L-Nafaryus/bonfire
L-Nafaryus/bonfire
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 4 Releases Wiki Activity

Compare commits

base: L-Nafaryus:1836d855d58439cfcfaba91058851f1c19a984c8
Branches Tags
L-Nafaryus:master
L-Nafaryus:devel
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm
...
compare: L-Nafaryus:e0d0da9d8f46b26e77523677744be66ea66ce84e
Branches Tags
L-Nafaryus:devel
L-Nafaryus:master
L-Nafaryus:catarina-radio-service
L-Nafaryus:packages-onetagger
L-Nafaryus:packages-wezterm

2 Commits
1836d855d5 ... e0d0da9d8f

Author SHA1 Message Date
L-Nafaryus
e0d0da9d8f
catarina: matrix and turn services
All checks were successful
nix / check (push) Successful in 3m24s
Details
2024-10-09 22:40:40 +05:00
L-Nafaryus
7aeff65627
new: nixosModules.conduit 2024-10-09 22:39:53 +05:00
9 changed files with 386 additions and 25 deletions
Show Stats Expand all files Collapse all files

16
flake.lock generated
View File

@ -350,6 +350,21 @@
"type": "github"
}
},
"nix-std_2": {
"locked": {
"lastModified": 1710870712,
"narHash": "sha256-e+7MJF2gsgTBuOWv4mCimSP0D9+naeFSw9a7N3yEmv4=",
"owner": "chessai",
"repo": "nix-std",
"rev": "31bbc925750cc9d8f828fe55cee1a2bd985e0c00",
"type": "github"
},
"original": {
"owner": "chessai",
"repo": "nix-std",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
@ -575,6 +590,7 @@
"elnafo-radio": "elnafo-radio",
"fenix": "fenix_2",
"home-manager": "home-manager",
"nix-std": "nix-std_2",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs",
"nixvim": "nixvim",

1
flake.nix
View File

@ -69,6 +69,7 @@
url = "git+https://vcs.elnafo.ru/L-Nafaryus/elnafo-radio";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-std.url = "github:chessai/nix-std";
};
outputs = {self, ...} @ inputs: let

3
lib/default.nix
View File

@ -112,4 +112,7 @@
packagesList;
in
lib.mapAttrs (name: value: lib.mergeAttrsList value) (lib.zipAttrs evaluatedPackages);
# external
inherit (inputs.nix-std.lib.serde) toTOML;
}

1
nixosConfigurations/catarina/default.nix
View File

@ -13,6 +13,7 @@
# ./services/papermc.nix # disabled
./services/gitea.nix
./services/radio.nix
./services/matrix.nix
];
# Nix settings

101
nixosConfigurations/catarina/services/matrix.nix Normal file
View File

@ -0,0 +1,101 @@
{
config,
lib,
pkgs,
...
}: {
services.conduit = {
enable = true;
settings.global = {
allow_registration = true;
server_name = "elnafo.ru";
address = "127.0.0.1";
database_backend = "sqlite";
well_known.client = "https://matrix.elnafo.ru";
well_known.server = "matrix.elnafo.ru:443";
turn_uris = ["turn:elnafo.ru?transport=udp" "turn:elnafo.ru?transport=tcp"];
};
turn_secret_file = config.sops.secrets.turn-secret.path;
};
services.nginx = {
virtualHosts."matrix.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
locations."/" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
virtualHosts."element.elnafo.ru" = {
forceSSL = true;
http2 = true;
useACMEHost = "elnafo.ru";
root = pkgs.element-web.override {
conf = {
default_theme = "dark";
default_server_name = "matrix.elnafo.ru";
brand = "Elnafo Matrix";
permalink_prefix = "https://element.elnafo.ru";
};
};
};
virtualHosts."matrix-federation" = {
serverName = "elnafo.ru";
forceSSL = true;
useACMEHost = "elnafo.ru";
listen = [
{
port = 8448;
addr = "0.0.0.0";
ssl = true;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."~ ^/(_matrix|.well_known)" = {
proxyPass = "http://127.0.0.1:6167";
extraConfig = ''
proxy_http_version 1.0;
client_max_body_size 50M;
'';
};
};
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.coturn-secret.path;
realm = "elnafo.ru";
cert = "${config.security.acme.certs."elnafo.ru".directory}/full.pem";
pkey = "${config.security.acme.certs."elnafo.ru".directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
'';
};
networking.firewall = {
allowedUDPPortRanges = lib.singleton {
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
};
allowedUDPPorts = [3478 5349];
allowedTCPPorts = [8448 3478 5349];
};
}

4
nixosModules/default.nix
View File

@ -11,6 +11,7 @@
./services/qbittorrent-nox.nix
./services/spoofdpi.nix
./services/zapret.nix
./services/conduit.nix
];
configModule = {
@ -24,6 +25,7 @@
# extra arguments
_module.args = {
bonPkgs = self.packages.${pkgs.system};
bonLib = lib.mkDefault bonLib;
};
};
};
@ -44,7 +46,7 @@
...
}: {
# collect all modules
imports = importedModules;
imports = moduleList ++ [configModule];
};
in
lib.listToAttrs (

50
nixosModules/misc/bonfire/secrets/catarina.yaml
View File

@ -1,22 +1,24 @@
dns: ENC[AES256_GCM,data:KIcegw69ZEVY1VnSktZMMjaRhCJVCHn7BCAKvfR/iXs5AseDLVC025WRAy92UuuVYPwBvdHgRQUg8I6lrfr7RTHJooANHUK8D79c2+sAI/KsUw2ENh1tVgdW2A4enQ==,iv:12yEf+u0Ky0vktAfpAuG28mRSKDLyWlWHJ+9EPYqI4w=,tag:9MKTsAUfvzEyEzTd6ba/Jg==,type:str]
dns: ENC[AES256_GCM,data:x2oHP6nGHnPl5WblPHRcBDQCkhj8FZnr5r+cBdaHyrPKxI71ECYmno/ItV/0opj0eGYamQjrVJkuZBGcQlXMMn9Hp4ImjByaX/zqYrdIjSY2B24h8kvnblsXjF6SlA==,iv:QRbiqpCwQ41pfmn3wwNITWdoMI9FzxShsG+fR5lAbl4=,tag:Rknw+qwLZ8No806ek+2zmQ==,type:str]
users:
root: ENC[AES256_GCM,data:nZpmZM0Ws9mVujJhqPKfSJwIqit23pc2TlF6k4iGEzQvf2iROyWN/+b212d/LiAWOoVl3tRkt7EcOiLsLu51DJnQtCGOWGcF5w==,iv:hbNMqy+OxbHsh77zT6a2Yb1lUXwVRvRF1PhSO/15keE=,tag:oe/Y2fWKHNiRamuhY+3xYQ==,type:str]
l-nafaryus: ENC[AES256_GCM,data:RJXjIcSWrG00IqneQVBpvPayVZ/mFNZ16digWF/GaNNGYy+bDPYkglTiMdy5/xfah8BMrwmfID4PKyEBtMiIEx8VlV55N+hJyg==,iv:noFYBRrWMg7dxqAbVuT7uOCK4mQk4U29kiECJLb6QCQ=,tag:dZs6TC8kI9ioRYfhcceT+Q==,type:str]
root: ENC[AES256_GCM,data:NIWAU+rCD7ShRU+ZMWw7D1XlNdhL9iwu6MP53edBFeCdSaiA91uS/n4MDgoQkao3sIE6zl5k/jht8GigZLSbjlj9iGhe3sTngg==,iv:hjimz2SsXf0nNgGhkDx97sg8iWBrne75KSbJLtJUf3k=,tag:4wfCpXew/OtTDZLIQk3cFA==,type:str]
l-nafaryus: ENC[AES256_GCM,data:xXRQH92Hi0qO31pxmlHNLG+fHJRsAFgEs1a1APwNsGRZEVV5UB+ijK1S8dThFN+gnlcLb/gLlypFiK8Vzd7/kCOMyaJYtXJChg==,iv:AgE2X3iUAA/U8YmPawcONvWcxgBDkRdVvye4dTSIBd4=,tag:kkwiaSymObztQTjcfno1DA==,type:str]
database:
git: ENC[AES256_GCM,data:g5Fnb9R/LnKrB6rDQ0ss0wu9SZu7433xfUIzJQKG3SA=,iv:MHEclxa1ldE51hNe0zHsVv5BPdN5RELlkHgZGXxSdTo=,tag:zzKNB0/RehFPrhFQMi/g9w==,type:str]
git: ENC[AES256_GCM,data:noMvwTPWZWb79JtoEh0FLuXotVAXTX51QLcRfmjwxVg=,iv:EMiKZvMNhxpe2gARJ7BUrJFVM3ap/gMhJaRnKEJ7lX8=,tag:y+TAUHijY0NCvlwdg1fS1w==,type:str]
mail:
l-nafaryus: ENC[AES256_GCM,data:8JGjpQxcytZhfYT2JFUspufCnwCISbzBbaY2gN8WpSrlSlhIxVBkcdFnuGl3EJ6kABFX3lEGZomVNtay,iv:9l/x5xiDvkJ8QeqK7LTtQ/nxTckMGTkgujSDLtfWMZM=,tag:6qVUxjgs6QB+MQwog1fksw==,type:str]
git: ENC[AES256_GCM,data:w6odytyieDSJCRdf6og7rX1274Xtd3Mn+Eg5tPFjQv3pN/OVJ1fRk7nGFmHlKqR2VEtUVFHyZHKW4J7+,iv:Lo9yyCNvBxUOlxhLo4PFfT7eZrwZ3d6Yue2U8MBlTfM=,tag:T41aErdaYDI6ns20EBOwyw==,type:str]
kirill: ENC[AES256_GCM,data:ZBFfZufBdRRaeXUWiISVPxGvou78kNn+U1nYSBJ7OR6IqyvZMec+/s3+dDiwySOJ58EYCCqUZ7pq05U0,iv:r+mHKvxfI32Y/AHVN0AQqj3OqkxECuU6LIFNzmGvZ5s=,tag:gJsG2pa2k4gBTD294DuNWg==,type:str]
l-nafaryus: ENC[AES256_GCM,data:0PKuC3fI8gGOg99DtyF84neRRnr1P7cqKti8XSjHUurb4CyLG01+aCzABBJzcAs05oQMjiLbAj0prj6Q,iv:m4PzJ5hJqyyLmNss8/CckrBhDe3HC3HVTCbCvhZf93Y=,tag:uKiZLlmQzuO7mcGhQb3/og==,type:str]
git: ENC[AES256_GCM,data:YxU4Ws+yHgv5RsluX6BhpEnGBiDWZmIx+D8uD7oZr+v18tCSX27mI+T0t4IycPli4SLHUQR4PjGmnJao,iv:yHPkp1QmRWj4Nj4isIYtpe0ROSVLK9biBWJb81P5aew=,tag:+FJ6l4P7onUhKejYVq25Hg==,type:str]
kirill: ENC[AES256_GCM,data:erI0exQOi8JccOQVkWIt8zwvrm45Yrt1MNccBYO2oE5eEuXmeDU7uL92U4h+rDH+NojYpVjl1IaRAyU5,iv:kRvqVs70OzXLOBpZ/bfN0TQMdhqV6RAzQiszPQ4ZIwM=,tag:1whNxpchBdzOiVxCwYAzFA==,type:str]
gitea:
mail: ENC[AES256_GCM,data:LFYWpjHPcu6CQgcUEVcFA0ewZRjzA36wsoATnVGj,iv:Jqn1+6xa+wdkmdG2z9b8jf4DzCqF0I0YSctbiMN2tKw=,tag:aQQJG9STQmnAu+Dp9lj6cg==,type:str]
mail: ENC[AES256_GCM,data:RwQY3sOfcZMTWbvK5NWOprTSKTY5Fn/cECCh1MRC,iv:KjiYDiqmMO8u3m2VArdAva937cqfqNHKKMUkvnpDtkU=,tag:OpkSgrs8Rrz+XG5Q3tw+QQ==,type:str]
gitea-runner:
master-token: ENC[AES256_GCM,data:hZc+sti6I1j3EQQc/wRb5exg0yO6+wq0NCdUJ6FN/wpwyhfWPdEJ5eWw+3bAsEpxdQ==,iv:uJXhf5DZtk1LROyfw8bn5ZjN329LbZyTlaSPMvzeNXs=,tag:IeGUODEvfELc2YS+TUP7/g==,type:str]
master-token: ENC[AES256_GCM,data:VbOnxgDr8Ni0NTdJvnwnppY3Q+/bev7IoVhxTpjGAphxh0tieCPfbnBJweav+l8dtQ==,iv:FzB5h/O0GSeBv1ZzE/zojWR2C6RR90NsxYddreVSmU0=,tag:c1WDgG9BlzvXaf+afzZW5g==,type:str]
papermc:
rcon: ENC[AES256_GCM,data:t6EjQmR+7l9x,iv:Vg3Ht/FNDUSkpRcP4c3hR/GzXMFMH/uD1wkPGn/OyKQ=,tag:++OEAYFK2qE4gM/XMSGH+g==,type:str]
discordToken: ENC[AES256_GCM,data:oRNbi3uDJClyRJgKycvJAt+2ZPT3hU9AVGmB1XMGqObz6O0DpdBlsmSCbwXwhvD2U0cMLUx7fdehdDUXTnk5qLR/eBSwD/k0+0U=,iv:WXRo7iSRn+/4oeHuuEhQsDNrxw1pWt21GDLeinVOmV0=,tag:IHWpKGlkmHwDI7j9MHTbtg==,type:str]
rcon: ENC[AES256_GCM,data:h9DqMN3MAS2X,iv:M72Ku0n1BTaj9TuHmpj+xBcE/6nJvHWKB87HZ3pUKyE=,tag:QRN8e/SXKv0VGyOf9Fq49Q==,type:str]
discordToken: ENC[AES256_GCM,data:dII/1MKdUt/gjl6j+0mIyy0e03BmRwFPBle4fCx5ZYFjQ6zy9ByjFwVYKS8LlXTaPZQGknTBg0QHypRjE3XFW5uzvfp0OfTYm0o=,iv:bSkp6dKYeOuei9OkshO89ihfGMpRXE+8vb0iXEEkv0I=,tag:ICCUF/l8vJfzb/hgF9AYsg==,type:str]
nix-store:
cache-key: ENC[AES256_GCM,data:SH0lBYa6ELoraxKmWo+hb3+rFRjFbVm1mj0YiVKUua5pVnC8Weihk4haTJZ1zShc3ADuinyHD/Ns+576bajWoE5jSGHXlgWQ8P+5fMZ0BkmZEuP5kooWRBk5t1aZilM3LJavwsYiE6E=,iv:KpwDXIXtaiNgVgcUQJJOnA+YLXVhJwILeq2dX1XkXgo=,tag:4kTemsodW0bhW9joQAPzhA==,type:str]
cache-key: ENC[AES256_GCM,data:wEp8XH18N5P+h8EMognt93/VwXVF5/sxvEOrGzba/iK1W4nVZM8pStGAP0wI593MEB7Vobw+slWj4I3wwRJjOpDsK4EsgROUBein84Gn9uqk/liCEqjSAqZkktv4yX5p3dETZw+Ojak=,iv:oVKBfzJP8il3N6lH4JmaPaHSaqkUfmsM6cr+xumjAdE=,tag:+Gj9CzpoQknT+i6xAPZ7dg==,type:str]
matrix:
coturn-secret: ENC[AES256_GCM,data:BWYo08cS4oAYk7aK5yKT7xWkcxhOhxi3mZzl//xB/IqJ70x4ggGoiVudTxE=,iv:4YYWyxnwR1KcpjTNwvzrGWWVobr3LM6H6l/1/fbBQE4=,tag:qmXc+tzYKJR6hErgurx97Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -26,23 +28,23 @@ sops:
- recipient: age1u9xr3tmwskfsrxg6gus3hmh9eakjh2h22jklfmcu33kassaraues435vvc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvajllWmw2U2U3eDFvY0Uw
S09kTGV1RDZVTU42QmlOZXcwWFl2RWNQeldRCklsSERCUUJKS1BNbkt4MWtoWFl3
ZG9BVUFoQ1h5ZGlFelNzMEtIQmliTjgKLS0tIHZCWFBHUEw2TE9Yc0tZemtkUkNN
eXgrOTk1S0tDWWpHUkIveWZZdlYvMTQKyZMAYr6n5figUX2YUAAA37nxA5r1tyXh
F7/l2T4R+cXq3Oywf5EtezOMdl9Xprk0ZoubzT55p0TPtYwCNk6Chg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVmZiM3RqVkphSm5aV0E5
ZW56NjEvdEFyQmI1NlEwaHNYOWN4aEp0bDN3CmcyTDY3QzJLSk5MSXZ4T0xONG5D
NXRQejQrSlRWSHBQbnhVVVY5SGdmQzAKLS0tIGJWRWlPbVVicWhXcm1wMnBjbGpB
aXFvYzkvUDV6RTZTdzViZkVmeHY1MUkKoxyI003op6VxqTNFApFoAzIA1KwvKD51
hjBPkP9e1B3fRWZXysva51G/Y2zc6ylv17qPE5TjaVw9OS2WqTQNWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wyz7cfldqe9hh8qyw2qm42hkq9s7qdwqnrnv0u3s6vstv9649v0sh0z4em
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSkt5NG4wdGVwMDlpMFhv
Vm56L1owRXJ2RTBhUVZ2aXpVVUVrZDV6M0FNCmYxTlNrQko0SmorWUV3VnRkOENK
RDJzQkk0dVA0UVdDWEtxRDJEZFpSWVUKLS0tIGc1NFUzb1dhWUZlQWdpNFA4ZC9J
cFBmaUV4SWx3K21UUDA2YlBVY1NCazgK080jE+EELtQf8PmlaZs4RR+gjJEeEiTn
wwZXV8ufOGtLLwFtYlm8pdMXDtVrBywcRdzSo6/e73Y+GFxulTIFCQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eGVWZnVUMUdyNys4cUFv
czl4THRPOFN6RXl1d3hoUlMzVittUmtjMGl3CnlCOElNVitLdXJQbmMxNTROdHRz
MFl6NmxHWEY3anFsUkxpWGZHZ21iZ2sKLS0tIG1UT0VpaDBRNUpSY2lDcTRJMHpT
ZnlzMlFUcEx5bHltdlg5ODVMVFNHNW8K7x38gdL5sbNLqTXdCxIHuX+yIy+XX8Vi
x90Ltb5GOAMkd6qzgup3bWuQazpZ/Gj25f6ql7L2Oenlw8/8S9vbeQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-05T17:43:22Z"
mac: ENC[AES256_GCM,data:OMwzBcK+KEaxZNTxCnlhDmm9efUkOtMk7vZUfxV9bCny80CdQhp9dD9a9bRPwn+lzgTj3CZLhLAubB3Eh01dqrbZ3DQt/p6xFQ54kCX0a18AHVSIrDcYQNez0MLcOI56RvJDofsO5Dh3i2sFXZ/gaxEjPBQPxlbH1KOrjCm480w=,iv:70i/TOlDF8Vru5FBu0fVb9IkG+Fg83zqcrcuyiHEHBc=,tag:A5qPz8KQl33Z5uHzMlTA0Q==,type:str]
lastmodified: "2024-10-09T07:20:47Z"
mac: ENC[AES256_GCM,data:fJ86HMwKQmbSTsAWAKC1cGxDqwkddTGHfFjQMa74RVxNh+yFlD+gEHFV2GKTRVji8kEUlp4qXqwtKnJ9Fx5zw0P1LHuCE9Q4j1Cxgs/j7XFTNMTvpt/8sVR1YC77Qp9LDwDxdDQK0GV4Z3BzoqjM20BHRbTWtCSyoNRmBP6Wcg8=,iv:BptqL9qXcyc5SaGvPMfUWDd0b22Viy5LJElbNGhpDYQ=,tag:jHMETvWq9IOCk+z63Dntpg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

12
nixosModules/misc/bonfire/secrets/default.nix
View File

@ -42,6 +42,18 @@
group = "nix-serve";
mode = "0600";
};
coturn-secret = lib.mkIf config.services.coturn.enable {
owner = "turnserver";
group = "turnserver";
key = "matrix/coturn-secret";
};
turn-secret = lib.mkIf config.services.conduit.enable {
owner = "conduit";
group = "conduit";
key = "matrix/coturn-secret";
};
};
};

223
nixosModules/services/conduit.nix Normal file
View File

@ -0,0 +1,223 @@
{
config,
lib,
pkgs,
bonLib,
...
}:
with lib; let
cfg = config.services.conduit;
format = pkgs.formats.toml {};
configFile = pkgs.writeText "config.toml" ''
${bonLib.toTOML {global = cfg.settings.global // lib.optionals (cfg.turn_secret_file != null) {turn_secret = "#turn_secret#";};}}
'';
in {
options.services.conduit = {
enable = mkEnableOption "conduit";
extraEnvironment = mkOption {
type = types.attrsOf types.str;
description = "Extra Environment variables to pass to the conduit server.";
default = {};
example = {RUST_BACKTRACE = "yes";};
};
package = mkOption {
type = types.package;
default = pkgs.matrix-conduit;
defaultText = literalExpression "pkgs.matrix-conduit";
description = "The package to use.";
};
turn_secret_file = mkOption {
type = types.nullOr types.path;
default = null;
description = "The path to the file with TURN secret.";
};
settings = mkOption {
type = types.submodule {
#freeformType = format.type;
options = {
global.server_name = mkOption {
type = types.str;
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
};
global.port = mkOption {
type = types.port;
default = 6167;
description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
};
global.max_request_size = mkOption {
type = types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = mkOption {
type = types.bool;
default = false;
description = "Whether new users can register on this server.";
};
global.allow_encryption = mkOption {
type = types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = mkOption {
type = types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = mkOption {
type = types.listOf types.str;
default = ["matrix.org"];
description = "Servers trusted with signing server keys.";
};
global.address = mkOption {
type = types.str;
default = "::1";
description = "Address to listen on for connections by the reverse proxy/tls terminator.";
};
global.database_path = mkOption {
type = types.str;
default = "/var/lib/conduit/";
readOnly = true;
description = ''
Path to the conduit database, the directory where conduit will save its data.
Note that due to using the DynamicUser feature of systemd, this value should not be changed
and is set to be read only.
'';
};
global.database_backend = mkOption {
type = types.enum ["sqlite" "rocksdb"];
default = "sqlite";
example = "rocksdb";
description = ''
The database backend for the service. Switching it on an existing
instance will require manual migration of data.
'';
};
global.allow_check_for_updates = mkOption {
type = types.bool;
default = false;
description = ''
Whether to allow Conduit to automatically contact
<https://conduit.rs> hourly to check for important Conduit news.
Disabled by default because nixpkgs handles updates.
'';
};
global.well_known.client = mkOption {
type = types.nullOr types.str;
default = null;
description = "The URL that clients should use to connect to Conduit.";
};
global.well_known.server = mkOption {
type = types.nullOr types.str;
default = null;
description = "The hostname and port servers should use to connect to Conduit.";
};
global.turn_uris = mkOption {
type = types.listOf types.str;
default = [];
description = "The TURN URIs.";
};
global.turn_secret = mkOption {
type = types.nullOr types.str;
default = null;
description = "The TURN secret.";
};
global.turn_ttl = mkOption {
type = types.int;
default = 86400;
description = "The TURN TTL in seconds.";
};
};
};
default = {};
description = ''
Generates the conduit.toml configuration file. Refer to
<https://docs.conduit.rs/configuration.html>
for details on supported values.
Note that database_path can not be edited because the service's reliance on systemd StateDir.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings.global.turn_secret != null -> cfg.turn_secret_file == null;
message = "settings.global.turn_secret and turn_secret_file cannot be set at the same time";
}
];
users.users.conduit = {
description = "Conduit service user.";
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = {};
systemd.services.conduit = let
runConfig = "/run/conduit/config.toml";
in {
description = "Conduit Matrix Server";
documentation = ["https://gitlab.com/famedly/conduit/"];
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
environment = mkMerge [
{CONDUIT_CONFIG = runConfig;}
cfg.extraEnvironment
];
preStart = ''
cat ${configFile} > ${runConfig}
${lib.optionalString (cfg.turn_secret_file != null) ''
${pkgs.replace-secret}/bin/replace-secret \
"#turn_secret#" \
${cfg.turn_secret_file} \
${runConfig}
''}
chmod 640 ${runConfig}
'';
serviceConfig = {
User = "conduit";
LockPersonality = true;
MemoryDenyWriteExecute = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
StateDirectory = "conduit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduit";
ExecStart = "${cfg.package}/bin/conduit";
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "077";
};
};
systemd.tmpfiles.rules = [
"d /run/conduit 0700 conduit conduit - -"
];
};
}