Somehow fixed traefik, added copyparty

modules/default.nix

@@ -4,5 +4,7 @@
   imports = [
     ./reverse-proxy
     ./virtualisation
+    ./social
+    ./file-server
   ];
 }

modules/file-server/copyparty/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.dov.file-server.copyparty;
+in {
+  options.dov.file-server.copyparty = { enable = mkEnableOption "copyparty config"; };
+
+  config = mkIf cfg.enable {
+    # # add the copyparty overlay to expose the package to the module
+    # nixpkgs.overlays = [ copyparty.overlays.default ];
+    # # (optional) install the package globally
+    # environment.systemPackages = [ pkgs.copyparty ];
+    # # configure the copyparty module
+    # services.copyparty.enable = cfg.enable;
+  };
+
+}

modules/file-server/default.nix

@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./copyparty
+  ];
+}

modules/reverse-proxy/traefik/default.nix

@@ -4,24 +4,26 @@ with lib;
 
 let
   cfg = config.dov.reverse-proxy.traefik;
+  configFile = pkgs.writeText "duckdns-options"
+    ''
+    DUCKDNS_PROPAGATION_TIMEOUT=120
+    '';
 in {
   options.dov.reverse-proxy.traefik = { enable = mkEnableOption "traefik config"; };
 
   config = mkIf cfg.enable {
-    # 1. SOPS Configuration for the DuckDNS Token
-    #    This decrypts the secret and provides it to the Traefik service.
+    networking.firewall.allowedTCPPorts = [ 80 443 53 ];
+
     sops.secrets.duckdns-token = {
-      # The Traefik service needs permission to read this file.
       owner = "traefik";
       group = config.services.traefik.group;
     };
 
-    # 3. Traefik Service Configuration
     services.traefik = {
       enable = true;
 
       # Load the DuckDNS token as an environment variable for Traefik.
-      environmentFiles = [ config.sops.secrets.duckdns-token.path ];
+      environmentFiles = [ config.sops.secrets.duckdns-token.path configFile ];
 
       # Static configuration (traefik.yml) - defines entrypoints and certificate resolvers.
       staticConfigOptions = {
@@ -53,11 +55,7 @@ in {
               # Use the DNS-01 challenge with the DuckDNS provider
               dnsChallenge = {
                 provider = "duckdns";
-                # Traefik will get the DUCKDNS_TOKEN from the environment file.
-                resolvers = [
-                  "1.1.1.1:53"
-                  "8.8.8.8:53"
-                ];
+                disablePropagationCheck = true;
               };
             };
           };
@@ -73,14 +71,14 @@ in {
           routers = {
             # --- Router for the Traefik dashboard (optional) ---
             dashboard-router = {
-              rule = "Host(`traefik.local.susano-traefik.duckdns.org`)"; # Example: A local-only subdomain
+              rule = "Host(`traefik.susano-test.duckdns.org`)"; # Example: A local-only subdomain
               entryPoints = [ "websecure" ];
               service = "api@internal"; # Special service for the dashboard
               tls.certResolver = "duckdns";
             };
 
             immich-router = {
-              rule = "Host(`immich.susano-traefik.duckdns.org`)"; # 1. The new domain
+              rule = "Host(`immich.susano-test.duckdns.org`)"; # 1. The new domain
               entryPoints = [ "websecure" ];                        # 2. Listen on HTTPS
               service = "immich-service";                           # 3. Link to the new Immich service
               tls.certResolver = "duckdns";                         # 4. Use the same SSL resolver

modules/social/default.nix

@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./matrix
+  ];
+}

modules/social/matrix/default.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.dov.social.matrix;
+  fqdn = "matrix.susano-tailscale.duckdns.org";
+  baseUrl = "https://${fqdn}";
+  clientConfig."m.homeserver".base_url = baseUrl;
+  serverConfig."m.server" = "${fqdn}:443";
+  mkWellKnown = data: ''
+    default_type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  options.dov.social.matrix = {
+    enable = mkEnableOption "docker config";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.matrix_secret = {
+      owner = "matrix-synapse";
+      group = "matrix-synapse";
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    services.postgresql.enable = true;
+
+    services.matrix-synapse = {
+      enable = true;
+      settings = {
+        server_name = "susano-tailscale";
+        # The public base URL value must match the `base_url` value set in `clientConfig` above.
+        # The default value here is based on `server_name`, so if your `server_name` is different
+        # from the value of `fqdn` above, you will likely run into some mismatched domain names
+        # in client applications.
+        public_baseurl = baseUrl;
+        listeners = [{
+          port = 8008;
+          bind_addresses = [ "::1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [{
+            names = [ "client" "federation" ];
+            compress = true;
+          }];
+        }];
+      };
+
+      extraConfigFiles = [ "/run/secrets/matrix_secret" ];
+    };
+  };
+}