From eaf00456f0da02b21ca57d6ddb841635e518b922 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Mon, 8 Sep 2025 11:22:30 -0400
Subject: [PATCH] matrix
---
 hosts/nixos/HandlerOne/default.nix | 1 +
 modules/services/matrix/default.nix | 31 +++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/hosts/nixos/HandlerOne/default.nix b/hosts/nixos/HandlerOne/default.nix
index b546ad0..440d3e3 100644
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@@ -56,6 +56,7 @@
 "modules/services/netbox"
 "modules/services/system-logging"
 "modules/services/system-logging/nginx.nix"
+ "modules/services/matrix"
 "modules/services/flamesites"
 ])
 ];
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index 0c5d1be..5e8becd 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -1,5 +1,32 @@
-{pkgs, ...}: {
- services.matrix-tuwunel = {
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}: {
+ imports = [
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/tuwunel.nix"
+ ];
+
+ sops.secrets."matrix/registration_token" = {};
+
+ services.matrix.tuwunel = {
 enable = true;
+ package = pkgs.unstable.matrix-tuwunel;
+ stateDirectory = "tuwunel";
+ settings = {
+ global = {
+ server_name = "psychal.link";
+ new_user_displayname_suffix = "";
+ unix_socket_path = "/run/tuwunel/tuwunel.sock";
+ unix_socket_perms = 660;
+ allow_registration = false;
+ registration_token_file = config.sops.secrets."matrix/registration_token".path;
+ allow_encryption = true;
+ allow_federation = true;
+ require_auth_for_profile_requests = true; # no user enumeration
+ trusted_servers = ["matrix.org"];
+ };
+ };
 };
 }
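Review bot: The secret declared as `sops.secrets."matrix/registration_token" = {};` in modules/services/matrix/default.nix keeps the sops-nix defaults (owner root, mode 0400), so the account the tuwunel unit runs as will most likely be unable to read the path passed to `registration_token_file`. Because `allow_registration = false` leaves the token unused for now, the failure may only show up on the day registration is switched on, which is the moment the token is the only gate. Set the owner explicitly, for example `sops.secrets."matrix/registration_token" = { owner = "<tuwunel service user>"; mode = "0400"; };`, or hand the file to the unit through systemd `LoadCredential` if the module runs it with a dynamic user. Separately, the rename from `services.matrix-tuwunel` to `services.matrix.tuwunel` should be checked against the option path that the imported `tuwunel.nix` declares, which this patch does not show.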