Tuwunel for NixOS
Tuwunel can be acquired by Nix from various places:
- The
flake.nixat the root of the repo - The
default.nixat the root of the repo - From Tuwunel’s binary cache
A community maintained NixOS package is available at tuwunel
NixOS module
A NixOS module ships with Nixpkgs as services.matrix-tuwunel,
available in 25.11 and unstable. It generates tuwunel.toml from a settings attrset
and runs the server under a hardened systemd unit (DynamicUser, ProtectSystem=strict,
strict SystemCallFilter).
Minimal configuration:
{
services.matrix-tuwunel = {
enable = true;
settings.global = {
server_name = "example.com";
address = [ "127.0.0.1" "::1" ];
port = [ 6167 ];
allow_federation = true;
};
};
}
Notable defaults:
- User and group
tuwunel(override viaservices.matrix-tuwunel.user/.group). - Database under
/var/lib/tuwunel/(override viaservices.matrix-tuwunel.stateDirectory). - Listens on
127.0.0.1and::1port6167.
Anything placed under settings.global is written verbatim into the [global] table of
tuwunel.toml, so the configuration reference applies directly.
UNIX sockets
The module exposes unix_socket_path and unix_socket_perms directly:
services.matrix-tuwunel.settings.global = {
unix_socket_path = "/run/tuwunel/tuwunel.sock";
unix_socket_perms = 660;
};
Leave address unset (or null) when using a socket. The systemd unit already permits
AF_UNIX, so no further overrides are needed.
Migrating from services.matrix-conduit
services.matrix-tuwunel replaces the legacy services.matrix-conduit
module that older guides reference. Most settings carry over because both render the
same TOML schema. When migrating:
- Disable
services.matrix-conduitand enableservices.matrix-tuwunel. - Confirm the database is RocksDB. Tuwunel dropped SQLite in favor of RocksDB; if you ran a SQLite Conduit, migrate first with conduit_toolbox.
- Either set
services.matrix-tuwunel.stateDirectoryto match your existingdatabase_path, or move the database under/var/lib/tuwunel/.