Enable heisenbridge

This commit is contained in:
Natsu Kagami 2023-03-31 16:48:33 +02:00
parent 7717607628
commit 6950c8c4ec
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
4 changed files with 120 additions and 2 deletions


@ -5,6 +5,7 @@ let
in in
with lib; with lib;
{ {
imports = [ ./heisenbridge.nix ];
options.cloud.conduit = { options.cloud.conduit = {
enable = mkEnableOption "Enable the conduit server"; enable = mkEnableOption "Enable the conduit server";


@ -0,0 +1,99 @@
{ pkgs, lib, config, ... }:
let
cfg = config.cloud.conduit.heisenbridge;
cfgConduit = config.cloud.conduit;
in
with lib; {
options.cloud.conduit.heisenbridge = {
enable = mkEnableOption "Enable heisenbridge for conduit";
package = mkPackageOption pkgs "heisenbridge" { };
appserviceFile = mkOption {
type = types.str;
description = "The path to the appservice config file";
};
port = mkOption {
type = types.nullOr types.int;
description = "The port to listen to. Leave blank to just use the appserviceFile's configuration";
default = null;
};
};
config = mkIf cfg.enable (
let
cfgFile = if cfg.port == null then cfg.appserviceFile else
pkgs.runCommand "heisenbridge-config" { } ''
cp ${cfg.appserviceFile} $out
${pkgs.sd}/bin/sd '^url: .*$' "url: http://127.0.0.1:${cfg.port}"
'';
listenArgs = lists.optionals (cfg.port != null) [ "--listen-port" (toString cfg.port) ];
in
{
systemd.services.heisenbridge = {
description = "Matrix<->IRC bridge";
before = [ "matrix-synapse.service" ]; # So the registration file can be used by Synapse
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "simple";
ExecStart = lib.concatStringsSep " " (
[
"${cfg.package}/bin/heisenbridge"
"-v"
"--config"
cfgFile
]
++ listenArgs
++ [
# Homeserver
"https://${toString cfgConduit.host}"
]
);
# Hardening options
User = "heisenbridge";
Group = "heisenbridge";
RuntimeDirectory = "heisenbridge";
RuntimeDirectoryMode = "0700";
StateDirectory = "heisenbridge";
StateDirectoryMode = "0755";
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictNamespaces = true;
RemoveIPC = true;
UMask = "0077";
CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port != null && cfg.port < 1024) "CAP_NET_BIND_SERVICE";
AmbientCapabilities = CapabilityBoundingSet;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
SystemCallArchitectures = "native";
RestrictAddressFamilies = "AF_INET AF_INET6";
};
};
users.groups.heisenbridge = { };
users.users.heisenbridge = {
description = "Service user for the Heisenbridge";
group = "heisenbridge";
isSystemUser = true;
};
}
);
}
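Review bot: The build-time rewrite at the `cfgFile` binding (the `runCommand` under `config = mkIf cfg.enable`) is both broken and unsafe when `port` is set: `${cfg.port}` interpolates an integer, which Nix refuses to coerce into a string (the `listenArgs` line just below already uses `toString cfg.port`), and `sd` is given no file operand, so `$out` is copied but never edited. More importantly, `runCommand` copies `cfg.appserviceFile` into the Nix store, and an appservice registration carries the `as_token`/`hs_token` while the store is world-readable (with sandboxed builds `/run/secrets` is not visible to the builder at all, so the build would fail before that). Doing the rewrite in `preStart` into the unit's `RuntimeDirectory` keeps the secret out of the store and runs as the `heisenbridge` user that owns the sops secret; the host config in this commit leaves `port` null, so this branch is currently unexercised. Separately, `before = [ "matrix-synapse.service" ]` and its comment refer to Synapse although the module lives under `cloud.conduit`; the ordering presumably wants conduit's unit instead.
```nix
let
  # The registration file is a secret: rewrite it at service start into the
  # unit's RuntimeDirectory, never at build time (that would put it in /nix/store).
  runtimeCfg = "/run/heisenbridge/registration.yaml";
  cfgFile = if cfg.port == null then cfg.appserviceFile else runtimeCfg;
  # … unchanged: listenArgs …
in
{
  systemd.services.heisenbridge = {
    # … unchanged: description, before, wantedBy …
    preStart = optionalString (cfg.port != null) ''
      install -m 0600 ${cfg.appserviceFile} ${runtimeCfg}
      ${pkgs.sd}/bin/sd '^url: .*$' "url: http://127.0.0.1:${toString cfg.port}" ${runtimeCfg}
    '';
    # … unchanged: serviceConfig = rec { … } …
```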


@ -64,8 +64,25 @@
usersFile = config.sops.secrets.traefik-dashboard-users.path; usersFile = config.sops.secrets.traefik-dashboard-users.path;
}; };
cloud.traefik.certsDumper.enable = true; cloud.traefik.certsDumper.enable = true;
# Conduit
sops.secrets.heisenbridge = { owner = "heisenbridge"; };
cloud.conduit.enable = true; cloud.conduit.enable = true;
cloud.conduit.package = pkgs.unstable.matrix-conduit; cloud.conduit.package = pkgs.unstable.matrix-conduit;
cloud.conduit.heisenbridge = {
enable = true;
package = pkgs.heisenbridge.overrideAttrs (old: rec {
version = "1.14.2";
src = pkgs.fetchFromGitHub {
owner = "hifi";
repo = "heisenbridge";
rev = "refs/tags/v${version}";
sha256 = "sha256-qp0LVcmWf5lZ52h0V58S6FoIM8RLOd6Y3FRb85j7KRg=";
};
});
appserviceFile = config.sops.secrets.heisenbridge.path;
};
# Navidrome back to the PC # Navidrome back to the PC
cloud.traefik.hosts.navidrome = { cloud.traefik.hosts.navidrome = {
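Review bot: The `pkgs.heisenbridge.overrideAttrs` block pins upstream v1.14.2 by tag and hash without saying why the nixpkgs version is not enough, so the next reader cannot tell when the override can be dropped; a one-line comment above `package =` such as `# Pin heisenbridge v1.14.2 instead of the nixpkgs release; drop once nixpkgs catches up (TODO: record why this version is needed)` would do. Since only `version` and `src` are replaced, the derivation's Python dependency set and build phases still come from the older nixpkgs definition, which may not match the new tag — presumably it built, but that is worth stating next to the pin. The `# Conduit` header now sits above `sops.secrets.heisenbridge`, which reads as though that secret belongs to conduit rather than the bridge; moving the header below it or labelling the line `# Heisenbridge appservice registration` would avoid the confusion.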


@ -11,6 +11,7 @@ mail-users: ENC[AES256_GCM,data:DXVx2e6MSSSpHfKFD35zHGnGDPoZi7cOqPfAGubxa4gupatY
youmubot-env: ENC[AES256_GCM,data:m/NGN8r6Caq2tTHeVWV9y5fol9r36aKYYXLjHaa0AR+0XpVeJdXVZxPfQtzX4uo09rOGAPE4lepO05weo7mvEjI5m5QJ4FWrw0/HkLm4SUWnTnDU6BlK7l4K/2Ayz7jmD6GLWI+KcOSjEmma9GXNkVwDnxVrwaAWYOfDqDJMjMES/1S8OgCe5+74MCgNeefIwgXnmmxVMpl8fAdnOgovh1zRvcKPVrN5T0ia39IatDERwegas+q8t90Jjw==,iv:IEFvaMWzgClbHbsxGTdP5EdGayHQgggOT9CU7oAyMtE=,tag:GoEEcGCNHMimzltDit4kzA==,type:str] youmubot-env: ENC[AES256_GCM,data:m/NGN8r6Caq2tTHeVWV9y5fol9r36aKYYXLjHaa0AR+0XpVeJdXVZxPfQtzX4uo09rOGAPE4lepO05weo7mvEjI5m5QJ4FWrw0/HkLm4SUWnTnDU6BlK7l4K/2Ayz7jmD6GLWI+KcOSjEmma9GXNkVwDnxVrwaAWYOfDqDJMjMES/1S8OgCe5+74MCgNeefIwgXnmmxVMpl8fAdnOgovh1zRvcKPVrN5T0ia39IatDERwegas+q8t90Jjw==,iv:IEFvaMWzgClbHbsxGTdP5EdGayHQgggOT9CU7oAyMtE=,tag:GoEEcGCNHMimzltDit4kzA==,type:str]
outline: outline:
smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str] smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
heisenbridge: ENC[AES256_GCM,data:rJY7gpcOY8nODR3KlYW1rEs54mKxr+AjNBeg1/2vTG0Gzpuvjgbnn5UVJS+P8uej/P4HfeFtlQSFZCEy8cXcwvwq97ppVliCGL4GMLRWaFmop35feC8t2ovh79cy/vKC7drASeGvWYNUmGRjboPuKA8W5LARa0HVDPGDLIEMVgJfYry/YKR3gsGmLzU7Mx1yLO6M/EFOJQJc84bSuu+CPSZcyUVF4SSNBiaDU5/NazlqaA9KWL6Xzu1MD2LEYdEFkRfitNgYj2m2gLd9voyGV4cfaCqJvYjJPwuZeZUoqCpDnom2JoV29q/Yq/gmyumPgOvriGxLsYBqV14MaCcE6KXE2uLicD+I/5or1AxepVDVjG9NoSgho1HpLvpRhMSCeXLk9+U+ykH3QA+0M+VVu9pswMMVQifnTtXZRM6pWxOnRVAzGf2tGDo4jy36S7pHaRn7SJcrljjWLfwHuNiu7E2uZhMrkcCjnjcBA9Xrb3drDQYVHya7XcoD4wOBHBDvVZwhYkNdkS3oYkom8A==,iv:fO1onfon3EdSNC/LjN1aWxpHBYq5aa0F/h0V6gl88ac=,tag:NL9p2nhIlEqgOdvUDM19Dg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -44,8 +45,8 @@ sops:
by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA== hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-31T11:07:33Z" lastmodified: "2023-03-31T09:59:11Z"
mac: ENC[AES256_GCM,data:p0i2UKKVZVnp38Kh5Y1vD1UUeYt8MSb9ICxn6o+iRO0uHMxtlxr8yTJ2erczPNp0HcFnShBIBlVaZ5m3SmAWmrpF3fNKcJEPr+cgajkcXbzJoyjiH6LtKwS1sp/geKlLMlTFzBOhKx9xbGB7TJ1/XRB3c+n+Ed/wkp61xes9uT4=,iv:8KYZJpYPX92/KcmTt7+YLafNkxnAcZ6YOnitecoGdWs=,tag:EtbogNCTj2pOU9p5R3+G9g==,type:str] mac: ENC[AES256_GCM,data:OqxOvJGa7v7+SUyuTMjc02kvLS3R+TmGu7DqaYWv0tdrHpbsIwqbA6l2Ex046I28mG+SPbfgsDxMXkNKjSVkjqR1UBvRrdJMM0MPinlUebi2egwqwRj/QbPjyvWPYMTqQBwucBEW98IuQEo77HDSfQ0727PXQiBINoXTU0oGg2M=,iv:xg1sAecRMLd+ZH44ehCxkS+E4e+7R0NIiMjafaP4chg=,tag:bv4FEzZO0CTOl3mvHSDEyA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3