1
-
{ lib, config, pkgs, ... }:
3
-
cfg = config.services.mautrix-signal;
4
-
dataDir = "/var/lib/mautrix-signal";
5
-
registrationFile = "${dataDir}/signal-registration.yaml";
6
-
settingsFile = "${dataDir}/config.json";
7
-
settingsFileUnsubstituted =
8
-
settingsFormat.generate "mautrix-signal-config-unsubstituted.json"
10
-
settingsFormat = pkgs.formats.json { };
11
-
appservicePort = 29328;
13
-
mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v);
15
-
homeserver.address = "http://localhost:8448";
17
-
socket_path = config.services.signald.socketPath;
18
-
outgoing_attachment_dir = "/var/lib/signald/tmp";
22
-
port = appservicePort;
23
-
database.type = "sqlite3";
24
-
database.uri = "${dataDir}/mautrix-signal.db";
26
-
bot.username = "signalbot";
27
-
bot.displayname = "Signal Bridge Bot";
32
-
username_template = "signal_{{.}}";
33
-
double_puppet_server_map = { };
34
-
login_shared_secret_map = { };
35
-
permissions."*" = "relay";
39
-
writers = lib.singleton {
41
-
format = "pretty-colored";
48
-
options.services.mautrix-signal = {
49
-
enable = lib.mkEnableOption (lib.mdDoc
50
-
"mautrix-signal, a puppeting/relaybot bridge between Matrix and Signal.");
52
-
settings = lib.mkOption {
53
-
type = settingsFormat.type;
54
-
default = defaultConfig;
55
-
description = lib.mdDoc ''
56
-
{file}`config.yaml` configuration as a Nix attribute set.
57
-
Configuration options should match those described in
58
-
[example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml).
64
-
uri = "postgresql:///mautrix_signal?host=/run/postgresql";
67
-
ephemeral_events = false;
70
-
history_sync = { request_full_sync = true; };
71
-
private_chat_portal_meta = true;
72
-
mute_bridging = true;
78
-
provisioning = { shared_secret = "disable"; };
79
-
permissions = { "example.com" = "user"; };
84
-
serviceDependencies = lib.mkOption {
85
-
type = with lib.types; listOf str;
86
-
default = lib.optional config.services.matrix-synapse.enable
87
-
config.services.matrix-synapse.serviceUnit;
88
-
defaultText = lib.literalExpression ''
89
-
optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits
91
-
description = lib.mdDoc ''
92
-
List of Systemd services to require and wait for when starting the application service.
97
-
config = lib.mkIf cfg.enable {
99
-
services.signald.enable = true;
101
-
users.users.mautrix-signal = {
102
-
isSystemUser = true;
103
-
group = "mautrix-signal";
105
-
description = "Mautrix-Signal bridge user";
108
-
users.groups.mautrix-signal = { };
110
-
services.mautrix-signal.settings = lib.mkMerge (map mkDefaults [
112
-
# Note: this is defined here to avoid the docs depending on `config`
114
-
homeserver.domain = config.services.matrix-synapse.settings.server_name;
118
-
systemd.services.mautrix-signal = {
119
-
description = "Mautrix-Signal Service - A Signal bridge for Matrix";
121
-
requires = [ "signald.service" ];
122
-
# voice messages need `ffmpeg`
123
-
path = [ pkgs.ffmpeg ];
125
-
wantedBy = [ "multi-user.target" ];
126
-
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
127
-
after = [ "network-online.target" "signald.service" ]
128
-
++ cfg.serviceDependencies;
131
-
# substitute the settings file by environment variables
132
-
# in this case read from EnvironmentFile
133
-
test -f '${settingsFile}' && rm -f '${settingsFile}'
136
-
${pkgs.envsubst}/bin/envsubst \
137
-
-o '${settingsFile}' \
138
-
-i '${settingsFileUnsubstituted}'
141
-
# generate the appservice's registration file if absent
142
-
if [ ! -f '${registrationFile}' ]; then
143
-
${pkgs.mautrix-signal}/bin/mautrix-signal \
144
-
--generate-registration \
145
-
--config='${settingsFile}' \
146
-
--registration='${registrationFile}'
148
-
chmod 640 ${registrationFile}
151
-
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
152
-
| .[0].appservice.hs_token = .[1].hs_token
153
-
| .[0]' '${settingsFile}' '${registrationFile}' \
154
-
> '${settingsFile}.tmp'
155
-
mv '${settingsFile}.tmp' '${settingsFile}'
160
-
SupplementaryGroups = [ "signald" ];
161
-
User = "mautrix-signal";
162
-
Group = "mautrix-signal";
163
-
StateDirectory = baseNameOf dataDir;
164
-
WorkingDirectory = dataDir;
166
-
${pkgs.mautrix-signal}/bin/mautrix-signal \
167
-
--config='${settingsFile}' \
168
-
--registration='${registrationFile}'
170
-
LockPersonality = true;
171
-
MemoryDenyWriteExecute = true;
172
-
NoNewPrivileges = true;
173
-
PrivateDevices = true;
175
-
PrivateUsers = true;
176
-
ProtectClock = true;
177
-
ProtectControlGroups = true;
178
-
ProtectHome = true;
179
-
ProtectHostname = true;
180
-
ProtectKernelLogs = true;
181
-
ProtectKernelModules = true;
182
-
ProtectKernelTunables = true;
183
-
ProtectSystem = "strict";
184
-
Restart = "on-failure";
185
-
RestartSec = "30s";
186
-
RestrictRealtime = true;
187
-
RestrictSUIDSGID = true;
188
-
SystemCallArchitectures = "native";
189
-
SystemCallErrorNumber = "EPERM";
190
-
SystemCallFilter = [ "@system-service" ];
194
-
restartTriggers = [ settingsFileUnsubstituted ];