From c74e40e69e3505152c8bb1030b1b8a606eb0f182 Mon Sep 17 00:00:00 2001
From: Drew Haven
Date: Tue, 24 Jun 2025 16:57:38 -0700
Subject: [PATCH] [nix,flake] Moves some container files around. Also updates the flake lock. [synapse] Gets the federation working
---
 flake.lock | 56 +++----------------
 flake.nix | 7 ---
 system/hosts/mcp/configuration.nix | 7 ++-
 system/hosts/mcp/containers.nix | 14 ++++-
 .../mcp/containers/blazestar.net/chat.nix | 31 ++++++++++
 .../mcp/containers/blazestar.net/default.nix | 6 ++
 .../{synapse.nix => havenisms.com/chat.nix} | 24 ++++----
 .../mcp/containers/havenisms.com/default.nix | 6 ++
 system/hosts/mcp/containers/traefik.nix | 1 +
 .../hosts/mcp/containers/traefik/traefik.yaml | 7 +++
 10 files changed, 89 insertions(+), 70 deletions(-)
 create mode 100644 system/hosts/mcp/containers/blazestar.net/chat.nix
 create mode 100644 system/hosts/mcp/containers/blazestar.net/default.nix
 rename system/hosts/mcp/containers/{synapse.nix => havenisms.com/chat.nix} (69%)
 create mode 100644 system/hosts/mcp/containers/havenisms.com/default.nix

diff --git a/flake.lock b/flake.lock
index 362ecf9..7dc817b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1749154018,
- "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=",
+ "lastModified": 1750792728,
+ "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111",
+ "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
 "type": "github"
 },
 "original": {
@@ -21,33 +21,13 @@
 "type": "github"
 }
 },
- "home-manager-unstable": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs-unstable"
- ]
- },
- "locked": {
- "lastModified": 1749160002,
- "narHash": "sha256-IM3xKjsKxhu7Y1WdgTltrLKiOJS8nW7D4SUDEMNr7CI=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "68cc9eeb3875ae9682c04629f20738e1e79d72aa",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "home-manager",
- "type": "github"
- }
- },
 "nixpkgs": {
 "locked": {
- "lastModified": 1749086602,
- "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=",
+ "lastModified": 1750622754,
+ "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "4792576cb003c994bd7cc1edada3129def20b27d",
+ "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
 "type": "github"
 },
 "original": {
@@ -57,28 +37,10 @@
 "type": "github"
 }
 },
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1748929857,
- "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
- "home-manager-unstable": "home-manager-unstable",
 "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable",
 "sops-nix": "sops-nix"
 }
 },
@@ -89,11 +51,11 @@
 ]
 },
 "locked": {
- "lastModified": 1747603214,
- "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+ "lastModified": 1750119275,
+ "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+ "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 4e8efa4..6cd474a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,13 +9,6 @@
 url = "github:nix-community/home-manager?ref=release-25.05";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixpkgs-unstable = {
- url = "github:nixos/nixpkgs?ref=nixos-unstable";
- };
- home-manager-unstable = {
- url = "github:nix-community/home-manager";
- inputs.nixpkgs.follows = "nixpkgs-unstable";
- };
 sops-nix = {
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/system/hosts/mcp/configuration.nix b/system/hosts/mcp/configuration.nix
index 7788031..aa9d920 100644
--- a/system/hosts/mcp/configuration.nix
+++ b/system/hosts/mcp/configuration.nix
@@ -96,7 +96,8 @@
 port = 5000;
 openFirewall = true;
 # Bind to the podman network so Traefik can route to it.
- # Note that it may fail to start if this network has not been created yet.
+ # Note that it may fail to start if this network has not been created yet,
+ # so this has to be manually restarted when the system boots.
 listenAddress = "10.88.0.1";
 };
 
@@ -107,8 +108,10 @@
 enabledCollectors = [ "systemd" ];
 port = 9002;
 # Open the firewall, but only listen on the internal address
- # TODO: Add some form authentication
 openFirewall = true;
+ # Bind to the podman network so Traefik can route to it.
+ # Note that it may fail to start if this network has not been created yet,
+ # so this has to be manually restarted when the system boots.
 listenAddress = "10.88.0.1";
 };
 };
diff --git a/system/hosts/mcp/containers.nix b/system/hosts/mcp/containers.nix
index 3d6508f..4bc595d 100644
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -3,6 +3,9 @@
 {
 # Additional configuration
 imports = [
+ ./containers/havenisms.com
+ ./containers/blazestar.net
+
 # Docker containers
 ./containers/dm-companion.nix
 ./containers/freshrss.nix
@@ -19,7 +22,6 @@
 ./containers/public-homepage.nix
 ./containers/searxng.nix
 ./containers/shared-postgres.nix
- ./containers/synapse.nix
 ./containers/timetagger.nix
 ./containers/traefik.nix
 ./containers/users.nix
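Review bot: The `# TODO: Add some form authentication` line is dropped from the node-exporter block in configuration.nix, but nothing in this hunk adds authentication: `openFirewall = true;` and `listenAddress = "10.88.0.1";` still leave port 9002 reachable from every container on the podman network. Either keep the TODO or replace it with a comment that records the accepted risk, e.g. `# No authentication; reachability is limited only by the bind to the podman-internal address.`. The "has to be manually restarted when the system boots" sentence added in both hunks documents a startup race rather than fixing it; a systemd ordering dependency on whatever unit creates the podman network (not visible here) would remove the manual step. Both service blocks begin before their hunks.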
@@ -31,6 +33,13 @@
 # Enable common container config files in /etc/containers
 virtualisation.containers.enable = true;
 virtualisation = {
+ # docker = {
+ # enable = true;
+ # # Enable rootless so that I can run containers as other users for security.
+ # rootless = {
+ # enable = true;
+ # };
+ # };
 podman = {
 enable = true;
 
@@ -43,6 +52,7 @@
 extraPackages = [ pkgs.zfs ];
 };
 };
+ virtualisation.oci-containers.backend = "podman";
 
 # Useful other development tools
 environment.systemPackages = with pkgs; [
@@ -52,11 +62,9 @@
 #podman-compose # start group of containers for dev
 ];
 
- virtualisation.oci-containers.backend = "podman";
 
 virtualisation.oci-containers.containers = let
 inherit (import ./containers/lib.nix config)
- hostRuleHavenisms
 localHostRuleHavenisms
 havenisms
 ;
diff --git a/system/hosts/mcp/containers/blazestar.net/chat.nix b/system/hosts/mcp/containers/blazestar.net/chat.nix
new file mode 100644
index 0000000..a3cf059
--- /dev/null
+++ b/system/hosts/mcp/containers/blazestar.net/chat.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+let
+ inherit (import ../lib.nix config) mkContainer blazestar;
+in
+{
+ virtualisation.oci-containers.containers.chat-blazestar-net = mkContainer {
+ image = "ghcr.io/matrix-construct/tuwunel";
+ hostName = "chat";
+ domain = blazestar;
+ port = 6167;
+ volumes = [
+ "chat-blazestar-net-db:/var/lib/tuwunel"
+ ];
+ environment = {
+ TUWUNEL_PORT = "6167";
+ TUWUNEL_SERVER_NAME = "blazestar.net";
+ TUWUNEL_ALLOW_REGISTRATION = "false";
+ TUWUNEL_ALLOW_CHECK_FOR_UPDATES = "true";
+ TUWUNEL_ALLOW_FEDERATION = "true";
+ TUWUNEL_WELL_KNOWN = ''
+ client=https://chat.blazestar.net,
+ server:chat.blazestar.net:443
+ '';
+ };
+ extraLabels = {
+ "traefik.http.routers.chat-blazestar-net-well-known.rule" =
+ "Host(`blazestar.net`) && PathPrefix(`.well-known`)";
+ "traefik.http.services.chat-blazestar-net-well-known.loadbalancer.server.port" = "6167";
+ };
+ };
+}
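Review bot: The `# docker = { … }` block added inside `virtualisation` in containers.nix is commented-out configuration with no explanation of why it sits next to the active `podman` block, so a later reader cannot tell whether it is a planned switch or dead text. Either drop it or lead it with a one-line reason, e.g. `# Alternative rootless docker backend, kept for reference; podman below is what is in use.`. The `virtualisation` attribute set continues past the end of the hunk.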
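Review bot: The well-known router rule in blazestar.net/chat.nix passes `.well-known` to `PathPrefix` without the leading slash, whereas havenisms.com/chat.nix in this same commit uses `/.well-known`; Traefik's path matchers expect a path beginning with `/`, so this router is likely to be rejected when the labels are loaded and the apex `.well-known` lookups would fail silently — the argument should read `/.well-known`. The router also carries no `service` label, unlike `synapse.service=synapse` in the havenisms file; if `mkContainer` (defined in lib.nix, not visible here) already emits a service for the main router, the container ends up with two services and Traefik refuses to bind a router that does not name one, so add `"traefik.http.routers.chat-blazestar-net-well-known.service" = "chat-blazestar-net-well-known";`. `TUWUNEL_WELL_KNOWN` mixes `client=` and `server:` as key separators; which form Tuwunel parses cannot be told from this page, but one of the two is presumably a typo and is worth confirming against the image's documentation before federation is relied upon.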
diff --git a/system/hosts/mcp/containers/blazestar.net/default.nix b/system/hosts/mcp/containers/blazestar.net/default.nix
new file mode 100644
index 0000000..177015c
--- /dev/null
+++ b/system/hosts/mcp/containers/blazestar.net/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./chat.nix
+ ];
+}
diff --git a/system/hosts/mcp/containers/synapse.nix b/system/hosts/mcp/containers/havenisms.com/chat.nix
similarity index 69%
rename from system/hosts/mcp/containers/synapse.nix
rename to system/hosts/mcp/containers/havenisms.com/chat.nix
index a0644b0..ba5d8a2 100644
--- a/system/hosts/mcp/containers/synapse.nix
+++ b/system/hosts/mcp/containers/havenisms.com/chat.nix
@@ -1,8 +1,8 @@
 { config, ... }:
 let
- inherit (import ./lib.nix config) hostRule havenisms;
+ inherit (import ../lib.nix config) hostRule havenisms;
 syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
- wellKnownRule = "PathPrefix(`/.well-known`)";
+ wellKnownRule = "(Host(`havenisms.com`) || Host(`chat.havenisms.com`)) && PathPrefix(`/.well-known`)";
 in
 {
 
@@ -34,13 +34,17 @@ in
 volumes = [
 "/tank/config/synapse/data:/data"
 ];
- ports = [
- "8008:8008/tcp"
- ];
 extraOptions = [
 "-l=traefik.enable=true"
 "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
+ "-l=traefik.http.routers.synapse.service=synapse"
 "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
+
+ # Federation forwarding
+ "-l=traefik.http.routers.synapse-federation.rule=${hostRule "chat" havenisms}"
+ "-l=traefik.http.routers.synapse-federation.service=synapse-federation"
+ "-l=traefik.http.routers.synapse-federation.entrypoints=matrix-federation"
+ "-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8448"
 ];
 };
 
@@ -50,9 +54,6 @@ in
 "db"
 "synapse"
 ];
- ports = [
- "8009:8009"
- ];
 environmentFiles = [
 config.sops.templates."matrix-sliding-sync.env".path
 ];
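Review bot: The new `wellKnownRule` in havenisms.com/chat.nix hard-codes `havenisms.com` and `chat.havenisms.com`, although every other rule in the file derives its host from `hostRule "chat" havenisms`; the two spellings can now drift apart when the domain helper changes. If `havenisms` is the bare domain string, as its use as the second argument of `hostRule` suggests, the rule can be built from the same values — a `Host` match on `${havenisms}` combined with `${hostRule "chat" havenisms}` — instead of the literal names. The `let` block this lives in continues into the rest of the file.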
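Review bot: The new `synapse-federation` service forwards to container port 8448, but this commit adds no Synapse listener on that port; the stock Docker image configuration listens on 8008 only and serves both client and federation resources there. Unless the homeserver.yaml under `/tank/config/synapse/data` (not visible here) already declares an 8448 listener, requests arriving on the new entrypoint will most likely get a 502 from Traefik, and pointing the service at the existing listener — `"-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8008"` — would work without any extra listener. A comment next to `# Federation forwarding` should also state that the router depends on the `matrix-federation` entrypoint being `asDefault: false` in traefik.yaml, otherwise the ordinary routers would answer on 8448 as well. The container definition starts before this hunk.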
@@ -66,15 +67,16 @@ in
 # This server helps to serve the .well-known files that are required by clients to find the sync server.
 matrix-well-known = {
 image = "nginx";
- ports = [ "80" ];
 dependsOn = [ "synapse" ];
 volumes = [
 "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
 ];
 extraOptions = [
 "-l=traefik.enable=true"
- "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat" havenisms} && ${wellKnownRule}"
- "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80"
+ "-l=traefik.http.middlewares.strip-well-known.stripprefix.prefixes=/.well-known"
+ "-l=traefik.http.routers.matrix-well-known.rule=${wellKnownRule}"
+ "-l=traefik.http.routers.matrix-well-known.middlewares=strip-well-known"
+ "-l=traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
 ];
 };
 };
diff --git a/system/hosts/mcp/containers/havenisms.com/default.nix b/system/hosts/mcp/containers/havenisms.com/default.nix
new file mode 100644
index 0000000..177015c
--- /dev/null
+++ b/system/hosts/mcp/containers/havenisms.com/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ imports = [
+ ./chat.nix
+ ];
+}
diff --git a/system/hosts/mcp/containers/traefik.nix b/system/hosts/mcp/containers/traefik.nix
index d0f9b3f..4a34638 100644
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -44,6 +44,7 @@ in
 ports = [
 "80:80"
 "443:443"
+ "8448:8448"
 ];
 volumes = [
 "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
diff --git a/system/hosts/mcp/containers/traefik/traefik.yaml b/system/hosts/mcp/containers/traefik/traefik.yaml
index e184aa2..fc040a9 100644
--- a/system/hosts/mcp/containers/traefik/traefik.yaml
+++ b/system/hosts/mcp/containers/traefik/traefik.yaml
@@ -13,6 +13,13 @@ entryPoints:
 certResolver: letsencrypt
 metrics:
 address: ":8082"
+ asDefault: false
+ matrix-federation:
+ address: ":8448"
+ asDefault: false
+ http:
+ tls:
+ certResolver: letsencrypt
 api:
 insecure: true
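Review bot: The `strip-well-known` middleware removes `/.well-known` before the request reaches nginx, so the files must now live at `static-files/matrix/server` and `static-files/matrix/client` rather than under a `.well-known` directory, and the comment above `matrix-well-known` does not mention this layout change. Add a line such as `# Traefik strips the /.well-known prefix, so /.well-known/matrix/* is served from static-files/matrix/*.` so the next edit to `/tank/config/synapse/static-files` does not put the files in the old location. The middleware name `strip-well-known` is provider-wide in Traefik's docker provider; a container-specific name such as `matrix-strip-well-known` avoids a clash if another container later declares the same name with different prefixes. The containers attribute set closes inside the hunk.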