Update files for LXC container and IPv6

2026-02-18 18:43:48 +01:00
parent d82cd7ae26
commit 3120984bbd
2 changed files with 73 additions and 31 deletions


@@ -1,39 +1,37 @@
{ config, modulesPath, pkgs, lib, ... }:
{ {
config,
lib,
pkgs,
...
}: {
imports = [ imports = [
./hardware-configuration.nix (modulesPath + "/virtualisation/proxmox-lxc.nix")
./matrix.nix ./matrix.nix
]; ];
nix.settings = { sandbox = false; };
proxmoxLXC = {
manageNetwork = false;
privileged = true;
};
boot.loader.systemd-boot.enable = true; # Disable /sys/kernel/debug mount which fails in LXC
boot.loader.efi.canTouchEfiVariables = true; systemd.mounts = [{
where = "/sys/kernel/debug";
enable = false;
}];
networking.hostName = "nixos-matrix"; services.fstrim.enable = false; # Let Proxmox host handle fstrim
networking.networkmanager.enable = true; networking.firewall.enable = false;
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = "yes";
PasswordAuthentication = true;
PermitEmptyPasswords = "yes";
};
};
time.timeZone = "America/Los_Angeles"; users.users.w0bm = {
users.users.tony = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel"]; extraGroups = ["wheel"];
}; };
services.openssh.enable = true;
services.nginx.enable = true;
security.acme = {
acceptTerms = true;
defaults.email = "your-email@example.com";
};
environment.systemPackages = with pkgs; [
vim
git
];
system.stateVersion = "25.11"; system.stateVersion = "25.11";
} }
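Review bot: The `services.openssh` block with `PermitRootLogin = "yes"`, `PasswordAuthentication = true` and `PermitEmptyPasswords = "yes"` appears to be on the new side of this hunk (old/new markers are lost in this rendering, but it sits beside the added `networking.firewall.enable = false;`), and together those lines leave the container with no host firewall and an sshd that accepts root logins with empty passwords, a much weaker posture than the old side's bare `services.openssh.enable = true;`. `openFirewall = true` in that same block is a no-op once the firewall is disabled, which suggests the two settings were not written together. Unless this is a throwaway bootstrap image, I would keep the NixOS defaults: `settings.PermitRootLogin = "prohibit-password";`, `settings.PasswordAuthentication = false;`, drop `PermitEmptyPasswords`, and re-enable the firewall so that the `allowedTCPPorts` set in matrix.nix actually takes effect. The `proxmoxLXC.privileged = true;` and `nix.settings = { sandbox = false; };` additions widen the blast radius of any compromised service in the container and deserve a one-line comment each stating why the LXC needs them.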


@@ -28,7 +28,7 @@ in {
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
bind_addresses = ["127.0.0.1"]; bind_addresses = ["::1"];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
@@ -57,6 +57,20 @@ in {
enable_metrics = false; enable_metrics = false;
registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret"; registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
# Allow others to view the public room list
allow_public_rooms_without_auth = true;
allow_public_rooms_over_federation = true;
room_list_publication_rules = [
{
action = "allow";
user_id = "*";
room_id = "*";
alias = "*";
require_admin = true;
}
];
trusted_key_servers = [ trusted_key_servers = [
{ {
server_name = "matrix.org"; server_name = "matrix.org";
@@ -76,18 +90,48 @@ in {
]; ];
}; };
services.nginx.enable = true;
system.activationScripts.generate-matrix-certs = {
text = ''
mkdir -p /var/lib/matrix-certs
# Ensure permissions on the directory itself
chown nginx:nginx /var/lib/matrix-certs
chmod 750 /var/lib/matrix-certs
if [ ! -f /var/lib/matrix-certs/matrix.key ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout /var/lib/matrix-certs/matrix.key -out /var/lib/matrix-certs/matrix.crt -days 3650 -nodes -subj "/CN=${matrixDomain}"
fi
# Force permissions on files every time
chown nginx:nginx /var/lib/matrix-certs/matrix.*
chmod 640 /var/lib/matrix-certs/matrix.key
chmod 644 /var/lib/matrix-certs/matrix.crt
# Ensure log directory exists and is writable
mkdir -p /var/log/nginx
chown -R nginx:nginx /var/log/nginx
chmod 750 /var/log/nginx
'';
deps = ["users"];
};
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
enableACME = true; sslCertificate = "/var/lib/matrix-certs/matrix.crt";
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
forceSSL = true; forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
}; };
services.nginx.virtualHosts.${matrixDomain} = { services.nginx.virtualHosts.${matrixDomain} = {
enableACME = true; sslCertificate = "/var/lib/matrix-certs/matrix.crt";
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8008"; proxyPass = "http://[::1]:8008";
extraConfig = '' extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
@@ -97,5 +141,5 @@ in {
}; };
}; };
networking.firewall.allowedTCPPorts = [8448]; networking.firewall.allowedTCPPorts = [443];
} }
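Review bot: Replacing `enableACME = true` with the self-signed certificate minted in `system.activationScripts.generate-matrix-certs` (third hunk) breaks federation as this file configures it: the `.well-known/matrix/server` delegation and the `trusted_key_servers` entry for matrix.org only work if remote homeservers can validate the certificate they see on the delegated port, and Synapse validates federation TLS certificates by default, so the new `allowedTCPPorts = [443]` rule in the last hunk exposes a cert no peer will accept. If ACME cannot complete inside the LXC, point `sslCertificate`/`sslCertificateKey` at a certificate issued on the Proxmox host or a reverse proxy in front of it instead of generating one here. The activation script also bakes in a ten-year lifetime (`-days 3650`) with `-nodes` and runs on every activation as root; at minimum add a comment above the block such as `# Self-signed fallback only: not valid for federation, replace before exposing publicly`. Separately, `bind_addresses = ["::1"]` in the first hunk together with `proxyPass = "http://[::1]:8008"` assumes IPv6 loopback is configured inside the container; `bind_addresses = ["::1" "127.0.0.1"]` keeps the IPv4 path working if it is not, though the nginx proxyPass would then need to match.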