Added Bridges; Changed shell

home/default.nix

@@ -34,12 +34,12 @@
     ./obsidian.nix
   ];
 
-  nixpkgs.config.allowUnfree = true;
   nixpkgs.config.allowUnfreePredicate =
     pkg:
     builtins.elem (lib.getName pkg) [
       "wezterm.nvim"
     ];
+
   home = {
     username = primaryUser;
     stateVersion = "26.05";

home/shell.nix

@@ -189,9 +189,6 @@
 
       # llm | glow
       def l [...args] { llm prompt -m groq/llama-3.3-70b-versatile -t std ...$args | glow }
-
-      # Fastfetch on shell start
-      fastfetch
     '';
 
     extraEnv = ''
@@ -230,7 +227,14 @@
       fzf --fish | source
       zoxide init fish --cmd cd | source
       function fish_greeting
-            		fastfetch
+        echo "                                              _         _      ";
+        echo "                                             | |       | |     ";
+        echo "  ___ _   _ _ __   ___ _ __ _ __  _   _ _ __ | | __  __| | ___ ";
+        echo " / __| | | | '_ \\ / _ \\ '__| '_ \\| | | | '_ \\| |/ / / _\` |/ _ \\";
+        echo "| (__| |_| | |_) |  __/ |  | |_) | |_| | | | |   < | (_| |  __/";
+        echo " \\___|\\__, | .__/ \\___|_|  | .__/ \\__,_|_| |_|_|\\_(_)__,_|\\___|";
+        echo "       __/ | |             | |                                 ";
+        echo "      |___/|_|             |_|                                 ";
       end
     '';
 

nixos/roles/matrix/default.nix

@@ -4,11 +4,11 @@
 {
   imports = [
     ./synapse.nix
-    #./lk-jwt.nix
     ./livekit.nix
     ./clients.nix
     ./mjolnir.nix
     ./coturn.nix
-    #./maubot.nix # known security risk
+    ./discord-bridge.nix
+    ./whatsapp-bridge.nix
   ];
 }

nixos/roles/matrix/discord-bridge.nix

@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+{
+  nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
+
+  sops.secrets.discord_bot_token = {
+    owner = "mautrix-discord";
+    group = "mautrix-discord";
+  };
+  sops.secrets.discord_client_id = {
+    owner = "mautrix-discord";
+    group = "mautrix-discord";
+  };
+
+  systemd.services.mautrix-discord-env = {
+    before = [ "mautrix-discord-registration.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p /run/mautrix-discord
+      echo "DISCORD_BOT_TOKEN=$(cat ${config.sops.secrets.discord_bot_token.path})" > /run/mautrix-discord/env
+      echo "DISCORD_CLIENT_ID=$(cat ${config.sops.secrets.discord_client_id.path})" >> /run/mautrix-discord/env
+      chmod 600 /run/mautrix-discord/env
+      chown mautrix-discord:mautrix-discord /run/mautrix-discord/env
+    '';
+  };
+
+  services.postgresql = {
+    ensureUsers = [
+      {
+        name = "mautrix-discord";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = [ "mautrix-discord" ];
+  };
+
+  services.mautrix-discord = {
+    enable = true;
+    environmentFile = "/run/mautrix-discord/env";
+    settings = {
+      homeserver = {
+        address = "http://127.0.0.1:8008";
+        domain = "cyperpunk.de";
+      };
+      appservice.database = {
+        type = "postgres";
+        uri = "postgres:///mautrix-discord?host=/run/postgresql&sslmode=disable";
+      };
+      bridge = {
+        permissions = {
+          "cyperpunk.de" = "user";
+          "@dergrumpf:cyperpunk.de" = "admin";
+        };
+      };
+      discord = {
+        client_id = "$DISCORD_CLIENT_ID";
+        bot_token = "$DISCORD_BOT_TOKEN";
+      };
+    };
+  };
+}

nixos/roles/matrix/lk-jwt.nix

@@ -1,25 +0,0 @@
-{ config, ... }:
-let
-  domain = "cyperpunk.de";
-  synapseUrl = "http://127.0.0.1:8008";
-  # Internal LiveKit address — JWT service must NOT go through the TLS proxy.
-  # Using the public wss:// URL caused token rejection because nginx re-wraps
-  # the connection and the JWT service couldn't verify the livekit instance.
-  livekitInternalUrl = "ws://127.0.0.1:7880";
-in
-{
-  # Same secret as livekit.nix — both services must share the same key pair
-  sops.secrets.livekit_key = { };
-
-  services.lk-jwt-service = {
-    enable = true;
-    port = 18080;
-    keyFile = config.sops.secrets.livekit_key.path;
-    livekitUrl = livekitInternalUrl;
-  };
-
-  systemd.services.lk-jwt-service.environment = {
-    LIVEKIT_FULL_ACCESS_HOMESERVERS = domain;
-    MATRIX_BASE_URL = synapseUrl;
-  };
-}

nixos/roles/matrix/maubot.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-{
-  services = {
-    maubot = {
-      enable = true;
-      settings = {
-        database = "postgresql://maubot@localhost/maubot";
-        server = {
-          public_url = "matrix.cyperpunk.de";
-          #ui_base_path = "/another/base/path";
-        };
-      };
-    };
-
-    nginx.virtualHosts."matrix.cyperpunk.de".locations = {
-      "/_matrix/maubot/" = {
-        proxyPass = "http://127.0.0.1:${toString config.services.maubot.settings.server.port}";
-        proxyWebsockets = true;
-      };
-    };
-  };
-}

nixos/roles/matrix/whatsapp-bridge.nix

@@ -0,0 +1,30 @@
+{ ... }:
+{
+  services.postgresql = {
+    ensureUsers = [
+      {
+        name = "mautrix-whatsapp";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = [ "mautrix-whatsapp" ];
+  };
+
+  services.mautrix-whatsapp = {
+    enable = true;
+    settings = {
+      homeserver = {
+        address = "http://127.0.0.1:8008";
+        domain = "cyperpunk.de";
+      };
+      database = {
+        type = "postgres";
+        uri = "postgres:///mautrix-whatsapp?host=/run/postgresql&sslmode=disable";
+      };
+      bridge.permissions = {
+        "cyperpunk.de" = "user";
+        "@dergrumpf:cyperpunk.de" = "admin";
+      };
+    };
+  };
+}

secrets/secrets.yaml

@@ -11,6 +11,8 @@ paperless_admin: ENC[AES256_GCM,data:sVvlMQ3dDE2XsDfpwpCTbzPCEKdUMNTFtRXDIuBbgyf
 livekit_key_file: ENC[AES256_GCM,data:wOtJhwDtZNEY+QjHyLL1FTOtkmzkNA5BoTsx0+ZMij9uUaKC28uFIkMAq2ZzIU7Nyvk8+4YjbK/Rrsoy,iv:UTDuItr0XsG+/4HFkEHDpxXy41QiVgPCisHeMMY2dQo=,tag:SkoeLWClO9I/V2sn27Y2uw==,type:str]
 mjolnir_access_token: ENC[AES256_GCM,data:vvrAY9CAkEIGEzah+TQiwa6PahGuXVvU7wzBpTnqeSLqe3mqtw120GRj,iv:J+/VJ40BsImr832eGUHShhDVWYC7KsEwQUH9AE6Rs9c=,tag:n+y0flxfqY47rB4yv9TnBw==,type:str]
 coturn_static_auth_secret: ENC[AES256_GCM,data:7AI0E8Hu4WxI5q4j1GqBMSQ+evE006uPMtwIfGn4eFz+XB2JA6fhhiGMPPxSkqOyK+3eZJ5ahiG05JpmBmmAbw==,iv:hQJQQDVo43U7lvV754PC1THeFCpZZEyag+BslXyoDos=,tag:Vkm+IXr1h8ZNpah6UYaKng==,type:str]
+discord_bot_token: ENC[AES256_GCM,data:j37Qo3FCyRwNFqWSWpnQKCs+AxH5HlQ8U5If7ylHilQoORp8Pb3TtNETTJSjZyvUXllldevAbHrbAEEKnNfoUJx1U8/wl6H0,iv:WQqxFXTE+0LIB2lSvVcnr4LNXPE7uzNc0Kk8NU6Z/aE=,tag:fNeQLhoThEgfa4sSGKLZCw==,type:str]
+discord_client_id: ENC[AES256_GCM,data:U/iUKXT6Nsl6LRN9lPh1xaIaqw==,iv:k7kQ8rJBrMs3YwD9aDfZ6qhd7H3aVsSPTOwEIxVTw2Y=,tag:2wKhxGbf+P+h3BYeWUSczA==,type:str]
 gitea:
     dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str]
     internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
@@ -29,7 +31,7 @@ sops:
             N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
             6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-06T21:16:11Z"
+    lastmodified: "2026-05-07T07:00:06Z"
-    mac: ENC[AES256_GCM,data:Dl9FbobKAg5T6H5nQr7VL7LAyk5DgzJDWzlHa1GqhqqbFV8InJtwVc+H3iqiBbsLNW2D4TowqmKMae2aZQ3CLN1YCtScMci9fO0+V0+dEWDismTk/Gd4jJzKAIei3ewXkqiWpIg9yt9LvQAp0Jbg5/vP/2UsBBqXmFbRxbME0NY=,iv:i13Wya8uUsUVPE7ZBxNDgH2kg0OwGysfC/qHoJEmYhg=,tag:kiosVeWZNhKEwCVrg3t/ow==,type:str]
+    mac: ENC[AES256_GCM,data:KSkcRm/aTGAZBfj2ZZ03x8EB2Sh0lFKUSDKLedgtYYk/QnUKTZOO8oaT36xIdrPN0pjK1CnElDQMkAHG6JCklif2UkcodKcerVWaVcNwZ4mk6wSvZz7OIqneMR0W/U+Ly3NMgwIKrlP9f7axiYMq9JyK6pVeepKrmw4RvOPzxqU=,iv:vlcFxxV5EofNAPnDf7eGJZ8FUM83uGUnkZtU57Epb3Y=,tag:yfYpa/F7PTwvZY11SZyRaw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2