hectic-lab/util.nix
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: module: ~matrix

Browse Source
This commit is contained in:
yukkop
2026-05-22 20:13:47 +00:00
parent 56881b766a
commit 09ed045da9
5 changed files with 72 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/module/hectic/service/element-rtc.nix
View File

@@ -47,14 +47,13 @@ in {
virtualHosts.${cfg.matrixDomain} = { virtualHosts.${cfg.matrixDomain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8008";
};
locations."=/.well-known/matrix/client" = { locations."=/.well-known/matrix/client" = {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
''; '';
return = ''200 '{ return = ''200 '{
"m.homeserver": { "m.homeserver": {

19
nixos/module/hectic/service/matrix.nix
View File

@@ -57,6 +57,20 @@ in {
settings = { settings = {
server_name = cfg.matrixDomain; server_name = cfg.matrixDomain;
public_baseurl = "https://${cfg.matrixDomain}"; public_baseurl = "https://${cfg.matrixDomain}";
experimental_features = {
msc3266_enabled = true;
msc4140_enabled = true;
msc4143_enabled = true;
msc4222_enabled = true;
};
matrix_rtc = {
transports = [
{
type = "livekit";
livekit_service_url = "https://${cfg.matrixDomain}/livekit/jwt";
}
];
};
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
@@ -70,6 +84,7 @@ in {
# Ability speak between different matrix servers and get # Ability speak between different matrix servers and get
# global id, requires .well-known # global id, requires .well-known
"federation" "federation"
"openid"
]; ];
compress = false; compress = false;
} }
@@ -100,7 +115,7 @@ in {
]; ];
enableTCPIP = true; enableTCPIP = true;
port = cfg.postgresql.port; settings.port = cfg.postgresql.port;
authentication = builtins.concatStringsSep "\n" [ authentication = builtins.concatStringsSep "\n" [
"local all all trust" "local all all trust"
"host sameuser all 127.0.0.1/32 scram-sha-256" "host sameuser all 127.0.0.1/32 scram-sha-256"
@@ -153,6 +168,8 @@ in {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
''; '';
return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'"; return = "200 '{\"m.server\": \"${cfg.matrixDomain}:443\"}'";
}; };

4
nixos/module/hectic/service/voice-tune.nix
View File

@@ -61,7 +61,11 @@ in {
turn_uris = [ turn_uris = [
"turn:${cfg.matrixDomain}:3478?transport=udp" "turn:${cfg.matrixDomain}:3478?transport=udp"
"turn:${cfg.matrixDomain}:3478?transport=tcp" "turn:${cfg.matrixDomain}:3478?transport=tcp"
"turns:${cfg.matrixDomain}:5349?transport=udp"
"turns:${cfg.matrixDomain}:5349?transport=tcp"
]; ];
turn_user_lifetime = 86400000;
turn_allow_guests = true;
}; };
}; };
} }

25
nixos/system/hectic-lab/hectic-lab.nix
View File

@@ -15,6 +15,7 @@ with builtins;
with lib; with lib;
let let
domain = "hectic-lab.com"; domain = "hectic-lab.com";
matrixDomain = "accord.tube";
sslOpts = { sslOpts = {
sslCertificate = config.sops.secrets."ssl/porkbun/${domain}/domain.cert.pem".path; sslCertificate = config.sops.secrets."ssl/porkbun/${domain}/domain.cert.pem".path;
sslCertificateKey = config.sops.secrets."ssl/porkbun/${domain}/private.key.pem".path; sslCertificateKey = config.sops.secrets."ssl/porkbun/${domain}/private.key.pem".path;
@@ -53,6 +54,17 @@ in {
ipv4 = "128.140.75.58"; ipv4 = "128.140.75.58";
ipv6 = "2a01:4f8:c2c:d54a"; ipv6 = "2a01:4f8:c2c:d54a";
}; };
services.matrix = {
enable = true;
secretsFile = config.sops.secrets."matrix/secrets".path;
turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
publicIp = "128.140.75.58";
postgresql = {
port = 5432;
initialEnvFile = config.sops.secrets."init-postgresql".path;
};
inherit matrixDomain;
};
}; };
# NOTE(yukkop): disk was provisioned by Hetzner rescue image, disko was never # NOTE(yukkop): disk was provisioned by Hetzner rescue image, disko was never
@@ -120,6 +132,18 @@ in {
sops.secrets."mailserver/snuff/hashedPassword" = {}; sops.secrets."mailserver/snuff/hashedPassword" = {};
sops.secrets."mailserver/antoshka/hashedPassword" = {}; sops.secrets."mailserver/antoshka/hashedPassword" = {};
sops.secrets."mailserver/founders/hashedPassword" = {}; sops.secrets."mailserver/founders/hashedPassword" = {};
sops.secrets."init-postgresql" = {
key = "init-postgresql";
};
sops.secrets."matrix/secrets" = {
key = "matrix/secrets";
};
sops.secrets."matrix/turn-secret" = {
key = "matrix/turn-secret";
owner = "turnserver";
group = "turnserver";
mode = "0400";
};
services.mailserver = { services.mailserver = {
enable = true; enable = true;
@@ -160,6 +184,7 @@ in {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
80
443 443
3306 # mysql 3306 # mysql
25565 25565

8
sus/hectic-lab.yaml
View File

@@ -11,6 +11,10 @@ mailserver:
hashedPassword: ENC[AES256_GCM,data:Dv0vhe5LEFbAi/hadztQUTrRbPENSTxxOSTM7iwosH5kO28FCK56ZkKD8p/CLva6v97Cp2sWAXwd0fS6,iv:nUF4deb/8iF1mS5h+Z6oDE16YVQZ6ArfSnXG9DzqzLE=,tag:rKKlkYOl5oABbnzEjTOSVQ==,type:str] hashedPassword: ENC[AES256_GCM,data:Dv0vhe5LEFbAi/hadztQUTrRbPENSTxxOSTM7iwosH5kO28FCK56ZkKD8p/CLva6v97Cp2sWAXwd0fS6,iv:nUF4deb/8iF1mS5h+Z6oDE16YVQZ6ArfSnXG9DzqzLE=,tag:rKKlkYOl5oABbnzEjTOSVQ==,type:str]
antoshka: antoshka:
hashedPassword: ENC[AES256_GCM,data:6Rgj4JIrEF9ZRRRwGpV4yCdS7cw81xKLfavuii1cHqZK3JDlD2HOAVYgrrl+fWD6rNxUPAXpVuAIgxCu,iv:Y67je0qtEpnbwhiYXL2FJUAedPlKdTTb6wGeSVVEaPQ=,tag:Thvt+gsebEjoIjwOmNgBGQ==,type:str] hashedPassword: ENC[AES256_GCM,data:6Rgj4JIrEF9ZRRRwGpV4yCdS7cw81xKLfavuii1cHqZK3JDlD2HOAVYgrrl+fWD6rNxUPAXpVuAIgxCu,iv:Y67je0qtEpnbwhiYXL2FJUAedPlKdTTb6wGeSVVEaPQ=,tag:Thvt+gsebEjoIjwOmNgBGQ==,type:str]
init-postgresql: ENC[AES256_GCM,data:Iw8M2P1QoqPVaEdM8Zo0qlHrYgop0iknDY4NtgDo,iv:RWj9AFnh4/KWCm3UH4RoCdM2lzsXGY7A7qko8xCxjp8=,tag:l8acSq8+NBXB4L1rVzG6kw==,type:str]
matrix:
secrets: ENC[AES256_GCM,data:ivXp2YSiMI4hgL6122Ex+fGW0lsZvGD6XmiRvNgFgvzLH5yDv9uLsYcGCTYfQSL3X5VyIMGvsdRF+4pbIjBZMuQKrjvXv74E7aFBLQ2Qk98N3IIrznUFR3KXbHR6xXy5ILd7Bmw5JI/ZHULbmITahXUBt2kEJvfh4eAtqShNA4vsJrabHX9A8Q+2Ddp16w0cWftV5++WXzlNpvIc2Py6BwvfroNAjpSaO+ILYDOIL7XjPvF83fTt64pxZ9nsi3hCzcDtBgGkqc8=,iv:wvt9V2uYQUwivSwEIYZwcHjXr5WwMw19lgFDIa1CcVw=,tag:/22UZvp7+1hLbt+kV+wokQ==,type:str]
turn-secret: ENC[AES256_GCM,data:2RerKgYNFXEVM/YVmXt2l+t3BqduS+FlmjBWTA==,iv:6odb0HB9mntsceNaJtU2kwEVAiF0O88u47eDPLZVJbs=,tag:BJXAvK8abcnCLi96Kra5zA==,type:str]
wg-bfs: wg-bfs:
private-key: ENC[AES256_GCM,data:/J02asiesrQcsO7Xbq66HQIQeSPmFEMkM2q/z+9Y42K8SYEQP0OYQz+8fXI=,iv:PdGhPWgGxhe0a7C6CaVM/ePKABT+y8HRFOAPzNwQk+c=,tag:9AI30JFh6uyaXXVjMBJ1zg==,type:str] private-key: ENC[AES256_GCM,data:/J02asiesrQcsO7Xbq66HQIQeSPmFEMkM2q/z+9Y42K8SYEQP0OYQz+8fXI=,iv:PdGhPWgGxhe0a7C6CaVM/ePKABT+y8HRFOAPzNwQk+c=,tag:9AI30JFh6uyaXXVjMBJ1zg==,type:str]
ss-bfs: ss-bfs:
@@ -72,7 +76,7 @@ sops:
Yk43ZmlTc09aNFV1VjdjN2RWQlFWTDQKcYSvA2lHP8GS0lkYY19Tm8RXmFHQX5Ck Yk43ZmlTc09aNFV1VjdjN2RWQlFWTDQKcYSvA2lHP8GS0lkYY19Tm8RXmFHQX5Ck
qV2Fn22Fic4M5FVKDEMfaO6WmeXgki9a8dGeO9LlC+Phf16SOq7eLw== qV2Fn22Fic4M5FVKDEMfaO6WmeXgki9a8dGeO9LlC+Phf16SOq7eLw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-26T15:09:14Z" lastmodified: "2026-05-22T20:03:30Z"
mac: ENC[AES256_GCM,data:xDzKY+rn12ORC3HZHmMs3orTcg3kZiLwZYip/0ZZ7UJLJxoO98TIWvB1rxl8aAOjJCJ54LWRYkhMACn+4tdUhiy+RlsqVcL0jG9Vb1jpfVtPKy6tschoyVmWYOrc9dMHrnP3OEyYzqlAOdZ5tY9GubWx5hkdFOp17CtlCJV9faI=,iv:OXMlQ/ssDqiL9Lwv0EQefIIlv/VFBMwTSZ0WE3746k0=,tag:M3Oic7tiR/n71xEZrTa9tw==,type:str] mac: ENC[AES256_GCM,data:L59emZfOoFtisno0/yYVRtutaJAClIDStt6aWUzCI+WPU2g4XX5/pKGr3Lhd5bhyq7v+GWQJ6D94AfmeyVIIr2aJVQNlPlRKc+1Tn7VKDdqP2Seb4erkMmmxrmG6b7qCTTR7llF6zaqXXsnRav1JrTX1B5GFSgRjmIaVpM2Ik64=,iv:3u+LMlOdTYgXgqnFMamwlAJhqixB+P/cvyYyPlzqjjs=,tag:WyGkpArTk4r/nq+WA2vgPQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2