Move well-known delegation to main domain

configuration.nix

@@ -173,18 +173,10 @@ with pkgs;
       group = "users";
     };
     # HACK The owner and group is set by systemd due to the use of DynamicUser
-    secrets.dendrite = {
-      file = secrets/dendrite.age;
-      owner = "63026";
-      group = "63026";
-    };
-    secrets.dendrite-postgres = {
-      file = secrets/dendrite-postgres.age;
-      owner = "63026";
-      group = "63026";
-    };
     secrets.telegram = {
       file = secrets/telegram.age;
+      owner = "mautrix-telegram";
+      group = "mautrix-telegram";
     };
     secrets.mqtt-sender = {
       file = secrets/mqtt-sender.age;
@@ -198,9 +190,14 @@ with pkgs;
     };
     secrets.facebook = {
       file = secrets/facebook.age;
+      owner = "mautrix-meta-facebook";
+      group = "mautrix-meta-facebook";
+
     };
     secrets.signal = {
       file = secrets/signal.age;
+      owner = "mautrix-signal";
+      group = "mautrix-signal";
     };
     secrets.inadyn-duckdns = {
       file = secrets/inadyn-duckdns.age;
@@ -237,6 +234,11 @@ with pkgs;
       owner = "63026";
       group = "63026";
     };
+    secrets.grafana = {
+      file = secrets/grafana.age;
+      owner = "grafana";
+      group = "granafa";
+    };
     identityPaths = [ "/etc/ssh/id_ed25519" ];
   };
 

flake.nix

@@ -9,17 +9,13 @@
   };
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05";
     determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     nixos-hardware.url = "github:NixOS/nixos-hardware/master";
-    nix-matrix-appservices = {
-      url = "gitlab:coffeetables/nix-matrix-appservices";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
   outputs =

modules/communication.nix

@@ -7,71 +7,92 @@
 
 with pkgs;
 
-# NOTE Reference the environment variable set in the corresponding agenix secret
-let
-  database = {
-    connection_string = "$DB_STRING";
-    max_open_conns = 100;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-
-in
 {
   # Matrix server configuration
-  services.dendrite = {
+  services.matrix-continuwuity = {
     enable = true;
-    httpPort = 8008;
-    environmentFile = config.age.secrets.dendrite-postgres.path;
-    loadCredential = [ "private_key:${config.age.secrets.dendrite.path}" ];
     settings = {
       global = {
-        server_name = "coolneng.duckdns.org";
+        server_name = "psydnd.org";
-        private_key = config.age.secrets.dendrite.path;
+        port = [ 8008 ];
-        inherit database;
+        allow_encryption = true;
-        dns_cache.enabled = true;
+        allow_federation = true;
-      };
+        well_known.client = "https://matrix.psydnd.org";
-      # HACK Inherit postgres connection string for the rest of the DBs
-      app_service_api = {
-        inherit database;
-      };
-      media_api = {
-        inherit database;
-      };
-      room_server = {
-        inherit database;
-      };
-      push_server = {
-        inherit database;
-      };
-      mscs = {
-        inherit database;
-        mscs = [
-          "msc2836"
-          "msc2946"
-        ];
-      };
-      sync_api = {
-        inherit database;
-      };
-      key_server = {
-        inherit database;
-      };
-      federation_api = {
-        inherit database;
-      };
-      user_api = {
-        account_database = database;
-        device_database = database;
       };
     };
   };
 
+  ## Matrix bridges
+  # Facebook
+  services.mautrix-meta.instances.facebook = {
+    enable = true;
+    environmentFile = config.age.secrets.facebook.path;
+    settings = {
+      homeserver = {
+        address = "https://matrix.psysdnd.org";
+        domain = "psydnd.org";
+      };
+      appservice = {
+        address = "http://localhost:8228";
+        port = 8228;
+        database = "$DB_STRING";
+      };
+      bridge.permissions."@coolneng:psydnd.org" = "admin";
+    };
+    serviceDependencies = [ "continuwuity.service" ];
+  };
+
+  # Enable voice messages for Facebook
+  systemd.services.matrix-as-facebook.path = [ ffmpeg ];
+
+  # Telegram
+  services.mautrix-telegram = {
+    enable = true;
+    environmentFile = config.age.secrets.telegram.path;
+    settings = {
+      homeserver = {
+        address = "https://matrix.psysdnd.org";
+        domain = "psydnd.org";
+      };
+      appservice = {
+        address = "http://localhost:8118";
+        port = 8118;
+        database = "$DB_STRING";
+      };
+      bridge.permissions."@coolneng:psydnd.org" = "admin";
+    };
+    serviceDependencies = [ "continuwuity.service" ];
+  };
+
+  # Signal
+  services.mautrix-signal = {
+    enable = true;
+    environmentFile = config.age.secrets.signal.path;
+    settings = {
+      homeserver = {
+        address = "https://matrix.psysdnd.org";
+        domain = "psydnd.org";
+      };
+      appservice = {
+        address = "http://localhost:8338";
+        port = 8338;
+        database = "$DB_STRING";
+      };
+      bridge.permissions."@coolneng:psydnd.org" = "admin";
+    };
+    serviceDependencies = [ "continuwuity.service" ];
+  };
+
+  # HACK Use libolm as there's no good alternative
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
   # Start dendrite after config files are mounted
-  systemd.services.dendrite.unitConfig.RequiresMountsFor = [
+  systemd.services.continuwuity.unitConfig.RequiresMountsFor = [
-    /var/lib/matrix-as-facebook
+    /var/lib/mautrix-meta-facebook
-    /var/lib/matrix-as-signal
+    /var/lib/mautrix-signal
-    /var/lib/matrix-as-telegram
+    /var/lib/mautrix-telegram
   ];
 
   # MQTT configuration

modules/networking.nix

@@ -135,10 +135,10 @@ in
   services.resolved = {
     enable = true;
     llmnr = "false";
-    extraConfig = ''
+    settings.Resolve = {
-      MulticastDNS=yes
+      MulticastDNS = true;
-      DNSStubListener=no
+      DNSStubListener = false;
-    '';
+    };
   };
 
   # DNS server with ad-block

modules/webstack.nix

@@ -34,21 +34,12 @@
       proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
     virtualHosts = {
-      # Old domain being redirected
+      # Redirection of the old domain
       "coolneng.duckdns.org" = {
         useACMEHost = "coolneng.duckdns.org";
         forceSSL = true;
         locations = {
           "/".return = "301 https://psydnd.org$request_uri";
-          # Delegation for Matrix
-          "/.well-known/" = {
-            alias = "${../well-known}" + "/";
-            extraConfig = ''
-              ${config.services.nginx.commonHttpConfig}
-              default_type application/json;
-              add_header Access-Control-Allow-Origin * always;
-            '';
-          };
         };
       };
       # Redirect subdomains
@@ -61,6 +52,15 @@
       "psydnd.org" = {
         useACMEHost = "psydnd.org";
         forceSSL = true;
+        # Delegation for Matrix
+        locations."/.well-known/" = {
+          alias = "${../well-known}" + "/";
+          extraConfig = ''
+            ${config.services.nginx.commonHttpConfig}
+            default_type application/json;
+            add_header Access-Control-Allow-Origin * always;
+          '';
+        };
       };
       "radicale.psydnd.org" = {
         useACMEHost = "psydnd.org";

scripts/motd.sh

@@ -24,7 +24,7 @@ services=(
     "radicale.service"
     "miniflux.service"
     "gitea.service"
-    "dendrite.service"
+    "continuwuity.service"
     "nginx.service"
     "dnsmasq.service"
     "dnscrypt-proxy.service"

secrets/grafana.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg Ag32nut/aBlxEy7RPw7sV5itZSHkp8eMLVtxFxwQ8EM
+ZhK8EZWTLkxrwo+x97w4HpexDXkC1yQuKyYFujqlOgs
+--- kszqKtyubreK5mGkrJg4hrEKrfITJCCM/hW6IHKlMIE
+TÚ+À~/ œDbM?Çø×å ½œa-ð'ƒÒp^5ç›?�ï&#!àϳ‰þ~59O

secrets/secrets.nix

@@ -8,8 +8,6 @@ in
   "gitea.age".publicKeys = [ zion ];
   "miniflux.age".publicKeys = [ zion ];
   "git.age".publicKeys = [ zion ];
-  "dendrite.age".publicKeys = [ zion ];
-  "dendrite-postgres.age".publicKeys = [ zion ];
   "telegram.age".publicKeys = [ zion ];
   "mqtt-sender.age".publicKeys = [ zion ];
   "mqtt-receiver.age".publicKeys = [ zion ];
@@ -22,4 +20,5 @@ in
   "acme-porkbun.age".publicKeys = [ zion ];
   "microbin.age".publicKeys = [ zion ];
   "readeck.age".publicKeys = [ zion ];
+  "grafana.age".publicKeys = [ zion ];
 }