[nix,flake] Moves some container files around. Also updates the flake lock. [synapse] Gets the federation working

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749154018,
+        "lastModified": 1750792728,
-        "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=",
+        "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111",
+        "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
         "type": "github"
       },
       "original": {
@@ -21,33 +21,13 @@
         "type": "github"
       }
     },
-    "home-manager-unstable": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs-unstable"
-        ]
-      },
-      "locked": {
-        "lastModified": 1749160002,
-        "narHash": "sha256-IM3xKjsKxhu7Y1WdgTltrLKiOJS8nW7D4SUDEMNr7CI=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "68cc9eeb3875ae9682c04629f20738e1e79d72aa",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1749086602,
+        "lastModified": 1750622754,
-        "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=",
+        "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4792576cb003c994bd7cc1edada3129def20b27d",
+        "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
         "type": "github"
       },
       "original": {
@@ -57,28 +37,10 @@
         "type": "github"
       }
     },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1748929857,
-        "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "home-manager": "home-manager",
-        "home-manager-unstable": "home-manager-unstable",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "sops-nix": "sops-nix"
       }
     },
@@ -89,11 +51,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
+        "lastModified": 1750119275,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -9,13 +9,6 @@
       url = "github:nix-community/home-manager?ref=release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    nixpkgs-unstable = {
-      url = "github:nixos/nixpkgs?ref=nixos-unstable";
-    };
-    home-manager-unstable = {
-      url = "github:nix-community/home-manager";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
-    };
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";

system/hosts/mcp/configuration.nix

@@ -96,7 +96,8 @@
     port = 5000;
     openFirewall = true;
     # Bind to the podman network so Traefik can route to it.
-    # Note that it may fail to start if this network has not been created yet.
+    # Note that it may fail to start if this network has not been created yet,
+    # so this has to be manually restarted when the system boots.
     listenAddress = "10.88.0.1";
   };
 
@@ -107,8 +108,10 @@
         enabledCollectors = [ "systemd" ];
         port = 9002;
         # Open the firewall, but only listen on the internal address
-        # TODO: Add some form authentication
         openFirewall = true;
+        # Bind to the podman network so Traefik can route to it.
+        # Note that it may fail to start if this network has not been created yet,
+        # so this has to be manually restarted when the system boots.
         listenAddress = "10.88.0.1";
       };
     };

system/hosts/mcp/containers.nix

@@ -3,6 +3,9 @@
 {
   # Additional configuration
   imports = [
+    ./containers/havenisms.com
+    ./containers/blazestar.net
+
     # Docker containers
     ./containers/dm-companion.nix
     ./containers/freshrss.nix
@@ -19,7 +22,6 @@
     ./containers/public-homepage.nix
     ./containers/searxng.nix
     ./containers/shared-postgres.nix
-    ./containers/synapse.nix
     ./containers/timetagger.nix
     ./containers/traefik.nix
     ./containers/users.nix
@@ -31,6 +33,13 @@
   # Enable common container config files in /etc/containers
   virtualisation.containers.enable = true;
   virtualisation = {
+    # docker = {
+    #   enable = true;
+    #   # Enable rootless so that I can run containers as other users for security.
+    #   rootless = {
+    #     enable = true;
+    #   };
+    # };
     podman = {
       enable = true;
 
@@ -43,6 +52,7 @@
       extraPackages = [ pkgs.zfs ];
     };
   };
+  virtualisation.oci-containers.backend = "podman";
 
   # Useful other development tools
   environment.systemPackages = with pkgs; [
@@ -52,11 +62,9 @@
     #podman-compose # start group of containers for dev
   ];
 
-  virtualisation.oci-containers.backend = "podman";
   virtualisation.oci-containers.containers =
     let
       inherit (import ./containers/lib.nix config)
-        hostRuleHavenisms
         localHostRuleHavenisms
         havenisms
         ;

system/hosts/mcp/containers/blazestar.net/chat.nix

@@ -0,0 +1,31 @@
+{ config, ... }:
+let
+  inherit (import ../lib.nix config) mkContainer blazestar;
+in
+{
+  virtualisation.oci-containers.containers.chat-blazestar-net = mkContainer {
+    image = "ghcr.io/matrix-construct/tuwunel";
+    hostName = "chat";
+    domain = blazestar;
+    port = 6167;
+    volumes = [
+      "chat-blazestar-net-db:/var/lib/tuwunel"
+    ];
+    environment = {
+      TUWUNEL_PORT = "6167";
+      TUWUNEL_SERVER_NAME = "blazestar.net";
+      TUWUNEL_ALLOW_REGISTRATION = "false";
+      TUWUNEL_ALLOW_CHECK_FOR_UPDATES = "true";
+      TUWUNEL_ALLOW_FEDERATION = "true";
+      TUWUNEL_WELL_KNOWN = ''
+        client=https://chat.blazestar.net,
+        server:chat.blazestar.net:443
+      '';
+    };
+    extraLabels = {
+      "traefik.http.routers.chat-blazestar-net-well-known.rule" =
+        "Host(`blazestar.net`) && PathPrefix(`.well-known`)";
+      "traefik.http.services.chat-blazestar-net-well-known.loadbalancer.server.port" = "6167";
+    };
+  };
+}

system/hosts/mcp/containers/blazestar.net/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}

system/hosts/mcp/containers/havenisms.com/chat.nix

@@ -1,8 +1,8 @@
 { config, ... }:
 let
-  inherit (import ./lib.nix config) hostRule havenisms;
+  inherit (import ../lib.nix config) hostRule havenisms;
   syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
-  wellKnownRule = "PathPrefix(`/.well-known`)";
+  wellKnownRule = "(Host(`havenisms.com`) || Host(`chat.havenisms.com`)) && PathPrefix(`/.well-known`)";
 in
 {
 
@@ -34,13 +34,17 @@ in
       volumes = [
         "/tank/config/synapse/data:/data"
       ];
-      ports = [
-        "8008:8008/tcp"
-      ];
       extraOptions = [
         "-l=traefik.enable=true"
         "-l=traefik.http.routers.synapse.rule=${hostRule "chat" havenisms} && !(${syncRule} || ${wellKnownRule})"
+        "-l=traefik.http.routers.synapse.service=synapse"
         "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
+
+        # Federation forwarding
+        "-l=traefik.http.routers.synapse-federation.rule=${hostRule "chat" havenisms}"
+        "-l=traefik.http.routers.synapse-federation.service=synapse-federation"
+        "-l=traefik.http.routers.synapse-federation.entrypoints=matrix-federation"
+        "-l=traefik.http.services.synapse-federation.loadbalancer.server.port=8448"
       ];
     };
 
@@ -50,9 +54,6 @@ in
         "db"
         "synapse"
       ];
-      ports = [
-        "8009:8009"
-      ];
       environmentFiles = [
         config.sops.templates."matrix-sliding-sync.env".path
       ];
@@ -66,15 +67,16 @@ in
     # This server helps to serve the .well-known files that are required by clients to find the sync server.
     matrix-well-known = {
       image = "nginx";
-      ports = [ "80" ];
       dependsOn = [ "synapse" ];
       volumes = [
         "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
       ];
       extraOptions = [
         "-l=traefik.enable=true"
-        "-l=traefik.http.routers.matrix-static.rule=${hostRule "chat" havenisms} && ${wellKnownRule}"
+        "-l=traefik.http.middlewares.strip-well-known.stripprefix.prefixes=/.well-known"
-        "-l=traefik.http.services.matrix-static.loadbalancer.server.port=80"
+        "-l=traefik.http.routers.matrix-well-known.rule=${wellKnownRule}"
+        "-l=traefik.http.routers.matrix-well-known.middlewares=strip-well-known"
+        "-l=traefik.http.services.matrix-well-known.loadbalancer.server.port=80"
       ];
     };
   };

system/hosts/mcp/containers/havenisms.com/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./chat.nix
+  ];
+}

system/hosts/mcp/containers/traefik.nix

@@ -44,6 +44,7 @@ in
     ports = [
       "80:80"
       "443:443"
+      "8448:8448"
     ];
     volumes = [
       "/var/run/podman/podman.sock:/var/run/docker.sock:ro"

system/hosts/mcp/containers/traefik/traefik.yaml

@@ -13,6 +13,13 @@ entryPoints:
         certResolver: letsencrypt
   metrics:
     address: ":8082"
+    asDefault: false
+  matrix-federation:
+    address: ":8448"
+    asDefault: false
+    http:
+      tls:
+        certResolver: letsencrypt
 
 api:
   insecure: true