feat: tuwunel matrix server + hermes update

2026-04-24 21:38:57 +02:00
parent d47680aef7
commit 383f4ef56f
12 changed files with 281 additions and 36 deletions
--- a/hosts/m3-atlas/secrets.nix
+++ b/hosts/m3-atlas/secrets.nix
@@ -33,6 +33,10 @@
      restreamer-env = {file = ../../secrets/restreamer-env.age;};
      searx = {file = ../../secrets/searx.age;};
      tailscale-key = {file = ../../secrets/tailscale-key.age;};
+      tuwunel-registration-token = {
+        file = ../../secrets/tuwunel-registration-token.age;
+        owner = "tuwunel";
+      };
      traefik = {
        file = ../../secrets/traefik.age;
        owner = "traefik";
@@ -65,7 +69,6 @@
        owner = "m3tam3re";
      };
      authentik-env = {file = ../../secrets/authentik-env.age;};
-      conduit-env = {file = ../../secrets/conduit-env.age;};
    };
  };
 }
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -1,6 +1,6 @@
 {
  imports = [
-    ./conduit.nix
+    ./tuwunel.nix
    ./containers
    ./gitea.nix
    ./gitea-actions-runner.nix
--- a/hosts/m3-atlas/services/tuwunel.nix
+++ b/hosts/m3-atlas/services/tuwunel.nix
@@ -1,44 +1,46 @@
-{config, ...}: {
-  services.matrix-conduit = {
+{config, ...}: let
+  # Tuwunel uses a list for ports
+  tuwunel-port = config.m3ta.ports.get "tuwunel";
+in {
+  services.matrix-tuwunel = {
    enable = true;
    settings.global = {
      server_name = "m3ta.dev";
-      address = "127.0.0.1";
-      port = config.m3ta.ports.get "conduit";
+      address = ["127.0.0.1"];
+      port = [tuwunel-port];
      max_request_size = 20000000;
-      allow_registration = false;
+      allow_registration = true;
+      registration_token_file = config.age.secrets."tuwunel-registration-token".path;
      allow_encryption = true;
      allow_federation = true;
      trusted_servers = ["matrix.org"];
-      database_backend = "rocksdb";
    };
-    secretFile = config.age.secrets.conduit-env.path;
  };

-  # Traefik configuration for Conduit
+  # Traefik configuration for Tuwunel
  services.traefik.dynamicConfigOptions.http = {
-    services.conduit.loadBalancer.servers = [
+    services.tuwunel.loadBalancer.servers = [
      {
-        url = "http://localhost:${toString (config.m3ta.ports.get "conduit")}/";
+        url = "http://localhost:${toString tuwunel-port}/";
      }
    ];

-    routers.conduit = {
+    routers.tuwunel = {
      rule = "Host(`matrix.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
-      service = "conduit";
+      service = "tuwunel";
      entrypoints = "websecure";
    };

    # Federation endpoint on base domain
-    routers.conduit-federation = {
+    routers.tuwunel-federation = {
      rule = "Host(`m3ta.dev`) && PathPrefix(`/_matrix`)";
      tls = {
        certResolver = "godaddy";
      };
-      service = "conduit";
+      service = "tuwunel";
      entrypoints = "websecure";
    };
  };