Add arrtrix Matrix bridge service and package scaffolding

This commit is contained in:
Chris Kruining 2026-04-16 07:46:45 +02:00
parent c4e9485ccb
commit ce44496a48
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
13 changed files with 712 additions and 256 deletions


@ -6,7 +6,7 @@
...
}: let
inherit (builtins) toString toJSON;
inherit (lib) mkIf mkEnableOption;
inherit (lib) mkIf mkEnableOption mkMerge;
cfg = config.${namespace}.services.communication.matrix;
@ -16,11 +16,36 @@
database = "synapse";
keyFile = "/var/lib/element-call/key";
in {
imports = [
./mautrix-starr.nix
];
mkMautrix = bridge: i: conf: {
${bridge} =
{
enable = true;
registerToSynapse = true;
settings = {
appservice = {
# hostname = "[::]";
# port = 40010 + i;
# address = "http://${config.services.${bridge}.settings.appservice.hostname}:${toString config.services.${bridge}.settings.appservice.port}";
provisioning.enabled = false;
};
homeserver = {
inherit domain;
address = "http://[::1]:${toString port}";
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
};
};
}
// conf;
};
in {
options.${namespace}.services.communication.matrix = {
enable = mkEnableOption "Matrix server (Synapse)";
};
@ -30,24 +55,6 @@ in {
persistance.postgresql.enable = true;
networking.caddy = {
# globalConfig = ''
# layer4 {
# 127.0.0.1:4004
# route {
# proxy {
# upstream synapse:4004
# }
# }
# }
# 127.0.0.1:4005
# route {
# proxy {
# upstream synapse:4005
# }
# }
# }
# }
# '';
hosts = let
server = {
"m.server" = "${fqn}:443";
@ -99,259 +106,166 @@ in {
};
};
services = {
matrix-synapse = {
enable = true;
services = mkMerge [
(mkMautrix "mautrix-signal" 1 {})
(mkMautrix "mautrix-telegram" 2 {})
(mkMautrix "mautrix-whatsapp" 3 {})
(mkMautrix "arrtrix" 4 {})
{
matrix-synapse = {
enable = true;
extras = ["oidc"];
extras = ["oidc"];
extraConfigFiles = [
config.sops.templates."synapse-oidc.yaml".path
];
extraConfigFiles = [
config.sops.templates."synapse.yaml".path
config.sops.templates."synapse-oidc.yaml".path
];
settings = {
server_name = domain;
public_baseurl = "https://${fqn}";
settings = {
server_name = domain;
public_baseurl = "https://${fqn}";
enable_metrics = true;
enable_metrics = true;
registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz";
url_preview_enabled = true;
precence.enabled = true;
url_preview_enabled = true;
precence.enabled = true;
# Since we'll be using OIDC for auth disable all local options
enable_registration = false;
enable_registration_without_verification = false;
password_config.enabled = true;
backchannel_logout_enabled = true;
# Since we'll be using OIDC for auth disable all local options
enable_registration = false;
enable_registration_without_verification = false;
password_config.enabled = true;
backchannel_logout_enabled = true;
# Element Call options
max_event_delay_duration = "24h";
rc_message = {
per_second = 0.5;
burst_count = 30;
};
rc_delayed_event_mgmt = {
per_second = 1;
burst_count = 20;
};
turn_uris = ["turn:turn.${domain}:4004?transport=udp" "turn:turn.${domain}:4004?transport=tcp"];
experimental_features = {
# MSC2965: OAuth 2.0 Authorization Server Metadata discovery
msc2965_enabled = true;
# MSC3266: Room summary API. Used for knocking over federation
msc3266_enabled = true;
# MSC4222 needed for syncv2 state_after. This allow clients to
# correctly track the state of the room.
msc4222_enabled = true;
};
sso = {
client_whitelist = ["http://[::1]:9092/" "https://auth.kruining.eu/"];
update_profile_information = true;
};
database = {
# this is postgresql (also the default, but I prefer to be explicit)
name = "psycopg2";
args = {
database = database;
user = database;
# Element Call options
max_event_delay_duration = "24h";
rc_message = {
per_second = 0.5;
burst_count = 30;
};
rc_delayed_event_mgmt = {
per_second = 1;
burst_count = 20;
};
turn_uris = ["turn:turn.${domain}:4004?transport=udp" "turn:turn.${domain}:4004?transport=tcp"];
experimental_features = {
# MSC2965: OAuth 2.0 Authorization Server Metadata discovery
msc2965_enabled = true;
# MSC3266: Room summary API. Used for knocking over federation
msc3266_enabled = true;
# MSC4222 needed for syncv2 state_after. This allow clients to
# correctly track the state of the room.
msc4222_enabled = true;
};
sso = {
client_whitelist = ["http://[::1]:9092/" "https://auth.kruining.eu/"];
update_profile_information = true;
};
database = {
# this is postgresql (also the default, but I prefer to be explicit)
name = "psycopg2";
args = {
database = database;
user = database;
};
};
listeners = [
{
bind_addresses = ["::"];
port = port;
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation" "openid" "metrics" "media" "health"];
compress = true;
}
];
}
];
};
};
listeners = [
postgresql = {
ensureDatabases = [database];
ensureUsers = [
{
bind_addresses = ["::"];
port = port;
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation" "openid" "metrics" "media" "health"];
compress = true;
}
];
name = database;
ensureDBOwnership = true;
}
];
};
};
mautrix-signal = {
enable = true;
registerToSynapse = true;
livekit = {
enable = true;
openFirewall = true;
inherit keyFile;
settings = {
appservice = {
provisioning.enabled = false;
};
homeserver = {
address = "http://[::1]:${toString port}";
domain = domain;
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
settings = {
port = 4002;
room.auto_create = false;
};
};
};
mautrix-telegram = {
enable = true;
registerToSynapse = true;
settings = {
telegram = {
api_id = 32770816;
api_hash = "7b63778a976619c9d4ab62adc51cde79";
bot_token = "disabled";
catch_up = true;
sequential_updates = true;
};
appservice = {
port = 40011;
provisioning.enabled = false;
};
homeserver = {
address = "http://[::1]:${toString port}";
domain = domain;
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
};
lk-jwt-service = {
enable = true;
port = 4003;
# can be on the same virtualHost as synapse
livekitUrl = "wss://${domain}/livekit/sfu";
inherit keyFile;
};
};
mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
settings = {
appservice = {
provisioning.enabled = false;
};
homeserver = {
address = "http://[::1]:${toString port}";
domain = domain;
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
};
coturn = rec {
enable = true;
listening-port = 4004;
tls-listening-port = 40004;
no-cli = true;
no-tcp-relay = true;
min-port = 50000;
max-port = 50100;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn/secret".path;
realm = "turn.${domain}";
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
};
# mautrix-starr = {
# enable = true;
# registerToSynapse = true;
# settings = {
# appservice = {
# provisioning.enabled = false;
# };
# homeserver = {
# address = "http://[::1]:${toString port}";
# domain = domain;
# };
# bridge = {
# permissions = {
# "@chris:${domain}" = "admin";
# };
# };
# };
# };
postgresql = {
ensureDatabases = [database];
ensureUsers = [
{
name = database;
ensureDBOwnership = true;
}
];
};
livekit = {
enable = true;
openFirewall = true;
inherit keyFile;
settings = {
port = 4002;
room.auto_create = false;
};
};
lk-jwt-service = {
enable = true;
port = 4003;
# can be on the same virtualHost as synapse
livekitUrl = "wss://${domain}/livekit/sfu";
inherit keyFile;
};
coturn = rec {
enable = true;
listening-port = 4004;
tls-listening-port = 40004;
no-cli = true;
no-tcp-relay = true;
min-port = 50000;
max-port = 50100;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn/secret".path;
realm = "turn.${domain}";
# cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
# pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
};
}
];
networking.firewall = {
allowedTCPPortRanges = [];
@ -400,6 +314,9 @@ in {
"synapse/oidc_secret" = {
restartUnits = ["synapse-matrix.service"];
};
"synapse/shared_secret" = {
restartUnits = ["synapse-matrix.service"];
};
"coturn/secret" = {
owner = config.systemd.services.coturn.serviceConfig.User;
group = config.systemd.services.coturn.serviceConfig.Group;
@ -408,6 +325,13 @@ in {
};
templates = {
"synapse.yaml" = {
owner = "matrix-synapse";
content = ''
registration_shared_secret: ${config.sops.placeholder."synapse/shared_secret"}
'';
restartUnits = ["matrix-synapse.service"];
};
"synapse-oidc.yaml" = {
owner = "matrix-synapse";
content = ''
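Review bot: The new `"synapse/shared_secret"` entry restarts `synapse-matrix.service`, while the `synapse.yaml` template that consumes the same secret restarts `matrix-synapse.service`; only one of these can be the real unit name, so on rotation one of the two restarts is a no-op — use one name for both (`restartUnits = ["matrix-synapse.service"];`) and check whether the pre-existing `synapse/oidc_secret` entry above shares the same mismatch. In `mkMautrix`, `// conf` is a shallow merge, so a caller passing `settings = { ... }` replaces the entire generated `settings` block instead of extending it; `lib.recursiveUpdate` would give the overlay the helper seems to intend, and the `i` argument is currently unused because the port lines it fed are commented out. The `mkMautrix "mautrix-telegram" 2 {}` call carries none of the `telegram.api_id`/`api_hash`/`bot_token` settings the old definition had; unless those moved to an environment file not shown here, the bridge will come up without credentials. The `registration_shared_secret` and `api_hash` values the old side removed remain in git history, so they should be treated as exposed and rotated rather than merely relocated into sops.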


@ -0,0 +1,200 @@
{
config,
lib,
pkgs,
namespace,
...
}: let
inherit (lib) mkEnableOption mkPackageOption mkIf mkOption optionalAttrs recursiveUpdate types baseNameOf;
cfg = config.services.arrtrix;
dataDir = "/var/lib/arrtrix";
registrationFile = "${dataDir}/arrtrix-registration.yaml";
settingsFile = "${dataDir}/config.yaml";
settingsFileUnsubstituted = settingsFormat.generate "arrtrix-config-unsubstituted.json" cfg.settings;
settingsFormat = pkgs.formats.json {};
defaultConfig = {
bridge = {
command_prefix = "!arr";
relay.enabled = true;
permissions."*" = "relay";
};
database = {
type = "sqlite3";
uri = "file:${dataDir}/arrtrix.db?_txlock=immediate";
};
homeserver = {
address = "http://localhost:8448";
domain = config.services.matrix-synapse.settings.server_name or "example.com";
};
appservice = {
hostname = "[::]";
port = 29329;
id = "arrtrix";
bot = {
username = "arrtrixbot";
displayname = "arrtrix Bot";
};
as_token = "";
hs_token = "";
username_template = "arrtrix_{{.}}";
};
double_puppet = {
servers = {};
secrets = {};
};
# By default, the following keys/secrets are set to `generate`. This would break when the service
# is restarted, since the previously generated configuration will be overwritten everytime.
# If encryption is enabled, it's recommended to set those keys via `environmentFile`.
encryption.pickle_key = "";
provisioning.shared_secret = "";
public_media.signing_key = "";
direct_media.server_key = "";
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
options.services.arrtrix = {
enable = mkEnableOption "Arr-focused Matrix appservice foundation";
package = mkPackageOption pkgs.${namespace} "arrtrix" {};
registerToSynapse = mkOption {
type = types.bool;
default = config.services.matrix-synapse.enable;
defaultText = lib.literalExpression ''
config.services.matrix-synapse.enable
'';
description = ''
Whether to add the bridge's app service registration file to
`services.matrix-synapse.settings.app_service_config_files`.
'';
};
settings = mkOption {
apply = lib.recursiveUpdate defaultConfig;
type = settingsFormat.type;
default = defaultConfig;
description = ''
{file}`config.yaml` configuration as a Nix attribute set.
Configuration options should match those described in the example configuration.
Get an example configuration by executing `arrtrix -c example.yaml --generate-example-config`
Secret tokens should be specified using {option}`environmentFile`
instead of this world-readable attribute set.
'';
example = {};
};
serviceDependencies = lib.mkOption {
type = with lib.types; listOf str;
default =
(lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
++ (lib.optional config.services.matrix-conduit.enable "conduit.service");
defaultText = lib.literalExpression ''
(optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
++ (optional config.services.matrix-conduit.enable "conduit.service")
'';
description = ''
List of systemd units to require and wait for when starting the application service.
'';
};
};
config = mkIf cfg.enable {
users = {
users."arrtrix" = {
isSystemUser = true;
group = "arrtrix";
};
groups."arrtrix" = {};
};
services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
settings.app_service_config_files = [registrationFile];
};
systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
serviceConfig.SupplementaryGroups = ["arrtrix"];
};
systemd.services.arrtrix = {
description = "arrtrix, A *arr stack to matrix bridge for *arr-notifications";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = ["network-online.target"];
restartTriggers = [settingsFileUnsubstituted];
preStart = ''
# substitute the settings file by environment variables
# in this case read from EnvironmentFile
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${lib.getExe pkgs.envsubst} -o '${settingsFile}' -i '${settingsFileUnsubstituted}'
umask $old_umask
if [ ! -f '${registrationFile}' ]; then
${lib.getExe cfg.package} --generate-registration --config='${settingsFile}' --registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
# 1. Overwrite registration tokens in config
# 2. If environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET
# is set, set it as the login shared secret value for the configured
# homeserver domain.
umask 0177
${lib.getExe pkgs.yq} -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]
| if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .double_puppet.secrets.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \
'${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
Type = "simple";
User = "arrtrix";
Group = "arrtrix";
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${lib.getExe cfg.package} --config='${settingsFile}' --registration='${registrationFile}'
'';
Restart = "on-failure";
RestartSec = "30s";
NoNewPrivileges = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectClock = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
UMask = "0027";
};
};
};
}
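Review bot: The `settings` description and the comment above `encryption.pickle_key` both tell the operator to put secrets in `environmentFile`, but no such option is declared under `options.services.arrtrix` and `serviceConfig` has no `EnvironmentFile`, so the `envsubst` step in `preStart` has nothing to substitute and the only remaining place for `as_token`/`hs_token`/`pickle_key` is the world-readable Nix store via `settings`. Adding the option and wiring it into the unit closes that gap; the excerpt below shows the two pieces. The comment block and the `yq` filter in `preStart` still reference `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET`, which looks copied from the mautrix-signal module; if double-puppeting is meant to work here, the variable should be renamed to a bridge-specific one and the comment should describe arrtrix rather than Signal. Minor: `optionalAttrs` and `recursiveUpdate` are inherited at the top but the module uses `lib.recursiveUpdate` qualified in `settings.apply` and never uses `optionalAttrs`, so the inherit list can be trimmed. It is also worth confirming whether the bridge treats an empty `provisioning.shared_secret` as "disabled" or as an empty bearer token before this module is used with provisioning reachable.

```nix
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File containing environment variables that are substituted into the
        generated config (e.g. the appservice tokens and encryption pickle key).
        Must not live in the Nix store.
      '';
    };
    # … unchanged: serviceDependencies option …

      serviceConfig = {
        # … unchanged: Type, User, Group, StateDirectory, WorkingDirectory …
        EnvironmentFile = cfg.environmentFile;
        # … unchanged: ExecStart and hardening options …
```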