fix: gitea: now works

nixos/module/generic/matrix-cluster-users.nix

@@ -14,6 +14,7 @@
     "lvgkcfjl"
     "MrAlex0O"
     "Антоша"
+    "snuff"
   ];
 
   adminNames = [ "yukkop" ];

nixos/module/generic/matrix-cluster.nix

@@ -231,6 +231,15 @@ in {
         description = "File containing PORKBUN_SECRET_API_KEY value.";
       };
     };
+
+    jitsi.preferredDomain = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        Optional self-hosted Jitsi Meet domain to advertise to Matrix/Element
+        clients alongside the cluster-managed homeserver.
+      '';
+    };
   };
 
   config = lib.mkIf cfg.enable (lib.mkMerge [

nixos/module/hectic/service/element.nix

@@ -16,6 +16,10 @@
     && (if clusterCfg.overrideEnableSynapse != null then clusterCfg.overrideEnableSynapse else clusterCfg.role == "primary");
   enabled = legacyCfg.enable || clusterSynapseEnabled;
   matrixDomain = if legacyCfg.enable then legacyCfg.matrixDomain else clusterCfg.matrixDomain;
+  jitsiPreferredDomain =
+    if legacyCfg.enable && config.hectic.services.jitsi.enable
+    then config.hectic.services.jitsi.hostName
+    else clusterCfg.jitsi.preferredDomain;
 in {
   config = lib.mkIf enabled {
     services.nginx.virtualHosts."element.${matrixDomain}" = {
@@ -36,6 +40,10 @@ in {
             matrixDomain
           ];
 
+          jitsi = lib.optionalAttrs (jitsiPreferredDomain != null) {
+            preferred_domain = jitsiPreferredDomain;
+          };
+
           default_theme = "dark";
           show_labs_settings = true;
         };

nixos/module/hectic/service/jitsi.nix

@@ -82,8 +82,8 @@ in {
     security.acme = {
       acceptTerms = true;
       defaults = {
-        email          = "hectic.yukkop.it@gmail.com";
+        email           = lib.mkDefault "hectic.yukkop.it@gmail.com";
-        enableDebugLogs = true;
+        enableDebugLogs = lib.mkDefault true;
       };
     };
 

nixos/system/bfs.poland.xray/bfs.poland.xray.nix

@@ -11,6 +11,7 @@
 }: let
   matrixBackend = "https://128.140.75.58";
   matrixHost = "accord.tube";
+  jitsiHost = "meet.accord.tube";
   elementEntryDomain = "element.bfs.band";
   polandEntryDomain = "bfs.band";
   backendProxyConfig = ''
@@ -53,6 +54,21 @@ in {
       porkbunApiKeyFile       = config.sops.secrets."matrix/porkbun-api-key".path;
       porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path;
     };
+    jitsi.preferredDomain = jitsiHost;
+  };
+
+  hectic.services.media-browser = {
+    enable = true;
+    port = 3001;
+    s3Bucket = "matrix-hectic-lab";
+    s3Endpoint = "https://hel1.your-objectstorage.com";
+    s3Region = "hel1";
+    s3CredentialsFile = config.sops.secrets."matrix/object-storage/credentials".path;
+  };
+
+  hectic.services.jitsi = {
+    enable = true;
+    hostName = jitsiHost;
   };
 
   security.acme = {
@@ -156,6 +172,10 @@ in {
             "m.identity_server".base_url = "https://vector.im";
           };
 
+          jitsi = {
+            preferred_domain = jitsiHost;
+          };
+
           room_directory.servers = [ matrixHost ];
 
           default_theme = "dark";

nixos/system/bfs.poland.xray/default.nix

@@ -13,6 +13,10 @@ in self.lib.nixpkgs-lib.nixosSystem {
   pkgs = import inputs.nixpkgs {
     inherit system;
     overlays = [ self.overlays.default ];
+    # jitsi-meet depends on libolm which is marked insecure (CVE-2024-4519x)
+    config.permittedInsecurePackages = [
+      "jitsi-meet-1.0.8792"
+    ];
   };
   modules = [
     { networking.hostName = hostName; }

nixos/system/hectic-lab/hectic-lab.nix

@@ -25,7 +25,6 @@ in {
     self.nixosModules.hectic
     self.nixosModules.matrix-cluster
     inputs.sops-nix.nixosModules.sops
-    self.nixosModules.matrix-cluster-users
 
     self.nixosModules."shadowsocks-rust" # NOTE(nrv): impl
     self.nixosModules."shadowsocks"      # NOTE(nrv): usage/instance
@@ -60,42 +59,6 @@ in {
     services.matrix = {
       enable = false;
     };
-
-    generic.matrix-cluster = {
-      enable        = true;
-      overrideEnableSynapse = false;
-      role          = "standby";
-      inherit matrixDomain;
-      signingKeyFile = config.sops.secrets."matrix/signing-key".path;
-      secretsFile    = config.sops.secrets."matrix/secrets".path;
-      turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
-      publicIp       = "128.140.75.58";
-      objectStorage.s3 = {
-        bucket = "matrix-hectic-lab";
-        regionName = "hel1";
-        endpointUrl = "https://hel1.your-objectstorage.com";
-        credentialsFile = config.sops.secrets."matrix/object-storage/credentials".path;
-      };
-      replication = {
-        peerHost = "91.198.166.181";
-        passwordFile = config.sops.secrets."matrix/postgres-replication-password".path;
-        allowedSourceIPs = [ "91.198.166.181/32" ];
-      };
-      acme = {
-        enable = false;
-        porkbunApiKeyFile       = config.sops.secrets."matrix/porkbun-api-key".path;
-        porkbunSecretApiKeyFile = config.sops.secrets."matrix/porkbun-secret-api-key".path;
-      };
-    };
-
-    services.media-browser = {
-      enable = true;
-      port = 3001;
-      s3Bucket = "matrix-hectic-lab";
-      s3Endpoint = "https://hel1.your-objectstorage.com";
-      s3Region = "hel1";
-      s3CredentialsFile = config.sops.secrets."matrix/object-storage/credentials".path;
-    };
   };
 
   # NOTE(yukkop): disk was provisioned by Hetzner rescue image, disko was never
@@ -167,48 +130,6 @@ in {
   sops.secrets."init-postgresql" = {
     key = "init-postgresql";
   };
-  sops.secrets."matrix/secrets" = {
-    key = "matrix/secrets";
-    owner = "matrix-synapse";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-  sops.secrets."matrix/turn-secret" = {
-    key   = "matrix/turn-secret";
-    owner = "root";
-    group = "root";
-    mode  = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-  sops.secrets."matrix/object-storage/credentials" = {
-    key = "matrix/object-storage/credentials";
-    owner = "matrix-synapse";
-    mode = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-
-  # Shared cluster secrets (PL standby also reads from this file).
-  sops.secrets."matrix/signing-key" = {
-    key = "matrix/signing-key";
-    owner = "matrix-synapse";
-    mode = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-  sops.secrets."matrix/postgres-replication-password" = {
-    key = "matrix/postgres-replication-password";
-    owner = "postgres";
-    mode = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-  sops.secrets."matrix/porkbun-api-key" = {
-    key = "matrix/porkbun-api-key";
-    mode = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
-  sops.secrets."matrix/porkbun-secret-api-key" = {
-    key = "matrix/porkbun-secret-api-key";
-    mode = "0400";
-    sopsFile = "${flake}/sus/matrix-cluster.yaml";
-  };
 
   services.mailserver = {
     enable = true;
@@ -255,6 +176,7 @@ in {
       80
       443
       3306  # mysql
+      11012 # gitea ssh
       25565
       55228 # ss-bfs
     ];
@@ -318,6 +240,34 @@ in {
         '';
       };
     };
+    virtualHosts."gitea.${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        extraConfig = ''
+          proxy_pass     http://127.0.0.1:11011/;
+          proxy_redirect off;
+        '';
+      };
+    };
+  };
+
+  services = {
+    gitea = {
+      enable = true;
+      settings.service.DISABLE_REGISTRATION = false;
+      settings.server = {
+        HTTP_PORT = 11011;
+        SSH_PORT = 11012;
+      };
+      database = {
+        createDatabase = true;
+        type = "postgres";
+        socket = "/run/postgresql";
+        user = "gitea";
+        name = "gitea";
+      };
+    };
   };
 
   # === WireGuard (disabled) ===

nixos/system/hectic-lab/mechabellum.nix

@@ -33,14 +33,10 @@ in {
     forceSSL = true;
     root = inputs.mechabellum-replay-analysis.packages.${system}.frontend;
 
-    locations."/api/" = {
+    locations."/api" = {
-      proxyPass = "http://${apiHost}:${builtins.toString apiPort}/api/";
+      proxyPass = "http://${apiHost}:${builtins.toString apiPort}";
       extraConfig = ''
         proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
       '';
     };
 

sus/matrix-cluster.yaml

@@ -17,7 +17,7 @@ matrix:
         vismajor:
             password: ENC[AES256_GCM,data:AOAxZgY6mmw=,iv:RCEqeI/jL1n9oGREFR3zUTcQRQuupqMsoTVxBWaMvf0=,tag:tYv4X1iXkol3I2Qr0oaY5g==,type:str]
         snuff:
-            password: ENC[AES256_GCM,data:gM2BV4xD2lZ860c7VSYRlcgFIwyD,iv:pMb0dzCfYcsrx4ReeI4/4jsCoUj+BKucP9eOFag+vWI=,tag:dPVvXIWOqPi0yAxjmaPE8g==,type:str]
+            password: ENC[AES256_GCM,data:vP7fc0DlhM559c38KIHQswd4WV2RGCtQk/I=,iv:FAsdJz85AklfAKL8K6SrBsZ1wMIFebj0mS7noB7HkfA=,tag:9z5edXIeCDz7mGTZG9Vx5A==,type:str]
         MrAlex0O:
             password: ENC[AES256_GCM,data:aq6wYy1OxXPmHVdE926Q79pARzwaKX1ieE0=,iv:vNV0Gm2DlgLuZpEDm1q4+iltNJOtRechdaXUNfDrfpc=,tag:bECr7NWnOEv7DgZ7OIQMcg==,type:str]
         Антоша:
@@ -87,7 +87,7 @@ sops:
             cGtrUDRlUUliSVVjU1o4VUVMOE0ySFEKnjBAqifgYnaJ6LPWzDcopqQxUJ0d9vhe
             F2fIVq8LmO0Nuu7JMhJAvTJgkEyVUAQVTTAtrnhUf2RmILOb72BTKQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-27T12:45:32Z"
+    lastmodified: "2026-05-27T18:49:35Z"
-    mac: ENC[AES256_GCM,data:a0Tr6uAP8tPma7ErK57L4pJUMp29e4+Q+HzsZjGVhIonpmlhAkBDUZz4Mny7kAb9HHW8TKUzsTkvp/PV/hi3EG7OAYQk00D976bDvbMo6bwm/IXFjS9G0ecrN8x+tR8huaApiQyZCseU2I8JtzyFVBIrOsDUFzwUIPbNtmE50h8=,iv:fSB0ATCYdR/Ldsh353OquCFE3IGW64g9qNW5EOXd/1w=,tag:W+6gVxon6xL/LtgYKF/Cxw==,type:str]
+    mac: ENC[AES256_GCM,data:HHjUJxE+iSwoM7YjwV4djlvFwtt9/xw/2kQ8otoCsoGieuUh+NFL5FUJsz3vYOhxsWcN3sC5y6PxEjH6/DuJvt15CLR3bjZ5ZBj8db3gBHApTBm87D31zPbpZFtyT5EBUcA+MwiFhMfE5TLRvx8g2eO2mOG2o7Ve63tVNoPvVYQ=,iv:VblCJjE4oDrekbDis8YITqnVD7DpjcowlvusxwXvf9E=,tag:dfXoMODelKDQN7uiPv1a9g==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2