[matrix] Got Blazestar.net working, but federation and cross-server joining isn't quite right.

secrets/mcp.yaml

@@ -20,6 +20,7 @@ matrix:
     syncv3:
         db-password: ENC[AES256_GCM,data:N/IO0k/2BZpmaDTbKZmSgZNzmdk=,iv:p0jGjJ9mTCh5FPM/Oe1vxusYvlyg14UeggE5ynpDVL8=,tag:tZbddwxJf6wSH6L1QRUQVg==,type:str]
         secret: ENC[AES256_GCM,data:KZjYxjUxGgkY1I5jGF7XMEhkHK+khDaQzxugoKxpLsROmVs722tFfbUAxhp71llam55gy9+eUWGxIPlmvOySlw==,iv:OoThGcT08Z11kpnAMQ7w59wj5JheNFGEk1jfFENsmy0=,tag:8EeKT7dh2/a52Amf6LsL1w==,type:str]
+    blazestar-registration-token: ENC[AES256_GCM,data:TB3bR+E4H4c2l9pRcEOAZr35+vBVaJUcuCs9K0Pjd0aW+M35x5LgZ8+F99Y=,iv:e28sie6LSI5UX41BPb+yN+3n+Yw9Ssfsqe4zppwbPkU=,tag:cQPgZcRFbYSiZnmPVtZxHg==,type:str]
 sops:
     age:
         - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -40,7 +41,7 @@ sops:
             by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
             vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-24T21:12:13Z"
-    mac: ENC[AES256_GCM,data:S3tI++pml5/g8JSOImfmfrpmY3KQWN5bccM9HilGSEN24RU5ZhUBWs4mjuhPQQfFvrq+OSOqQZbdChHuIPf00szwIVJ3tXivcavcofVtNU81mqpKB6CatEQdy1zzErZf2wPeJk6RCZY+6tumyf/sE+e3ruZnZvttNYGF1xk75H4=,iv:8EoDYkCTUCMKTRX8nNVuoSrzQ7mCQ0DFMJ7ayU+ysfA=,tag:SIhs57wJJqNxVAlKp1tiZQ==,type:str]
+    lastmodified: "2025-06-25T22:38:40Z"
+    mac: ENC[AES256_GCM,data:2/rVuLHtxtiAW5H80vPYc+2QOFSA5nQRONOxbIPeg/KNgre0imaykFPFVXKidvod/QuHnoszKS6Js/HCXLKlesOjxVN4r7lLlGpOE9qkceaDOa5Fv/pwIWjYwovZEsjuJz2Uq7ouB0lBhuTinvP0uNV/LphAZDymeSv+FUkt6hU=,iv:Z48SytML7WgusUMzgWmQkWHwg5WJITj591+MFTWVwag=,tag:ENJWrbmjZMMZ4P9F0Im9bQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

system/hosts/mcp/containers/blazestar.net/chat.nix

@@ -1,31 +1,102 @@
 { config, ... }:
 let
   inherit (import ../lib.nix config) mkContainer blazestar;
+  matrixHost = "matrix";
+  serviceName = "matrix-blazestar-net";
+  dbPath = "/var/lib/matrix";
+  port = 8448;
 in
 {
-  virtualisation.oci-containers.containers.chat-blazestar-net = mkContainer {
-    image = "ghcr.io/matrix-construct/tuwunel";
-    hostName = "chat";
-    domain = blazestar;
-    port = 6167;
+  sops.secrets = {
+    "matrix/blazestar-registration-token" = {
+      restartUnits = [ "${config.local.container-backend}-matrix-blazestar-net.service" ];
+    };
+  };
+
+  sops.templates."matrix-blazestar-net.env".content = ''
+    TUWUNEL_REGISTRATION_TOKEN=${config.sops.placeholder."matrix/blazestar-registration-token"}
+  '';
+
+  virtualisation.oci-containers.containers."${serviceName}" = {
+    # The 1.1.0 version has an issue with the compression being incorrectly tagged.
+    # See: https://github.com/matrix-construct/tuwunel/issues/79
+    image = "ghcr.io/matrix-construct/tuwunel:v1.0.0-release-all-x86_64-linux-gnu";
+    autoStart = true;
+    hostname = "${matrixHost}.${blazestar}";
     volumes = [
-      "chat-blazestar-net-db:/var/lib/tuwunel"
+      "matrix-blazestar-net-db:${dbPath}"
     ];
     environment = {
-      TUWUNEL_PORT = "6167";
+      TUWUNEL_PORT = toString port;
+      TUWUNEL_ADDRESS = "0.0.0.0"; # It'll bind to localhost by default with Podman
       TUWUNEL_SERVER_NAME = "blazestar.net";
-      TUWUNEL_ALLOW_REGISTRATION = "false";
+      TUWUNEL_ALLOW_REGISTRATION = "true";
       TUWUNEL_ALLOW_CHECK_FOR_UPDATES = "true";
       TUWUNEL_ALLOW_FEDERATION = "true";
+      TUWUNEL_DATABASE_BACKEND = "rocksdb";
+      TUWUNEL_DATABASE_PATH = dbPath;
       TUWUNEL_WELL_KNOWN = ''
-        client=https://chat.blazestar.net,
-        server:chat.blazestar.net:443
+        {
+          client=https://${matrixHost}.blazestar.net,
+          server=${matrixHost}.blazestar.net:443
+        }
       '';
+      TUWUNEL_TRUSTED_SERVERS = ''["matrix.org", "chat.havenisms.com"]'';
     };
-    extraLabels = {
-      "traefik.http.routers.chat-blazestar-net-well-known.rule" =
-        "Host(`blazestar.net`) && PathPrefix(`.well-known`)";
-      "traefik.http.services.chat-blazestar-net-well-known.loadbalancer.server.port" = "6167";
+    environmentFiles = [
+      config.sops.templates."matrix-blazestar-net.env".path
+    ];
+    labels = {
+      "traefik.enable" = "true";
+      "traefik.http.routers.${serviceName}.rule" = "Host(`${matrixHost}.${blazestar}`)";
+      "traefik.http.services.${serviceName}.loadbalancer.server.port" = "${toString port}";
+
+      # Redirect well-known requests to this host.
+      "traefik.http.routers.${matrixHost}-blazestar-net-well-known.rule" =
+        "Host(`blazestar.net`) && PathPrefix(`/.well-known/matrix`)";
+      "traefik.http.routers.${matrixHost}-blazestar-net-well-known.service" = serviceName;
+    };
+  };
+  # virtualisation.oci-containers.containers.matrix-blazestar-net =
+  #   mkContainer {
+  #     image = "registry.gitlab.com/famedly/conduit/matrix-conduit:latest";
+  #     hostName = hostname;
+  #     domain = blazestar;
+  #     port = port;
+  #     ports = [
+  #       "8449:6167"
+  #     ];
+  #     volumes = [
+  #       "chat-blazestar-net-db:${dbPath}"
+  #     ];
+  #     environment = {
+  #       CONDUIT_PORT = "6167";
+  #       CONDUIT_SERVER_NAME = "blazestar.net";
+  #       CONDUIT_ALLOW_REGISTRATION = "true";
+  #       CONDUIT_DATABASE_BACKEND = "rocksdb";
+  #       CONDUIT_DATABASE_PATH = dbPath;
+  #       CONDUIT_ALLOW_CHECK_FOR_UPDATES = "true";
+  #       CONDUIT_ALLOW_FEDERATION = "true";
+  #       CONDUIT_MAX_REQUEST_SIZE = "20000000";
+  #       CONDUIT_TRUSTED_SERVERS = "[\"matrix.org\"]";
+  #       CONDUIT_MAX_CONCURRENT_REQUESTS = "100";
+  #       CONDUIT_WELL_KNOWN_CLIENT = "https://${hostname}.blazestar.net";
+  #       CONDUIT_WELL_KNOWN_SERVER = "${hostname}.blazestar.net:443";
+  #       CONDUIT_CONFIG = ""; # Ignore the config file
+  #     };
+  #     extraLabels = {
+  #       "traefik.http.routers.${hostname}-blazestar-net-well-known.rule" =
+  #         "Host(`blazestar.net`) && PathPrefix(`/.well-known`)";
+  #       "traefik.http.routers.${hostname}-blazestar-net-well-known.service" = "${hostname}-blazestar-net";
+  #     };
+  #   };
+  virtualisation.oci-containers.containers.chat = mkContainer {
+    image = "vectorim/element-web:latest";
+    hostName = "chat";
+    port = 8080;
+    domain = blazestar;
+    environment = {
+      ELEMENT_WEB_PORT = "8080";
     };
   };
 }

system/hosts/mcp/containers/havenisms.com/chat.nix

@@ -31,6 +31,7 @@ in
       dependsOn = [
         "db"
       ];
+
       volumes = [
         "/tank/config/synapse/data:/data"
       ];

system/hosts/mcp/containers/media-system.nix

@@ -40,7 +40,7 @@ in
       # };
     };
     deluge = {
-      image = "linuxserver/deluge:latest";
+      image = "lscr.io/linuxserver/deluge:latest";
       autoStart = true;
       dependsOn = [
         "gluetun"
@@ -62,7 +62,7 @@ in
       ];
     };
     qbittorrent = {
-      image = "linuxserver/qbittorrent:latest";
+      image = "lscr.io/linuxserver/qbittorrent:latest";
       autoStart = true;
       dependsOn = [
         "gluetun"