matrix: bridges are no longer containers

nifoc · Aug 1, 2023 · e55ab84 · e55ab84
1 parent 7ba43a7
commit e55ab84
Show file tree

Hide file tree

Showing 12 changed files with 100 additions and 96 deletions.
diff --git a/agenix/hosts/tanker/config.nix b/agenix/hosts/tanker/config.nix
@@ -107,11 +107,6 @@
 
     mautrix-signal-config = {
       file = ./mautrix-signal/config.age;
-      symlink = false;
-      path = "/var/lib/matrix-bridges/signal/config.yaml";
-      mode = "640";
-      owner = "1337";
-      group = "1337";
     };
 
     signald-environment = {
@@ -130,11 +125,6 @@
 
     mautrix-whatsapp-config = {
       file = ./mautrix-whatsapp/config.age;
-      symlink = false;
-      path = "/var/lib/matrix-bridges/whatsapp/config.yaml";
-      mode = "640";
-      owner = "1337";
-      group = "1337";
     };
 
     weewx-config = {

diff --git a/agenix/hosts/tanker/mautrix-signal/config.age b/agenix/hosts/tanker/mautrix-signal/config.age
diff --git a/agenix/hosts/tanker/mautrix-whatsapp/config.age b/agenix/hosts/tanker/mautrix-whatsapp/config.age
diff --git a/agenix/hosts/tanker/signald/environment.age b/agenix/hosts/tanker/signald/environment.age
@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 MtGp6g TjcF9u1gbYjURFImt7uh+O7hNw3E2pR6H/i8Xd90DkU
-wdeuBiwP0BTzMeVx+i7+jpWFaAW+dMnsXakFenPad/E
--> ssh-ed25519 iO8/4g V/BUJLff8IK0g5UFXqJ5ftK6Fs8zpheFr4ETzKQd5xs
-0hzEB9qG6VX878t7tZzfjyH2BkgAhl+uDR4jX9chwgY
--> g.G-grease X;7X` 3ecO{T|m
-/2RKLQzMCznCQXYnltmy7YhoXzHRJ4oxdArYCfQzJEcWDwy465xgm8EMNdu0mNA+
-O15n2g
---- C896AcFfLEvwf3tcYqZP5dfPKFmE4oaaKH6KveEao6A
-'��{�3��*v�䖋�Ѷ4��ޫ���<�;��QC(�b-�`.�go���n�˲<>:��l0�ԑ�]T⵽ 2Δ*��h���%�l�*W�A ��O(���屄W�R�A0[��_H�C��6`
+-> ssh-ed25519 MtGp6g /N1cHH7SmlpEdvKEcMzVflInTXChp+eWJFU2RoPWMUk
+7nLndAtQ3DWXYmPvwq9tDPBiPLJMuDuCRtSXdFveSoo
+-> ssh-ed25519 iO8/4g WSUXe/SRWLMN23PWyOM7qOCbXOFvTrzmTcq0zW/ABFs
+NmQoYqT0x6t0WByQrIg+OAvP4VUU5tVydAHfVTZvPUE
+-> eo6mwb;-grease :nS'C`f ?/iI)
+oQ4Y4ksapQU8WwrdzObrSTiUiS37dk+c180046s7BqC6GX8iXFjR9kQSPb6tR9bl
+Nhh/zHwzdGQmy7VekRL8ZdpbUeKd5D6X7w
+--- aHWIb4WJ+O2kXUGFczOA6ngejy6jkMOmrFmcKLllq8s
+*?DG��L5����Bf&AH�;��a�s��%1�h1rdO���&�q"D�`CQ�5���x�q���2���_�[g����Dd��'+�g�)6n��/�*,�;lxS;R[����c�	�(
diff --git a/container/matrix/default.nix b/container/matrix/default.nix
diff --git a/flake.lock b/flake.lock
diff --git a/home/programs/nvim/plugins.nix b/home/programs/nvim/plugins.nix
@@ -308,12 +308,12 @@ in
   };
   comment-nvim = buildVimPluginFrom2Nix {
     pname = "comment.nvim";
-    version = "2023-06-12";
+    version = "2023-08-01";
     src = fetchFromGitHub {
       owner = "numtostr";
       repo = "comment.nvim";
-      rev = "176e85eeb63f1a5970d6b88f1725039d85ca0055";
-      sha256 = "0y3zhv82hi8avxhmp1c9h0r17kfclwxphzyk7701f6wjky375ksw";
+      rev = "bacbed6346d1c5a095897f3fde3451a9a08e7f7d";
+      sha256 = "19s2kmflga4v0dqwjb79imbv4aa4hcck340159rbzdb8a3bfhrji";
       fetchSubmodules = false;
     };
   };

diff --git a/system/hosts/tanker.nix b/system/hosts/tanker.nix
@@ -49,13 +49,12 @@ in
 
     ../nixos/rimgo.nix
 
-    ../nixos/synapse.nix
+    ../nixos/matrix
 
     ../nixos/tailscale.nix
 
     ../nixos/websites-tanker.nix
 
-    ../../container/matrix
     ../../container/proxitok
     ../../container/weewx
   ];

diff --git a/system/nixos/matrix/default.nix b/system/nixos/matrix/default.nix
@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./synapse.nix
+    ./mautrix-whatsapp.nix
+    ./mautrix-signal.nix
+  ];
+}
diff --git a/system/nixos/matrix/mautrix-signal.nix b/system/nixos/matrix/mautrix-signal.nix
@@ -0,0 +1,39 @@
+{ pkgs, config, ... }:
+
+{
+  services.signald.enable = true;
+  systemd.services.signald.serviceConfig.EnvironmentFile = [
+    config.age.secrets.signald-environment.path
+  ];
+
+  systemd.services.mautrix-signal = {
+    description = "A Matrix-Signal puppeting bridge";
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "matrix-synapse.service" "signald.service" ];
+    after = [ "matrix-synapse.service" "signald.service" ];
+    restartTriggers = [ "${config.age.secrets.mautrix-signal-config.file}" ];
+    serviceConfig = {
+      User = config.services.signald.user;
+      Group = config.services.signald.group;
+      LoadCredential = [ "config:${config.age.secrets.mautrix-signal-config.path}" ];
+      ExecStart = "${pkgs.mautrix-signal}/bin/mautrix-signal --config=%d/config --no-update";
+      Restart = "on-failure";
+      RestartSec = "5s";
+
+      StateDirectory = "mautrix-signal";
+      RuntimeDirectory = "mautrix-signal";
+      StateDirectoryMode = "0750";
+      RuntimeDirectoryMode = "0750";
+
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      PrivateTmp = true;
+    };
+  };
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    "/var/lib/matrix-synapse/bridges/registration-signal.yaml"
+  ];
+}
diff --git a/system/nixos/matrix/mautrix-whatsapp.nix b/system/nixos/matrix/mautrix-whatsapp.nix
@@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+
+{
+  systemd.services.mautrix-whatsapp = {
+    description = "Matrix <-> Whatsapp hybrid puppeting/relaybot bridge";
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "matrix-synapse.service" ];
+    after = [ "matrix-synapse.service" ];
+    restartTriggers = [ "${config.age.secrets.mautrix-whatsapp-config.file}" ];
+    serviceConfig = {
+      DynamicUser = true;
+      StateDirectory = "mautrix-whatsapp";
+      LoadCredential = [ "config:${config.age.secrets.mautrix-whatsapp-config.path}" ];
+      ExecStart = "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp --config=%d/config --no-update";
+      Restart = "on-failure";
+      RestartSec = "5s";
+
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      PrivateTmp = true;
+    };
+  };
+
+  services.matrix-synapse.settings.app_service_config_files = [
+    "/var/lib/matrix-synapse/bridges/registration-whatsapp.yaml"
+  ];
+}
diff --git a/system/nixos/synapse.nix → system/nixos/matrix/synapse.nix b/system/nixos/synapse.nix → system/nixos/matrix/synapse.nix
@@ -15,7 +15,7 @@ in
 
       listeners = [
         {
-          bind_addresses = [ "127.0.0.1" "10.88.0.1" ];
+          bind_addresses = [ "127.0.0.1" ];
           port = 8008;
           tls = false;
           type = "http";
@@ -81,11 +81,6 @@ in
       enable_metrics = false;
       report_stats = false;
 
-      app_service_config_files = [
-        "/var/lib/matrix-bridges/signal/registration.yaml"
-        "/var/lib/matrix-bridges/whatsapp/registration.yaml"
-      ];
-
       experimental_features = {
         msc3202_device_masquerading = true;
         msc3202_transaction_extensions = true;
@@ -107,9 +102,7 @@ in
     };
   };
 
-  systemd.services.matrix-synapse.after = [ "postgresql.service" "podman-wait-for-host-interface.service" ];
-
-  networking.firewall.interfaces."podman+".allowedTCPPorts = [ 8008 ];
+  systemd.services.matrix-synapse.after = [ "postgresql.service" ];
 
   services.nginx.virtualHosts."${fqdn}" = {
     quic = true;