diff --git a/config/services/matrix-media-repo.nix b/config/services/matrix-media-repo.nix
index 2789d667..fc3c1ae8 100644
--- a/config/services/matrix-media-repo.nix
+++ b/config/services/matrix-media-repo.nix
@@ -134,7 +134,7 @@ in {
 curl -H "Authorization: Bearer $MATRIX_TOKEN" -X POST https://matrix.chir.rs/_matrix/media/unstable/admin/purge/old\?before_ts=$(date -d "3 months ago" +%s%3N)\&include_local=true && exit 0
 done
 '';
-
+
 serviceConfig = {
 Type = "oneshot";
 User = "matrix-media-repo";
diff --git a/config/services/mautrix-telegram.nix b/config/services/mautrix-telegram.nix
index 25307ada..1e41f42f 100644
--- a/config/services/mautrix-telegram.nix
+++ b/config/services/mautrix-telegram.nix
@@ -4,7 +4,10 @@
 pkgs,
 ...
 }: {
- services.mautrix-telegram = {
+ imports = [
+ ../../modules/matrix/mautrix-telegram.nix
+ ];
+ services.mautrix-telegram-2 = {
 enable = true;
 environmentFile = config.sops.secrets."services/mautrix/telegram".path;
 settings = {
@@ -69,16 +72,4 @@
 };
 }
 ];
- users.users.mautrix-telegram = {
- description = "Mautrix telegram bridge";
- home = "/var/lib/mautrix-telegram";
- useDefaultShell = true;
- group = "matrix-synapse";
- isSystemUser = true;
- };
- systemd.services.mautrix-telegram.serviceConfig = {
- User = "mautrix-telegram";
- Group = "matrix-synapse";
- DynamicUser = lib.mkForce false;
- };
 }
diff --git a/modules/matrix/mautrix-telegram.nix b/modules/matrix/mautrix-telegram.nix
new file mode 100644
index 00000000..410ce79a
--- /dev/null
+++ b/modules/matrix/mautrix-telegram.nix
@@ -0,0 +1,152 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ dataDir = "/var/lib/mautrix-telegram";
+ registrationFile = "${dataDir}/signal-registration.yaml";
+ cfg = config.services.mautrix-telegram-2;
+ settingsFormat = pkgs.formats.yaml {};
+ settingsFileUnsubstituted = settingsFormat.generate "mautrix-telegram-signal-unsubstituted.yaml" cfg.settings;
+ settingsFile = "${dataDir}/config.yaml";
+in {
+ options = {
+ services.mautrix-telegram-2 = {
+ enable = mkEnableOption "mautrix-telegram, a Matrix-signal hybrid puppeting/relaybot bridge";
+ settings = mkOption rec {
+ apply = recursiveUpdate default;
+ inherit (settingsFormat) type;
+ default = {
+ appservice = {
+ address = "http://localhost:29328";
+ hostname = "0.0.0.0";
+ port = 29328;
+ database = "sqlite:///${dataDir}/mautrix-telegram.db";
+ as_token = "$AS_TOKEN";
+ hs_token = "$HS_TOKEN";
+ };
+ logging = {
+ version = 1;
+
+ formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
+
+ handlers.console = {
+ class = "logging.StreamHandler";
+ formatter = "precise";
+ };
+
+ loggers = {
+ mau.level = "INFO";
+ telethon.level = "INFO";
+
+ # prevent tokens from leaking in the logs:
+ # https://github.com/tulir/mautrix-telegram/issues/351
+ aiohttp.level = "WARNING";
+ };
+
+ # log to console/systemd instead of file
+ root = {
+ level = "INFO";
+ handlers = ["console"];
+ };
+ };
+ };
+ };
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ File containing environment variables to be passed to the mautrix-telegram service,
+ in which secret tokens can be specified securely by defining values for
+ MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN,
+ MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN,
+ MAUTRIX_TELEGRAM_TELEGRAM_API_ID,
+ MAUTRIX_TELEGRAM_TELEGRAM_API_HASH and optionally
+ MAUTRIX_TELEGRAM_TELEGRAM_BOT_TOKEN.
+ '';
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ systemd.services.mautrix-telegram-genregistration = {
+ description = "mautrix-telegram Registration";
+
+ requiredBy = ["matrix-synapse.service"];
+ before = ["matrix-synapse.service"];
+ script = ''
+ # Not all secrets can be passed as environment variable (yet)
+ # https://github.com/tulir/mautrix-telegram/issues/584
+ [ -f ${settingsFile} ] && rm -f ${settingsFile}
+ old_umask=$(umask)
+ umask 0177
+ export AS_TOKEN="This value is generated when generating the registration"
+ export HS_TOKEN="This value is generated when generating the registration"
+ ${pkgs.envsubst}/bin/envsubst \
+ -o ${settingsFile} \
+ -i ${settingsFileUnsubstituted}
+ umask $old_umask
+
+ [ -f ${registrationFile} ] && rm -f ${registrationFile}
+ ${pkgs.mautrix-telegram}/bin/mautrix-telegram --generate-registration --config ${settingsFile} --registration ${registrationFile}
+ chmod 660 ${registrationFile}
+
+ # Extract the tokens from the registration
+ export AS_TOKEN=$(${pkgs.yq}/bin/yq -r '.as_token' ${registrationFile})
+ export HS_TOKEN=$(${pkgs.yq}/bin/yq -r '.hs_token' ${registrationFile})
+ umask 0177
+ ${pkgs.envsubst}/bin/envsubst \
+ -o ${settingsFile} \
+ -i ${settingsFileUnsubstituted}
+ umask $old_umask
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ WorkingDirectory = dataDir;
+ StateDirectory = baseNameOf dataDir;
+ UMask = 0117;
+ User = "mautrix-telegram";
+ Group = "matrix-synapse";
+ EnvironmentFile = cfg.environmentFile;
+ };
+ restartTriggers = [settingsFileUnsubstituted cfg.environmentFile];
+ };
+ systemd.services.mautrix-telegram = {
+ description = "mautrix-telegram";
+ wantedBy = ["multi-user.target"];
+ wants = ["matrix-synapse.service" "mautrix-telegram-genregistration.service"];
+ after = ["matrix-synapse.service" "mautrix-telegram-genregistration.service"];
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ WorkingDirectory = dataDir;
+ User = "mautrix-telegram";
+ Group = "matrix-synapse";
+ EnvironmentFile = cfg.environmentFile;
+ ExecStart = ''
+ ${pkgs.mautrix-telegram}/bin/mautrix-telegram \
+ --config='${settingsFile}'
+ '';
+ };
+ restartTriggers = [cfg.environmentFile];
+ };
+ users.users.mautrix-telegram = {
+ description = "Mautrix telegram bridge";
+ home = "${dataDir}";
+ useDefaultShell = true;
+ group = "matrix-synapse";
+ isSystemUser = true;
+ };
+ services.matrix-synapse.settings.app_service_config_files = [
+ registrationFile
+ ];
+ };
+}
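Review bot: The long-running `systemd.services.mautrix-telegram` unit carries none of the sandboxing that the oneshot `mautrix-telegram-genregistration` unit sets (`ProtectSystem = "strict"`, `ProtectHome`, `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups`), although it is the process that holds the Telegram session and the appservice tokens for its whole lifetime; the same directives belong in its `serviceConfig`, together with `StateDirectory = baseNameOf dataDir;` so the sqlite database under `dataDir` stays writable once `/var/lib` is read-only. The default `appservice.hostname = "0.0.0.0"` binds the appservice listener on every interface while `appservice.address` points synapse at `localhost`; unless synapse lives on another host or in another network namespace, `hostname = "127.0.0.1";` is the tighter default. The bridge's `restartTriggers = [cfg.environmentFile]` omits `settingsFileUnsubstituted`, so a settings change appears to re-run the registration unit (which deletes and regenerates the tokens on every run) without restarting the bridge, leaving it on the old config until something else restarts it; `restartTriggers = [settingsFileUnsubstituted cfg.environmentFile];` keeps the two in step. The `environmentFile` description still says the AS/HS tokens can be supplied through it, but the script exports `AS_TOKEN`/`HS_TOKEN` from the freshly generated registration, so that part of the description should be dropped or reworded; likewise `mkEnableOption "... Matrix-signal hybrid ..."`, `signal-registration.yaml` and `mautrix-telegram-signal-unsubstituted.yaml` look carried over from a signal module.
```nix
  systemd.services.mautrix-telegram = {
    # … unchanged: description, wantedBy, wants, after …
    serviceConfig = {
      Type = "simple";
      Restart = "always";

      WorkingDirectory = dataDir;
      # Mirror the genregistration unit's sandbox; StateDirectory keeps
      # dataDir (sqlite database, config.yaml) writable under ProtectSystem=strict.
      StateDirectory = baseNameOf dataDir;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      # … unchanged: User, Group, EnvironmentFile, ExecStart …
    };
    restartTriggers = [settingsFileUnsubstituted cfg.environmentFile];
  };
```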