plumjam/nixos - Change DBFGLS5HV5W6BDTZYDWPHNWR4FA5JRC2VGJ2Q5DDRNBING44QYJAC

dendritic: Migrate Matrix and Cinny to a combined module.

Created by PlumJam on February 14, 2026

DBFGLS5HV5W6BDTZYDWPHNWR4FA5JRC2VGJ2Q5DDRNBING44QYJAC

Dependencies

In channels

main

Change contents

File addition: 791b532e988722d9533a0b31689c347f-matrixRegistrationSecret.age (----------)
[5.2685]
File addition: 2094e37b0080ddb1784778e52e7d2d61-matrixSigningKey.age (----------)
[5.2685]

Insertion in modules/nginx.nix at line 107 [7.6103]

[6.2812]

              ~^https://app\.element\.io$ $http_origin;

Insertion in modules/nginx.nix at line 114 [7.6103]

[6.3205]

              ~^https://app\.element\.io$ "DELETE, GET, OPTIONS, POST, PUT";

File move: matrix.nix → matrix.nix
BF:BFD[7.128] → [7.13794:13828]
BF:BF[7.13828] → [7.9988:9988]
[8.2]
[7.9988]
Deletion in modules/matrix.nix at line 1 [7.9988]
B:BD[7.9988] → [9.11366:11402]
```
{
  self,
  config,
  lib,
  ...
}:
```

Replacement in modules/matrix.nix at line 2 [7.9988]

∅:D[9.11406] → [7.10021:10084]

B:BD[7.10021] → [7.10021:10084]

  inherit (config.networking) domain;
  inherit (lib) enabled;

[9.11406]

[7.10084]

  matrixBase =
    { config, ... }:
    let
      inherit (config.myLib) merge mkResticBackup;
      inherit (config.networking) domain;

Replacement in modules/matrix.nix at line 8 [7.9988]

B:BD[7.10085] → [7.10085:10129]

B:BD[7.10129] → [9.11407:11412]

∅:D[9.11412] → [7.10134:10180]

B:BD[7.10134] → [7.10134:10180]

B:BD[7.10180] → [9.11413:11472]

  fqdn = "matrix.${domain}";
  port = 8008;
in
{
  imports = [
    (self + /modules/nginx.nix)
  ]
  ++ (lib.collectNix ./. |> lib.remove ./default.nix);

[7.10085]

[7.10237]

      fqdn = "matrix.${domain}";
      port = 8008;
    in
    {
      services.restic.backups.matrix = mkResticBackup "matrix" {
        paths = [ "/var/lib/matrix-synapse" ];
        timerConfig = {
          OnCalendar = "hourly";
          Persistent = true;
        };
      };

Replacement in modules/matrix.nix at line 20 [7.9988]

B:BD[7.10238] → [7.10238:10334]

B:BD[7.10334] → [9.11473:11533]

∅:D[9.11533] → [7.10402:10407]

B:BD[7.10402] → [7.10402:10407]

  age.secrets.matrixSigningKey = {
    rekeyFile = self + /secrets/plum-matrix-signing-key.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };

[7.10238]

[7.10407]

      systemd.services.matrix-synapse.serviceConfig = {
        # sandboxing
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;

Replacement in modules/matrix.nix at line 26 [7.9988]

B:BD[7.10408] → [7.10408:10520]

B:BD[7.10520] → [9.11534:11594]

∅:D[9.11594] → [7.10588:10593]

B:BD[7.10588] → [7.10588:10593]

  age.secrets.matrixRegistrationSecret = {
    rekeyFile = self + /secrets/plum-matrix-registration-secret.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };

[7.10408]

[7.10593]

        # fs restrictions
        ReadWritePaths = [ "/var/lib/matrix-synapse" ];

Replacement in modules/matrix.nix at line 29 [7.9988]

B:BD[7.10594] → [7.10594:10684]

B:BD[7.10684] → [9.11595:11653]

∅:D[9.11653] → [7.10753:10865]

B:BD[7.10753] → [7.10753:10865]

  systemd.services.matrix-backup = {
    description = "Backup Matrix data and database";
    after = [ "matrix-synapse.service" ];
    script = ''
      mkdir -p /var/backup/matrix
      cp -r /var/lib/matrix-synapse /var/backup/matrix/$(date +%Y%m%d_%H%M%S)

[7.10594]

[7.10865]

        # network restrictions
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];

Replacement in modules/matrix.nix at line 36 [7.9988]

B:BD[7.10866] → [7.10866:10971]

      # keep only last 7 backups
      ls -1t /var/backup/matrix/ | tail -n +8 | xargs -r rm -rf
    '';

[7.10866]

[7.10971]

        # misc
        NoNewPrivileges = true;
        RestrictSUIDSGID = true;
      };

Replacement in modules/matrix.nix at line 41 [7.9988]
B:BD[7.10972] → [7.10972:11008]
B:BD[7.11008] → [9.11654:11697]
∅:D[9.11697] → [7.11049:11054]
B:BD[7.11049] → [7.11049:11054]
```
    serviceConfig.Type = "oneshot";
    serviceConfig.User = "matrix-synapse";
  };
```
[7.10972]
[7.11054]
```
      services.matrix-synapse = {
        enable = true;
        withJemalloc = true;
```

Replacement in modules/matrix.nix at line 45 [7.9988]

B:BD[7.11055] → [7.11055:11135]

B:BD[7.11135] → [9.11698:11734]

  systemd.timers.matrix-backup = {
    description = "Run Matrix backup daily";
    wantedBy = [ "timers.target" ];

[7.11055]

[7.11174]

        configureRedisLocally = true;

Replacement in modules/matrix.nix at line 47 [7.9988]
B:BD[7.11175] → [7.11175:11213]
B:BD[7.11213] → [9.11735:11770]
∅:D[9.11770] → [7.11246:11251]
B:BD[7.11246] → [7.11246:11251]
```
    timerConfig.OnCalendar = "daily";
    timerConfig.Persistent = true;
  };
```
[7.11175]
[7.11251]
```
        settings = {
          server_name = domain;
```

Replacement in modules/matrix.nix at line 50 [7.9988]

B:BD[7.11252] → [7.11252:11321]

B:BD[7.11321] → [9.11771:11794]

∅:D[9.11794] → [7.11347:11377]

B:BD[7.11347] → [7.11347:11377]

B:BD[7.11377] → [9.11795:11819]

  systemd.services.matrix-synapse.serviceConfig = {
    # sandboxing
    PrivateTmp = true;
    ProtectSystem = "strict";
    ProtectHome = true;

[7.11252]

[7.11403]

          listeners = [
            {
              inherit port;
              bind_addresses = [ "::1" ];
              type = "http";
              tls = false;
              x_forwarded = true; # behind reverse proxy
              resources = [
                {
                  names = [
                    "client"
                    "federation"
                    "media"
                  ];
                  compress = false;
                }
              ];
            }
          ];

Replacement in modules/matrix.nix at line 70 [7.9988]

B:BD[7.11404] → [7.11404:11478]

    # fs restrictions
    ReadWritePaths = [ "/var/lib/matrix-synapse" ];

[7.11404]

[7.11478]

          database.name = "sqlite3";
          database.args.database = "/var/lib/matrix-synapse/homeserver.db";

Replacement in modules/matrix.nix at line 73 [7.9988]

B:BD[7.11479] → [7.11479:11506]

B:BD[7.11506] → [9.11820:11908]

    # network restrictions
    RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
      "AF_UNIX"
    ];

[7.11479]

[7.11572]

          log_config = "/var/lib/matrix-synapse/log.yaml";
          log.root.level = "WARNING";

Replacement in modules/matrix.nix at line 76 [7.9988]
B:BD[7.11573] → [7.11573:11584]
B:BD[7.11584] → [9.11909:11937]
∅:D[9.11937] → [7.11613:11647]
B:BD[7.11613] → [7.11613:11647]
```
    # misc
    NoNewPrivileges = true;
    RestrictSUIDSGID = true;
  };
```
[7.11573]
[7.11647]
```
          enable_registration = true;
          registration_requires_token = true;
```

Replacement in modules/matrix.nix at line 79 [7.9988]

B:BD[7.11648] → [7.11648:11711]

  services.matrix-synapse = enabled {
    withJemalloc = true;

[7.11648]

[7.11711]

          allow_public_rooms_without_auth = true;
          allow_public_rooms_over_federation = true;

Replacement in modules/matrix.nix at line 82 [7.9988]
B:BD[7.11712] → [7.11712:11746]
```
    configureRedisLocally = true;
```
[7.11712]
[7.11746]
```
          report_stats = false;
```

Replacement in modules/matrix.nix at line 84 [7.9988]

B:BD[7.11747] → [7.11747:11792]

    settings = {
      server_name = domain;

[7.11747]

[7.11792]

          delete_stale_devices_after = "30d";

Replacement in modules/matrix.nix at line 86 [7.9988]

B:BD[7.11793] → [9.11938:11968]

B:BD[9.11968] → [2.570:594]

∅:D[2.594] → [9.11991:12333]

B:BD[9.11991] → [9.11991:12333]

      listeners = [
        {
          inherit port;
          bind_addresses = [ "::1" ];
          type = "http";
          tls = false;
          x_forwarded = true; # behind reverse proxy
          resources = [
            {
              names = [
                "client"
                "federation"
                "media"
              ];
              compress = false;
            }

[7.11793]

[9.12333]

          redis.enabled = true;
          max_upload_size = "512M";
          media_store_path = "/var/lib/matrix-synapse/media_store";
          url_preview_enabled = true;
          dynamic_thumbnails = true;
          signing_key_path = config.age.secrets.matrixSigningKey.path;
          registration_shared_secret = config.age.secrets.matrixRegistrationSecret.path;
          trusted_key_servers = [ ];
          extras = [
            "url-preview"
            "user-search"

Replacement in modules/matrix.nix at line 104 [7.9988]
B:BD[9.12346] → [9.12346:12365]
```
        }
      ];
```
[9.12346]
[7.12134]
```
        };
      };
```

Replacement in modules/matrix.nix at line 107 [7.9988]

B:BD[7.12135] → [9.12366:12471]

      database.name = "sqlite3";
      database.args.database = "/var/lib/matrix-synapse/homeserver.db";

[7.12135]

[7.12246]

      services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
        extraConfig = ''
          ${config.services.nginx.goatCounterTemplate}
        '';
        locations."/_matrix".proxyPass = "http://[::1]:${toString port}";
        locations."/_synapse/client".proxyPass = "http://[::1]:${toString port}";
        locations."/_synapse/admin".proxyPass = "http://[::1]:${toString port}";
      };

Replacement in modules/matrix.nix at line 116 [7.9988]

B:BD[7.12247] → [9.12472:12561]

      log_config = "/var/lib/matrix-synapse/log.yaml";
      log.root.level = "WARNING";

[7.12247]

[7.12337]

      services.nginx.virtualHosts.${domain} = merge config.services.nginx.sslTemplate {
        locations."/.well-known/matrix/client".extraConfig = ''
          			return 200 '{"m.homeserver": {"base_url": "https://${fqdn}"}}';
          		'';

Replacement in modules/matrix.nix at line 121 [7.9988]

B:BD[7.12338] → [9.12562:12596]

∅:D[9.12596] → [7.12380:12422]

B:BD[7.12380] → [7.12380:12422]

      enable_registration = true;
      registration_requires_token = true;

[7.12338]

[7.12422]

        locations."/.well-known/matrix/server".extraConfig = ''
          			return 200 '{"m.server": "${fqdn}:443"}';
          		'';
      };
    };

Replacement in modules/matrix.nix at line 127 [7.9988]

B:BD[7.12423] → [9.12597:12643]

∅:D[9.12643] → [7.12472:12521]

B:BD[7.12472] → [7.12472:12521]

      allow_public_rooms_without_auth = true;
      allow_public_rooms_over_federation = true;

[7.12423]

[7.12521]

  cinnyBase =
    {
      pkgs,
      lib,
      config,
      ...
    }:
    let
      inherit (lib.strings) toJSON;
      inherit (lib.lists) singleton;
      inherit (config.networking) domain hostName;
      inherit (config.myLib) merge;
      fqdn = "chat.${domain}";
      root = pkgs.cinny;
      cinnyConfig = {
        allowCustomHomeservers = false;
        homeserverList = [ domain ];
        defaultHomeserver = 0;

Replacement in modules/matrix.nix at line 148 [7.9988]

B:BD[7.12522] → [7.12522:12550]

      report_stats = false;

[7.12522]

[7.12550]

        hashRouter = {
          enabled = false;
          basename = "/";
        };
        featuredCommunities = {
          openAsDefault = false;

Replacement in modules/matrix.nix at line 156 [7.9988]

B:BD[7.12551] → [7.12551:12593]

      delete_stale_devices_after = "30d";

[7.12551]

[7.12593]

          servers = [
            domain
            "matrix.org"
          ];

Replacement in modules/matrix.nix at line 161 [7.9988]
B:BD[7.12594] → [7.12594:12622]
```
      redis.enabled = true;
```
[7.12594]
[7.12622]
```
          spaces = [ ];
```

Replacement in modules/matrix.nix at line 163 [7.9988]

B:BD[7.12623] → [7.12623:12655]

      max_upload_size = "512M";

[7.12623]

[7.12655]

          rooms = [ ];
        };
      };
    in
    {
      assertions = singleton {
        assertion = config.services.matrix-synapse.enable;
        message = "The Cinny module should be used on the host running Matrix, but you're trying to enable it on '${hostName}'.";
      };

Replacement in modules/matrix.nix at line 173 [7.9988]

B:BD[7.12656] → [7.12656:12720]

      media_store_path = "/var/lib/matrix-synapse/media_store";

[7.12656]

[7.12720]

      services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
        inherit root;

Replacement in modules/matrix.nix at line 176 [7.9988]

B:BD[7.12721] → [7.12721:12755]

B:BD[7.12755] → [9.12644:12677]

      url_preview_enabled = true;
      dynamic_thumbnails = true;

[7.12721]

[7.12789]

        locations."= /config.json".extraConfig = # nginx
          ''
            default_type application/json;
            return 200 '${toJSON cinnyConfig}';
          '';

Replacement in modules/matrix.nix at line 182 [7.9988]

B:BD[7.12790] → [9.12678:12745]

∅:D[9.12745] → [7.12867:12952]

B:BD[7.12867] → [7.12867:12952]

      signing_key_path = config.age.secrets.matrixSigningKey.path;
      registration_shared_secret = config.age.secrets.matrixRegistrationSecret.path;

[7.12790]

[7.12952]

        locations."/".extraConfig = # nginx
          ''
            proxy_hide_header Content-Security-Policy;
            add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https: blob:; base-uri 'self'; frame-ancestors 'self';" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
            add_header Referrer-Policy no-referrer always;
          '';

Replacement in modules/matrix.nix at line 193 [7.9988]

B:BD[7.12953] → [9.12746:12779]

      trusted_key_servers = [ ];

[7.12953]

[7.12985]

        extraConfig = # nginx
          ''
            rewrite ^/config.json$ /config.json break;
            rewrite ^/manifest.json$ /manifest.json break;

Replacement in modules/matrix.nix at line 198 [7.9988]

B:BD[7.12986] → [9.12780:12850]

∅:D[9.12850] → [7.13034:13046]

B:BD[7.13034] → [7.13034:13046]

      extras = [
        "url-preview"
        "user-search"
      ];
    };
  };

[7.12986]

[7.13046]

            rewrite ^/sw.js$ /sw.js break;
            rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;

Replacement in modules/matrix.nix at line 201 [7.9988]

B:BD[7.13047] → [7.13047:13213]

B:BD[7.13213] → [9.12851:12921]

∅:D[9.12921] → [7.13291:13369]

B:BD[7.13291] → [7.13291:13369]

B:BD[7.13369] → [9.12922:12999]

∅:D[9.12999] → [7.13447:13452]

B:BD[7.13447] → [7.13447:13452]

  services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
    extraConfig = ''
      ${config.services.nginx.goatCounterTemplate}
    '';
    locations."/_matrix".proxyPass = "http://[::1]:${toString port}";
    locations."/_synapse/client".proxyPass = "http://[::1]:${toString port}";
    locations."/_synapse/admin".proxyPass = "http://[::1]:${toString port}";
  };

[7.13047]

[7.13452]

            rewrite ^/public/(.*)$ /public/$1 break;
            rewrite ^/assets/(.*)$ /assets/$1 break;

Replacement in modules/matrix.nix at line 204 [7.9988]

B:BD[7.13453] → [7.13453:13601]

B:BD[7.13601] → [9.13000:13085]

  services.nginx.virtualHosts.${domain} = lib.merge config.services.nginx.sslTemplate {
    locations."/.well-known/matrix/client".extraConfig = ''
      			return 200 '{"m.homeserver": {"base_url": "https://${fqdn}"}}';
      		'';

[7.13453]

[7.13674]

            rewrite ^(.+)$ /index.html break;
          '';
      };

Replacement in modules/matrix.nix at line 208 [7.9988]

B:BD[7.13675] → [7.13675:13735]

B:BD[7.13735] → [9.13086:13149]

∅:D[9.13149] → [7.13786:13791]

B:BD[7.13786] → [7.13786:13791]

    locations."/.well-known/matrix/server".extraConfig = ''
      			return 200 '{"m.server": "${fqdn}:443"}';
      		'';
  };

[7.13675]

[7.13791]

    };
in
{
  flake.modules.nixos.matrix = matrixBase;
  flake.modules.nixos.cinny = cinnyBase;

Insertion in modules/hosts.nix at line 214 [11.110]
[3.233]
[10.3901]
```
      cinny
```
Insertion in modules/hosts.nix at line 221 [11.110]
[4.1916]
[10.3979]
```
      matrix
```

Insertion in modules/hosts.nix at line 267 [11.110]

[12.1951]

[13.2937]

            };
            matrixSigningKey = {
              rekeyFile = ../secrets/plum-matrix-signing-key.age;
              owner = "matrix-synapse";
              group = "matrix-synapse";
            };
            matrixRegistrationSecret = {
              rekeyFile = ../secrets/plum-matrix-registration-secret.age;
              owner = "matrix-synapse";
              group = "matrix-synapse";

File deletion: cinny.nix

BF:BFD[7.128] → [7.32751:32784]

BF:BFD[7.32784] → [7.30858:30858]

∅:D[9.16995] → [7.30897:31094]

B:BD[7.30897] → [7.30897:31094]

∅:D[9.17056] → [7.31167:31187]

B:BD[7.31167] → [7.31167:31187]

∅:D[9.17080] → [7.31211:31415]

B:BD[7.31211] → [7.31211:31415]

∅:D[9.17086] → [7.31420:31466]

B:BD[7.31420] → [7.31420:31466]

B:BD[7.31467] → [7.31467:32750]

B:BD[7.31415] → [9.17081:17086]

B:BD[7.31187] → [9.17057:17080]

B:BD[7.31094] → [9.16996:17056]

B:BD[7.30858] → [9.16947:16995]

  inherit (config.networking) domain;
  inherit (lib) merge;
  inherit (lib.strings) toJSON;
  fqdn = "chat.${domain}";
  root = pkgs.cinny;
  cinnyConfig = {
    allowCustomHomeservers = false;
    hashRouter = {
      basename = "/";
    };
    featuredCommunities = {
      openAsDefault = false;
      servers = [
        domain
        "matrix.org"
      ];
      spaces = [ ];
      rooms = [ ];
    };
  };
  imports = [ (self + /modules/nginx.nix) ];
  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
    inherit root;
    locations."= /config.json".extraConfig = /* nginx */ ''
      default_type application/json;
      return 200 '${toJSON cinnyConfig}';
    '';
    locations."/".extraConfig = /* nginx */ ''
      proxy_hide_header Content-Security-Policy;
      add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https: blob:; base-uri 'self'; frame-ancestors 'self';" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
      add_header Referrer-Policy no-referrer always;
    '';
    extraConfig = /* nginx */ ''
      rewrite ^/config.json$ /config.json break;
      rewrite ^/manifest.json$ /manifest.json break;
      rewrite ^/sw.js$ /sw.js break;
      rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
      rewrite ^/public/(.*)$ /public/$1 break;
      rewrite ^/assets/(.*)$ /assets/$1 break;
      rewrite ^(.+)$ /index.html break;
    '';
  };
}
in
{
      enabled = false;
    homeserverList = [ domain ];
    defaultHomeserver = 0;
{
  self,
  config,
  lib,
  pkgs,
  ...
}:
let