From fe7d8c4f1279f0498fdfccf0b49d9b544c449e79 Mon Sep 17 00:00:00 2001
From: Charles Hall <charles@computer.surgery>
Date: Sat, 15 Oct 2022 13:02:13 -0700
Subject: [PATCH 1/2] add nix flake

Also add `.envrc` for direnv + Nix users. This makes developing locally
easier for us NixOS folks.

The flake itself will allow NixOS users to pull code directly from
Conduit's repository, making it completely trivial to stay up-to-date
with every commit.

I'd also like to add a NixOS module directly to this repository at some
point so that new configuration options will be available in the NixOS
module faster. But for now, NixOS users can simply override
`serivces.matrix-conduit.package` and get pretty much all the
functionality.

I've added myself to the `CODEOWNERS` file for the Nix files, since I am
willing to maintain this stuff. I use Conduit on NixOS so I'm personally
invested in having this work.

Lastly, `.gitignore` was updated to exclude symlinks created by `direnv`
and `nix build` and other such Nix commands.

This doesn't come without maintenance burden, however:

* The `sha256` in `flake.nix` will need to be updated whenever Conduit's
  MSRV is updated, but that should be pretty infrequent.

* `nix flake update` should be run every so often to pull in updates to
  `nixpkgs` and other flake inputs. I think downstream users can also
  override this themselves with `inputs.<name>.inputs.<name>.follows`.

* `nix flake check` should be run in CI to ensure Nix builds keep
  working.

* `nixpkgs-fmt --check $(fd '\.nix')` (or similar) should be run in CI
  to ensure style uniformity.
---
 .envrc             |   1 +
 .gitignore         |   6 +++
 .gitlab/CODEOWNERS |   4 ++
 flake.lock         | 102 +++++++++++++++++++++++++++++++++++++++++++++
 flake.nix          |  75 +++++++++++++++++++++++++++++++++
 5 files changed, 188 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitlab/CODEOWNERS
 create mode 100644 flake.lock
 create mode 100644 flake.nix

diff --git a/.envrc b/.envrc
new file mode 100644
index 00000000..3550a30f
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
index f5e9505b..19f05ce3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,9 @@ conduit.db
 
 # Etc.
 **/*.rs.bk
+
+# Nix artifacts
+/result*
+
+# Direnv cache
+/.direnv
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
new file mode 100644
index 00000000..20ec9fa7
--- /dev/null
+++ b/.gitlab/CODEOWNERS
@@ -0,0 +1,4 @@
+# Nix things
+.envrc @CobaltCause
+flake.lock @CobaltCause
+flake.nix @CobaltCause
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 00000000..9217ff26
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,102 @@
+{
+  "nodes": {
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1665815894,
+        "narHash": "sha256-Vboo1L4NMGLKZKVLnOPi9OHlae7uoNyfgvyIUm+SVXE=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "2348450241a5f945f0ba07e44ecbfac2f541d7f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1662220400,
+        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1665856037,
+        "narHash": "sha256-/RvIWnGKdTSoIq5Xc2HwPIL0TzRslzU6Rqk4Img6UNg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c95ebc5125ffffcd431df0ad8620f0926b8125b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "fenix": "fenix",
+        "flake-utils": "flake-utils",
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1665765556,
+        "narHash": "sha256-w9L5j0TIB5ay4aRwzGCp8mgvGsu5dVJQvbEFutwr6xE=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "018b8429cf3fa9d8aed916704e41dfedeb0f4f78",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 00000000..924300cf
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,75 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs";
+    flake-utils.url = "github:numtide/flake-utils";
+
+    fenix = {
+      url = "github:nix-community/fenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    naersk = {
+      url = "github:nix-community/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    { self
+    , nixpkgs
+    , flake-utils
+
+    , fenix
+    , naersk
+    }: flake-utils.lib.eachDefaultSystem (system:
+    let
+      pkgs = nixpkgs.legacyPackages.${system};
+
+      # Nix-accessible `Cargo.toml`
+      cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
+
+      # The Rust toolchain to use
+      toolchain = fenix.packages.${system}.toolchainOf {
+        # Use the Rust version defined in `Cargo.toml`
+        channel = cargoToml.package.rust-version;
+
+        # This will need to be updated when `package.rust-version` is changed in
+        # `Cargo.toml`
+        sha256 = "sha256-KXx+ID0y4mg2B3LHp7IyaiMrdexF6octADnAtFIOjrY=";
+      };
+
+      builder = (pkgs.callPackage naersk {
+        inherit (toolchain) rustc cargo;
+      }).buildPackage;
+    in
+    {
+      packages.default = builder {
+        src = ./.;
+
+        nativeBuildInputs = (with pkgs.rustPlatform; [
+          bindgenHook
+        ]);
+      };
+
+      devShells.default = pkgs.mkShell {
+        # Rust Analyzer needs to be able to find the path to default crate
+        # sources, and it can read this environment variable to do so
+        RUST_SRC_PATH = "${toolchain.rust-src}/lib/rustlib/src/rust/library";
+
+        # Development tools
+        nativeBuildInputs = (with pkgs.rustPlatform; [
+          bindgenHook
+        ]) ++ (with toolchain; [
+          cargo
+          clippy
+          rust-src
+          rustc
+          rustfmt
+        ]);
+      };
+
+      checks = {
+        packagesDefault = self.packages.${system}.default;
+        devShellsDefault = self.devShells.${system}.default;
+      };
+    });
+}

From 716f82db6dbd324bbd0b142db740e8f5e39b2a6c Mon Sep 17 00:00:00 2001
From: Charles Hall <charles@computer.surgery>
Date: Sat, 15 Oct 2022 15:21:04 -0700
Subject: [PATCH 2/2] add nix/nixos deployment documentation

---
 .gitlab/CODEOWNERS |   1 +
 README.md          |   1 +
 nix/README.md      | 188 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 190 insertions(+)
 create mode 100644 nix/README.md

diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 20ec9fa7..665aaaa7 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -2,3 +2,4 @@
 .envrc @CobaltCause
 flake.lock @CobaltCause
 flake.nix @CobaltCause
+nix/ @CobaltCause
diff --git a/README.md b/README.md
index 730b2512..ab471769 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ Check out the [Conduit 1.0 Release Milestone](https://gitlab.com/famedly/conduit
 
 - Simple install (this was tested the most): [DEPLOY.md](DEPLOY.md)
 - Debian package: [debian/README.Debian](debian/README.Debian)
+- Nix/NixOS: [nix/README.md](nix/README.md)
 - Docker: [docker/README.md](docker/README.md)
 
 If you want to connect an Appservice to Conduit, take a look at [APPSERVICES.md](APPSERVICES.md).
diff --git a/nix/README.md b/nix/README.md
new file mode 100644
index 00000000..d92f910b
--- /dev/null
+++ b/nix/README.md
@@ -0,0 +1,188 @@
+# Conduit for Nix/NixOS
+
+This guide assumes you have a recent version of Nix (^2.4) installed.
+
+Since Conduit ships as a Nix flake, you'll first need to [enable
+flakes][enable_flakes].
+
+You can now use the usual Nix commands to interact with Conduit's flake. For
+example, `nix run gitlab:famedly/conduit` will run Conduit (though you'll need
+to provide configuration and such manually as usual).
+
+If your NixOS configuration is defined as a flake, you can depend on this flake
+to provide a more up-to-date version than provided by `nixpkgs`. In your flake,
+add the following to your `inputs`:
+
+```nix
+conduit = {
+    url = "gitlab:famedly/conduit";
+
+    # Assuming you have an input for nixpkgs called `nixpkgs`. If you experience
+    # build failures while using this, try commenting/deleting this line. This
+    # will probably also require you to always build from source.
+    inputs.nixpkgs.follows = "nixpkgs";
+};
+```
+
+Next, make sure you're passing your flake inputs to the `specialArgs` argument
+of `nixpkgs.lib.nixosSystem` [as explained here][specialargs]. This guide will
+assume you've named the group `flake-inputs`.
+
+Now you can configure Conduit and a reverse proxy for it. Add the following to
+a new Nix file and include it in your configuration:
+
+```nix
+{ config
+, pkgs
+, flake-inputs
+, ...
+}:
+
+let
+  # You'll need to edit these values
+
+  # The hostname that will appear in your user and room IDs
+  server_name = "example.com";
+
+  # The hostname that Conduit actually runs on
+  #
+  # This can be the same as `server_name` if you want. This is only necessary
+  # when Conduit is running on a different machine than the one hosting your
+  # root domain. This configuration also assumes this is all running on a single
+  # machine, some tweaks will need to be made if this is not the case.
+  matrix_hostname = "matrix.${server_name}";
+
+  # An admin email for TLS certificate notifications
+  admin_email = "admin@${server_name}";
+
+  # These ones you can leave alone
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
+  well_known_server = pkgs.writeText "well-known-matrix-server" ''
+    {
+      "m.server": "${matrix_hostname}"
+    }
+  '';
+
+  # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
+  well_known_client = pkgs.writeText "well-known-matrix-client" ''
+    {
+      "m.homeserver": {
+        "base_url": "https://${matrix_hostname}"
+      }
+    }
+  '';
+in
+
+{
+  # Configure Conduit itself
+  services.matrix-conduit = {
+    enable = true;
+
+    # This causes NixOS to use the flake defined in this repository instead of
+    # the build of Conduit built into nixpkgs.
+    package = flake-inputs.conduit.packages.${pkgs.system}.default;
+
+    settings.global = {
+      inherit server_name;
+    };
+  };
+
+  # Configure automated TLS acquisition/renewal
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = admin_email;
+    };
+  };
+
+  # ACME data must be readable by the NGINX user
+  users.users.nginx.extraGroups = [
+    "acme"
+  ];
+
+  # Configure NGINX as a reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "${server_name}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 443;
+            ssl = true;
+          }
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+        ];
+
+        extraConfig = ''
+          merge_slashes off;
+        '';
+
+      "${matrix_hostname}" = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations."/_matrix/" = {
+          proxyPass = "http://backend_conduit$request_uri";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_buffering off;
+          '';
+        };
+
+        locations."=/.well-known/matrix/server" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_server}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+          '';
+        };
+
+        locations."=/.well-known/matrix/client" = {
+          # Use the contents of the derivation built previously
+          alias = "${well_known_client}";
+
+          extraConfig = ''
+            # Set the header since by default NGINX thinks it's just bytes
+            default_type application/json;
+
+            # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
+            add_header Access-Control-Allow-Origin "*";
+          '';
+        };
+      };
+    };
+
+    upstreams = {
+      "backend_conduit" = {
+        servers = {
+          "localhost:${toString config.services.matrix-conduit.settings.global.port}" = { };
+        };
+      };
+    };
+  };
+
+  # Open firewall ports for HTTP, HTTPS, and Matrix federation
+  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
+```
+
+Now you can rebuild your system configuration and you should be good to go!
+
+[enable_flakes]: https://nixos.wiki/wiki/Flakes#Enable_flakes
+
+[specialargs]: https://nixos.wiki/wiki/Flakes#Using_nix_flakes_with_NixOS