matrix: Switch to oci-containers config

agenix/hosts/sail/config.nix

@@ -54,6 +54,10 @@
       group = "matrix-synapse";
     };
 
+    signald-environment = {
+      file = ./signald/environment.age;
+    };
+
     mosquitto-password-weewx-proxy = {
       file = ./mosquitto/passwordWeewxProxy.age;
       owner = "mosquitto";

agenix/hosts/sail/signald/environment.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBnOFBF
+VGgxaWd4TFI3Kzc1MTVOZ3oyTkw5OUFJQ1VvejhPVFpBaG5LZlIwCnZldWd2OGNS
+a3dSaEZzOWdKaHRCdjJSWXRzM3F0bFZZTEVhYWROdUVOSEkKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IGtQMS9ubGIwaXB2SHlQV1JwUHk0T2orN1VxQ1p3THVlU1ovcW5j
+VU5QUmsKdkNVbW90bVhjNW5BZkVya1ViS0lRY0kvT05IK3pNc2JJcFlWd2xxcElM
+QQotPiBnLWdyZWFzZSBKbyRNY0s/Ck9QQy83OCtKNUpCYnhBCi0tLSBzNFB2eTJ5
+c2p2bHhMeWdSMTBXTmoyaExST1lpZmJsSEt3UmdHbGJEZnhvCvqkLX1gUWNIX4gQ
+5hj/S53ekxGqauFA0b+DZ+JxORK90CdRHvenBUeuxfqwjPwlQQXwmL2DDoTVU2qu
+HlMitZrjsV8pcHm6HXOdOPBldWbpfvr1ET/rM7OEo5eW/EPqdTvsgLHjKetsra3V
+4eqciGp4HlcEQPU6p9i9R0Kv
+-----END AGE ENCRYPTED FILE-----

container/matrix/config.nix

@@ -1,25 +0,0 @@
-{
-  systemd.tmpfiles.rules = [
-    "d /etc/container-matrix/signald 0775 0 0"
-    "d /etc/container-matrix/signal 0775 1337 1337"
-    "d /etc/container-matrix/whatsapp 0775 1337 1337"
-  ];
-
-  # Matrix: Signal
-
-  environment.etc."container-matrix/signal/config.yaml" = {
-    source = ../../secret/container/matrix/config/signal.yaml;
-    mode = "0640";
-    uid = 1337;
-    gid = 1337;
-  };
-
-  # Matrix: WhatsApp
-
-  environment.etc."container-matrix/whatsapp/config.yaml" = {
-    source = ../../secret/container/matrix/config/whatsapp.yaml;
-    mode = "0640";
-    uid = 1337;
-    gid = 1337;
-  };
-}

container/matrix/default.nix

@@ -1,61 +1,67 @@
-let
-  secret = import ../../secret/container/matrix;
-  custom-config = import ./config.nix;
-in
+{ config, ... }:
+
 {
-  virtualisation.arion.projects.matrix.settings = {
-    services = {
-      signald = {
-        service = {
-          image = "registry.gitlab.com/signald/signald:latest";
-          container_name = "signald";
-          restart = "unless-stopped";
-          volumes = [
-            "/etc/container-matrix/signald:/signald"
-          ];
-          environment = {
-            SIGNALD_DATABASE = secret.container.matrix.signald.environment.database;
-          };
-          labels = {
-            "com.centurylinklabs.watchtower.enable" = "true";
-            "io.containers.autoupdate" = "registry";
-          };
-        };
-      };
+  virtualisation.oci-containers.containers = {
+    signald = {
+      image = "registry.gitlab.com/signald/signald:latest";
+      environmentFiles = [ config.age.secrets.signald-environment.path ];
+      volumes = [
+        "/etc/container-matrix/signald:/signald"
+      ];
+      extraOptions = [
+        "--label=com.centurylinklabs.watchtower.enable=true"
+        "--label=io.containers.autoupdate=registry"
+      ];
+    };
 
-      matrix-signal = {
-        service = {
-          image = "dock.mau.dev/mautrix/signal:latest";
-          container_name = "mautrix-signal";
-          restart = "unless-stopped";
-          depends_on = [ "signald" ];
-          ports = [ "29328:29328" ];
-          volumes = [
-            "/etc/container-matrix/signal:/data"
-            "/etc/container-matrix/signald:/signald"
-          ];
-          labels = {
-            "com.centurylinklabs.watchtower.enable" = "true";
-            "io.containers.autoupdate" = "registry";
-          };
-        };
-      };
+    matrix-signal = {
+      image = "dock.mau.dev/mautrix/signal:latest";
+      dependsOn = [ "signald" ];
+      ports = [ "127.0.0.1:29328:29328" ];
+      volumes = [
+        "/etc/container-matrix/signal:/data"
+        "/etc/container-matrix/signald:/signald"
+      ];
+      extraOptions = [
+        "--label=com.centurylinklabs.watchtower.enable=true"
+        "--label=io.containers.autoupdate=registry"
+      ];
+    };
 
-      matrix-whatsapp = {
-        service = {
-          image = "dock.mau.dev/mautrix/whatsapp:latest";
-          container_name = "mautrix-whatsapp";
-          restart = "unless-stopped";
-          ports = [ "29318:29318" ];
-          volumes = [
-            "/etc/container-matrix/whatsapp:/data"
-          ];
-          labels = {
-            "com.centurylinklabs.watchtower.enable" = "true";
-            "io.containers.autoupdate" = "registry";
-          };
-        };
-      };
+    matrix-whatsapp = {
+      image = "dock.mau.dev/mautrix/whatsapp:latest";
+      ports = [ "127.0.0.1:29318:29318" ];
+      volumes = [
+        "/etc/container-matrix/whatsapp:/data"
+      ];
+      extraOptions = [
+        "--label=com.centurylinklabs.watchtower.enable=true"
+        "--label=io.containers.autoupdate=registry"
+      ];
     };
   };
-} // custom-config
+
+  systemd.tmpfiles.rules = [
+    "d /etc/container-matrix/signald 0775 0 0"
+    "d /etc/container-matrix/signal 0775 1337 1337"
+    "d /etc/container-matrix/whatsapp 0775 1337 1337"
+  ];
+
+  # Matrix: Signal
+
+  environment.etc."container-matrix/signal/config.yaml" = {
+    source = ../../secret/container/matrix/config/signal.yaml;
+    mode = "0640";
+    uid = 1337;
+    gid = 1337;
+  };
+
+  # Matrix: WhatsApp
+
+  environment.etc."container-matrix/whatsapp/config.yaml" = {
+    source = ../../secret/container/matrix/config/whatsapp.yaml;
+    mode = "0640";
+    uid = 1337;
+    gid = 1337;
+  };
+} 

secrets.nix

@@ -19,6 +19,8 @@ in
 
   "agenix/hosts/sail/synapse/extraConfig.age".publicKeys = sail;
 
+  "agenix/hosts/sail/signald/environment.age".publicKeys = sail;
+
   "agenix/hosts/sail/mosquitto/passwordWeewxProxy.age".publicKeys = sail;
   "agenix/hosts/sail/mosquitto/passwordWeewx.age".publicKeys = sail;