ops-jrz1/modules/matrix-continuwuity.nix
Dan 8826d62bcc Add maubot integration and infrastructure updates
- maubot.nix: Declarative bot framework with plugin deployment
- backup.nix: Local backup service for Matrix/bridge data
- sna-instagram-bot: Instagram content bridge plugin
- beads: Issue tracking workflow integrated
- spec 004: Browser-based dev environment design
- nixpkgs bump: Oct 22 → Dec 2
- Fix maubot health check (401 = healthy)
2025-12-08 15:55:12 -08:00


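# NixOS module for Continuwuity Matrix homeserver
# Portable, modular configuration with clean enable/disable
# Creates systemd service manually since services.matrix-continuwuity not in stable
#
# Fixes/changes versus the previous revision:
#   - preStart ran `chown -R`/`chmod -R` as the unprivileged service user
#     (ExecStartPre inherits User=), so any file in dataDir not already owned
#     by `continuwuity` made the chown fail and the unit refuse to start.
#     Directory creation/ownership is left to the tmpfiles rules, which run
#     as root and also re-apply mode/owner on existing directories.
#   - The bind address and the firewall opening are now options so the
#     server can be kept on loopback behind a reverse proxy; defaults are
#     unchanged (0.0.0.0, firewall opened).
#   - Additional systemd sandboxing directives that do not change what the
#     process can do as a plain user (network sockets + its own dataDir).
{ config, pkgs, lib, pkgs-unstable, ... }:
let
  inherit (lib) mkEnableOption mkOption mkIf types boolToString optionalString;

  cfg = config.services.matrix-homeserver;
  continuwuityPkg = pkgs-unstable.matrix-continuwuity;

  # Generate TOML configuration.
  # Interpolated values are written as TOML strings, so `domain`, `address`
  # and `dataDir` must not contain a double quote; the file lands in the Nix
  # store and is therefore world-readable -- keep secrets out of it.
  configFile = pkgs.writeText "continuwuity.toml" ''
    [global]
    server_name = "${cfg.domain}"
    address = "${cfg.address}"
    port = ${toString cfg.port}
    allow_registration = ${boolToString cfg.enableRegistration}
    allow_encryption = true
    allow_federation = ${boolToString cfg.enableFederation}
    database_backend = "rocksdb"
    database_path = "${cfg.dataDir}/db/"
    log = "info"
    ${optionalString cfg.enableFederation ''
      trusted_servers = ["matrix.org"]
    ''}
  '';
in
{
  options.services.matrix-homeserver = {
    enable = mkEnableOption "Continuwuity Matrix homeserver";

    domain = mkOption {
      type = types.str;
      default = "10.0.0.40";
      description = ''
        Domain or IP for Matrix server. Written as `server_name`, i.e. the
        part after the colon in user IDs; changing it later changes every
        existing user's identity.
      '';
    };

    address = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = ''
        Address the homeserver listens on. The default binds every
        interface; use "127.0.0.1" when a reverse proxy terminates TLS on
        the same host.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 8008;
      description = "Port for Matrix server";
    };

    openFirewall = mkOption {
      type = types.bool;
      default = true;
      description = "Open `port` in the host firewall when the service is enabled";
    };

    enableRegistration = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Allow new user registration (`allow_registration`). With the default
        bind address and firewall settings this means anyone who can reach
        `port` can create accounts.
      '';
    };

    enableFederation = mkOption {
      type = types.bool;
      default = false;
      description = "Enable federation with other Matrix servers";
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/continuwuity";
      description = "Data directory for Matrix server (RocksDB lives in `<dataDir>/db`)";
    };
  };

  config = mkIf cfg.enable {
    # Create continuwuity user and group
    users.users.continuwuity = {
      description = "Continuwuity Matrix server user";
      group = "continuwuity";
      home = cfg.dataDir;
      createHome = true;
      isSystemUser = true;
    };
    users.groups.continuwuity = {};

    # Systemd service for Continuwuity.
    # No preStart: ExecStartPre would run as User=continuwuity, which cannot
    # chown files it does not own; the tmpfiles rules below handle the
    # directories as root before the unit starts.
    systemd.services.continuwuity = {
      description = "Continuwuity Matrix homeserver";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = "continuwuity";
        Group = "continuwuity";
        WorkingDirectory = cfg.dataDir;
        ExecStart = "${continuwuityPkg}/bin/conduwuit -c ${configFile}";
        Restart = "always";
        RestartSec = "10s";

        # Security hardening: the process needs network sockets and
        # read/write access to its own data directory, nothing else.
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.dataDir ];
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        # Runs as a plain user already; drop every capability so a compromise
        # cannot pick one up via file capabilities either.
        CapabilityBoundingSet = "";
        # Files the server creates (database, media) are not world-readable.
        UMask = "0027";
      };
    };

    # Open firewall port only when the service is enabled and requested
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];

    # Ensure data directories exist with proper permissions (run as root;
    # `d` also re-applies mode and owner to already-existing directories)
    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0750 continuwuity continuwuity -"
      "d ${cfg.dataDir}/db 0750 continuwuity continuwuity -"
    ];
  };
}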