{ config, lib, pkgs, ... }:

let
  cfg = config.services.matrix-conduit;

  # `settings` is rendered to TOML at evaluation time and the resulting
  # store path is handed to the daemon via CONDUIT_CONFIG.  The Nix store
  # is world-readable, so nothing secret belongs in `settings`.
  format = pkgs.formats.toml { };
  configFile = format.generate "conduit.toml" cfg.settings;

  # Typed options living under `settings.global`.  Any key not declared
  # here is still accepted through the freeform TOML type and written to
  # conduit.toml unchanged.
  globalOptions = {
    server_name = lib.mkOption {
      type = lib.types.str;
      example = "example.com";
      description = lib.mdDoc "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 6167;
      description = lib.mdDoc "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
    };

    max_request_size = lib.mkOption {
      type = lib.types.ints.positive;
      default = 20000000;
      description = lib.mdDoc "Max request size in bytes. Don't forget to also change it in the proxy.";
    };

    # Open registration is opt-in; the default keeps the server closed.
    allow_registration = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc "Whether new users can register on this server.";
    };

    allow_encryption = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
    };

    allow_federation = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = lib.mdDoc ''
        Whether this server federates with other servers.
      '';
    };

    # Servers on this list are trusted to vouch for other servers' signing
    # keys; every entry extends the federation trust base, so keep it short.
    trusted_servers = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ "matrix.org" ];
      description = lib.mdDoc "Servers trusted with signing server keys.";
    };

    # Loopback by default: Conduit is only reachable through a reverse
    # proxy / TLS terminator running on the same host.
    address = lib.mkOption {
      type = lib.types.str;
      default = "::1";
      description = lib.mdDoc "Address to listen on for connections by the reverse proxy/tls terminator.";
    };

    # Pinned read-only because the location is dictated by the
    # StateDirectory of the systemd unit below.
    database_path = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/matrix-conduit/";
      readOnly = true;
      description = lib.mdDoc ''
        Path to the conduit database, the directory where conduit will save its data.
        Note that due to using the DynamicUser feature of systemd, this value should not be changed
        and is set to be read only.
      '';
    };

    database_backend = lib.mkOption {
      type = lib.types.enum [ "sqlite" "rocksdb" ];
      default = "sqlite";
      example = "rocksdb";
      description = lib.mdDoc ''
        The database backend for the service. Switching it on an existing
        instance will require manual migration of data.
      '';
    };

    # Outbound "phone home" check is off by default; the sandbox below does
    # not block it, this option alone decides.
    allow_check_for_updates = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc ''
        Whether to allow Conduit to automatically contact
        <https://conduit.rs> hourly to check for important Conduit news.

        Disabled by default because nixpkgs handles updates.
      '';
    };
  };

  # systemd sandboxing for the daemon.  Everything here is unchanged from
  # the original serviceConfig; it is only split out for readability.
  sandboxing = {
    # Transient UID/GID; per systemd.exec(5) this also implies
    # ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and
    # NoNewPrivileges — confirm against the systemd version in use.
    DynamicUser = true;
    User = "conduit";
    LockPersonality = true;
    # No writable+executable mappings; appropriate for a Rust binary without a JIT.
    MemoryDenyWriteExecute = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    PrivateDevices = true;
    PrivateMounts = true;
    PrivateUsers = true;
    # IPv4/IPv6 only.  AF_UNIX is deliberately absent; a unix-socket
    # listener, if one were ever configured, would need this extended.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
    SystemCallArchitectures = "native";
    # Allow-list of the usual service syscalls, minus the privileged group.
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
    ];
  };
in
{
  meta.maintainers = [ lib.maintainers.pstn lib.maintainers.piegames ];

  options.services.matrix-conduit = {
    enable = lib.mkEnableOption (lib.mdDoc "matrix-conduit");

    # Merged into the unit's Environment=; the unit file lives in the
    # world-readable Nix store, so do not pass secrets this way.
    extraEnvironment = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = lib.mdDoc "Extra Environment variables to pass to the conduit server.";
      default = { };
      example = { RUST_BACKTRACE = "yes"; };
    };

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.matrix-conduit;
      defaultText = lib.literalExpression "pkgs.matrix-conduit";
      description = lib.mdDoc ''
        Package of the conduit matrix server to use.
      '';
    };

    settings = lib.mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
        options.global = globalOptions;
      };
      default = { };
      description = lib.mdDoc ''
        Generates the conduit.toml configuration file. Refer to
        <https://gitlab.com/famedly/conduit/-/blob/master/conduit-example.toml>
        for details on supported values.
        Note that database_path can not be edited because the service's reliance on systemd StateDir.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.conduit = {
      description = "Conduit Matrix Server";
      documentation = [ "https://gitlab.com/famedly/conduit/" ];
      wantedBy = [ "multi-user.target" ];
      # mkMerge (rather than `//`) so a user-supplied CONDUIT_CONFIG in
      # extraEnvironment surfaces as a module-system conflict instead of
      # silently overriding the generated config file.
      environment = lib.mkMerge [
        { CONDUIT_CONFIG = configFile; }
        cfg.extraEnvironment
      ];
      serviceConfig = sandboxing // {
        # State lives under /var/lib/matrix-conduit, matching the read-only
        # database_path option; mode 0700 plus UMask 077 keeps the database
        # readable by the service user only.
        StateDirectory = "matrix-conduit";
        StateDirectoryMode = "0700";
        ExecStart = "${cfg.package}/bin/conduit";
        Restart = "on-failure";
        RestartSec = 10;
        # NOTE(review): StartLimitBurst is a [Unit]-section key in current
        # systemd (NixOS exposes it as `startLimitBurst`); the [Service]
        # spelling is kept for compatibility — confirm it logs no warning.
        StartLimitBurst = 5;
        UMask = "077";
      };
    };
  };
}