[nix,flake] Moves some container files around. Also updates the flake lock. [synapse] Gets the federation working

2025-06-24 16:57:38 -07:00
parent 514746686f
commit c74e40e69e
10 changed files with 89 additions and 70 deletions
--- a/system/hosts/mcp/configuration.nix
+++ b/system/hosts/mcp/configuration.nix
@@ -96,7 +96,8 @@
    port = 5000;
    openFirewall = true;
    # Bind to the podman network so Traefik can route to it.
-    # Note that it may fail to start if this network has not been created yet.
+    # Note that it may fail to start if this network has not been created yet,
+    # so this has to be manually restarted when the system boots.
    listenAddress = "10.88.0.1";
  };

@@ -107,8 +108,10 @@
        enabledCollectors = [ "systemd" ];
        port = 9002;
        # Open the firewall, but only listen on the internal address
-        # TODO: Add some form authentication
        openFirewall = true;
+        # Bind to the podman network so Traefik can route to it.
+        # Note that it may fail to start if this network has not been created yet,
+        # so this has to be manually restarted when the system boots.
        listenAddress = "10.88.0.1";
      };
    };
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -3,6 +3,9 @@
 {
  # Additional configuration
  imports = [
+    ./containers/havenisms.com
+    ./containers/blazestar.net
+
    # Docker containers
    ./containers/dm-companion.nix
    ./containers/freshrss.nix
@@ -19,7 +22,6 @@
    ./containers/public-homepage.nix
    ./containers/searxng.nix
    ./containers/shared-postgres.nix
-    ./containers/synapse.nix
    ./containers/timetagger.nix
    ./containers/traefik.nix
    ./containers/users.nix
@@ -31,6 +33,13 @@
  # Enable common container config files in /etc/containers
  virtualisation.containers.enable = true;
  virtualisation = {
+    # docker = {
+    #   enable = true;
+    #   # Enable rootless so that I can run containers as other users for security.
+    #   rootless = {
+    #     enable = true;
+    #   };
+    # };
    podman = {
      enable = true;

@@ -43,6 +52,7 @@
      extraPackages = [ pkgs.zfs ];
    };
  };
+  virtualisation.oci-containers.backend = "podman";

  # Useful other development tools
  environment.systemPackages = with pkgs; [
@@ -52,11 +62,9 @@
    #podman-compose # start group of containers for dev
  ];

-  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers =
    let
      inherit (import ./containers/lib.nix config)
-        hostRuleHavenisms
        localHostRuleHavenisms
        havenisms
        ;
--- a/system/hosts/mcp/containers/blazestar.net/chat.nix
+++ b/system/hosts/mcp/containers/blazestar.net/chat.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) mkContainer blazestar;
+in
+{
+  virtualisation.oci-containers.containers.chat-blazestar-net = mkContainer {
+    image = "ghcr.io/matrix-construct/tuwunel";
+    hostName = "chat";
+    domain = blazestar;
+    port = 6167;
+    volumes = [
+      "chat-blazestar-net-db:/var/lib/tuwunel"
+    ];
+    environment = {
+      TUWUNEL_PORT = "6167";
+      TUWUNEL_SERVER_NAME = "blazestar.net";
+      TUWUNEL_ALLOW_REGISTRATION = "false";
+      TUWUNEL_ALLOW_CHECK_FOR_UPDATES = "true";
+      TUWUNEL_ALLOW_FEDERATION = "true";
+      TUWUNEL_WELL_KNOWN = ''
+        client=https://chat.blazestar.net,
+        server:chat.blazestar.net:443
+      '';
+    };
+    extraLabels = {
+      "traefik.http.routers.chat-blazestar-net-well-known.rule" =
+        "Host(`blazestar.net`) && PathPrefix(`.well-known`)";
+      "traefik.http.services.chat-blazestar-net-well-known.loadbalancer.server.port" = "6167";
+    };
+  };
+}
--- a/system/hosts/mcp/containers/blazestar.net/default.nix
+++ b/system/hosts/mcp/containers/blazestar.net/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}
--- a/system/hosts/mcp/containers/havenisms.com/chat.nix
+++ b/system/hosts/mcp/containers/havenisms.com/chat.nix
@@ -1,8 +1,8 @@
 { config, ... }:
 let
-  inherit (import ./lib.nix config) hostRule havenisms;
+  inherit (import ../lib.nix config) hostRule havenisms;
  syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
-  wellKnownRule = "PathPrefix(`/.well-known`)";
+  wellKnownRule = "(Host(`havenisms.com`) || Host(`chat.havenisms.com`)) && PathPrefix(`/.well-known`)";
 in
 {

@@ -34,13 +34,17 @@ in
      volumes = [
        "/tank/config/synapse/data:/data"
      ];
-      ports = [
-        "8008:8008/tcp"
-      ];
      extraOptions = [
        "-l=traefik.enable=true"
        "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
+        "-l=traefik.http.routers.synapse.service=synapse"
        "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
+
+        # Federation forwarding
+        "-l=traefik.http.routers.synapse-federation.rule=${hostRule "chat" havenisms}"
+        "-l=traefik.http.routers.synapse-federation.service=synapse-federation"
+        "-l=traefik.http.routers.synapse-federation.entrypoints=matrix-federation"
+        "-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8448"
      ];
    };

@@ -50,9 +54,6 @@ in
        "db"
        "synapse"
      ];
-      ports = [
-        "8009:8009"
-      ];
      environmentFiles = [
        config.sops.templates."matrix-sliding-sync.env".path
      ];
@@ -66,15 +67,16 @@ in
    # This server helps to serve the .well-known files that are required by clients to find the sync server.
    matrix-well-known = {
      image = "nginx";
-      ports = [ "80" ];
      dependsOn = [ "synapse" ];
      volumes = [
        "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
      ];
      extraOptions = [
        "-l=traefik.enable=true"
-        "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat" havenisms} && ${wellKnownRule}"
-        "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80"
+        "-l=traefik.http.middlewares.strip-well-known.stripprefix.prefixes=/.well-known"
+        "-l=traefik.http.routers.matrix-well-known.rule=${wellKnownRule}"
+        "-l=traefik.http.routers.matrix-well-known.middlewares=strip-well-known"
+        "-l=traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
      ];
    };
  };
--- a/system/hosts/mcp/containers/havenisms.com/default.nix
+++ b/system/hosts/mcp/containers/havenisms.com/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -44,6 +44,7 @@ in
    ports = [
      "80:80"
      "443:443"
+      "8448:8448"
    ];
    volumes = [
      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
--- a/system/hosts/mcp/containers/traefik/traefik.yaml
+++ b/system/hosts/mcp/containers/traefik/traefik.yaml
@@ -13,6 +13,13 @@ entryPoints:
        certResolver: letsencrypt
  metrics:
    address: ":8082"
+    asDefault: false
+  matrix-federation:
+    address: ":8448"
+    asDefault: false
+    http:
+      tls:
+        certResolver: letsencrypt

 api:
  insecure: true