Releases: wlphi/nixmatrix
v1.0.0 — first production release
First production release. Every fix below was found by deploying to a real, blank cloud VPS, and the final state was re-verified on a from-scratch reinstall of this exact commit — no manual steps after nixos-anywhere.
Verified on a clean deploy
- All services start and stay up (`NRestarts=0`): Synapse, MAS, Caddy, nginx, PostgreSQL, LiveKit, lk-jwt-service, FluffyChat.
- Real Let's Encrypt certificates on every subdomain.
- Matrix federation tester: green.
- Element Call (LiveKit + JWT service) running.
- Create a user and log in via the Matrix client API — works on first boot.
- Cloud metadata DNS keeps working after containers start (no link-local hijack).
Fixes since v0.1.0
- Element Call: `lk-jwt-service` was pinned to an image tag that doesn't exist (`v0.2.1`). The image is published without a leading `v` — now pinned to `0.4.4`.
- Federation: port 8448 was open in the firewall but nothing listened on it; Caddy now serves federation there for peers that skip well-known delegation.
- Login / user creation: MAS and Synapse were configured with two different shared secrets, so Synapse rejected MAS's admin calls (`403 "must only be called by MAS"`). Both now use the same `synapse_admin_token`.
- Deploy command: dropped `--force-kexec` (unnecessary on a fresh cloud VM, and broken in nixos-anywhere 1.13.0), fixed the README/DEPLOY quick-starts to pass `--target-host`, `--extra-files`, and the SSH key, and switched to the canonical `github:nix-community/nixos-anywhere` reference.
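A post-deploy check for the federation fix above, written for these notes as an added example (not code from the nixmatrix repo): it exercises both routes a remote homeserver can take to reach this one, .well-known delegation and a direct connection to port 8448, and fetches the spec's unauthenticated `/_matrix/federation/v1/version` endpoint with certificate verification on, so an incomplete Let's Encrypt issuance also shows up. Only the base domain is passed in; the endpoint path and the 8448 default port come from the Matrix spec.

```python
"""Post-deploy federation check for a nixMatrix host (added example, not repo code)."""
import json, sys, urllib.request

FED_VERSION = "/_matrix/federation/v1/version"  # spec endpoint, unauthenticated

def delegation_target(well_known_body):
    """Parse /.well-known/matrix/server into (host, port); the spec default port is
    8448 when m.server carries none. Returns None when the body is unusable."""
    try:
        server = json.loads(well_known_body)["m.server"]
        host, sep, port = server.rpartition(":")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not server:
        return None
    if not sep or not port.isdigit():   # no explicit port (also a bare IPv6 literal)
        return server, 8448
    return host, int(port)

def federation_version_ok(body):
    """True if body is a valid federation version reply: {"server": {"name", "version"}}."""
    try:
        info = json.loads(body)["server"]
        return bool(info["name"]) and bool(info["version"])
    except (ValueError, KeyError, TypeError):
        return False

def fetch(url):
    """GET with certificate verification on, so a bad TLS certificate counts as a failure."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode()
    except OSError:  # URLError, HTTPError, connection and TLS failures
        return ""

def main(domain):
    failures = 0
    # Path 1: peers that honour .well-known delegation.
    target = delegation_target(fetch(f"https://{domain}/.well-known/matrix/server"))
    if target is None:
        print("well-known delegation: missing or malformed"); failures += 1
    else:
        ok = federation_version_ok(fetch(f"https://{target[0]}:{target[1]}{FED_VERSION}"))
        print(f"delegated {target[0]}:{target[1]}: {'ok' if ok else 'FAIL'}"); failures += 0 if ok else 1
    # Path 2: peers that skip delegation go straight to <domain>:8448 (the fix above).
    ok = federation_version_ok(fetch(f"https://{domain}:8448{FED_VERSION}"))
    print(f"direct {domain}:8448: {'ok' if ok else 'FAIL'}")
    return failures + (0 if ok else 1)

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python3 fedcheck.py example.org` from any host with outbound HTTPS; a non-zero exit code means one of the two paths is broken.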
Related
Prefer Docker? The same stack as a Docker Compose deployment: https://github.com/wlphi/ess-docker-compose
v0.1.0 — first public release
First public release of nixMatrix — a complete, self-hosted Matrix homeserver
stack as a single NixOS flake. Deploy a federated chat server with modern OIDC
login, web clients, optional bridges, video calls, and monitoring to a fresh VPS
with one nixos-anywhere run.
This is the NixOS sibling of
ess-docker-compose — same stack,
Docker Compose instead of NixOS.
What's included
- Synapse homeserver with federation
- Matrix Authentication Service (MAS) — modern OIDC/OAuth2 login (MSC3861)
- Element Web, FluffyChat, and an admin panel
- Caddy with automatic Let's Encrypt TLS, PostgreSQL 16, Redis
- Prometheus + Grafana monitoring
All opt-in, off by default:
- Messaging bridges — Telegram, WhatsApp, Signal, Discord (`nixmatrix.bridges.*.enable`)
- hookshot — GitHub / GitLab / Jira / webhooks / RSS (`nixmatrix.bridges.hookshot.enable`)
- Authelia SSO (`nixmatrix.sso.enable`)
- TURN fallback for calls behind strict NAT (`nixmatrix.turn.enable`)
- External reverse proxy mode + drop-in nginx/Apache configs (`nixmatrix.externalProxy.enable`)
- Public self-signup (`nixmatrix.openRegistration`)
Getting started
```sh
git clone https://github.com/wlphi/nixmatrix && cd nixmatrix
./scripts/bootstrap.sh   # keys, secrets, your domain
nix run github:numtide/nixos-anywhere -- --flake .#matrix-server root@<SERVER_IP>
```
Set one value — your domain — and every service subdomain and user ID is derived from it. Full guide in docs/DEPLOY.md.
Quality
- An automated NixOS VM test boots the whole stack on every change and checks that the core services come up and stay up (zero restarts), the databases exist, and the critical paths work — login routed through MAS, OIDC discovery, well-known delegation, Element loading. hookshot is boot-tested end-to-end.
- Static config checks (90) and the VM test run in CI.
- Upgrade, rollback, and backup-restore are documented, with a `restore-db.sh` helper.
Status — please read
The stack is verified in CI but not yet proven across real-world deployments.
The VM test uses self-signed certificates and throwaway secrets, so it does not
exercise real Let's Encrypt issuance, federation with other servers, calls across
real networks, or the reverse-proxy path. Treat your first deploy as the real
test — and please open an issue with how it went. See
docs/DEPLOY.md §9 for the full list of caveats.
Not yet implemented: Slack and IRC chat bridges.