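# NixOS module for the Conduit Matrix homeserver (services.matrix-conduit).
#
# The settings option is rendered into a TOML file by pkgs.formats.toml; that
# file is a derivation output and therefore lives in the world-readable Nix
# store.  Anything sensitive must go through `secretFile` (loaded by systemd
# as EnvironmentFile) rather than `settings`.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.matrix-conduit;

  format = pkgs.formats.toml { };
  # Generated config; passed to the daemon via the CONDUIT_CONFIG environment
  # variable below.  Store path => never put secrets in cfg.settings.
  configFile = format.generate "conduit.toml" cfg.settings;
in
{
  meta.maintainers = with lib.maintainers; [
    pstn
    SchweGELBin
  ];

  options.services.matrix-conduit = {
    enable = lib.mkEnableOption "matrix-conduit";

    # Non-secret environment only: these values end up in the unit file.
    extraEnvironment = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = "Extra Environment variables to pass to the conduit server.";
      default = { };
      example = {
        RUST_BACKTRACE = "yes";
      };
    };

    package = lib.mkPackageOption pkgs "matrix-conduit" { };

    # Path (not a store path) to an EnvironmentFile=; the file is read by
    # systemd at service start, so it can live outside the Nix store.
    secretFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/run/secrets/matrix-conduit.env";
      description = ''
        Path to a file containing sensitive environment as described in {manpage}`systemd.exec(5)`.
        Some variables that can be considered secrets are:

        - CONDUIT_JWT_SECRET:
          The secret used to enable JWT login. Without it a 400 error will be returned.

        - CONDUIT_TURN_SECRET:
          The TURN secret
      '';
    };

    # Free-form TOML with typed/documented defaults for the common keys.
    settings = lib.mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
        options = {
          global.server_name = lib.mkOption {
            type = lib.types.str;
            example = "example.com";
            description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
          };
          global.port = lib.mkOption {
            type = lib.types.port;
            default = 6167;
            description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
          };
          global.max_request_size = lib.mkOption {
            type = lib.types.ints.positive;
            default = 20000000;
            description = "Max request size in bytes. Don't forget to also change it in the proxy.";
          };
          # Closed registration by default: an open Matrix server accepts
          # arbitrary account creation from the internet.
          global.allow_registration = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = "Whether new users can register on this server.";
          };
          global.allow_encryption = lib.mkOption {
            type = lib.types.bool;
            default = true;
            description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
          };
          global.allow_federation = lib.mkOption {
            type = lib.types.bool;
            default = true;
            description = ''
              Whether this server federates with other servers.
            '';
          };
          global.trusted_servers = lib.mkOption {
            type = lib.types.listOf lib.types.str;
            default = [ "matrix.org" ];
            description = "Servers trusted with signing server keys.";
          };
          # Loopback only by default; the reverse proxy is expected to
          # terminate TLS in front of this address.
          global.address = lib.mkOption {
            type = lib.types.str;
            default = "::1";
            description = "Address to listen on for connections by the reverse proxy/tls terminator.";
          };
          # Must match StateDirectory in the unit below, hence readOnly.
          global.database_path = lib.mkOption {
            type = lib.types.str;
            default = "/var/lib/matrix-conduit/";
            readOnly = true;
            description = ''
              Path to the conduit database, the directory where conduit will save its data.
              Note that due to using the DynamicUser feature of systemd, this value should not be changed
              and is set to be read only.
            '';
          };
          global.database_backend = lib.mkOption {
            type = lib.types.enum [
              "sqlite"
              "rocksdb"
            ];
            default = "sqlite";
            example = "rocksdb";
            description = ''
              The database backend for the service. Switching it on an existing
              instance will require manual migration of data.
            '';
          };
          global.allow_check_for_updates = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = ''
              Whether to allow Conduit to automatically contact
              <https://conduit.rs> hourly to check for important Conduit news.

              Disabled by default because nixpkgs handles updates.
            '';
          };
        };
      };
      default = { };
      description = ''
        Generates the conduit.toml configuration file. Refer to
        <https://docs.conduit.rs/configuration.html>
        for details on supported values.
        Note that database_path can not be edited because the service's reliance on systemd StateDir.
        For secrets use the `secretFile` option instead.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.conduit = {
      description = "Conduit Matrix Server";
      documentation = [ "https://gitlab.com/famedly/conduit/" ];
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment = lib.mkMerge [
        { CONDUIT_CONFIG = configFile; }
        cfg.extraEnvironment
      ];
      serviceConfig = {
        # Transient user; the only writable persistent location is the
        # StateDirectory, which is why database_path is fixed above.
        DynamicUser = true;
        User = "conduit";
        # Sandboxing: no kernel tunables/modules/logs, no devices, no
        # namespaces, native-arch syscalls minus the privileged group.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateUsers = true;
        # IPv4/IPv6 sockets only; no AF_UNIX or AF_NETLINK.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];
        StateDirectory = "matrix-conduit";
        StateDirectoryMode = "0700";
        ExecStart = "${cfg.package}/bin/conduit";
        Restart = "on-failure";
        RestartSec = 10;
        # Files the daemon creates are owner-only.
        UMask = "077";
      }
      // lib.optionalAttrs (cfg.secretFile != null) {
        # Secrets are read by systemd at start, keeping them out of the
        # store and out of the unit's Environment= lines.
        EnvironmentFile = cfg.secretFile;
      };
      unitConfig = {
        StartLimitBurst = 5;
      };
    };
  };
}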