ops-jrz1/modules/matrix-continuwuity.nix
Dan ab5aebb161 Phase 3: Extract and sanitize Matrix platform modules from ops-base
Extracted modules:
- Matrix homeserver (matrix-continuwuity.nix)
- mautrix bridges (slack, whatsapp, gmessages)
- Security modules (fail2ban, ssh-hardening)
- Development services module
- Matrix secrets module

All modules sanitized to remove personal information:
- Domains: example.com, matrix.example.org
- IPs: 10.0.0.x, 203.0.113.10
- Paths: /home/user, /path/to/ops-base
- Emails: admin@example.com

Configuration:
- Updated flake.nix with sops-nix and nixpkgs-unstable
- Updated hosts/ops-jrz1.nix to import all extracted modules
- Added example files (secrets, minimal config)
- Generated flake.lock

Generated with Claude Code - https://claude.com/claude-code
2025-10-13 14:51:14 -07:00


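# NixOS module for Continuwuity Matrix homeserver
# Portable, modular configuration with clean enable/disable
# Creates systemd service manually since services.matrix-continuwuity not in stable
#
# Options live under services.matrix-homeserver. Defaults are kept
# backward-compatible with the first version of this module (listens on all
# interfaces, opens the firewall, registration on), so review them before
# deploying on a host reachable from untrusted networks.
{ config, pkgs, lib, pkgs-unstable, ... }:
with lib;
let
  cfg = config.services.matrix-homeserver;

  # Package is only available from the unstable input; the stable channel has
  # neither the package nor a services.matrix-continuwuity module.
  continuwuityPkg = pkgs-unstable.matrix-continuwuity;

  # Rendered TOML configuration. It lands in the Nix store and is therefore
  # world-readable on the host: nothing secret may be interpolated here.
  configFile = pkgs.writeText "continuwuity.toml" ''
    [global]
    server_name = "${cfg.domain}"
    address = "${cfg.listenAddress}"
    port = ${toString cfg.port}
    allow_registration = ${boolToString cfg.enableRegistration}
    allow_encryption = true
    allow_federation = ${boolToString cfg.enableFederation}
    database_backend = "rocksdb"
    database_path = "${cfg.dataDir}/db/"
    log = "info,continuwuity=debug"
    ${optionalString cfg.enableFederation ''
      trusted_servers = ["matrix.org"]
    ''}
  '';
  # NOTE(review): the conduwuit lineage refuses to start with open registration
  # unless an explicit acknowledgement key or a registration token is also
  # configured; confirm against the shipped config reference for the pinned
  # continuwuity release before relying on enableRegistration = true.
in
{
  options.services.matrix-homeserver = {
    enable = mkEnableOption "Continuwuity Matrix homeserver";

    domain = mkOption {
      type = types.str;
      default = "10.0.0.40";
      description = "Domain or IP used as the Matrix server_name.";
    };

    listenAddress = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = ''
        Address the homeserver binds to. The default binds every interface;
        use "127.0.0.1" when a reverse proxy on the same host terminates TLS.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 8008;
      description = "TCP port the homeserver listens on (plain HTTP).";
    };

    openFirewall = mkOption {
      type = types.bool;
      default = true;
      description = "Open `port` in the NixOS firewall while the service is enabled.";
    };

    enableRegistration = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Allow new user registration. Defaults to true; together with
        openFirewall this offers account creation to every peer that can reach
        the port, so set it to false on hosts exposed to untrusted networks.
      '';
    };

    enableFederation = mkOption {
      type = types.bool;
      default = false;
      description = "Enable federation with other Matrix servers (adds matrix.org as a trusted server).";
    };

    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/continuwuity";
      description = "State directory; the RocksDB database is stored under `<dataDir>/db`.";
    };
  };

  config = mkIf cfg.enable {
    # Dedicated unprivileged system user; the service never needs root.
    users.users.continuwuity = {
      description = "Continuwuity Matrix server user";
      group = "continuwuity";
      home = cfg.dataDir;
      createHome = true;
      isSystemUser = true;
    };
    users.groups.continuwuity = {};

    systemd.services.continuwuity = {
      description = "Continuwuity Matrix homeserver";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        User = "continuwuity";
        Group = "continuwuity";
        WorkingDirectory = cfg.dataDir;
        ExecStart = "${continuwuityPkg}/bin/conduwuit -c ${configFile}";
        Restart = "always";
        RestartSec = "10s";

        # Security hardening: read-only view of the system except dataDir,
        # no devices, no capabilities, only the address families a homeserver
        # needs. Files created by the service default to 0640/0750 via UMask.
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ cfg.dataDir ];
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        RestrictSUIDSGID = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        CapabilityBoundingSet = [ "" ];
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        SystemCallArchitectures = "native";
        UMask = "0027";
      };

      # Safety net in case tmpfiles has not run yet. This runs as the service
      # user, so no chown is attempted (it could only no-op or abort the start),
      # and the chmod is deliberately non-recursive: a recursive 750 would mark
      # every RocksDB file executable and rescan the whole database on each
      # restart.
      preStart = ''
        mkdir -p ${cfg.dataDir}/db
        chmod 750 ${cfg.dataDir} ${cfg.dataDir}/db
      '';
    };

    # Firewall is only touched while the service is enabled and openFirewall is set.
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];

    # Create the state directories with the right owner and mode at boot.
    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0750 continuwuity continuwuity -"
      "d ${cfg.dataDir}/db 0750 continuwuity continuwuity -"
    ];
  };
}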