diff --git a/nixos/roles/matrix-signal/default.nix b/nixos/roles/matrix-signal/default.nix
index 825e1d12..424b1584 100644
--- a/nixos/roles/matrix-signal/default.nix
+++ b/nixos/roles/matrix-signal/default.nix
@@ -4,7 +4,12 @@
     ./mautrix-signal-module.nix
   ];
-  services.signald.enable = true;
+  services.signald = {
+    enable = true;
+    user = "mautrix-signal";
+    group = "mautrix-signal";
+  };
+
   services.mautrix-signal = {
     enable = true;
diff --git a/nixos/roles/matrix-signal/mautrix-signal-module.nix b/nixos/roles/matrix-signal/mautrix-signal-module.nix
index 1dd372f3..75fdcfc3 100644
--- a/nixos/roles/matrix-signal/mautrix-signal-module.nix
+++ b/nixos/roles/matrix-signal/mautrix-signal-module.nix
@@ -33,6 +33,10 @@ in
         double_puppet_server_map = { };
         login_shared_secret_map = { };
       };
+      signal = {
+        socket_path = "/run/signald/signald.sock";
+        outgoing_attachment_dir = "/var/lib/signald/tmp";
+      };
       logging = {
         version = 1;
@@ -164,7 +168,6 @@ in
         ProtectKernelModules = true;
         ProtectControlGroups = true;
         User = "mautrix-signal";
-        Group = "signald";
         CapabilityBoundingSet = [ "CAP_CHOWN" ];
         AmbientCapabilities = CapabilityBoundingSet;
@@ -173,7 +176,8 @@ in
         LockPersonality = true;
         RestrictRealtime = true;
-        SupplementaryGroups = [ "signald" ];
+        ReadWritePaths = [ "/var/lib/signald" ];
+        BindPaths = "/var/lib/signald";
         StateDirectory = baseNameOf dataDir;
         StateDirectoryMode = "771";
@@ -184,17 +188,15 @@ in
           --config='${settingsFile}'
         '';
       };
-      unitConfig = {
-        JoinsNamespaceOf = "signald.service";
-      };
       restartTriggers = [ settingsFileUnsubstituted ];
     };
     users.users.mautrix-signal = {
       description = "Service user for the Matrix-Signal bridge";
-      group = "signald";
       isSystemUser = true;
+      group = "mautrix-signal";
     };
+    users.groups.mautrix-signal = { };
   };
   meta.maintainers = with maintainers; [ expipiplus1 ];
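Review bot: Running signald under the bridge's own account (`user = "mautrix-signal"`, `group = "mautrix-signal"`) removes the ownership boundary between the two services, so the per-unit sandboxing in mautrix-signal-module.nix no longer keeps the bridge process from reading or rewriting signald's state (including whatever account material lives under /var/lib/signald) directly, and that trade-off is recorded nowhere in the file. Add a comment above the block, e.g. `# signald runs as the bridge's uid so the bridge reaches its socket and attachment dir without JoinsNamespaceOf/shared groups; a compromised bridge therefore has full access to signald's state.` The account itself is declared in the imported mautrix-signal-module.nix rather than here, so it is also worth confirming that the signald module accepts a user it does not create and that an existing /var/lib/signald is re-owned to the new uid on the first start after this change, since that cannot be seen from this hunk.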
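Review bot: `socket_path` and `outgoing_attachment_dir` hard-code signald's runtime and state locations, and the same `/var/lib/signald` literal is repeated in the `ReadWritePaths`/`BindPaths` hunk further down, so the three can drift silently if signald's directories are ever moved. If the signald module exposes its socket path or state directory as options (not visible here), reference those; otherwise bind the string once in the `let` block that the `in` hunk context indicates sits above this hunk, e.g. `signaldStateDir = "/var/lib/signald";`, and derive both settings and the sandbox paths from it. The enclosing settings attrset starts outside the hunk.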
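Review bot: `ReadWritePaths = [ "/var/lib/signald" ]` grants the bridge write access to all of signald's state directory, although the settings hunk only points it at the attachment directory; scope it to what is needed, `ReadWritePaths = [ "/var/lib/signald/tmp" ];`, so a bug in the bridge cannot alter signald's database. `BindPaths = "/var/lib/signald"` binds the directory onto itself, which only does something if another option (such as `ProtectSystem = "strict"` or `TemporaryFileSystem`, neither visible in this hunk) would otherwise hide it; if it is a leftover of the dropped `JoinsNamespaceOf` approach it should go, and if it is needed it should be written as a list like `ReadWritePaths` for consistency. The socket in /run/signald is covered by neither option, so presumably the unit already leaves /run reachable — worth confirming. The serviceConfig attrset starts and ends outside the hunk.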