treewide: Start using nixpkgs-fmt formatting

2024-06-28 20:12:55 +02:00 · 2024-06-28 20:12:55 +02:00 · fd138d45e6
commit fd138d45e6
parent 501c3466bc
29 changed files with 812 additions and 767 deletions
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@ -1,15 +1,16 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}: let
+{ pkgs
+, config
+, lib
+, ...
+}:
+let
  inherit (lib.strings) concatMapStringsSep;

  cfg = config.services.matrix-conduit;
  domain = "matrix.${config.services.nginx.domain}";
  turn-realm = "turn.${config.services.nginx.domain}";
-in {
+in
+{
  services.matrix-conduit = {
    enable = true;
    settings.global = {
@ -17,99 +18,103 @@ in {
      server_name = domain;
      database_backend = "rocksdb";

-      turn_uris = let
-        address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
-        tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
-      in [
-        "turn:${address}?transport=udp"
-        "turn:${address}?transport=tcp"
-        "turns:${tls-address}?transport=udp"
-        "turns:${tls-address}?transport=tcp"
-      ];
-    };
-  };
-
-  systemd.services.heisenbridge = let
-    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-    registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
-      id = "heisenbridge";
-      url = "http://127.0.0.1:9898";
-      as_token = "@AS_TOKEN@";
-      hs_token = "@HS_TOKEN@";
-      rate_limited = false;
-      sender_localpart = "heisenbridge";
-      namespaces = {
-        users = [
-          {
-            regex = "@irc_.*";
-            exclusive = true;
-          }
-          {
-            regex = "@heisenbridge:.*";
-            exclusive = true;
-          }
+      turn_uris =
+        let
+          address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
+          tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
+        in
+        [
+          "turn:${address}?transport=udp"
+          "turn:${address}?transport=tcp"
+          "turns:${tls-address}?transport=udp"
+          "turns:${tls-address}?transport=tcp"
        ];
-        aliases = [];
-        rooms = [];
-      };
-    });
-
-    # TODO(tlater): Starting with systemd 253 it will become possible
-    # to do the credential setup as part of ExecStartPre/preStart
-    # instead.
-    #
-    # This will also make it possible to actually set caps on the
-    # heisenbridge process using systemd, so that we can run the
-    # identd process.
-    execScript = pkgs.writeShellScript "heisenbridge" ''
-      cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
-      chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
-      ${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
-      ${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
-      chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
-
-      ${pkgs.heisenbridge}/bin/heisenbridge \
-          --config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
-          --owner @tlater:matrix.tlater.net \
-          'http://localhost:${toString cfg.settings.global.port}'
-    '';
-  in {
-    description = "Matrix<->IRC bridge";
-    wantedBy = ["multi-user.target"];
-    after = ["conduit.service"];
-
-    serviceConfig = {
-      Type = "simple";
-
-      LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
-
-      ExecStart = execScript;
-
-      DynamicUser = true;
-      RuntimeDirectory = "heisenbridge";
-      RuntimeDirectoryMode = "0700";
-
-      RestrictNamespaces = true;
-      PrivateUsers = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = ["AF_INET AF_INET6"];
-      LockPersonality = true;
-      RestrictRealtime = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      UMask = 0077;
-
-      # For the identd port
-      # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
-      # AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
    };
  };

+  systemd.services.heisenbridge =
+    let
+      replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
+      registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
+        id = "heisenbridge";
+        url = "http://127.0.0.1:9898";
+        as_token = "@AS_TOKEN@";
+        hs_token = "@HS_TOKEN@";
+        rate_limited = false;
+        sender_localpart = "heisenbridge";
+        namespaces = {
+          users = [
+            {
+              regex = "@irc_.*";
+              exclusive = true;
+            }
+            {
+              regex = "@heisenbridge:.*";
+              exclusive = true;
+            }
+          ];
+          aliases = [ ];
+          rooms = [ ];
+        };
+      });
+
+      # TODO(tlater): Starting with systemd 253 it will become possible
+      # to do the credential setup as part of ExecStartPre/preStart
+      # instead.
+      #
+      # This will also make it possible to actually set caps on the
+      # heisenbridge process using systemd, so that we can run the
+      # identd process.
+      execScript = pkgs.writeShellScript "heisenbridge" ''
+        cp ${registrationFile} "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
+        chmod 600 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
+        ${replaceSecretBin} '@AS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_as-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
+        ${replaceSecretBin} '@HS_TOKEN@' "$CREDENTIALS_DIRECTORY/heisenbridge_hs-token" "$RUNTIME_DIRECTORY/heisenbridge-registration.yaml"
+        chmod 400 $RUNTIME_DIRECTORY/heisenbridge-registration.yaml
+
+        ${pkgs.heisenbridge}/bin/heisenbridge \
+            --config $RUNTIME_DIRECTORY/heisenbridge-registration.yaml \
+            --owner @tlater:matrix.tlater.net \
+            'http://localhost:${toString cfg.settings.global.port}'
+      '';
+    in
+    {
+      description = "Matrix<->IRC bridge";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "conduit.service" ];
+
+      serviceConfig = {
+        Type = "simple";
+
+        LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
+
+        ExecStart = execScript;
+
+        DynamicUser = true;
+        RuntimeDirectory = "heisenbridge";
+        RuntimeDirectoryMode = "0700";
+
+        RestrictNamespaces = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        UMask = 0077;
+
+        # For the identd port
+        # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+        # AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
+      };
+    };
+
  # Pass in the TURN secret via EnvironmentFile, not supported by
  # upstream module currently.
  #
@ -249,6 +254,6 @@ in {
    ];
    # Other services store their data in conduit, so no other services
    # need to be shut down currently.
-    pauseServices = ["conduit.service"];
+    pauseServices = [ "conduit.service" ];
  };
 }