diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix
index 7b42d42d..21a10905 100644
--- a/nixos/machines/hera/configuration.nix
+++ b/nixos/machines/hera/configuration.nix
@@ -19,6 +19,7 @@ in
../../roles/blog.nix
../../roles/email2matrix.nix
../../roles/matrix-synapse
+ ../../roles/matrix-signal
../../roles/coturn.nix
../../roles/go-neb.nix
../../roles/laminar
diff --git a/nixos/roles/matrix-signal/default.nix b/nixos/roles/matrix-signal/default.nix
index 576075ef..056b64e6 100644
--- a/nixos/roles/matrix-signal/default.nix
+++ b/nixos/roles/matrix-signal/default.nix
@@ -13,7 +13,6 @@ in
services.mautrix-signal = {
enable = true;
- environmentFile = pkgs.privateFile "mautrix-signal.env";
settings = {
homeserver = {
address = "http://localhost:${builtins.toString synapse-port}";
diff --git a/nixos/roles/matrix-signal/mautrix-signal-module.nix b/nixos/roles/matrix-signal/mautrix-signal-module.nix
index 71cd7e75..0bae041e 100644
--- a/nixos/roles/matrix-signal/mautrix-signal-module.nix
+++ b/nixos/roles/matrix-signal/mautrix-signal-module.nix
@@ -83,22 +83,6 @@ in
Configuration options should match those described in
example-config.yaml.
-
-
-
- Secret tokens should be specified using
- instead of this world-readable attribute set.
- '';
- };
-
- environmentFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- File containing environment variables to be passed to the mautrix-signal service,
- in which secret tokens can be specified securely by defining values for
- MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN,
- MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN,
'';
};
@@ -113,6 +97,19 @@ in
};
config = mkIf cfg.enable {
+ services.postgresql =
+ {
+ ensureDatabases = [ "mautrix-signal" ];
+ ensureUsers = [
+ {
+ name = "mautrix-signal";
+ ensurePermissions = {
+ "DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+ services.matrix-synapse.app_service_config_files = [ registrationFile ];
systemd.services.mautrix-signal = {
description = "Mautrix-Signal, a Matrix-Signal hybrid puppeting/relaybot bridge.";
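Review bot: The new services.postgresql block declares the database and role but never sets `services.postgresql.enable = true;`, so on a host where nothing else enables PostgreSQL the ensureDatabases/ensureUsers entries are inert and the bridge comes up without its database. Either add the enable line next to them or an assertion on `config.services.postgresql.enable` so the misconfiguration fails at evaluation rather than at runtime. Note also that `ensurePermissions` has been superseded by `ensureDBOwnership` in newer NixOS releases; whether that bites depends on the channel this tree tracks. Handing `registrationFile` to synapse via app_service_config_files means synapse reads a file that only exists after the bridge's first preStart has generated and chgrp'd it, so a first-boot ordering failure looks possible — an explicit `before = [ "matrix-synapse.service" ];` on the bridge unit, or a guard, would make that deterministic.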
@@ -121,26 +118,41 @@ in
after = [ "network-online.target" "signald.target" ];
preStart = ''
- # Not all secrets can be passed as environment variable (yet)
- [ -f ${settingsFile} ] && rm -f ${settingsFile}
old_umask=$(umask)
- umask 0277
- ${pkgs.envsubst}/bin/envsubst \
- -o ${settingsFile} \
- -i ${settingsFileUnsubstituted}
- umask $old_umask
+ makeSettingsFile () {
+ tempjson=$(${pkgs.coreutils}/bin/mktemp)
+ ${pkgs.yq}/bin/yq . '${registrationFile}' > "$tempjson"
+ [ -f ${settingsFile} ] && rm -f ${settingsFile}
+ umask 0277
+ ${pkgs.jq}/bin/jq '.[0] * { appservice : { as_token: .[1].as_token, hs_token: .[1].hs_token }}' \
+ -s '${settingsFileUnsubstituted}' $tempjson > '${settingsFile}'
+ rm $tempjson
+ umask $old_umask
+ }
- # generate the appservice's registration file if absent
- if [ ! -f '${registrationFile}' ]; then
+ if [ -f '${registrationFile}' ]; then
+ makeSettingsFile
+ else
+ umask 0277
+ cp '${settingsFileUnsubstituted}' '${settingsFile}'
+ umask 0077
+ # generate the appservice's registration file if absent
${pkgs.mautrix-signal}/bin/mautrix-signal \
--generate-registration \
- --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
--config='${settingsFile}' \
- --registration='${registrationFile}'
+ --registration='${registrationFile}' \
+ -n
+ umask $old_umask
+ makeSettingsFile
+ fi
+ # Allow synapse access to the registration
+ if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then
+ chgrp matrix-synapse ${registrationFile}
+ chmod g+r ${registrationFile}
fi
'';
- serviceConfig = {
+ serviceConfig = rec {
Type = "simple";
Restart = "always";
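Review bot: In makeSettingsFile the temporary JSON copy of the registration, which carries as_token and hs_token, is only deleted on the success path; NixOS runs preStart in a `set -e` shell as far as I recall, so a yq or jq failure exits before `rm $tempjson` and leaves the token copy in TMPDIR (mktemp creates it 0600, limiting exposure to the service user, but it persists across restarts). Register the cleanup right after creation — `tempjson=$(${pkgs.coreutils}/bin/mktemp)` followed by `trap 'rm -f "$tempjson"' EXIT` — and quote the expansion on the jq and rm lines as `"$tempjson"`. The chgrp/chmod lines at the end use an unquoted `${registrationFile}` while every other use of that path in the script is single-quoted; keep one style. The purpose of the new `-n` flag on the --generate-registration call is not evident from the diff; a one-line comment naming what it changes would help the next reader.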
@@ -149,13 +161,21 @@ in
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
+ User = "mautrix-signal";
+ Group = "mautrix-signal";
+
+ CapabilityBoundingSet = [ "CAP_CHOWN" ];
+ AmbientCapabilities = CapabilityBoundingSet;
+ NoNewPrivileges = true;
+
+ LockPersonality = true;
+ RestrictRealtime = true;
- DynamicUser = true;
SupplementaryGroups = [ "signald" ];
BindPaths = "/var/lib/signald";
StateDirectory = baseNameOf dataDir;
+ StateDirectoryMode = "711";
UMask = 0023;
- EnvironmentFile = cfg.environmentFile;
ExecStart = ''
${pkgs.mautrix-signal}/bin/mautrix-signal \
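Review bot: `AmbientCapabilities = CapabilityBoundingSet` hands CAP_CHOWN to the long-running bridge process, yet the only consumer is the `chgrp matrix-synapse` in preStart, so the ExecStart'd mautrix-signal keeps the ability to re-own anything it can reach under BindPaths and its state directory for its whole lifetime. Do that ownership fix-up in an `ExecStartPre` entry prefixed with `+` (which systemd runs with full privileges, outside the unit's sandbox) and then set `CapabilityBoundingSet = "";`, dropping AmbientCapabilities and the `rec`, which exists only for that alias. `StateDirectoryMode = "711"` makes the state directory traversable by every local user; presumably this is so synapse can reach the registration file, and the group-only read bit on that file still protects it, but a comment stating that intent would stop a later cleanup from tightening it back to 0750 and silently breaking synapse. The ExecStart value continues past the end of the hunk.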
@@ -168,6 +188,12 @@ in
restartTriggers = [ settingsFileUnsubstituted ];
};
+ users.groups.mautrix-signal = { };
+ users.users.mautrix-signal = {
+ description = "Service user for the Matrix-Signal bridge";
+ group = "mautrix-signal";
+ isSystemUser = true;
+ };
};
meta.maintainers = with maintainers; [ expipiplus1 ];
diff --git a/nixos/roles/matrix-signal/signald-module.nix b/nixos/roles/matrix-signal/signald-module.nix
index 3c9ba7c9..3d1f1718 100644
--- a/nixos/roles/matrix-signal/signald-module.nix
+++ b/nixos/roles/matrix-signal/signald-module.nix
@@ -28,6 +28,7 @@ in
config = mkIf cfg.enable {
users.users."signald" = { isSystemUser = true; };
users.groups."signald" = { };
+ systemd.tmpfiles.rules = [ "z /var/lib/signald/avatars 0750 signald signald - -" ];
systemd.services.signald = {
description = "A daemon for interacting with the Signal Private Messenger";