From 530a399ff4cd1524c5efe8b2969b5f522c57dc5e Mon Sep 17 00:00:00 2001
From: Malte Brandy
Date: Fri, 4 Jun 2021 01:23:30 +0200
Subject: [PATCH] Fix signal bridge
---
 nixos/machines/hera/configuration.nix | 1 +
 nixos/roles/matrix-signal/default.nix | 1 -
 .../matrix-signal/mautrix-signal-module.nix | 86 ++++++++++++-------
 nixos/roles/matrix-signal/signald-module.nix | 1 +
 4 files changed, 58 insertions(+), 31 deletions(-)
diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix
index 7b42d42d..21a10905 100644
--- a/nixos/machines/hera/configuration.nix
+++ b/nixos/machines/hera/configuration.nix
@@ -19,6 +19,7 @@ in
 ../../roles/blog.nix
 ../../roles/email2matrix.nix
 ../../roles/matrix-synapse
+ ../../roles/matrix-signal
 ../../roles/coturn.nix
 ../../roles/go-neb.nix
 ../../roles/laminar
diff --git a/nixos/roles/matrix-signal/default.nix b/nixos/roles/matrix-signal/default.nix
index 576075ef..056b64e6 100644
--- a/nixos/roles/matrix-signal/default.nix
+++ b/nixos/roles/matrix-signal/default.nix
@@ -13,7 +13,6 @@ in
 services.mautrix-signal = {
 enable = true;
- environmentFile = pkgs.privateFile "mautrix-signal.env";
 settings = {
 homeserver = {
 address = "http://localhost:${builtins.toString synapse-port}";
diff --git a/nixos/roles/matrix-signal/mautrix-signal-module.nix b/nixos/roles/matrix-signal/mautrix-signal-module.nix
index 71cd7e75..0bae041e 100644
--- a/nixos/roles/matrix-signal/mautrix-signal-module.nix
+++ b/nixos/roles/matrix-signal/mautrix-signal-module.nix
@@ -83,22 +83,6 @@ in
 Configuration options should match those described in example-config.yaml.
-
-
-
- Secret tokens should be specified using
- instead of this world-readable attribute set.
- '';
- };
-
- environmentFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- File containing environment variables to be passed to the mautrix-signal service,
- in which secret tokens can be specified securely by defining values for
- MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN,
- MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN,
 '';
 };
@@ -113,6 +97,19 @@ in
 };
 config = mkIf cfg.enable {
+ services.postgresql =
+ {
+ ensureDatabases = [ "mautrix-signal" ];
+ ensureUsers = [
+ {
+ name = "mautrix-signal";
+ ensurePermissions = {
+ "DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+ services.matrix-synapse.app_service_config_files = [ registrationFile ];
 systemd.services.mautrix-signal = {
 description = "Mautrix-Signal, a Matrix-Signal hybrid puppeting/relaybot bridge.";
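Review bot: The new `services.postgresql.ensureDatabases`/`ensureUsers` entries create the database only if PostgreSQL is enabled on this host, and nothing orders the bridge after it: the unit's `after` (unchanged, at the top of the next hunk) names only `network-online.target` and `signald.target`, so at boot mautrix-signal may start before its database is up and rely on `Restart = "always"` to recover. Add `"postgresql.service"` to `after` and to `requires` of `systemd.services.mautrix-signal` unless that is already done outside this hunk, and consider an assertion on `services.postgresql.enable` so a host without PostgreSQL fails at evaluation rather than at runtime. The database name `mautrix-signal` is fixed here rather than taken from `cfg.settings`, so the `settings` option description should state that the bridge's database URL is expected to point at this local database and role.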
@@ -121,26 +118,41 @@ in
 after = [ "network-online.target" "signald.target" ];
 preStart = ''
- # Not all secrets can be passed as environment variable (yet)
- [ -f ${settingsFile} ] && rm -f ${settingsFile}
 old_umask=$(umask)
- umask 0277
- ${pkgs.envsubst}/bin/envsubst \
- -o ${settingsFile} \
- -i ${settingsFileUnsubstituted}
- umask $old_umask
+ makeSettingsFile () {
+ tempjson=$(${pkgs.coreutils}/bin/mktemp)
+ ${pkgs.yq}/bin/yq . '${registrationFile}' > "$tempjson"
+ [ -f ${settingsFile} ] && rm -f ${settingsFile}
+ umask 0277
+ ${pkgs.jq}/bin/jq '.[0] * { appservice : { as_token: .[1].as_token, hs_token: .[1].hs_token }}' \
+ -s '${settingsFileUnsubstituted}' $tempjson > '${settingsFile}'
+ rm $tempjson
+ umask $old_umask
+ }
- # generate the appservice's registration file if absent
- if [ ! -f '${registrationFile}' ]; then
+ if [ -f '${registrationFile}' ]; then
+ makeSettingsFile
+ else
+ umask 0277
+ cp '${settingsFileUnsubstituted}' '${settingsFile}'
+ umask 0077
+ # generate the appservice's registration file if absent
 ${pkgs.mautrix-signal}/bin/mautrix-signal \
 --generate-registration \
- --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
 --config='${settingsFile}' \
- --registration='${registrationFile}'
+ --registration='${registrationFile}' \
+ -n
+ umask $old_umask
+ makeSettingsFile
+ fi
+ # Allow synapse access to the registration
+ if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then
+ chgrp matrix-synapse ${registrationFile}
+ chmod g+r ${registrationFile}
 fi
 '';
- serviceConfig = {
+ serviceConfig = rec {
 Type = "simple";
 Restart = "always";
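Review bot: In `makeSettingsFile` the jq filter copies `.[1].as_token` and `.[1].hs_token` out of the registration file without checking they are present, so a truncated or hand-edited registration yields a settings file with null tokens and the bridge starts unable to authenticate to synapse; `as_token: (.[1].as_token // error("as_token missing"))` (and the same for `hs_token`) makes preStart fail loudly instead. `$tempjson` is unquoted in the jq invocation and in `rm $tempjson`, unlike the yq line above it; quote both. The temporary JSON holds both appservice tokens; `mktemp` creates it 0600, but whether `PrivateTmp` is set for this unit is not visible in the hunk, so confirm it or drop the temp file by feeding the registration to `yq` directly if the installed yq accepts jq's `-s`. The `systemd.services.mautrix-signal` attribute set that contains this `preStart` begins before the hunk and continues after it.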
@@ -149,13 +161,21 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
+ User = "mautrix-signal";
+ Group = "mautrix-signal";
+
+ CapabilityBoundingSet = [ "CAP_CHOWN" ];
+ AmbientCapabilities = CapabilityBoundingSet;
+ NoNewPrivileges = true;
+
+ LockPersonality = true;
+ RestrictRealtime = true;
- DynamicUser = true;
 SupplementaryGroups = [ "signald" ];
 BindPaths = "/var/lib/signald";
 StateDirectory = baseNameOf dataDir;
+ StateDirectoryMode = "711";
 UMask = 0023;
- EnvironmentFile = cfg.environmentFile;
 ExecStart = ''
 ${pkgs.mautrix-signal}/bin/mautrix-signal \
@@ -168,6 +188,12 @@ in
 restartTriggers = [ settingsFileUnsubstituted ];
 };
+ users.groups.mautrix-signal = { };
+ users.users.mautrix-signal = {
+ description = "Service user for the Matrix-Signal bridge";
+ group = "mautrix-signal";
+ isSystemUser = true;
+ };
 };
 meta.maintainers = with maintainers; [ expipiplus1 ];
diff --git a/nixos/roles/matrix-signal/signald-module.nix b/nixos/roles/matrix-signal/signald-module.nix
index 3c9ba7c9..3d1f1718 100644
--- a/nixos/roles/matrix-signal/signald-module.nix
+++ b/nixos/roles/matrix-signal/signald-module.nix
@@ -28,6 +28,7 @@ in
 config = mkIf cfg.enable {
 users.users."signald" = { isSystemUser = true; };
 users.groups."signald" = { };
+ systemd.tmpfiles.rules = [ "z /var/lib/signald/avatars 0750 signald signald - -" ];
 systemd.services.signald = {
 description = "A daemon for interacting with the Signal Private Messenger";
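Review bot: `CapabilityBoundingSet = [ "CAP_CHOWN" ]` together with `AmbientCapabilities = CapabilityBoundingSet` hands CAP_CHOWN to the long-running bridge process, although its only use is the `chgrp matrix-synapse` of the registration file in preStart (previous hunk); a privileged `ExecStartPre = "+…"` step that performs just that chgrp/chmod as root, with `CapabilityBoundingSet = [ ]` and no `AmbientCapabilities`, leaves the Python process without any capability. The `rec` on `serviceConfig` exists only to reference `CapabilityBoundingSet` and can go with it. `StateDirectoryMode = "711"` makes the state directory traversable by every local user so synapse can reach the registration, which is acceptable only while the files inside stay 0400/0640 as preStart sets them; a comment such as `# 711: synapse must traverse the directory to read the registration file` would keep the value from being tightened or loosened without that context. The `ExecStart` at the end of this hunk continues outside it.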