sakura: remove unused services && readd matrix

hosts/sakura/services/authelia.nix

@@ -1,68 +0,0 @@
-{config, ...}: {
-  networking.firewall.allowedTCPPorts = [9091];
-  sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
-  sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
-  services.authelia.instances.default = {
-    enable = true;
-    secrets = {
-      jwtSecretFile = config.sops.secrets.authelia-jwt.path;
-      storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
-    };
-    settings = let
-      pqdn = "notohh.dev";
-    in {
-      log.level = "debug";
-      theme = "dark";
-      default_2fa_method = "totp";
-      default_redirection_url = "https://passport.${pqdn}/";
-      authentication_backend = {
-        file.path = "/var/lib/authelia-default/user.yml";
-      };
-      session = {
-        domain = pqdn;
-        expiration = 3600;
-        inactivity = 300;
-      };
-      totp = {
-        issuer = "authelia.com";
-        disable = false;
-        algorithm = "sha1";
-        digits = 6;
-        period = 30;
-        skew = 1;
-        secret_size = 32;
-      };
-      server = {
-        host = "0.0.0.0";
-        port = 9091;
-      };
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = pqdn;
-            policy = "bypass";
-          }
-        ];
-      };
-      regulation = {
-        max_retries = 3;
-        find_time = 120;
-        ban_time = 300;
-      };
-      notifier.filesystem = {
-        filename = "/var/lib/authelia-default/notif.txt";
-      };
-      storage.postgres = let
-        dbInfo = "authelia";
-      in {
-        host = "192.168.1.211";
-        port = 5432;
-        database = dbInfo;
-        schema = "public";
-        username = dbInfo;
-        password = dbInfo;
-      };
-    };
-  };
-}

hosts/sakura/services/default.nix

@@ -1,15 +1,15 @@
 {...}: {
   imports = [
     ./restic.nix
-    #  ./authelia.nix
     ./forgejo.nix
     ./rustypaste.nix
-    # ./hedgedoc.nix
     ./grafana.nix
     ./vaultwarden.nix
     ./tailscale.nix
     ./rustlog.nix
     ./wastebin.nix
     ./ganymede.nix
+    ./immich-proxy.nix
+    ./matrix.nix
   ];
 }

hosts/sakura/services/grafana.nix

@@ -25,7 +25,7 @@ in {
         ssl_mode = "disable";
       };
       panels = {
-        disable_sanitize_html = false;
+        disable_sanitize_html = true;
         enable_alpha = true;
       };
     };

hosts/sakura/services/hedgedoc.nix

@@ -1,15 +0,0 @@
-_: {
-  services.hedgedoc = {
-    enable = true;
-    settings = {
-      port = 3300;
-      domain = "scratch.flake.sh";
-      host = "100.121.201.47";
-      allowOrigin = ["scratch.flake.sh"];
-      allowAnonymous = true;
-      allowFreeURL = true;
-      allowEmailRegister = false;
-      dbURL = "postgres://hedgedoc:hedgedoc@192.168.1.211:5432/hedgedoc";
-    };
-  };
-}

hosts/sakura/services/matrix.nix

@@ -0,0 +1,29 @@
+{pkgs, ...}: {
+  networking.firewall.allowedTCPPorts = [6167 8448];
+  services.matrix-conduit = {
+    enable = true;
+    package = pkgs.conduwuit;
+    settings = {
+      global = {
+        address = "0.0.0.0";
+        server_name = "matrix.flake.sh";
+        allow_registration = false;
+        allow_federation = true;
+        allow_encryption = true;
+        max_concurrent_requests = 100;
+        max_request_size = 20000000;
+        database_backend = "rocksdb";
+        enable_lightning_bolt = false;
+        trusted_servers = ["matrix.org"];
+        url_preview_domain_contains_allowlist = ["*"];
+        new_user_displayname_suffix = "";
+        # yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+        log = "info";
+        well_known = {
+          client = "https://matrix.flake.sh";
+          server = "matrix.flake.sh:443";
+        };
+      };
+    };
+  };
+}