Enable heisenbridge

2023-03-31 16:48:33 +02:00 · 2023-03-31 16:48:33 +02:00 · 6950c8c4ec
commit 6950c8c4ec
parent 7717607628
4 changed files with 120 additions and 2 deletions
--- a/modules/cloud/conduit/default.nix
+++ b/modules/cloud/conduit/default.nix
@ -5,6 +5,7 @@ let
 in
 with lib;
 {
+  imports = [ ./heisenbridge.nix ];
  options.cloud.conduit = {
    enable = mkEnableOption "Enable the conduit server";

--- a/modules/cloud/conduit/heisenbridge.nix
+++ b/modules/cloud/conduit/heisenbridge.nix
@ -0,0 +1,99 @@
+{ pkgs, lib, config, ... }:
+let
+  cfg = config.cloud.conduit.heisenbridge;
+  cfgConduit = config.cloud.conduit;
+in
+with lib; {
+  options.cloud.conduit.heisenbridge = {
+    enable = mkEnableOption "Enable heisenbridge for conduit";
+    package = mkPackageOption pkgs "heisenbridge" { };
+    appserviceFile = mkOption {
+      type = types.str;
+      description = "The path to the appservice config file";
+    };
+    port = mkOption {
+      type = types.nullOr types.int;
+      description = "The port to listen to. Leave blank to just use the appserviceFile's configuration";
+      default = null;
+    };
+  };
+  config = mkIf cfg.enable (
+    let
+      cfgFile = if cfg.port == null then cfg.appserviceFile else
+      pkgs.runCommand "heisenbridge-config" { } ''
+        cp ${cfg.appserviceFile} $out
+        ${pkgs.sd}/bin/sd '^url: .*$' "url: http://127.0.0.1:${cfg.port}"
+      '';
+      listenArgs = lists.optionals (cfg.port != null) [ "--listen-port" (toString cfg.port) ];
+    in
+    {
+      systemd.services.heisenbridge = {
+        description = "Matrix<->IRC bridge";
+        before = [ "matrix-synapse.service" ]; # So the registration file can be used by Synapse
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = rec {
+          Type = "simple";
+          ExecStart = lib.concatStringsSep " " (
+            [
+              "${cfg.package}/bin/heisenbridge"
+              "-v"
+
+              "--config"
+              cfgFile
+            ]
+            ++ listenArgs
+            ++ [
+              # Homeserver
+              "https://${toString cfgConduit.host}"
+            ]
+          );
+
+          # Hardening options
+
+          User = "heisenbridge";
+          Group = "heisenbridge";
+          RuntimeDirectory = "heisenbridge";
+          RuntimeDirectoryMode = "0700";
+          StateDirectory = "heisenbridge";
+          StateDirectoryMode = "0755";
+
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectKernelTunables = true;
+          ProtectControlGroups = true;
+          RestrictSUIDSGID = true;
+          PrivateMounts = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+          RestrictNamespaces = true;
+          RemoveIPC = true;
+          UMask = "0077";
+
+          CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port != null && cfg.port < 1024) "CAP_NET_BIND_SERVICE";
+          AmbientCapabilities = CapabilityBoundingSet;
+          NoNewPrivileges = true;
+          LockPersonality = true;
+          RestrictRealtime = true;
+          SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
+          SystemCallArchitectures = "native";
+          RestrictAddressFamilies = "AF_INET AF_INET6";
+        };
+      };
+
+      users.groups.heisenbridge = { };
+      users.users.heisenbridge = {
+        description = "Service user for the Heisenbridge";
+        group = "heisenbridge";
+        isSystemUser = true;
+      };
+    }
+  );
+}
+