feat: Deploy matrix home server

nixos/configurations/Cape/default.nix

@@ -36,6 +36,10 @@
         };
       };
       juicity.server.enable = true;
+      matrix-tuwunel = {
+        enable = true;
+        serverName = "im.youthlic.social";
+      };
     };
   };
 

nixos/modules/programs/matrix-tuwunel.nix

@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.youthlic.programs.matrix-tuwunel;
+in
+{
+  options = {
+    youthlic.programs.matrix-tuwunel = {
+      enable = lib.mkEnableOption "tuwunel";
+      serverName = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        example = "example.com";
+      };
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      sops.secrets."matrix-reg-token" = {
+        owner = "tuwunel";
+      };
+      systemd.services.tuwunel.serviceConfig = {
+        EnvironmentFile = "${config.sops.secrets.matrix-reg-token.path}";
+      };
+      services.matrix-tuwunel = {
+        enable = true;
+        settings = {
+          global = {
+            port = [ 8481 ];
+            address = [
+              "0.0.0.0"
+              "::"
+            ];
+            trusted_servers = [
+              "matrix.org"
+              "mozilla.org"
+              "nichi.co"
+            ];
+            allow_registration = true;
+            server_name = cfg.serverName;
+            new_user_displayname_suffix = "⚡";
+            database_backup_path = "/var/lib/tuwunel/db.back";
+            well_known = {
+              client = "https://${cfg.serverName}";
+              server = "${cfg.serverName}:443";
+            };
+          };
+        };
+      };
+    })
+    (lib.mkIf (cfg.enable && config.youthlic.programs.caddy.enable) {
+      services.caddy.virtualHosts = {
+        "${cfg.serverName}" = {
+          extraConfig = ''
+            reverse_proxy 127.0.0.1:8481
+          '';
+        };
+      };
+    })
+  ];
+}

nixos/modules/programs/mautrix-telegram.nix

@@ -13,12 +13,32 @@ in
     };
   };
   config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.youthlic.programs.matrix-tuwunel.enable;
+        message = ''
+          The bridge bot needs to be registered as appservice for home server. So need enable tuwunel.
+        '';
+      }
+    ];
     sops.secrets.matrix-telegram-bot = { };
     services.mautrix-telegram = {
       enable = true;
       environmentFile = "${config.sops.secrets.matrix-telegram-bot.path}";
+      serviceDependencies = [ "tuwunel.service" ];
       settings = {
         bridge = {
+          displayname_template = "{displayname} | Telegram";
+          telegram_link_preview = true;
+          caption_in_message = true;
+          parallel_file_transfer = true;
+          animated_sticker = {
+            target = "gif";
+            convert_from_webm = false;
+          };
+          animated_emoji = {
+            target = "webp";
+          };
           permissions = {
             "*" = "relaybot";
           };
@@ -27,14 +47,14 @@ in
           address = "http://127.0.0.1:8482";
           hostname = "0.0.0.0";
           port = 8482;
-          database = "sqlite:////var/lib/mautrix-telegram/database.db";
+          bot_username = "telegram";
-          bot_username = "matrix_tg_146bot";
+          bot_displayname = "Telegram Bridge";
-          bot_displayname = "matrix tg bridge";
+        };
+        homeserver = {
+          address = "http://127.0.0.1:8481";
+          domain = config.youthlic.programs.matrix-tuwunel.serverName;
         };
       };
     };
-    nixpkgs.config.permittedInsecurePackages = [
-      "olm-3.2.16"
-    ];
   };
 }

secrets/general.yaml

@@ -7,8 +7,8 @@ rustypaste:
 miniflux: ENC[AES256_GCM,data:8u9ElF2LAsIZmq7U8oZJM367y6EAy0si4ZXhpdisYa/PjV70SybUWhrahBft86QB71l8KtLUVuF3Ins=,iv:q7vJzxZICGNv/IaHKDpV50Pc9P4rIwcvfz2+uS1AnyI=,tag:ycwVU3RqfBoXRZQMv653xQ==,type:str]
 atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM3GuCwhIeFoIl0fOUqVYOzcCAcjsH2nBRqcXhtS8jhM=,iv:Mh3jsu6mdj0VOLSIoNz/0awyydVf7q3/E7iB7CJi+UA=,tag:xuHhUmK/J2stdjRrtbhQSw==,type:str]
 access-tokens: ENC[AES256_GCM,data:i/A9OjAnFEP26f4XYuV1G2wVo0dp+Nnte1EECjiLgc9ErDrIcmFfbmv6LgpEpjK06wUC1taPb6IuwM3qP+ucZRK5Eek94vTMpIQueOq8rGB5MYJADUtzX9TBGplVHDsx2lTXGYLxZEwetfnPr1Z6vuVpm13iK/1d,iv:cFKi0hDXAbfK7eLH1GA6aQCWjat0nHfYl/A0QO3tCMA=,tag:Hb1lDzJ/nkQXismo7/5DvQ==,type:str]
-matrix-telegram-bot: ENC[AES256_GCM,data:4G9JSR4l3043SM63gvJr0xBFuS11eoesi9rrobTxN9HpEGNklYDWHH/+Bm7P/2Bxnye3CiO/Z8KffvbjH8slRHLtbSpo8lRsfi9uRAbeMl7aXe/nTjpN078QSN3WXXc9XqYq0sxwNKPrnW3bmPQsHUiykZ3Go5A9Qw1iIPvPpXITyNbeD0gA+2CBB7PIURI7X0PIgSfUtMFZvl2J9znqCnlfC41bj6aC3sywsEkpuFJiMEojrwl+XmVS/u4eNMq8KiofVn9QlGx5gdGZ9LfZZdc+8E6u5GovqP2JTwwfaeZPzdwdZ2YsdoAvmgAusMfjCNZvHF7msLsOyNJW4592ZC7+fHhRbkKnVKc3OwA4ILWd9Jl0p0BoS0Ckn3V5nUQFgxVJ2O0yd/FLFaEqbeBLHNqC6u9CTYk82Uy23ilXQYKIc9h2wQkM329E6j9Mk0f9uavoYVPkpz6ahLzcni2W26FUkeaZ7PkrHmHWfJvvvi32GB4+q1m0phPmcd3cKVhXhbhLXiBcx2Rj7Q==,iv:Br0w0SiYajFr8p5CZEg47x3KpJ+AOleHthsEc3ho4YI=,tag:k+wptcSnNzfefF66Ug824Q==,type:str]
+matrix-telegram-bot: ENC[AES256_GCM,data:rMv6XlsAskhqlUq05Jp1JO08Pf4HFYqmU9umlnrjKSRYFP/xo0ch3GVOg9TEVHfxGitRXrf9KCoNw2xI2VsMF8ay493N07vlq0y3QHkgcDGKTtwn1DunTG+gURSPFDcn47JmD20opQ4/PPeB6QFRbSCredeSDRxCH1jVC4VqncMrwoN6rFFmi610tvBn43YE9AKtWfEzk9fJG5arwBvFH28ntgiHnKjzjIAK1guIc3j++0ZdoSQzjgUVKuIsKlfaCBYmF6qo5g0LrVhqr+amiot7b/kEkOewOhgRHr23zmfbzxnAVuXMPDPgEmywuHkZqdhpKZW3oRB+gOXV9aZvs+kgw/xVbDpHXkYfnr0WahZIZG5b+Tk42DPmRFw6Z4VsANqxQ2iJSnQZo9vD850oO1pFqSxfh3OQGzUki60FFv979/v79gy7wpvpiis0S78f7DZ8J9lpJqfkOTlUSpNDh5YzfRDgdBKaM77W42Q7Oq6N45KPe/wgJD9LTysf4ZNGaBeH4GsAHOdBfDW9,iv:U7fGGcWBdbsdZH5RC9E/WUzs1mjMxVlOFYIjax8egaY=,tag:TasFP91a7s6klS5VFDNZUw==,type:str]
-matrix-reg-token: ENC[AES256_GCM,data:Cr5560L9gQo/tKUz1sQOAg5dckI6SyDxeNyrjW4oI6qkV8bxUrMaAGnVkkeF9TF9FgAnRb+7Lm+axd2SmkPWnqrLll2NzLC01zXht9Mq9RroAPXFraEV1X1Ge1qAAtkr,iv:42r93HLVDKuDCOYlfem7oi3gcHfhDYiNbFKOCHxim+o=,tag:9hWGQrWHsv2eYNgFlHtfeA==,type:str]
+matrix-reg-token: ENC[AES256_GCM,data:Hs2RebmhU8KnQYZXkrn3RCrLVTyMhAfYUxt380QJs+OKlAeEpFy3+sP3cQyhDQfLbAm7hM3UX2csLSbVfwtMyGVuVRUVAfTQMm7tfCkiNsU9mhb7INH9SeuYzg/gVQ==,iv:cBVItzWbgL79yxtRIlXno9hakjQU9ZcgK7kYqUbV1h0=,tag:FsvATCrMJ+FkvuboVKtWkg==,type:str]
 ssh-private-key:
     radicle:
         Cape: ENC[AES256_GCM,data:6C4YwlcIpC0ZT1TosOGPm15B+i/bEeGEOw+FCib8vJU9M89LviqeftjcycBCiHmLJms4lKzsWpLn2Rmw9PovBZ0FI2geb+Lthm9etvaJxLtc4DofgLsa3uB79EH8kS93xEN8lfnPct0nYW1z9z/7FB6RaYxUWWX5dlFAxgkM4WtxTjtJ+F48dzoYRUtSfRx/egSJ9PLw2sm8mgBNNt2SDEncX6Im58TuvKA8RTHchnvmguc7HqqNKPAtnvrwOi0jdn+vduP8qZDU9C2spswuyE6NEl0JkV4Wag4Dct6j3A1KcD4W/qf+F6geURhGkvaAKEr6Y7IEEibti/2pCcXYPEQ8CeCdgH1SC9+SruiGCGODuYIXHCEmwhq3geEDr5xGhVdB1F79BCm6k1WQKPHfJA/e9fnUZlzO/U6F7eLopVLPT3cNuaY0qiFnkiHsQj74Wnd3L5Ugw5ZNxzjsnnriGPjn28OXPEbvKwciZLQndb+VFvxJNWk8conIIWcDpLw3cQ/EiwwcnKcQjnDmRASv,iv:Tu3tFmlUFoAD/j4TK8vvQLglmq03jvc35NmELWC+1ak=,tag:bVwBzhqewIdsArJKxdZ5cg==,type:str]
@@ -56,7 +56,7 @@ sops:
             a1Y1NU9CK2h1SS83VW42bzBMa01yMXMKI1DBtgNlkNCrxUQvnD6a45mQKNfg5gM4
             Zb5buo9Jofj4dn/HFwng3T3gxKTrP2Dh74CAH4L0M5yrF9fzk5TCcQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-25T16:12:36Z"
+    lastmodified: "2025-10-01T18:30:31Z"
-    mac: ENC[AES256_GCM,data:3R8dHU+hOYxgyt31E9XemTZhx2nzUkTG35151nIU6Hf9BZCgu4uYd+LPD6AENwP5O/G4gijQf6PIPaLYvZgfMjkrrlKUkW9aH+QYNE5w+zV1EyNtMo6QauYCH/exLytPo9UBeF5aQ9T62EWIMV8ySXKOmSZny5KWcsEY+IAIm68=,iv:4JcDt7sYJZ5/4EuL0StkYD8ovZrSb3uvCFDzs+1cW5Q=,tag:r0w+OJ7tTOOA4VD3qnQ+UA==,type:str]
+    mac: ENC[AES256_GCM,data:Ka+uZq4Uz9N9JTPOFuIsM12AjR1D1yMy9ZPu9xhqUH4JR2icHel6lma7Src2nAAVjJdOqapqsfLx4j1tjRuMbWKq9BSbU5vnBv27ihwpXiT0SaJTj1m8V4p3VBNCG6701jjptjzfHXckUT+RjYopPAnThcqyeLKsfyAGarMc/ao=,iv:iEw7jqxiicRS5DtQLdkIbyqjqJ9NczRZIRn/mzHpjIc=,tag:sP66xrIHuX+WyFaA1JIdhQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2