add mautrix-slack

This commit is contained in:
Charlotte 🦝 Delenk 2024-09-23 20:26:18 +02:00
parent 1cc6693050
commit 2f383a3313
4 changed files with 207 additions and 3 deletions


@ -40,6 +40,7 @@
#./services/kubernetes.nix
./services/forgejo-runner.nix
./services/renovate.nix
./services/mautrix-slack.nix
];
hardware.cpu.amd.updateMicrocode = true;


@ -0,0 +1,49 @@
{
config,
pkgs,
...
}: {
imports = [
../../modules/matrix/mautrix-slack.nix
];
services.mautrix-slack = {
enable = true;
environmentFile = config.sops.secrets."services/mautrix/shared_secret".path;
settings = {
bridge = {
permissions = {
"*" = "relay";
"@miifox:chir.rs" = "user";
"@lotte:chir.rs" = "admin";
};
};
database = {
type = "postgres";
uri = "postgres:///mautrix_slack?sslmode=disable&host=/run/postgresql";
};
homeserver = {
address = "https://matrix.chir.rs";
domain = "chir.rs";
async_media = true;
};
appservice = {
ephemeral_events = true;
async_transactions = true;
};
backfill = {
enabled = true;
queue.enabled = true;
};
encryption = {
allow = true;
default = true;
appservice = true;
};
};
};
sops.secrets."services/mautrix/shared_secret" = {};
services.postgresql.ensureDatabases = [
"mautrix_slack"
];
}
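Review bot: `"*" = "relay"` grants relay permission to every Matrix user on every federated homeserver, not only chir.rs; if the relaybot is meant for local accounts, replace the wildcard with the domain key `"chir.rs" = "relay";` so remote accounts get no level at all. The database URI connects over the Unix socket with no user, so Postgres peer authentication maps the connection to the `mautrix-slack` system user, yet this file only adds `ensureDatabases` — unless a role is created elsewhere, add `ensureUsers = [{ name = "mautrix-slack"; ensureDBOwnership = true; }];`, which on current NixOS also requires the database to carry the same name, i.e. `mautrix-slack` in both the URI and `ensureDatabases`. `sslmode=disable` is acceptable for the local socket. Whether the `shared_secret` environment file is consumed at all is not visible here: the module substitutes `$AS_TOKEN`/`$HS_TOKEN` from the registration file, and none of the `settings` above contain a `$VARIABLE` placeholder, so either reference it from the relevant bridge option or drop it — worth confirming against the bridge's config.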


@ -0,0 +1,153 @@
{
system,
config,
pkgs,
lib,
...
}:
with lib; let
dataDir = "/var/lib/mautrix-slack";
registrationFile = config.sops.secrets."services/mautrix/slack.yaml".path;
cfg = config.services.mautrix-slack;
settingsFormat = pkgs.formats.yaml {};
settingsFileUnsubstituted = settingsFormat.generate "mautrix-slack-config-unsubstituted.yaml" cfg.settings;
settingsFile = "${dataDir}/config.yaml";
inherit (pkgs) mautrix-slack;
in {
options = {
services.mautrix-slack = {
enable = mkEnableOption "Mautrix-Whatsapp, a Matrix-Whatsapp hybrid puppeting/relaybot bridge";
settings = mkOption rec {
apply = recursiveUpdate default;
inherit (settingsFormat) type;
default = {
appservice = {
address = "http://mautrix-slack.int.chir.rs:29320";
hostname = "0.0.0.0";
port = 29320;
database = {
type = "sqlite";
uri = "sqlite:///${dataDir}/mautrix-telegram.db";
};
as_token = "$AS_TOKEN";
hs_token = "$HS_TOKEN";
};
logging = {
file_name_format = null;
};
};
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File containing environment variables to be passed to the mautrix-telegram service,
in which secret tokens can be specified securely by defining values for
<literal>MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN</literal>,
<literal>MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN</literal>,
<literal>MAUTRIX_TELEGRAM_TELEGRAM_API_ID</literal>,
<literal>MAUTRIX_TELEGRAM_TELEGRAM_API_HASH</literal> and optionally
<literal>MAUTRIX_TELEGRAM_TELEGRAM_BOT_TOKEN</literal>.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.mautrix-slack-genregistration = {
description = "Mautrix-slack Registration";
script = ''
# Not all secrets can be passed as environment variable (yet)
# https://github.com/tulir/mautrix-telegram/issues/584
[ -f ${settingsFile} ] && rm -f ${settingsFile}
export AS_TOKEN=$(${pkgs.yq}/bin/yq -r '.as_token' ${registrationFile})
export HS_TOKEN=$(${pkgs.yq}/bin/yq -r '.hs_token' ${registrationFile})
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o ${settingsFile} \
-i ${settingsFileUnsubstituted}
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ReadWritePaths = baseNameOf dataDir;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectControlGroups = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
LockPersonality = true;
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectClock = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
WorkingDirectory = dataDir;
StateDirectory = baseNameOf dataDir;
UMask = 0117;
User = "mautrix-slack";
Group = "mautrix-slack";
EnvironmentFile = cfg.environmentFile;
};
restartTriggers = [settingsFileUnsubstituted cfg.environmentFile];
};
systemd.services.mautrix-slack = {
description = "Mautrix-slack";
path = with pkgs; [ffmpeg lottieconverter];
wantedBy = ["multi-user.target"];
wants = ["mautrix-slack-genregistration.service"];
after = ["mautrix-slack-genregistration.service"];
serviceConfig = {
Type = "simple";
Restart = "always";
ReadWritePaths = baseNameOf dataDir;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectControlGroups = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
LockPersonality = true;
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectClock = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
WorkingDirectory = dataDir;
StateDirectory = baseNameOf dataDir;
UMask = 0117;
User = "mautrix-slack";
Group = "mautrix-slack";
EnvironmentFile = cfg.environmentFile;
ExecStart = ''
${mautrix-slack}/bin/mautrix-slack \
--config='${settingsFile}'
'';
};
restartTriggers = [cfg.environmentFile];
};
users.users.mautrix-slack = {
description = "Mautrix Whatsapp bridge";
home = "${dataDir}";
useDefaultShell = true;
group = "mautrix-slack";
isSystemUser = true;
};
users.groups.mautrix-slack = {};
sops.secrets."services/mautrix/slack.yaml".owner = "mautrix-slack";
};
}
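Review bot: The default appservice listener binds `hostname = "0.0.0.0"` on port 29320 while the homeserver reaches it over plain `http://`, so anyone who can reach that port on any interface can submit transactions to the bridge with the `hs_token` as the only control; unless a host firewall already limits it, bind to the internal interface address the homeserver actually uses and treat the token as the second line of defence. Both `serviceConfig` blocks would also benefit from `CapabilityBoundingSet = "";`, `RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];` and `RestrictNamespaces = true;`, since the bridge only needs the Postgres socket and HTTP. `ReadWritePaths = baseNameOf dataDir` yields the relative name `mautrix-slack`, which systemd rejects as a non-absolute path; it appears to be masked by `StateDirectory` making the directory writable anyway, so use `ReadWritePaths = [dataDir];` or drop it, and write `UMask = "0117";` as a string, because Nix has no octal literals and the bare `0117` only works by accident (decimal 117 serialised as `117`, which systemd re-reads as octal). The texts at L92, L103, L117–L123 and L215 still describe WhatsApp/Telegram and list `MAUTRIX_TELEGRAM_*` variables this module never reads; the `environmentFile` description should instead say that its variables are available as `$NAME` placeholders inside `settings`, while `AS_TOKEN`/`HS_TOKEN` are always taken from the registration file by the genregistration script.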


@ -11,7 +11,8 @@ services:
signal.yaml: ENC[AES256_GCM,data:8/cn9tIIBhfOLbIHOWKr2I+UG8PcnsYozTuIuyFgkcTCuGemid4hw29KWXahQ/ILtu7e9gVVOYu6fi/bionXKAdyk2bDr7ZC+b4MGaAsLbvKvyZ03Q9aIK8t9JEFTrY9VlhfP3/84ohAoS5P7hnaoO06LFtrApG+0WOoS2TLydlS5e7xuqQxbJkutEi1kmITVTYT21HLdz9Shgmo7s9ZxLQ51kTWVhZBH8ixj4t1BwX7oql+4HCmtEltGUmY31PsINmm3GjKi/D0nuf2oWTpWRCjFkX7wjboPFFmZPV0KTm2gOqDWIXtfgLzyNXsF0kyMM0p9h7UiqiuHSJRmFu3AwQTkTsDVuTh9YmVkyhkyI6fNjrniAckj3UfYyY7AiEeA7QK9fengntwnHDODLxHkwzripxCXRPBa0BUREV3dT5gPW1pDhSNiLE0UGsmIDf80JWDsll053kxe744NBI2bFJYD2dZTbVSmYKLiwjuc2FgofZnR9N0yA+OiVOZMxb9VfoXQC0K10vJd9540UH1UdDgOgM0Z+VW6UIrK9x/UKY4U2nKqD1W8kAC2aHQjIHAs37RzboLfagbAWQ7YeKXXoaaV3a9fTI4bxiTTG8EeYzfulcbtPNMYvZaNZFj34zIvuGJAOsOf67XRtJ5ywvWbagumIW1pyyeJ2Q9onKqzBY+VSDhUNxTyueHB8A=,iv:YI4ugoPUYs9PXaRmaIYY9N+7b8qspNHCSE8qUBKtn8M=,tag:YQ0pWwarrTWQMbb1yara7g==,type:str]
telegram.yaml: ENC[AES256_GCM,data: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,iv:4Q6Nl6mogqHMhlvCppV6hcV2/uXTU/kZi/zvJKOuxYc=,tag:de9gsEpzeSW9u5+Sgm1M0Q==,type:str]
whatsapp.yaml: ENC[AES256_GCM,data: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,iv:rGVcLY1MGNzqgXwuSacCuJGg3sBMa3vyLsBT0+EgBT8=,tag:hMFU/o9Gt4eh9Qu2eXybiA==,type:str]
doublepuppet.yaml: ENC[AES256_GCM,data:7EpOPC6vGhSdY08HR6VLtnKlQnqYRyH2ECdbjV14WdPkEYKJIN8wTr6erNMHGcw0P6XC3YZNVur/MpP1nadvGUBguIIkmnkfCLnD8usoJWRG5f+kpzfn2DtTHZ01S1/pdKUsZ+gLw29IK11KJZp2P3bALeHiuhB97QH4lwSwUbSx921LrQV5OZ+lo7GuSVXMsPhewqGu4YeSumyouN7763J5HDcA3eRAJyatxe6wRbUs5gPWHbEOYUPJgTbkc+F63rhAaBvPVaJKdIijWC4M7aByP9FTZeyzrFuwCCmjCbJacaa3e6dYjW+qqg==,iv:YNtupHWmydh6iHTlwfJeixvyA6C2GtDtQ8fngQhBf/I=,tag:qSfKhAtEdiPUbGBs8gafow==,type:str]
slack.yaml: ENC[AES256_GCM,data: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,iv:V4ShNH3jNdMLgHU9xKJ33FUqAG5H9s3hQCFXQznOQx8=,tag:EtoUPsLilcZtG/O+Ai4SkA==,type:str]
doublepuppet.yaml: ENC[AES256_GCM,data:L7WUNSgIoTT+7vYdx34z7+TWBMalPzIHzEA5njYwaJaqpLaPMR5Jx3oFv+TUDzYvs2UKP1DfIJBI1zkm+aMRNE5QOTeMDtZj1AZ07v3ENiPSNCuDaUgSLAdsBPtDIA5rCy+SUxLfeVjfCFs929yrlYyPKbzMcmXhk+otofghGDDDDb9CmwJcvamM4+xqS7pEms5CKy2zkyPD0g5PlMSqGzcYtjRL+qRs/MauKtxSpTBYWPv4lUXEr2iN4guGIJu2kkuKWisM01qYN2SLArAL8WAjHzdPx0LU9Qv9oXdCBTVeNNR5+tK4EQ==,iv:AcQGkdbGc4E14g8xQtDd2PZJR7sIkabelLnx2zOJyO4=,tag:TAg/Lx49l51O0y6IltHICg==,type:str]
hydra:
cache-key: ENC[AES256_GCM,data:CLCu9BTtbIFQ3epWbJYwnj+q7Gnxe/Gs8a53pxiEFObVp9EKMMArNHsvGBIBnuBG4vU6muRw/3EhF3LwDgT/YqVaI7KFKYn0myiTviSQ1hBcWHvTdWnbrlrB0kplBcv4oQ==,iv:kw2me7DIkeq4p+vmgl/bH6yvs6Bn2ifJDh56UT5XkaM=,tag:0ZQITx1NyQ67nyuTM6anCw==,type:str]
gitea_token: ENC[AES256_GCM,data:dEXglNtESY30IOKEmTamv8Ce5w63D5T4AJWJBO4XNC2iv9/me5zOuw==,iv:DYjWgu0oQMmMmTFiULcn2ZTV8bKVGR8bouItsNYL9/4=,tag:+/G9dzBaQ130r66PQYVxzA==,type:str]
@ -61,8 +62,8 @@ sops:
Kytvc1lyRHRrRXRjaEV0V3ZDcUgzVVkKkqr0FcWUCkTYLIXJKuY5/LJX1odVaF4s
P2BLyjXj81078QjKwTyXskFV36uWM70LoVfkxBRTMZO/4O+BCwRpkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-04T19:00:05Z"
mac: ENC[AES256_GCM,data:HHqjMF4qdoGS74XZbXeVqQBzkI18Mz8K0qvZpv0K4cWbRrwsZKkZvwdtYJSzAbv4MX1ZVg1sRavekae3WUEjTkktrZQb0jJ+0xLdBz6kO9uwN28EhzH2mXF/cyTuzuAblhWGmN7PzOHaGd+bRsmD5ylRQn+Lgwag2oykxAM2bcs=,iv:ng5KCTJ/kuLYEXM5B3sNzIj+Y87QjhDnimIfIzoJ0wc=,tag:hWKPfWkfrfO+obyc2POUXw==,type:str]
lastmodified: "2024-09-23T18:25:52Z"
mac: ENC[AES256_GCM,data:x3n8Ldl1PNBRP0PDM0kJRQNRqrDxW6YSLi7RQkuYfnIUYlZjxCzZGMpo0U2VeZVuVwnTsfrz/lzxAgXa/wCDaW1QqazKvifpXHBGmxPvhlTnAMWX9vCuzvlqiHILPp5CfhpFr0koy2gnnV///eCK+83DEiMbFSpEoXrmJv1uJGU=,iv:Fv8mblYlathiDAZaN38XbJGtj8IFQrP4eivkr31O8j4=,tag://xL98HDX4bCfQlUvmGsWw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0