fix config indentations for signal and remove old secrets

2025-05-27 12:38:46 +02:00
parent 7a85f55a52
commit 6529d08626
5 changed files with 13 additions and 77 deletions


@@ -19,7 +19,6 @@ let
in {
environment.systemPackages = [
pkgs.mautrix-whatsapp
pkgs.mautrix-signal
];
services.nginx = {
@@ -78,7 +77,6 @@ in {
];
app_service_config_files = [
config.age.secrets."services/matrix/whatsapp-registration.yml".path
config.age.secrets."services/matrix/signal-registration.yml".path
];
};
extraConfigFiles = [
@@ -122,43 +120,9 @@ in {
SystemCallFilter="@system-service";
};
};
mautrix-signal = {
description = "Matrix <-> Signal bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
requires = [ "postgresql.service" "matrix-synapse.service" ];
script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
serviceConfig = {
User = "mautrix-signal";
Group = "mautrix-signal";
Environment = "HOME=/var/lib/mautrix-signal";
ReadWritePaths= [
"/var/log/mautrix-signal"
];
NoNewPrivileges=true;
PrivateDevices=true;
PrivateTmp=true;
ProtectHome=true;
ProtectSystem="strict";
ProtectControlGroups=true;
RestrictSUIDSGID=true;
RestrictRealtime=true;
LockPersonality=true;
ProtectKernelLogs=true;
ProtectKernelTunables=true;
ProtectHostname=true;
ProtectKernelModules=true;
PrivateUsers=true;
ProtectClock=true;
SystemCallArchitectures="native";
SystemCallErrorNumber="EPERM";
SystemCallFilter="@system-service";
};
};
};
systemd.tmpfiles.rules = [
"d /var/log/mautrix-whatsapp - mautrix-whatsapp mautrix-whatsapp"
"d /var/log/mautrix-signal - mautrix-signal mautrix-signal"
];
users = {
@@ -270,7 +234,17 @@ in {
};
database = {
type = "postgres";
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE"
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
bridge = {
sync_channel_members = true;
startup_sync = true;
@@ -278,15 +252,6 @@ in {
double_puppet_server_map = {
"kabtop.de" = "https://kabtop.de";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
@@ -327,7 +292,7 @@ in {
file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
owner = "mautrix-whatsapp";
};
age.secrets."services/matrix/mautrix-signal.yml" = {
age.secrets."services/matrix/mautrix-signal.env" = {
file = ../../../secrets/services/matrix/mautrix-signal.age;
owner = "mautrix-signal";
};
@@ -335,9 +300,5 @@ in {
file = ../../../secrets/services/matrix/whatsapp-registration.age;
owner = "matrix-synapse";
};
age.secrets."services/matrix/signal-registration.yml" = {
file = ../../../secrets/services/matrix/signal-registration.age;
owner = "matrix-synapse";
};
}
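Review bot: The secret declared on the new side of the `@@ -327,7 +292,7 @@` hunk is renamed from `"services/matrix/mautrix-signal.yml"` to `"services/matrix/mautrix-signal.env"`, yet it still decrypts the unchanged `../../../secrets/services/matrix/mautrix-signal.age`; unless that file was re-encrypted as `KEY=VALUE` lines defining `MAUTRIX_SIGNAL_APPSERVICE_DATABASE` and `MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY`, the `$…` placeholders written into `database.uri` and `encryption.pickle_key` in the `@@ -270,7 +234,17 @@` hunk will never be substituted and the bridge will receive them as literal strings. The commit message says old secrets were removed, so this is presumably handled in one of the other four changed files, but it is worth confirming, since these two values are exactly the ones that must not end up inlined in a world-readable generated config. The deleted `systemd.services.mautrix-signal` unit also carried an explicit sandbox (`ProtectSystem="strict"`, `PrivateUsers=true`, `SystemCallFilter="@system-service"`, …) plus a `ReadWritePaths`/tmpfiles entry for `/var/log/mautrix-signal`; whatever now starts the bridge is outside this file section, so check that it applies equivalent hardening and that nothing still expects that log directory. The enclosing `in { … }` attribute set opens before the first hunk.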