Enable heisenbridge

2023-03-31 16:48:33 +02:00 · 2023-03-31 16:48:33 +02:00 · 6950c8c4ec
parent 7717607628
commit 6950c8c4ec
4 changed files with 120 additions and 2 deletions
--- a/modules/cloud/conduit/default.nix
+++ b/modules/cloud/conduit/default.nix
@ -5,6 +5,7 @@ let
 in
 with lib;
 {
+  imports = [ ./heisenbridge.nix ];
  options.cloud.conduit = {
    enable = mkEnableOption "Enable the conduit server";

--- a/modules/cloud/conduit/heisenbridge.nix
+++ b/modules/cloud/conduit/heisenbridge.nix
@ -0,0 +1,99 @@
+{ pkgs, lib, config, ... }:
+let
+  cfg = config.cloud.conduit.heisenbridge;
+  cfgConduit = config.cloud.conduit;
+in
+with lib; {
+  options.cloud.conduit.heisenbridge = {
+    enable = mkEnableOption "Enable heisenbridge for conduit";
+    package = mkPackageOption pkgs "heisenbridge" { };
+    appserviceFile = mkOption {
+      type = types.str;
+      description = "The path to the appservice config file";
+    };
+    port = mkOption {
+      type = types.nullOr types.int;
+      description = "The port to listen to. Leave blank to just use the appserviceFile's configuration";
+      default = null;
+    };
+  };
+  config = mkIf cfg.enable (
+    let
+      cfgFile = if cfg.port == null then cfg.appserviceFile else
+      pkgs.runCommand "heisenbridge-config" { } ''
+        cp ${cfg.appserviceFile} $out
+        ${pkgs.sd}/bin/sd '^url: .*$' "url: http://127.0.0.1:${cfg.port}"
+      '';
+      listenArgs = lists.optionals (cfg.port != null) [ "--listen-port" (toString cfg.port) ];
+    in
+    {
+      systemd.services.heisenbridge = {
+        description = "Matrix<->IRC bridge";
+        before = [ "matrix-synapse.service" ]; # So the registration file can be used by Synapse
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = rec {
+          Type = "simple";
+          ExecStart = lib.concatStringsSep " " (
+            [
+              "${cfg.package}/bin/heisenbridge"
+              "-v"
+
+              "--config"
+              cfgFile
+            ]
+            ++ listenArgs
+            ++ [
+              # Homeserver
+              "https://${toString cfgConduit.host}"
+            ]
+          );
+
+          # Hardening options
+
+          User = "heisenbridge";
+          Group = "heisenbridge";
+          RuntimeDirectory = "heisenbridge";
+          RuntimeDirectoryMode = "0700";
+          StateDirectory = "heisenbridge";
+          StateDirectoryMode = "0755";
+
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectKernelTunables = true;
+          ProtectControlGroups = true;
+          RestrictSUIDSGID = true;
+          PrivateMounts = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+          RestrictNamespaces = true;
+          RemoveIPC = true;
+          UMask = "0077";
+
+          CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port != null && cfg.port < 1024) "CAP_NET_BIND_SERVICE";
+          AmbientCapabilities = CapabilityBoundingSet;
+          NoNewPrivileges = true;
+          LockPersonality = true;
+          RestrictRealtime = true;
+          SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
+          SystemCallArchitectures = "native";
+          RestrictAddressFamilies = "AF_INET AF_INET6";
+        };
+      };
+
+      users.groups.heisenbridge = { };
+      users.users.heisenbridge = {
+        description = "Service user for the Heisenbridge";
+        group = "heisenbridge";
+        isSystemUser = true;
+      };
+    }
+  );
+}
+
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -64,8 +64,25 @@
    usersFile = config.sops.secrets.traefik-dashboard-users.path;
  };
  cloud.traefik.certsDumper.enable = true;
+
+  # Conduit
+  sops.secrets.heisenbridge = { owner = "heisenbridge"; };
  cloud.conduit.enable = true;
  cloud.conduit.package = pkgs.unstable.matrix-conduit;
+  cloud.conduit.heisenbridge = {
+    enable = true;
+    package = pkgs.heisenbridge.overrideAttrs (old: rec {
+      version = "1.14.2";
+
+      src = pkgs.fetchFromGitHub {
+        owner = "hifi";
+        repo = "heisenbridge";
+        rev = "refs/tags/v${version}";
+        sha256 = "sha256-qp0LVcmWf5lZ52h0V58S6FoIM8RLOd6Y3FRb85j7KRg=";
+      };
+    });
+    appserviceFile = config.sops.secrets.heisenbridge.path;
+  };

  # Navidrome back to the PC
  cloud.traefik.hosts.navidrome = {
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
@ -11,6 +11,7 @@ mail-users: ENC[AES256_GCM,data:DXVx2e6MSSSpHfKFD35zHGnGDPoZi7cOqPfAGubxa4gupatY
 youmubot-env: ENC[AES256_GCM,data:m/NGN8r6Caq2tTHeVWV9y5fol9r36aKYYXLjHaa0AR+0XpVeJdXVZxPfQtzX4uo09rOGAPE4lepO05weo7mvEjI5m5QJ4FWrw0/HkLm4SUWnTnDU6BlK7l4K/2Ayz7jmD6GLWI+KcOSjEmma9GXNkVwDnxVrwaAWYOfDqDJMjMES/1S8OgCe5+74MCgNeefIwgXnmmxVMpl8fAdnOgovh1zRvcKPVrN5T0ia39IatDERwegas+q8t90Jjw==,iv:IEFvaMWzgClbHbsxGTdP5EdGayHQgggOT9CU7oAyMtE=,tag:GoEEcGCNHMimzltDit4kzA==,type:str]
 outline:
    smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
+heisenbridge: ENC[AES256_GCM,data:rJY7gpcOY8nODR3KlYW1rEs54mKxr+AjNBeg1/2vTG0Gzpuvjgbnn5UVJS+P8uej/P4HfeFtlQSFZCEy8cXcwvwq97ppVliCGL4GMLRWaFmop35feC8t2ovh79cy/vKC7drASeGvWYNUmGRjboPuKA8W5LARa0HVDPGDLIEMVgJfYry/YKR3gsGmLzU7Mx1yLO6M/EFOJQJc84bSuu+CPSZcyUVF4SSNBiaDU5/NazlqaA9KWL6Xzu1MD2LEYdEFkRfitNgYj2m2gLd9voyGV4cfaCqJvYjJPwuZeZUoqCpDnom2JoV29q/Yq/gmyumPgOvriGxLsYBqV14MaCcE6KXE2uLicD+I/5or1AxepVDVjG9NoSgho1HpLvpRhMSCeXLk9+U+ykH3QA+0M+VVu9pswMMVQifnTtXZRM6pWxOnRVAzGf2tGDo4jy36S7pHaRn7SJcrljjWLfwHuNiu7E2uZhMrkcCjnjcBA9Xrb3drDQYVHya7XcoD4wOBHBDvVZwhYkNdkS3oYkom8A==,iv:fO1onfon3EdSNC/LjN1aWxpHBYq5aa0F/h0V6gl88ac=,tag:NL9p2nhIlEqgOdvUDM19Dg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -44,8 +45,8 @@ sops:
            by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
            hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-31T11:07:33Z"
-    mac: ENC[AES256_GCM,data:p0i2UKKVZVnp38Kh5Y1vD1UUeYt8MSb9ICxn6o+iRO0uHMxtlxr8yTJ2erczPNp0HcFnShBIBlVaZ5m3SmAWmrpF3fNKcJEPr+cgajkcXbzJoyjiH6LtKwS1sp/geKlLMlTFzBOhKx9xbGB7TJ1/XRB3c+n+Ed/wkp61xes9uT4=,iv:8KYZJpYPX92/KcmTt7+YLafNkxnAcZ6YOnitecoGdWs=,tag:EtbogNCTj2pOU9p5R3+G9g==,type:str]
+    lastmodified: "2023-03-31T09:59:11Z"
+    mac: ENC[AES256_GCM,data:OqxOvJGa7v7+SUyuTMjc02kvLS3R+TmGu7DqaYWv0tdrHpbsIwqbA6l2Ex046I28mG+SPbfgsDxMXkNKjSVkjqR1UBvRrdJMM0MPinlUebi2egwqwRj/QbPjyvWPYMTqQBwucBEW98IuQEo77HDSfQ0727PXQiBINoXTU0oGg2M=,iv:xg1sAecRMLd+ZH44ehCxkS+E4e+7R0NIiMjafaP4chg=,tag:bv4FEzZO0CTOl3mvHSDEyA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3