100 lines
3.1 KiB
Nix
100 lines
3.1 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
let
|
|
cfg = config.cloud.conduit.heisenbridge;
|
|
cfgConduit = config.cloud.conduit;
|
|
in
|
|
with lib; {
|
|
options.cloud.conduit.heisenbridge = {
|
|
enable = mkEnableOption "Enable heisenbridge for conduit";
|
|
package = mkPackageOption pkgs "heisenbridge" { };
|
|
appserviceFile = mkOption {
|
|
type = types.str;
|
|
description = "The path to the appservice config file";
|
|
};
|
|
port = mkOption {
|
|
type = types.nullOr types.int;
|
|
description = "The port to listen to. Leave blank to just use the appserviceFile's configuration";
|
|
default = null;
|
|
};
|
|
};
|
|
config = mkIf cfg.enable (
|
|
let
|
|
cfgFile = if cfg.port == null then cfg.appserviceFile else
|
|
pkgs.runCommand "heisenbridge-config" { } ''
|
|
cp ${cfg.appserviceFile} $out
|
|
${pkgs.sd}/bin/sd '^url: .*$' "url: http://127.0.0.1:${cfg.port}"
|
|
'';
|
|
listenArgs = lists.optionals (cfg.port != null) [ "--listen-port" (toString cfg.port) ];
|
|
in
|
|
{
|
|
systemd.services.heisenbridge = {
|
|
description = "Matrix<->IRC bridge";
|
|
before = [ "matrix-synapse.service" ]; # So the registration file can be used by Synapse
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = rec {
|
|
Type = "simple";
|
|
ExecStart = lib.concatStringsSep " " (
|
|
[
|
|
"${cfg.package}/bin/heisenbridge"
|
|
"-v"
|
|
|
|
"--config"
|
|
cfgFile
|
|
]
|
|
++ listenArgs
|
|
++ [
|
|
# Homeserver
|
|
"https://${toString cfgConduit.host}"
|
|
]
|
|
);
|
|
|
|
# Hardening options
|
|
|
|
User = "heisenbridge";
|
|
Group = "heisenbridge";
|
|
RuntimeDirectory = "heisenbridge";
|
|
RuntimeDirectoryMode = "0700";
|
|
StateDirectory = "heisenbridge";
|
|
StateDirectoryMode = "0755";
|
|
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectControlGroups = true;
|
|
RestrictSUIDSGID = true;
|
|
PrivateMounts = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectHostname = true;
|
|
ProtectClock = true;
|
|
ProtectProc = "invisible";
|
|
ProcSubset = "pid";
|
|
RestrictNamespaces = true;
|
|
RemoveIPC = true;
|
|
UMask = "0077";
|
|
|
|
CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port != null && cfg.port < 1024) "CAP_NET_BIND_SERVICE";
|
|
AmbientCapabilities = CapabilityBoundingSet;
|
|
NoNewPrivileges = true;
|
|
LockPersonality = true;
|
|
RestrictRealtime = true;
|
|
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
|
|
SystemCallArchitectures = "native";
|
|
RestrictAddressFamilies = "AF_INET AF_INET6";
|
|
};
|
|
};
|
|
|
|
users.groups.heisenbridge = { };
|
|
users.users.heisenbridge = {
|
|
description = "Service user for the Heisenbridge";
|
|
group = "heisenbridge";
|
|
isSystemUser = true;
|
|
};
|
|
}
|
|
);
|
|
}
|
|
|