alpine: update authentik and mautrix

nixos/services/authentik.nix

@@ -10,7 +10,7 @@
   };
   authentik-config = {
     autoStart = true;
-    image = "ghcr.io/goauthentik/server:2025.6.3";
+    image = "ghcr.io/goauthentik/server:2025.8.4";
     volumes = ["/home/tristan/pods/authentik/media:/media"];
     environment = {
       AUTHENTIK_POSTGRESQL__USER = postgres.user;

nixos/services/mautrix/signal.nix

@@ -1,10 +1,13 @@
-{config, lib, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
   inherit (import ./lib.nix) toAppRegistration;
   inherit (config.sops) templates placeholder;
 in {
-
   virtualisation.oci-containers.containers.mautrix-signal = {
-    image = "dock.mau.dev/mautrix/signal:v0.8.3";
+    image = "dock.mau.dev/mautrix/signal:v25.10";
     dependsOn = ["mautrix-signal-psql"];
     volumes = [
       "/home/tristan/pods/signal-bridge/mautrix-signal:/data:z"
@@ -15,16 +18,15 @@ in {
     ];
   };
 
-# when you get around to backing this up
-# 1. stop the server.
-# 2. backup the db.
-# 3. migrate to newer version of postgres
-# 4. migrate db to local
+  # when you get around to backing this up
+  # 1. stop the server.
+  # 2. backup the db.
+  # 3. migrate to newer version of postgres
+  # 4. migrate db to local
   virtualisation.oci-containers.containers.mautrix-signal-psql = {
     image = "docker.io/postgres:14-alpine";
-    # ports = [ "127.0.0.1:5435:5432" ];
-    ports = [ "5435:5432" ];
-    volumes = [ "/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data" ];
+    ports = ["5435:5432"];
+    volumes = ["/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data"];
     environmentFiles = [templates."mautrix-signal/psql.env".path];
   };
   sops.templates = {
@@ -58,5 +60,4 @@ in {
   services.matrix-synapse.settings.app_service_config_files = [
     templates."mautrix-signal/appservice.yaml".path
   ];
-
 }

nixos/services/mautrix/whatsapp.nix

@@ -1,5 +1,4 @@
-{config, ...}:
-{
+{config, ...}: {
   nixpkgs.config.permittedInsecurePackages = [
     "olm-3.2.16"
   ];
@@ -7,9 +6,9 @@
     enable = true;
     registerToSynapse = true;
     settings = {
-      appservice.database = {
-        type = "sqlite3";
-        uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db";
+      database = {
+        type = "sqlite3-fk-wal";
+        uri = "file:/var/lib/mautrix-whatsapp/mautrix-whatsapp.db?_txlock=immediate";
       };
       homeserver = {
         address = "http://localhost:8008";
@@ -20,12 +19,13 @@
           "tristans.cloud" = "user";
           "@tristan:tristans.cloud" = "admin";
         };
-        encryption = {
-          allow = true;
-          appservice = false;
-        };
         personal_filtering_spaces = true;
       };
+      encryption = {
+        allow = true;
+        appservice = false;
+        pickle_key = "maunium.net/go/mautrix-whatsapp";
+      };
     };
   };
 }

nixos/services/synapse/default.nix

@@ -36,6 +36,11 @@ in {
     "synapse/secrets.yaml" = {
       owner = "matrix-synapse";
       content = builtins.toJSON {
+        jwt_config = {
+          enabled = true;
+          secret = sops.placeholder."synapse/oidc_client_secret";
+          algorithm = "RS256";
+        };
         oidc_providers = [
           {
             idp_id = "authentik";
@@ -84,6 +89,21 @@ in {
           ];
         }
       ];
+      # log_config = pkgs.writeTextFile {
+      #   name = "synapse-logging.json";
+      #   text = builtins.toJSON {
+      #     version = 1;
+      #     root = {
+      #       level = "INFO";
+      #       handlers = ["console"];
+      #     };
+      #     formatters.precise.format = "%(levelname)s - %(name)s - %(message)s";
+      #     handlers.console = {
+      #       class = "logging.StreamHandler";
+      #       formatter = "precise";
+      #     };
+      #   };
+      # };
     };
   };