpTtYk3E7Thqx9ZcqUkgpxFbAEi4jhgn028z\nYqH3RA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMb5G/ieEYBOng66YeyttBQLThyM6W//z2POsNyq4Rw/", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFhGYmtrZyB4akZq\nNmtnRUdrSlROS0tJazNjTzhqY0lZUXRiS1l2Q0F6dVRLZUw5dDBFCjRMVmFvM3RZ\nN0lIMGNwcjlXQ0h6TXA1RStxS3BLd01tNnVqaDMwbHdDV1EKLS0tIHBFSXMyNU9J\nL0JucEd2MzFIeTBVakFWdWpGQVJ2MUczd2ZRNkNlTnR2Nk0KKYgjgZtVqgfwda2x\noFgsqP+6VCWN7K2Qo3arfTvyRq1vd9Zs4UUavUDgZDylst5iVIeNhZc0flFBo3Cy\nqs4VDQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-08-15T02:07:33Z", + "mac": 
"ENC[AES256_GCM,data:MTcdSizIG8UNStgIqzar6bSejAPvSUKj+d7jVVuU/kvEgxA4Mrmv63wUF98fDBs6cgkHojwutLLiUo/4PzKPGccbyL+c2Y1vEkHmFcqMB1OOsl4Yfz/V5DdaDF3JcyNrSPcC8ooCChd7383z11kmE/a2sLkrNIMwIBjx3qNvaY0=,iv:6a2d+T28LI7zem2VfDffGoiafn2EEbtThvJ7e7myBSw=,tag:0ZV+mCyvLRliL+LtZ/WddA==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +}