matrix: Add heisenbridge
This commit is contained in:
parent
33ec32a8da
commit
74f38614a0
GPG key ID:
49670FD774E43268
4 changed files with 94 additions and 4 deletions
|
|
@ -1,4 +1,5 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
flake-inputs,
|
||||
|
|
@ -30,6 +31,87 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.heisenbridge = let
|
||||
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
|
||||
registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
|
||||
id = "heisenbridge";
|
||||
url = "http://127.0.0.1:9898";
|
||||
as_token = "@AS_TOKEN@";
|
||||
hs_token = "@HS_TOKEN@";
|
||||
rate_limited = false;
|
||||
sender_localpart = "heisenbridge";
|
||||
namespaces = {
|
||||
users = [
|
||||
{
|
||||
regex = "@irc_.*";
|
||||
exclusive = true;
|
||||
}
|
||||
{
|
||||
regex = "@heisenbridge:.*";
|
||||
exclusive = true;
|
||||
}
|
||||
];
|
||||
aliases = [];
|
||||
rooms = [];
|
||||
};
|
||||
});
|
||||
|
||||
# TODO(tlater): Starting with systemd 253 it will become possible
|
||||
# to do the credential setup as part of ExecStartPre/preStart
|
||||
# instead.
|
||||
#
|
||||
# This will also make it possible to actually set caps on the
|
||||
# heisenbridge process using systemd, so that we can run the
|
||||
# identd process.
|
||||
execScript = pkgs.writeShellScript "heisenbridge" ''
|
||||
cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
|
||||
chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
|
||||
${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
|
||||
${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
|
||||
chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
|
||||
|
||||
${pkgs.heisenbridge}/bin/heisenbridge \
|
||||
--config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
|
||||
--owner @tlater:matrix.tlater.net \
|
||||
'http://localhost:${toString cfg.settings.global.port}'
|
||||
'';
|
||||
in {
|
||||
description = "Matrix<->IRC bridge";
|
||||
wantedBy = ["multi-user.target"];
|
||||
after = ["conduit.service"];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
|
||||
LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
|
||||
|
||||
ExecStart = execScript;
|
||||
|
||||
DynamicUser = true;
|
||||
RuntimeDirectory = "heisenbridge";
|
||||
RuntimeDirectoryMode = "0700";
|
||||
|
||||
RestrictNamespaces = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
RestrictAddressFamilies = ["AF_INET AF_INET6"];
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
UMask = 0077;
|
||||
|
||||
# For the identd port
|
||||
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
|
||||
# AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
|
||||
};
|
||||
};
|
||||
|
||||
# Pass in the TURN secret via EnvironmentFile, not supported by
|
||||
# upstream module currently.
|
||||
#
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@
|
|||
group = "nextcloud";
|
||||
};
|
||||
secrets."steam/tlater" = {};
|
||||
secrets."heisenbridge/as-token" = {};
|
||||
secrets."heisenbridge/hs-token" = {};
|
||||
secrets."turn/env" = {};
|
||||
secrets."turn/secret" = {
|
||||
owner = "turnserver";
|
||||
|
|
|
|||
|
|
@ -2,6 +2,9 @@ nextcloud:
|
|||
tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str]
|
||||
steam:
|
||||
tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str]
|
||||
heisenbridge:
|
||||
as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
|
||||
hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
|
||||
turn:
|
||||
env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
|
||||
secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
|
||||
|
|
@ -14,8 +17,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2022-11-05T18:45:55Z"
|
||||
mac: ENC[AES256_GCM,data:xPCfjqVkewEqrUjHroXa9RGHITntVj2uGPaRZfj0lqTUPFG6GQDn3Yq6L6cV3EPOYQ4OedJlaVXy05OHkzZwjYEbBQVGQ0aH/ZOP7X301eebBX5MvHLFU4mcnjMITWGH/E7SXz3pPF75s9eM/onx374PcQt6zevbBF+Jp0Fz71I=,iv:84JL69nF3ougygMAVFOoTaCn37thvm4lF6HYdgTiftg=,tag:ATQ18acehgUAE/dX+vYugQ==,type:str]
|
||||
lastmodified: "2023-02-21T10:51:11Z"
|
||||
mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-10-12T00:46:51Z"
|
||||
enc: |
|
||||
|
|
|
|||
|
|
@ -2,6 +2,9 @@ nextcloud:
|
|||
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
|
||||
steam:
|
||||
tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str]
|
||||
heisenbridge:
|
||||
as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
|
||||
hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
|
||||
turn:
|
||||
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
|
||||
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
|
||||
|
|
@ -14,8 +17,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2023-01-11T01:49:31Z"
|
||||
mac: ENC[AES256_GCM,data:5IcHdNQ/mh6Jz60dlpgqbBtVGKYml4EOs7YXsBcejgAoPzZqEK+xb3f9+rq2G6sCcMXzROHJsdQUfp1wMgfp8DwVm4H+XO+SQh/E1kFuWO8G/IpXOT4P9RQC+wHxrVuxHd8pwl9CLv6uuMnO+FNg9TeWB2GAVxIBsY8JHwGN/BA=,iv:/Yqfij58LGNooyyhmr8aWCpknd4dN+b4iSvokVoDGls=,tag:XHm8Qcg75B1+pTOcgZubIQ==,type:str]
|
||||
lastmodified: "2023-02-21T08:32:04Z"
|
||||
mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-10-12T16:48:23Z"
|
||||
enc: |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue