nixos(hetzner-matrix): enable local provisioning service and route

basnijholt · basnijholt · commit 3231cdbd9523 · 2026-02-27T19:42:42.000-08:00
diff --git a/configs/nixos/hosts/hetzner-matrix/default.nix b/configs/nixos/hosts/hetzner-matrix/default.nix
@@ -40,6 +40,7 @@ let
     database_path = "/var/lib/tuwunel"
     address = ["127.0.0.1", "::1"]
     port = 8008
+    # Token-gated registration; token is loaded from an agenix-managed secret file.
     allow_registration = true
     registration_token_file = "${config.age.secrets.registration-token.path}"
     allow_federation = true
@@ -81,6 +82,7 @@ in
   imports = [
     ../../optional/zfs-auto-snapshot.nix
     ./networking.nix
+    ./local_mindroom_provisioning_service.nix
   ];
 
   # ── Tuwunel Matrix homeserver ───────────────────────────────────────
@@ -100,6 +102,12 @@ in
       group = "tuwunel";
       mode = "0400";
     };
+    registration-token-provisioning = {
+      file = ./secrets/registration-token.age;
+      owner = "mindroom-local-provisioning";
+      group = "mindroom-local-provisioning";
+      mode = "0400";
+    };
     sso-google-secret = {
       file = ./secrets/sso-google-secret.age;
       owner = "tuwunel";
@@ -172,6 +180,7 @@ in
     virtualHosts."${siteDomain}" = {
       extraConfig = ''
         reverse_proxy /_matrix/* localhost:8008
+        reverse_proxy /v1/local-mindroom/* localhost:8776
 
         handle /.well-known/matrix/server {
           header Content-Type application/json
@@ -198,13 +207,24 @@ in
     # Cinny web client (SPA)
     virtualHosts."${cinnyDomain}" = {
       extraConfig = ''
-        root * ${cinnyDist}/dist
+        root * /var/www/cinny/dist
         try_files {path} /index.html
         file_server
       '';
     };
   };
 
+  services.mindroom-local-provisioning = {
+    enable = true;
+    repoPath = "/srv/mindroom";
+    matrixHomeserver = "https://${siteDomain}";
+    matrixServerName = siteDomain;
+    matrixRegistrationTokenFile = config.age.secrets.registration-token-provisioning.path;
+    listenHost = "127.0.0.1";
+    listenPort = 8776;
+    corsOrigins = [ "https://${cinnyDomain}" ];
+  };
+
   # ── General server config ──────────────────────────────────────────
 
   # Packages needed for release pin updates and operational debugging.
diff --git a/configs/nixos/hosts/hetzner-matrix/local_mindroom_provisioning_service.nix b/configs/nixos/hosts/hetzner-matrix/local_mindroom_provisioning_service.nix
@@ -0,0 +1,124 @@
+# Source: https://github.com/mindroom-ai/mindroom/blob/main/scripts/local_mindroom_provisioning_service.nix
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.mindroom-local-provisioning;
+in
+{
+  options.services.mindroom-local-provisioning = {
+    enable = lib.mkEnableOption "MindRoom local provisioning service";
+
+    repoPath = lib.mkOption {
+      type = lib.types.str;
+      default = "/srv/mindroom";
+      description = "Absolute path to a checkout of this repository.";
+    };
+
+    scriptPath = lib.mkOption {
+      type = lib.types.str;
+      default = "scripts/local_mindroom_provisioning_service.py";
+      description = "Path to the provisioning script relative to repoPath.";
+    };
+
+    matrixHomeserver = lib.mkOption {
+      type = lib.types.str;
+      default = "https://mindroom.chat";
+      description = "Matrix homeserver used for /account/whoami token verification.";
+    };
+
+    matrixServerName = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Optional Matrix server_name override when it differs from matrixHomeserver host.";
+    };
+
+    matrixRegistrationTokenFile = lib.mkOption {
+      type = lib.types.str;
+      description = "File containing the Matrix registration token.";
+    };
+
+    listenHost = lib.mkOption {
+      type = lib.types.str;
+      default = "127.0.0.1";
+      description = "Bind address for the local provisioning HTTP server.";
+    };
+
+    listenPort = lib.mkOption {
+      type = lib.types.port;
+      default = 8776;
+      description = "Bind port for the local provisioning HTTP server.";
+    };
+
+    corsOrigins = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ "https://chat.mindroom.chat" ];
+      description = "CORS origins allowed to call provisioning endpoints from browser UI.";
+    };
+
+    statePath = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/mindroom-local-provisioning/state.json";
+      description = "State file path for pair sessions/connections.";
+    };
+
+    caddyHost = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = "Optional host name to publish through Caddy (for example provisioning.mindroom.chat).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.mindroom-local-provisioning = {
+      isSystemUser = true;
+      group = "mindroom-local-provisioning";
+      home = "/var/lib/mindroom-local-provisioning";
+    };
+    users.groups.mindroom-local-provisioning = { };
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/mindroom-local-provisioning 0750 mindroom-local-provisioning mindroom-local-provisioning -"
+    ];
+
+    systemd.services.mindroom-local-provisioning = {
+      description = "MindRoom Local Provisioning Service";
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        MATRIX_HOMESERVER = cfg.matrixHomeserver;
+        MATRIX_REGISTRATION_TOKEN_FILE = cfg.matrixRegistrationTokenFile;
+        MINDROOM_PROVISIONING_HOST = cfg.listenHost;
+        MINDROOM_PROVISIONING_PORT = toString cfg.listenPort;
+        MINDROOM_PROVISIONING_STATE_PATH = cfg.statePath;
+        MINDROOM_PROVISIONING_CORS_ORIGINS = lib.concatStringsSep "," cfg.corsOrigins;
+      } // lib.optionalAttrs (cfg.matrixServerName != null) {
+        MATRIX_SERVER_NAME = cfg.matrixServerName;
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        User = "mindroom-local-provisioning";
+        Group = "mindroom-local-provisioning";
+        WorkingDirectory = cfg.repoPath;
+        ExecStart = "${pkgs.uv}/bin/uv run --script ${cfg.repoPath}/${cfg.scriptPath}";
+        Restart = "on-failure";
+        RestartSec = "5s";
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectSystem = "strict";
+        ReadWritePaths = [ "/var/lib/mindroom-local-provisioning" ];
+      };
+    };
+
+    services.caddy.virtualHosts = lib.mkIf (cfg.caddyHost != null) {
+      "${cfg.caddyHost}" = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString cfg.listenPort}
+        '';
+      };
+    };
+  };
+}
