commit 346d23fdf267022e7fa3895e0ec55a03f5502bce · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2405.section.md

···

       128
        
       

     

       129
        
       - [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable).

     

       130
        
       

     

       0
        
       
     

       0
        
       
     

       131
        
       - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).

     

       132
        
       The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.

     

       133

···

       128
        
       

     

       129
        
       - [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable).

     

       130
        
       

     

       131
       +
       - [mautrix-signal](https://github.com/mautrix/signal), a Matrix-Signal puppeting bridge. Available as [services.mautrix-signal](#opt-services.mautrix-signal.enable).

     

       132
       +
       

     

       133
        
       - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).

     

       134
        
       The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.

     

       135

nixos/modules/module-list.nix

···

       664
        
         ./services/matrix/maubot.nix

     

       665
        
         ./services/matrix/mautrix-facebook.nix

     

       666
        
         ./services/matrix/mautrix-meta.nix

     

       0
        
       
     

       667
        
         ./services/matrix/mautrix-telegram.nix

     

       668
        
         ./services/matrix/mautrix-whatsapp.nix

     

       669
        
         ./services/matrix/mjolnir.nix

···

       664
        
         ./services/matrix/maubot.nix

     

       665
        
         ./services/matrix/mautrix-facebook.nix

     

       666
        
         ./services/matrix/mautrix-meta.nix

     

       667
       +
         ./services/matrix/mautrix-signal.nix

     

       668
        
         ./services/matrix/mautrix-telegram.nix

     

       669
        
         ./services/matrix/mautrix-whatsapp.nix

     

       670
        
         ./services/matrix/mjolnir.nix

+249

nixos/modules/services/matrix/mautrix-signal.nix

···

       1
       +
       { lib

     

       2
       +
       , config

     

       3
       +
       , pkgs

     

       4
       +
       , ...

     

       5
       +
       }:

     

       6
       +
       let

     

       7
       +
         cfg = config.services.mautrix-signal;

     

       8
       +
         dataDir = "/var/lib/mautrix-signal";

     

       9
       +
         registrationFile = "${dataDir}/signal-registration.yaml";

     

       10
       +
         settingsFile = "${dataDir}/config.yaml";

     

       11
       +
         settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" cfg.settings;

     

       12
       +
         settingsFormat = pkgs.formats.json { };

     

       13
       +
         appservicePort = 29328;

     

       14
       +
       

     

       15
       +
         # to be used with a list of lib.mkIf values

     

       16
       +
         optOneOf = lib.lists.findFirst (value: value.condition) (lib.mkIf false null);

     

       17
       +
         mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);

     

       18
       +
         defaultConfig = {

     

       19
       +
           homeserver.address = "http://localhost:8448";

     

       20
       +
           appservice = {

     

       21
       +
             hostname = "[::]";

     

       22
       +
             port = appservicePort;

     

       23
       +
             database.type = "sqlite3";

     

       24
       +
             database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate";

     

       25
       +
             id = "signal";

     

       26
       +
             bot = {

     

       27
       +
               username = "signalbot";

     

       28
       +
               displayname = "Signal Bridge Bot";

     

       29
       +
             };

     

       30
       +
             as_token = "";

     

       31
       +
             hs_token = "";

     

       32
       +
           };

     

       33
       +
           bridge = {

     

       34
       +
             username_template = "signal_{{.}}";

     

       35
       +
             displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";

     

       36
       +
             double_puppet_server_map = { };

     

       37
       +
             login_shared_secret_map = { };

     

       38
       +
             command_prefix = "!signal";

     

       39
       +
             permissions."*" = "relay";

     

       40
       +
             relay.enabled = true;

     

       41
       +
           };

     

       42
       +
           logging = {

     

       43
       +
             min_level = "info";

     

       44
       +
             writers = lib.singleton {

     

       45
       +
               type = "stdout";

     

       46
       +
               format = "pretty-colored";

     

       47
       +
               time_format = " ";

     

       48
       +
             };

     

       49
       +
           };

     

       50
       +
         };

     

       51
       +
       

     

       52
       +
       in

     

       53
       +
       {

     

       54
       +
         options.services.mautrix-signal = {

     

       55
       +
           enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge.";

     

       56
       +
       

     

       57
       +
           settings = lib.mkOption {

     

       58
       +
             apply = lib.recursiveUpdate defaultConfig;

     

       59
       +
             type = settingsFormat.type;

     

       60
       +
             default = defaultConfig;

     

       61
       +
             description = ''

     

       62
       +
               {file}`config.yaml` configuration as a Nix attribute set.

     

       63
       +
               Configuration options should match those described in

     

       64
       +
               [example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml).

     

       65
       +
               Secret tokens should be specified using {option}`environmentFile`

     

       66
       +
               instead of this world-readable attribute set.

     

       67
       +
             '';

     

       68
       +
             example = {

     

       69
       +
               appservice = {

     

       70
       +
                 database = {

     

       71
       +
                   type = "postgres";

     

       72
       +
                   uri = "postgresql:///mautrix_signal?host=/run/postgresql";

     

       73
       +
                 };

     

       74
       +
                 id = "signal";

     

       75
       +
                 ephemeral_events = false;

     

       76
       +
               };

     

       77
       +
               bridge = {

     

       78
       +
                 history_sync = {

     

       79
       +
                   request_full_sync = true;

     

       80
       +
                 };

     

       81
       +
                 private_chat_portal_meta = true;

     

       82
       +
                 mute_bridging = true;

     

       83
       +
                 encryption = {

     

       84
       +
                   allow = true;

     

       85
       +
                   default = true;

     

       86
       +
                   require = true;

     

       87
       +
                 };

     

       88
       +
                 provisioning = {

     

       89
       +
                   shared_secret = "disable";

     

       90
       +
                 };

     

       91
       +
                 permissions = {

     

       92
       +
                   "example.com" = "user";

     

       93
       +
                 };

     

       94
       +
               };

     

       95
       +
             };

     

       96
       +
           };

     

       97
       +
       

     

       98
       +
           environmentFile = lib.mkOption {

     

       99
       +
             type = lib.types.nullOr lib.types.path;

     

       100
       +
             default = null;

     

       101
       +
             description = ''

     

       102
       +
               File containing environment variables to be passed to the mautrix-signal service.

     

       103
       +
               If an environment variable `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET` is set,

     

       104
       +
               then its value will be used in the configuration file for the option

     

       105
       +
               `login_shared_secret_map` without leaking it to the store, using the configured

     

       106
       +
               `homeserver.domain` as key.

     

       107
       +
               See [here](https://github.com/mautrix/signal/blob/main/example-config.yaml)

     

       108
       +
               for the documentation of `login_shared_secret_map`.

     

       109
       +
             '';

     

       110
       +
           };

     

       111
       +
       

     

       112
       +
           serviceDependencies = lib.mkOption {

     

       113
       +
             type = with lib.types; listOf str;

     

       114
       +
             default = (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)

     

       115
       +
               ++ (lib.optional config.services.matrix-conduit.enable "conduit.service");

     

       116
       +
             defaultText = lib.literalExpression ''

     

       117
       +
               (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)

     

       118
       +
               ++ (optional config.services.matrix-conduit.enable "conduit.service")

     

       119
       +
             '';

     

       120
       +
             description = ''

     

       121
       +
               List of systemd units to require and wait for when starting the application service.

     

       122
       +
             '';

     

       123
       +
           };

     

       124
       +
       

     

       125
       +
           registerToSynapse = lib.mkOption {

     

       126
       +
             type = lib.types.bool;

     

       127
       +
             default = config.services.matrix-synapse.enable;

     

       128
       +
             defaultText = lib.literalExpression ''

     

       129
       +
               config.services.matrix-synapse.enable

     

       130
       +
             '';

     

       131
       +
             description = ''

     

       132
       +
               Whether to add the bridge's app service registration file to

     

       133
       +
               `services.matrix-synapse.settings.app_service_config_files`.

     

       134
       +
             '';

     

       135
       +
           };

     

       136
       +
         };

     

       137
       +
       

     

       138
       +
         config = lib.mkIf cfg.enable {

     

       139
       +
       

     

       140
       +
           users.users.mautrix-signal = {

     

       141
       +
             isSystemUser = true;

     

       142
       +
             group = "mautrix-signal";

     

       143
       +
             home = dataDir;

     

       144
       +
             description = "Mautrix-Signal bridge user";

     

       145
       +
           };

     

       146
       +
       

     

       147
       +
           users.groups.mautrix-signal = { };

     

       148
       +
       

     

       149
       +
           services.matrix-synapse = lib.mkIf cfg.registerToSynapse {

     

       150
       +
             settings.app_service_config_files = [ registrationFile ];

     

       151
       +
           };

     

       152
       +
           systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {

     

       153
       +
             serviceConfig.SupplementaryGroups = [ "mautrix-signal" ];

     

       154
       +
           };

     

       155
       +
       

     

       156
       +
           # Note: this is defined here to avoid the docs depending on `config`

     

       157
       +
           services.mautrix-signal.settings.homeserver = optOneOf (with config.services; [

     

       158
       +
             (lib.mkIf matrix-synapse.enable (mkDefaults {

     

       159
       +
               domain = matrix-synapse.settings.server_name;

     

       160
       +
             }))

     

       161
       +
             (lib.mkIf matrix-conduit.enable (mkDefaults {

     

       162
       +
               domain = matrix-conduit.settings.global.server_name;

     

       163
       +
               address = "http://localhost:${toString matrix-conduit.settings.global.port}";

     

       164
       +
             }))

     

       165
       +
           ]);

     

       166
       +
       

     

       167
       +
           systemd.services.mautrix-signal = {

     

       168
       +
             description = "mautrix-signal, a Matrix-Signal puppeting bridge.";

     

       169
       +
       

     

       170
       +
             wantedBy = [ "multi-user.target" ];

     

       171
       +
             wants = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       172
       +
             after = [ "network-online.target" ] ++ cfg.serviceDependencies;

     

       173
       +
             # ffmpeg is required for conversion of voice messages

     

       174
       +
             path = [ pkgs.ffmpeg-headless ];

     

       175
       +
       

     

       176
       +
             preStart = ''

     

       177
       +
               # substitute the settings file by environment variables

     

       178
       +
               # in this case read from EnvironmentFile

     

       179
       +
               test -f '${settingsFile}' && rm -f '${settingsFile}'

     

       180
       +
               old_umask=$(umask)

     

       181
       +
               umask 0177

     

       182
       +
               ${pkgs.envsubst}/bin/envsubst \

     

       183
       +
                 -o '${settingsFile}' \

     

       184
       +
                 -i '${settingsFileUnsubstituted}'

     

       185
       +
               umask $old_umask

     

       186
       +
       

     

       187
       +
               # generate the appservice's registration file if absent

     

       188
       +
               if [ ! -f '${registrationFile}' ]; then

     

       189
       +
                 ${pkgs.mautrix-signal}/bin/mautrix-signal \

     

       190
       +
                   --generate-registration \

     

       191
       +
                   --config='${settingsFile}' \

     

       192
       +
                   --registration='${registrationFile}'

     

       193
       +
               fi

     

       194
       +
               chmod 640 ${registrationFile}

     

       195
       +
       

     

       196
       +
               umask 0177

     

       197
       +
               # 1. Overwrite registration tokens in config

     

       198
       +
               # 2. If environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET

     

       199
       +
               #    is set, set it as the login shared secret value for the configured

     

       200
       +
               #    homeserver domain.

     

       201
       +
               ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token

     

       202
       +
                 | .[0].appservice.hs_token = .[1].hs_token

     

       203
       +
                 | .[0]

     

       204
       +
                 | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \

     

       205
       +
                 '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'

     

       206
       +
               mv '${settingsFile}.tmp' '${settingsFile}'

     

       207
       +
               umask $old_umask

     

       208
       +
             '';

     

       209
       +
       

     

       210
       +
             serviceConfig = {

     

       211
       +
               User = "mautrix-signal";

     

       212
       +
               Group = "mautrix-signal";

     

       213
       +
               EnvironmentFile = cfg.environmentFile;

     

       214
       +
               StateDirectory = baseNameOf dataDir;

     

       215
       +
               WorkingDirectory = dataDir;

     

       216
       +
               ExecStart = ''

     

       217
       +
                 ${pkgs.mautrix-signal}/bin/mautrix-signal \

     

       218
       +
                 --config='${settingsFile}' \

     

       219
       +
                 --registration='${registrationFile}'

     

       220
       +
               '';

     

       221
       +
               LockPersonality = true;

     

       222
       +
               MemoryDenyWriteExecute = true;

     

       223
       +
               NoNewPrivileges = true;

     

       224
       +
               PrivateDevices = true;

     

       225
       +
               PrivateTmp = true;

     

       226
       +
               PrivateUsers = true;

     

       227
       +
               ProtectClock = true;

     

       228
       +
               ProtectControlGroups = true;

     

       229
       +
               ProtectHome = true;

     

       230
       +
               ProtectHostname = true;

     

       231
       +
               ProtectKernelLogs = true;

     

       232
       +
               ProtectKernelModules = true;

     

       233
       +
               ProtectKernelTunables = true;

     

       234
       +
               ProtectSystem = "strict";

     

       235
       +
               Restart = "on-failure";

     

       236
       +
               RestartSec = "30s";

     

       237
       +
               RestrictRealtime = true;

     

       238
       +
               RestrictSUIDSGID = true;

     

       239
       +
               SystemCallArchitectures = "native";

     

       240
       +
               SystemCallErrorNumber = "EPERM";

     

       241
       +
               SystemCallFilter = [ "@system-service" ];

     

       242
       +
               Type = "simple";

     

       243
       +
               UMask = 0027;

     

       244
       +
             };

     

       245
       +
             restartTriggers = [ settingsFileUnsubstituted ];

     

       246
       +
           };

     

       247
       +
         };

     

       248
       +
         meta.maintainers = with lib.maintainers; [ niklaskorz ];

     

       249
       +
       }