[nix,flake] Moves some container files around. Also updates the flake lock. [synapse] Gets the federation working

2025-06-24 16:57:38 -07:00
parent 514746686f
commit c74e40e69e
10 changed files with 89 additions and 70 deletions
--- a/system/hosts/mcp/containers/blazestar.net/chat.nix
+++ b/system/hosts/mcp/containers/blazestar.net/chat.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) mkContainer blazestar;
+in
+{
+  virtualisation.oci-containers.containers.chat-blazestar-net = mkContainer {
+    image = "ghcr.io/matrix-construct/tuwunel";
+    hostName = "chat";
+    domain = blazestar;
+    port = 6167;
+    volumes = [
+      "chat-blazestar-net-db:/var/lib/tuwunel"
+    ];
+    environment = {
+      TUWUNEL_PORT = "6167";
+      TUWUNEL_SERVER_NAME = "blazestar.net";
+      TUWUNEL_ALLOW_REGISTRATION = "false";
+      TUWUNEL_ALLOW_CHECK_FOR_UPDATES = "true";
+      TUWUNEL_ALLOW_FEDERATION = "true";
+      TUWUNEL_WELL_KNOWN = ''
+        client=https://chat.blazestar.net,
+        server:chat.blazestar.net:443
+      '';
+    };
+    extraLabels = {
+      "traefik.http.routers.chat-blazestar-net-well-known.rule" =
+        "Host(`blazestar.net`) && PathPrefix(`.well-known`)";
+      "traefik.http.services.chat-blazestar-net-well-known.loadbalancer.server.port" = "6167";
+    };
+  };
+}
--- a/system/hosts/mcp/containers/blazestar.net/default.nix
+++ b/system/hosts/mcp/containers/blazestar.net/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}
--- a/system/hosts/mcp/containers/havenisms.com/chat.nix
+++ b/system/hosts/mcp/containers/havenisms.com/chat.nix
@@ -1,8 +1,8 @@
 { config, ... }:
 let
-  inherit (import ./lib.nix config) hostRule havenisms;
+  inherit (import ../lib.nix config) hostRule havenisms;
  syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
-  wellKnownRule = "PathPrefix(`/.well-known`)";
+  wellKnownRule = "(Host(`havenisms.com`) || Host(`chat.havenisms.com`)) && PathPrefix(`/.well-known`)";
 in
 {

@@ -34,13 +34,17 @@ in
      volumes = [
        "/tank/config/synapse/data:/data"
      ];
-      ports = [
-        "8008:8008/tcp"
-      ];
      extraOptions = [
        "-l=traefik.enable=true"
        "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
+        "-l=traefik.http.routers.synapse.service=synapse"
        "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
+
+        # Federation forwarding
+        "-l=traefik.http.routers.synapse-federation.rule=${hostRule "chat" havenisms}"
+        "-l=traefik.http.routers.synapse-federation.service=synapse-federation"
+        "-l=traefik.http.routers.synapse-federation.entrypoints=matrix-federation"
+        "-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8448"
      ];
    };

@@ -50,9 +54,6 @@ in
        "db"
        "synapse"
      ];
-      ports = [
-        "8009:8009"
-      ];
      environmentFiles = [
        config.sops.templates."matrix-sliding-sync.env".path
      ];
@@ -66,15 +67,16 @@ in
    # This server helps to serve the .well-known files that are required by clients to find the sync server.
    matrix-well-known = {
      image = "nginx";
-      ports = [ "80" ];
      dependsOn = [ "synapse" ];
      volumes = [
        "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
      ];
      extraOptions = [
        "-l=traefik.enable=true"
-        "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat" havenisms} && ${wellKnownRule}"
-        "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80"
+        "-l=traefik.http.middlewares.strip-well-known.stripprefix.prefixes=/.well-known"
+        "-l=traefik.http.routers.matrix-well-known.rule=${wellKnownRule}"
+        "-l=traefik.http.routers.matrix-well-known.middlewares=strip-well-known"
+        "-l=traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
      ];
    };
  };
--- a/system/hosts/mcp/containers/havenisms.com/default.nix
+++ b/system/hosts/mcp/containers/havenisms.com/default.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -44,6 +44,7 @@ in
    ports = [
      "80:80"
      "443:443"
+      "8448:8448"
    ];
    volumes = [
      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
--- a/system/hosts/mcp/containers/traefik/traefik.yaml
+++ b/system/hosts/mcp/containers/traefik/traefik.yaml
@@ -13,6 +13,13 @@ entryPoints:
        certResolver: letsencrypt
  metrics:
    address: ":8082"
+    asDefault: false
+  matrix-federation:
+    address: ":8448"
+    asDefault: false
+    http:
+      tls:
+        certResolver: letsencrypt

 api:
  insecure: true