From 63ab4323a5298d06e31d3dfc55ddf8738445136c Mon Sep 17 00:00:00 2001 From: ulic-youthlic Date: Sat, 20 Sep 2025 15:36:40 +0800 Subject: [PATCH] feat: Deploy matrix home server --- nixos/configurations/Cape/default.nix | 4 ++ nixos/modules/programs/matrix-tuwunel.nix | 63 +++++++++++++++++++++ nixos/modules/programs/mautrix-telegram.nix | 32 +++++++++-- secrets/general.yaml | 8 +-- 4 files changed, 97 insertions(+), 10 deletions(-) create mode 100644 nixos/modules/programs/matrix-tuwunel.nix diff --git a/nixos/configurations/Cape/default.nix b/nixos/configurations/Cape/default.nix index 3b88cb2..eeb88c8 100644 --- a/nixos/configurations/Cape/default.nix +++ b/nixos/configurations/Cape/default.nix @@ -36,6 +36,10 @@ }; }; juicity.server.enable = true; + matrix-tuwunel = { + enable = true; + serverName = "im.youthlic.social"; + }; }; }; diff --git a/nixos/modules/programs/matrix-tuwunel.nix b/nixos/modules/programs/matrix-tuwunel.nix new file mode 100644 index 0000000..46d11a2 --- /dev/null +++ b/nixos/modules/programs/matrix-tuwunel.nix 
@@ -0,0 +1,63 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.youthlic.programs.matrix-tuwunel;
+in
+{
+ options = {
+ youthlic.programs.matrix-tuwunel = {
+ enable = lib.mkEnableOption "tuwunel";
+ serverName = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "example.com";
+ };
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ sops.secrets."matrix-reg-token" = {
+ owner = "tuwunel";
+ };
+ systemd.services.tuwunel.serviceConfig = {
+ EnvironmentFile = "${config.sops.secrets.matrix-reg-token.path}";
+ };
+ services.matrix-tuwunel = {
+ enable = true;
+ settings = {
+ global = {
+ port = [ 8481 ];
+ address = [
+ "0.0.0.0"
+ "::"
+ ];
+ trusted_servers = [
+ "matrix.org"
+ "mozilla.org"
+ "nichi.co"
+ ];
+ allow_registration = true;
+ server_name = cfg.serverName;
+ new_user_displayname_suffix = "⚡";
+ database_backup_path = "/var/lib/tuwunel/db.back";
+ well_known = {
+ client = "https://${cfg.serverName}";
+ server = "${cfg.serverName}:443";
+ };
+ };
+ };
+ };
+ })
+ (lib.mkIf (cfg.enable && config.youthlic.programs.caddy.enable) {
+ services.caddy.virtualHosts = {
+ "${cfg.serverName}" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:8481
+ '';
+ };
+ };
+ })
+ ];
+}
diff --git a/nixos/modules/programs/mautrix-telegram.nix b/nixos/modules/programs/mautrix-telegram.nix
index b2bc18a..683bde6 100644
--- a/nixos/modules/programs/mautrix-telegram.nix
+++ b/nixos/modules/programs/mautrix-telegram.nix
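Review bot: `address = [ "0.0.0.0" "::" ]` binds tuwunel's port 8481 on every interface, while the Caddy vhost in the same hunk only proxies `127.0.0.1:8481`, so the plain-HTTP client and federation API stays reachable directly, bypassing TLS, unless a firewall rule outside this module closes the port; `address = [ "127.0.0.1" "::1" ];` keeps it loopback-only behind the proxy. `allow_registration = true` on a public `server_name` is only acceptable if registration is token-gated: the module ships `matrix-reg-token` through `EnvironmentFile`, but nothing in `settings` references a token, so this relies on tuwunel reading it from the environment — confirm that, and confirm the sops payload is a `VAR=value` line rather than the bare token, or systemd will reject the environment file. A one-line comment above `EnvironmentFile`, `# registration token; tuwunel is expected to read it from the environment, not from settings`, would record that dependency for the next reader.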
@@ -13,12 +13,32 @@ in
 };
 };
 config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.youthlic.programs.matrix-tuwunel.enable;
+ message = ''
+ The bridge bot needs to be registered as appservice for home server. So need enable tuwunel.
+ '';
+ }
+ ];
 sops.secrets.matrix-telegram-bot = { };
 services.mautrix-telegram = {
 enable = true;
 environmentFile = "${config.sops.secrets.matrix-telegram-bot.path}";
+ serviceDependencies = [ "tuwunel.service" ];
 settings = {
 bridge = {
+ displayname_template = "{displayname} | Telegram";
+ telegram_link_preview = true;
+ caption_in_message = true;
+ parallel_file_transfer = true;
+ animated_sticker = {
+ target = "gif";
+ convert_from_webm = false;
+ };
+ animated_emoji = {
+ target = "webp";
+ };
 permissions = {
 "*" = "relaybot";
 };
@@ -27,14 +47,14 @@ in
 address = "http://127.0.0.1:8482";
 hostname = "0.0.0.0";
 port = 8482;
- database = "sqlite:////var/lib/mautrix-telegram/database.db";
- bot_username = "matrix_tg_146bot";
- bot_displayname = "matrix tg bridge";
+ bot_username = "telegram";
+ bot_displayname = "Telegram Bridge";
+ };
+ homeserver = {
+ address = "http://127.0.0.1:8481";
+ domain = config.youthlic.programs.matrix-tuwunel.serverName;
 };
 };
 };
- nixpkgs.config.permittedInsecurePackages = [
- "olm-3.2.16"
- ];
 };
 }
diff --git a/secrets/general.yaml b/secrets/general.yaml
index ee2c73c..bfa89a5 100644
--- a/secrets/general.yaml
+++ b/secrets/general.yaml
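Review bot: The assertion message `The bridge bot needs to be registered as appservice for home server. So need enable tuwunel.` does not tell the user which option to flip; naming it reads better, e.g. `message = "mautrix-telegram registers itself as an appservice with the local tuwunel homeserver; set youthlic.programs.matrix-tuwunel.enable = true.";`. The `config = lib.mkIf cfg.enable {` attribute set this hunk opens continues past the hunk.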
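Review bot: Dropping `database = "sqlite:////var/lib/mautrix-telegram/database.db"` in the second hunk changes where the bridge keeps its state; unless the module's default resolves to that same file, the bridge starts with an empty database and the existing portal and login state is silently orphaned on disk — confirm the default or keep the line. Removing the `permittedInsecurePackages = [ "olm-3.2.16" ]` allowance presumably means the bridge is no longer built against libolm; if end-to-bridge encryption was in use, that loss should be stated in the commit message. The new `homeserver.address = "http://127.0.0.1:8481"` is plaintext over loopback, which is fine only as long as the tuwunel listener it talks to is itself kept local.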
@@ -7,8 +7,8 @@ rustypaste:
 miniflux: ENC[AES256_GCM,data:8u9ElF2LAsIZmq7U8oZJM367y6EAy0si4ZXhpdisYa/PjV70SybUWhrahBft86QB71l8KtLUVuF3Ins=,iv:q7vJzxZICGNv/IaHKDpV50Pc9P4rIwcvfz2+uS1AnyI=,tag:ycwVU3RqfBoXRZQMv653xQ==,type:str]
 atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM3GuCwhIeFoIl0fOUqVYOzcCAcjsH2nBRqcXhtS8jhM=,iv:Mh3jsu6mdj0VOLSIoNz/0awyydVf7q3/E7iB7CJi+UA=,tag:xuHhUmK/J2stdjRrtbhQSw==,type:str]
 access-tokens: ENC[AES256_GCM,data:i/A9OjAnFEP26f4XYuV1G2wVo0dp+Nnte1EECjiLgc9ErDrIcmFfbmv6LgpEpjK06wUC1taPb6IuwM3qP+ucZRK5Eek94vTMpIQueOq8rGB5MYJADUtzX9TBGplVHDsx2lTXGYLxZEwetfnPr1Z6vuVpm13iK/1d,iv:cFKi0hDXAbfK7eLH1GA6aQCWjat0nHfYl/A0QO3tCMA=,tag:Hb1lDzJ/nkQXismo7/5DvQ==,type:str]
-matrix-telegram-bot: ENC[AES256_GCM,data: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,iv:Br0w0SiYajFr8p5CZEg47x3KpJ+AOleHthsEc3ho4YI=,tag:k+wptcSnNzfefF66Ug824Q==,type:str]
-matrix-reg-token: ENC[AES256_GCM,data:Cr5560L9gQo/tKUz1sQOAg5dckI6SyDxeNyrjW4oI6qkV8bxUrMaAGnVkkeF9TF9FgAnRb+7Lm+axd2SmkPWnqrLll2NzLC01zXht9Mq9RroAPXFraEV1X1Ge1qAAtkr,iv:42r93HLVDKuDCOYlfem7oi3gcHfhDYiNbFKOCHxim+o=,tag:9hWGQrWHsv2eYNgFlHtfeA==,type:str]
+matrix-telegram-bot: ENC[AES256_GCM,data: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,iv:U7fGGcWBdbsdZH5RC9E/WUzs1mjMxVlOFYIjax8egaY=,tag:TasFP91a7s6klS5VFDNZUw==,type:str]
+matrix-reg-token: ENC[AES256_GCM,data:Hs2RebmhU8KnQYZXkrn3RCrLVTyMhAfYUxt380QJs+OKlAeEpFy3+sP3cQyhDQfLbAm7hM3UX2csLSbVfwtMyGVuVRUVAfTQMm7tfCkiNsU9mhb7INH9SeuYzg/gVQ==,iv:cBVItzWbgL79yxtRIlXno9hakjQU9ZcgK7kYqUbV1h0=,tag:FsvATCrMJ+FkvuboVKtWkg==,type:str]
 ssh-private-key:
 radicle:
 Cape: ENC[AES256_GCM,data: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,iv:Tu3tFmlUFoAD/j4TK8vvQLglmq03jvc35NmELWC+1ak=,tag:bVwBzhqewIdsArJKxdZ5cg==,type:str]
@@ -56,7 +56,7 @@ sops:
 a1Y1NU9CK2h1SS83VW42bzBMa01yMXMKI1DBtgNlkNCrxUQvnD6a45mQKNfg5gM4
 Zb5buo9Jofj4dn/HFwng3T3gxKTrP2Dh74CAH4L0M5yrF9fzk5TCcQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-25T16:12:36Z"
- mac: ENC[AES256_GCM,data:3R8dHU+hOYxgyt31E9XemTZhx2nzUkTG35151nIU6Hf9BZCgu4uYd+LPD6AENwP5O/G4gijQf6PIPaLYvZgfMjkrrlKUkW9aH+QYNE5w+zV1EyNtMo6QauYCH/exLytPo9UBeF5aQ9T62EWIMV8ySXKOmSZny5KWcsEY+IAIm68=,iv:4JcDt7sYJZ5/4EuL0StkYD8ovZrSb3uvCFDzs+1cW5Q=,tag:r0w+OJ7tTOOA4VD3qnQ+UA==,type:str]
+ lastmodified: "2025-10-01T18:30:31Z"
+ mac: ENC[AES256_GCM,data:Ka+uZq4Uz9N9JTPOFuIsM12AjR1D1yMy9ZPu9xhqUH4JR2icHel6lma7Src2nAAVjJdOqapqsfLx4j1tjRuMbWKq9BSbU5vnBv27ihwpXiT0SaJTj1m8V4p3VBNCG6701jjptjzfHXckUT+RjYopPAnThcqyeLKsfyAGarMc/ao=,iv:iEw7jqxiicRS5DtQLdkIbyqjqJ9NczRZIRn/mzHpjIc=,tag:sP66xrIHuX+WyFaA1JIdhQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2