Move well-known delegation to main domain

Replace dendrite with continuwuity
Upgrade to NixOS 26.05
2026-06-02 15:23:29 +02:00 · 2026-06-02 15:23:29 +02:00 · 2026-06-02 15:23:29 +02:00
11 changed files with 117 additions and 91 deletions
@@ -173,18 +173,10 @@ with pkgs;
      group = "users";
    };
    # HACK The owner and group is set by systemd due to the use of DynamicUser
    secrets.dendrite = {
      file = secrets/dendrite.age;
      owner = "63026";
      group = "63026";
    };
    secrets.dendrite-postgres = {
      file = secrets/dendrite-postgres.age;
      owner = "63026";
      group = "63026";
    };
    secrets.telegram = {
      file = secrets/telegram.age;
      owner = "mautrix-telegram";
      group = "mautrix-telegram";
    };
    secrets.mqtt-sender = {
      file = secrets/mqtt-sender.age;
@@ -198,9 +190,14 @@ with pkgs;
    };
    secrets.facebook = {
      file = secrets/facebook.age;
      owner = "mautrix-meta-facebook";
      group = "mautrix-meta-facebook";
    };
    secrets.signal = {
      file = secrets/signal.age;
      owner = "mautrix-signal";
      group = "mautrix-signal";
    };
    secrets.inadyn-duckdns = {
      file = secrets/inadyn-duckdns.age;
@@ -237,6 +234,11 @@ with pkgs;
      owner = "63026";
      group = "63026";
    };
    secrets.grafana = {
      file = secrets/grafana.age;
      owner = "grafana";
      group = "granafa";
    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };
@@ -9,17 +9,13 @@
  };
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    nix-matrix-appservices = {
      url = "gitlab:coffeetables/nix-matrix-appservices";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
@@ -7,71 +7,92 @@
 with pkgs;
 # NOTE Reference the environment variable set in the corresponding agenix secret
 let
  database = {
    connection_string = "$DB_STRING";
    max_open_conns = 100;
    max_idle_conns = 5;
    conn_max_lifetime = -1;
  };
 in
 {
  # Matrix server configuration
-  services.dendrite = {
+  services.matrix-continuwuity = {
    enable = true;
    httpPort = 8008;
    environmentFile = config.age.secrets.dendrite-postgres.path;
    loadCredential = [ "private_key:${config.age.secrets.dendrite.path}" ];
    settings = {
      global = {
-        server_name = "coolneng.duckdns.org";
+        server_name = "psydnd.org";
-        private_key = config.age.secrets.dendrite.path;
+        port = [ 8008 ];
-        inherit database;
+        allow_encryption = true;
-        dns_cache.enabled = true;
+        allow_federation = true;
-      };
+        well_known.client = "https://matrix.psydnd.org";
      # HACK Inherit postgres connection string for the rest of the DBs
      app_service_api = {
        inherit database;
      };
      media_api = {
        inherit database;
      };
      room_server = {
        inherit database;
      };
      push_server = {
        inherit database;
      };
      mscs = {
        inherit database;
        mscs = [
          "msc2836"
          "msc2946"
        ];
      };
      sync_api = {
        inherit database;
      };
      key_server = {
        inherit database;
      };
      federation_api = {
        inherit database;
      };
      user_api = {
        account_database = database;
        device_database = database;
      };
    };
  };
  ## Matrix bridges
  # Facebook
  services.mautrix-meta.instances.facebook = {
    enable = true;
    environmentFile = config.age.secrets.facebook.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8228";
        port = 8228;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };
  # Enable voice messages for Facebook
  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
  # Telegram
  services.mautrix-telegram = {
    enable = true;
    environmentFile = config.age.secrets.telegram.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8118";
        port = 8118;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };
  # Signal
  services.mautrix-signal = {
    enable = true;
    environmentFile = config.age.secrets.signal.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8338";
        port = 8338;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };
  # HACK Use libolm as there's no good alternative
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];
  # Start dendrite after config files are mounted
-  systemd.services.dendrite.unitConfig.RequiresMountsFor = [
+  systemd.services.continuwuity.unitConfig.RequiresMountsFor = [
-    /var/lib/matrix-as-facebook
+    /var/lib/mautrix-meta-facebook
-    /var/lib/matrix-as-signal
+    /var/lib/mautrix-signal
-    /var/lib/matrix-as-telegram
+    /var/lib/mautrix-telegram
  ];
  # MQTT configuration
@@ -82,10 +82,13 @@ with pkgs;
  # Grafana configuration
  services.grafana = {
    enable = true;
-    settings.server = {
+    settings = {
-      domain = "grafana.psydnd.org";
+      server = {
-      http_port = 9009;
+        domain = "grafana.psydnd.org";
-      http_addr = "127.0.0.1";
+        http_port = 9009;
        http_addr = "127.0.0.1";
      };
      security.secret_key = config.age.secrets.grafana.path;
    };
  };
@@ -135,10 +135,10 @@ in
  services.resolved = {
    enable = true;
    llmnr = "false";
-    extraConfig = ''
+    settings.Resolve = {
-      MulticastDNS=yes
+      MulticastDNS = true;
-      DNSStubListener=no
+      DNSStubListener = false;
-    '';
+    };
  };
  # DNS server with ad-block
@@ -34,21 +34,12 @@
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
    virtualHosts = {
-      # Old domain being redirected
+      # Redirection of the old domain
      "coolneng.duckdns.org" = {
        useACMEHost = "coolneng.duckdns.org";
        forceSSL = true;
        locations = {
          "/".return = "301 https://psydnd.org$request_uri";
          # Delegation for Matrix
          "/.well-known/" = {
            alias = "${../well-known}" + "/";
            extraConfig = ''
              ${config.services.nginx.commonHttpConfig}
              default_type application/json;
              add_header Access-Control-Allow-Origin * always;
            '';
          };
        };
      };
      # Redirect subdomains
@@ -61,6 +52,15 @@
      "psydnd.org" = {
        useACMEHost = "psydnd.org";
        forceSSL = true;
        # Delegation for Matrix
        locations."/.well-known/" = {
          alias = "${../well-known}" + "/";
          extraConfig = ''
            ${config.services.nginx.commonHttpConfig}
            default_type application/json;
            add_header Access-Control-Allow-Origin * always;
          '';
        };
      };
      "radicale.psydnd.org" = {
        useACMEHost = "psydnd.org";
@@ -24,7 +24,7 @@ services=(
    "radicale.service"
    "miniflux.service"
    "gitea.service"
-    "dendrite.service"
+    "continuwuity.service"
    "nginx.service"
    "dnsmasq.service"
    "dnscrypt-proxy.service"
@@ -0,0 +1,5 @@
 age-encryption.org/v1
 -> ssh-ed25519 iUaRGg Ag32nut/aBlxEy7RPw7sV5itZSHkp8eMLVtxFxwQ8EM
 ZhK8EZWTLkxrwo+x97w4HpexDXkC1yQuKyYFujqlOgs
 --- kszqKtyubreK5mGkrJg4hrEKrfITJCCM/hW6IHKlMIE
 TÚ+À~/ œDbM?Çø×å ½œa-ð'ƒÒp^5ç›?�ï&#!àÏ³‰þ~59O
@@ -8,8 +8,6 @@ in
  "gitea.age".publicKeys = [ zion ];
  "miniflux.age".publicKeys = [ zion ];
  "git.age".publicKeys = [ zion ];
  "dendrite.age".publicKeys = [ zion ];
  "dendrite-postgres.age".publicKeys = [ zion ];
  "telegram.age".publicKeys = [ zion ];
  "mqtt-sender.age".publicKeys = [ zion ];
  "mqtt-receiver.age".publicKeys = [ zion ];
@@ -22,4 +20,5 @@ in
  "acme-porkbun.age".publicKeys = [ zion ];
  "microbin.age".publicKeys = [ zion ];
  "readeck.age".publicKeys = [ zion ];
  "grafana.age".publicKeys = [ zion ];
 }
Author	SHA1	Message	Date
coolneng	488969abd7	Move well-known delegation to main domain	2026-06-02 15:23:29 +02:00
coolneng	4cd14c0838	Replace dendrite with continuwuity	2026-06-02 15:23:29 +02:00
coolneng	7544f6d121	Upgrade to NixOS 26.05	2026-06-02 15:23:29 +02:00