Added Bridges; Changed shell

This commit is contained in:
2026-05-07 14:10:16 +02:00
parent a32a2800f7
commit 2740d04253
8 changed files with 114 additions and 61 deletions
+2 -2
@@ -4,11 +4,11 @@
{
imports = [
./synapse.nix
#./lk-jwt.nix
./livekit.nix
./clients.nix
./mjolnir.nix
./coturn.nix
#./maubot.nix # known security risk
./discord-bridge.nix
./whatsapp-bridge.nix
];
}
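--- /dev/null
+++ b/discord-bridge.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+{
+nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
+sops.secrets.discord_bot_token = {
+owner = "mautrix-discord";
+group = "mautrix-discord";
+};
+sops.secrets.discord_client_id = {
+owner = "mautrix-discord";
+group = "mautrix-discord";
+};
+systemd.services.mautrix-discord-env = {
+before = [ "mautrix-discord-registration.service" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+};
+script = ''
+mkdir -p /run/mautrix-discord
+echo "DISCORD_BOT_TOKEN=$(cat ${config.sops.secrets.discord_bot_token.path})" > /run/mautrix-discord/env
+echo "DISCORD_CLIENT_ID=$(cat ${config.sops.secrets.discord_client_id.path})" >> /run/mautrix-discord/env
+chmod 600 /run/mautrix-discord/env
+chown mautrix-discord:mautrix-discord /run/mautrix-discord/env
+'';
+};
+services.postgresql = {
+ensureUsers = [
+{
+name = "mautrix-discord";
+ensureDBOwnership = true;
+}
+];
+ensureDatabases = [ "mautrix-discord" ];
+};
+services.mautrix-discord = {
+enable = true;
+environmentFile = "/run/mautrix-discord/env";
+settings = {
+homeserver = {
+address = "http://127.0.0.1:8008";
+domain = "cyperpunk.de";
+};
+appservice.database = {
+type = "postgres";
+uri = "postgres:///mautrix-discord?host=/run/postgresql&sslmode=disable";
+};
+bridge = {
+permissions = {
+"cyperpunk.de" = "user";
+"@dergrumpf:cyperpunk.de" = "admin";
+};
+};
+discord = {
+client_id = "$DISCORD_CLIENT_ID";
+bot_token = "$DISCORD_BOT_TOKEN";
+};
+};
+};
+}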
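Review bot: The `>` redirect in the oneshot script creates `/run/mautrix-discord/env` with the unit's default umask, and the `chmod 600` only runs two lines later, so the bot token is briefly world-readable on a shared host; add `umask 077` between the `mkdir -p /run/mautrix-discord` line and the first `echo` (after the mkdir, so the directory itself stays traversable for the bridge user), after which the chmod becomes a no-op safety net. The `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]` line is a global override that re-admits a package nixpkgs marks as insecure, in the same commit that drops maubot as a "known security risk"; a one-line comment such as `# olm is flagged insecure in nixpkgs; still required by mautrix-discord for E2EE support — revisit when the bridge drops libolm` would record why it is accepted (the E2EE reason is presumed, please confirm). If the project already uses sops-nix templates elsewhere, `sops.templates` could produce this env file with the right owner and mode directly and replace the script altogether.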
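--- a/lk-jwt.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, ... }:
-let
-domain = "cyperpunk.de";
-synapseUrl = "http://127.0.0.1:8008";
-# Internal LiveKit address — JWT service must NOT go through the TLS proxy.
-# Using the public wss:// URL caused token rejection because nginx re-wraps
-# the connection and the JWT service couldn't verify the livekit instance.
-livekitInternalUrl = "ws://127.0.0.1:7880";
-in
-{
-# Same secret as livekit.nix — both services must share the same key pair
-sops.secrets.livekit_key = { };
-services.lk-jwt-service = {
-enable = true;
-port = 18080;
-keyFile = config.sops.secrets.livekit_key.path;
-livekitUrl = livekitInternalUrl;
-};
-systemd.services.lk-jwt-service.environment = {
-LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
-MATRIX_BASE_URL = synapseUrl;
-};
-}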
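--- a/maubot.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, ... }:
-{
-services = {
-maubot = {
-enable = true;
-settings = {
-database = "postgresql://maubot@localhost/maubot";
-server = {
-public_url = "matrix.cyperpunk.de";
-#ui_base_path = "/another/base/path";
-};
-};
-};
-nginx.virtualHosts."matrix.cyperpunk.de".locations = {
-"/_matrix/maubot/" = {
-proxyPass = "http://127.0.0.1:${toString config.services.maubot.settings.server.port}";
-proxyWebsockets = true;
-};
-};
-};
-}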
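--- /dev/null
+++ b/whatsapp-bridge.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+services.postgresql = {
+ensureUsers = [
+{
+name = "mautrix-whatsapp";
+ensureDBOwnership = true;
+}
+];
+ensureDatabases = [ "mautrix-whatsapp" ];
+};
+services.mautrix-whatsapp = {
+enable = true;
+settings = {
+homeserver = {
+address = "http://127.0.0.1:8008";
+domain = "cyperpunk.de";
+};
+database = {
+type = "postgres";
+uri = "postgres:///mautrix-whatsapp?host=/run/postgresql&sslmode=disable";
+};
+bridge.permissions = {
+"cyperpunk.de" = "user";
+"@dergrumpf:cyperpunk.de" = "admin";
+};
+};
+};
+}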
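Review bot: `bridge.permissions` grants the `user` level to the whole `cyperpunk.de` domain, so every account on the homeserver can link a WhatsApp session and have its chats stored in the bridge's postgres database; if that is the intent, a comment above the block such as `# every local account may link a WhatsApp session; restrict to MXIDs if registration is ever opened` would make the decision visible, otherwise list the allowed MXIDs explicitly as is already done for admin. Whether registration is open depends on synapse.nix, which is outside this commit, so treat that as something to confirm rather than a defect here.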