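# NixOS module: runs heisenbridge (Matrix<->IRC appservice bridge) as a
# sandboxed systemd unit alongside the matrix-conduit homeserver on this host.
{ pkgs, lib, config, ... }:
let
  # Conduit's module config; only the listening port is read below, to build
  # the homeserver URL passed to heisenbridge.
  conduitCfg = config.services.matrix-conduit;
  # Project-local helpers (./lib.nix); not visible from this file.
  matrixLib = pkgs.callPackage ./lib.nix { };
in
{
  systemd.services.heisenbridge =
    let
      # Appservice registration for the homeserver. `writeRegistrationScript`
      # is expected to return an `ExecStartPre` that writes
      # ${RUNTIME_DIRECTORY}/heisenbridge-registration.yaml — confirm in ./lib.nix.
      registration = matrixLib.writeRegistrationScript {
        id = "heisenbridge";
        # Where conduit reaches the bridge. Loopback only, so the appservice
        # HTTP API is not reachable from outside this host.
        url = "http://127.0.0.1:9898";
        sender_localpart = "heisenbridge";
        # Exclusive namespaces: no other appservice or user may claim these MXIDs.
        namespaces = {
          users = [
            { regex = "@irc_.*"; exclusive = true; }
            { regex = "@heisenbridge:.*"; exclusive = true; }
          ];
          aliases = [ ];
          rooms = [ ];
        };
      };
    in
    {
      description = "Matrix<->IRC bridge";
      wantedBy = [ "multi-user.target" ];
      # Ordering only: start after conduit, but do not pull it in.
      after = [ "conduit.service" ];

      serviceConfig = {
        Type = "exec";
        # The secret at /run/secrets/heisenbridge is exposed to the unit as
        # $CREDENTIALS_DIRECTORY/heisenbridge, readable by the service user only.
        # Presumably consumed by the ExecStartPre registration script — verify in ./lib.nix.
        LoadCredential = "heisenbridge:/run/secrets/heisenbridge";
        inherit (registration) ExecStartPre;
        ExecStart = lib.concatStringsSep " " [
          "${lib.getExe pkgs.heisenbridge}"
          # `\${` keeps the literal for systemd, which expands RUNTIME_DIRECTORY
          # at start time; Nix must not interpolate it.
          "--config \${RUNTIME_DIRECTORY}/heisenbridge-registration.yaml"
          "--owner @tlater:matrix.tlater.net"
          "http://localhost:${toString conduitCfg.settings.global.port}"
        ];

        # DynamicUser also implies ProtectSystem=strict, ProtectHome=read-only,
        # PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID.
        DynamicUser = true;
        RuntimeDirectory = "heisenbridge";
        RuntimeDirectoryMode = "0700";

        # Sandboxing.
        RestrictNamespaces = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        # One family per element: NixOS renders each as its own
        # RestrictAddressFamilies= line and systemd merges them.
        # NOTE(review): AF_UNIX is not granted; if local name resolution or
        # another AF_UNIX socket turns out to be required, it must be added here.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        SystemCallArchitectures = "native";
        # systemd reads UMask= as octal; written as a string so the Nix
        # integer 77 is not mistaken for a decimal value.
        UMask = "0077";
        # Unprivileged service: drop every capability. For the identd port
        # (113) replace this with [ "CAP_NET_BIND_SERVICE" ] and add
        # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ].
        CapabilityBoundingSet = "";
        # NOTE(review): SystemCallFilter is deliberately not set here; a
        # "@system-service" profile would be the usual next step but is untested.
      };
    };
}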