From 9bfc5b51888b1c0649583691c5bccb98966c33e2 Mon Sep 17 00:00:00 2001
From: notohh <github@notohh.dev>
Date: Mon, 10 Mar 2025 05:58:25 -0400
Subject: [PATCH] sakura: remove unused services && readd matrix

---
 hosts/sakura/services/authelia.nix | 68 ------------------------------
 hosts/sakura/services/default.nix  |  4 +-
 hosts/sakura/services/grafana.nix  |  2 +-
 hosts/sakura/services/hedgedoc.nix | 15 -------
 hosts/sakura/services/matrix.nix   | 29 +++++++++++++
 5 files changed, 32 insertions(+), 86 deletions(-)
 delete mode 100644 hosts/sakura/services/authelia.nix
 delete mode 100644 hosts/sakura/services/hedgedoc.nix
 create mode 100644 hosts/sakura/services/matrix.nix

diff --git a/hosts/sakura/services/authelia.nix b/hosts/sakura/services/authelia.nix
deleted file mode 100644
index 1e9f901..0000000
--- a/hosts/sakura/services/authelia.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{config, ...}: {
-  networking.firewall.allowedTCPPorts = [9091];
-  sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
-  sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
-  services.authelia.instances.default = {
-    enable = true;
-    secrets = {
-      jwtSecretFile = config.sops.secrets.authelia-jwt.path;
-      storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
-    };
-    settings = let
-      pqdn = "notohh.dev";
-    in {
-      log.level = "debug";
-      theme = "dark";
-      default_2fa_method = "totp";
-      default_redirection_url = "https://passport.${pqdn}/";
-      authentication_backend = {
-        file.path = "/var/lib/authelia-default/user.yml";
-      };
-      session = {
-        domain = pqdn;
-        expiration = 3600;
-        inactivity = 300;
-      };
-      totp = {
-        issuer = "authelia.com";
-        disable = false;
-        algorithm = "sha1";
-        digits = 6;
-        period = 30;
-        skew = 1;
-        secret_size = 32;
-      };
-      server = {
-        host = "0.0.0.0";
-        port = 9091;
-      };
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = pqdn;
-            policy = "bypass";
-          }
-        ];
-      };
-      regulation = {
-        max_retries = 3;
-        find_time = 120;
-        ban_time = 300;
-      };
-      notifier.filesystem = {
-        filename = "/var/lib/authelia-default/notif.txt";
-      };
-      storage.postgres = let
-        dbInfo = "authelia";
-      in {
-        host = "192.168.1.211";
-        port = 5432;
-        database = dbInfo;
-        schema = "public";
-        username = dbInfo;
-        password = dbInfo;
-      };
-    };
-  };
-}
diff --git a/hosts/sakura/services/default.nix b/hosts/sakura/services/default.nix
index 8405898..8fff035 100644
--- a/hosts/sakura/services/default.nix
+++ b/hosts/sakura/services/default.nix
@@ -1,15 +1,15 @@
 {...}: {
   imports = [
     ./restic.nix
-    #  ./authelia.nix
     ./forgejo.nix
     ./rustypaste.nix
-    # ./hedgedoc.nix
     ./grafana.nix
     ./vaultwarden.nix
     ./tailscale.nix
     ./rustlog.nix
     ./wastebin.nix
     ./ganymede.nix
+    ./immich-proxy.nix
+    ./matrix.nix
   ];
 }
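Review bot: The new `./immich-proxy.nix` import on the added side has no matching file in this patch — the diffstat lists five files and none of them is immich-proxy.nix — so unless that file already exists in hosts/sakura/services, evaluating this host will fail on a missing path. Either add the file to this commit or drop `./immich-proxy.nix` from the list; the commit title mentions only matrix. If the file does exist and is being re-enabled here, a word in the commit message would save the next reader the same check.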
diff --git a/hosts/sakura/services/grafana.nix b/hosts/sakura/services/grafana.nix
index 251f8a7..53b1cec 100644
--- a/hosts/sakura/services/grafana.nix
+++ b/hosts/sakura/services/grafana.nix
@@ -25,7 +25,7 @@ in {
         ssl_mode = "disable";
       };
       panels = {
-        disable_sanitize_html = false;
+        disable_sanitize_html = true;
         enable_alpha = true;
       };
     };
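Review bot: Flipping `disable_sanitize_html` to `true` turns off Grafana's HTML sanitization for panel content, so any user who can edit a dashboard can embed markup and script that runs in every viewer's browser; the commit message does not mention or justify this. If a particular panel needs raw HTML, record that next to the setting, e.g. `# raw HTML needed for <panel name>; every dashboard editor is trusted with script injection`, and otherwise revert to `false`. The enclosing `settings` attribute set begins outside the hunk, so I cannot see whether dashboard editing is restricted elsewhere.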
diff --git a/hosts/sakura/services/hedgedoc.nix b/hosts/sakura/services/hedgedoc.nix
deleted file mode 100644
index 66f03ba..0000000
--- a/hosts/sakura/services/hedgedoc.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-_: {
-  services.hedgedoc = {
-    enable = true;
-    settings = {
-      port = 3300;
-      domain = "scratch.flake.sh";
-      host = "100.121.201.47";
-      allowOrigin = ["scratch.flake.sh"];
-      allowAnonymous = true;
-      allowFreeURL = true;
-      allowEmailRegister = false;
-      dbURL = "postgres://hedgedoc:hedgedoc@192.168.1.211:5432/hedgedoc";
-    };
-  };
-}
diff --git a/hosts/sakura/services/matrix.nix b/hosts/sakura/services/matrix.nix
new file mode 100644
index 0000000..f687727
--- /dev/null
+++ b/hosts/sakura/services/matrix.nix
@@ -0,0 +1,29 @@
+{pkgs, ...}: {
+  networking.firewall.allowedTCPPorts = [6167 8448];
+  services.matrix-conduit = {
+    enable = true;
+    package = pkgs.conduwuit;
+    settings = {
+      global = {
+        address = "0.0.0.0";
+        server_name = "matrix.flake.sh";
+        allow_registration = false;
+        allow_federation = true;
+        allow_encryption = true;
+        max_concurrent_requests = 100;
+        max_request_size = 20000000;
+        database_backend = "rocksdb";
+        enable_lightning_bolt = false;
+        trusted_servers = ["matrix.org"];
+        url_preview_domain_contains_allowlist = ["*"];
+        new_user_displayname_suffix = "";
+        # yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+        log = "info";
+        well_known = {
+          client = "https://matrix.flake.sh";
+          server = "matrix.flake.sh:443";
+        };
+      };
+    };
+  };
+}
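Review bot: `url_preview_domain_contains_allowlist = ["*"]` makes the homeserver fetch any URL a user posts to generate a preview, including addresses that resolve into the host's own network; whether conduwuit refuses private ranges on its own is not visible here, so either narrow the list to the domains previews are actually wanted for or confirm that protection and note it in a comment. Separately, the `well_known` entries point clients and federation at `matrix.flake.sh` on 443, which suggests a reverse proxy terminates TLS, yet `address = "0.0.0.0"` together with `allowedTCPPorts = [6167 8448]` also exposes the plain listener directly; if the proxy is the intended path, `address = "127.0.0.1";` and dropping 6167 from the firewall list keeps the unencrypted port off the network. The commented-out open-registration line is best deleted rather than left in place, since `allow_registration = false` already states the intent.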