services: matrix bridge fix signal
This commit is contained in:
parent
f5b6f5fb8f
commit
91c5be61fd
@ -101,20 +101,61 @@ in {
|
|||||||
User = "mautrix-whatsapp";
|
User = "mautrix-whatsapp";
|
||||||
Group = "mautrix-whatsapp";
|
Group = "mautrix-whatsapp";
|
||||||
Environment = "HOME=/var/lib/mautrix-whatsapp";
|
Environment = "HOME=/var/lib/mautrix-whatsapp";
|
||||||
|
ReadWritePaths="/var/log/mautrix-whatsapp";
|
||||||
|
NoNewPrivileges=true;
|
||||||
|
MemoryDenyWriteExecute=true;
|
||||||
|
PrivateDevices=true;
|
||||||
PrivateTmp=true;
|
PrivateTmp=true;
|
||||||
|
ProtectHome=true;
|
||||||
|
ProtectSystem="strict";
|
||||||
|
ProtectControlGroups=true;
|
||||||
|
RestrictSUIDSGID=true;
|
||||||
|
RestrictRealtime=true;
|
||||||
|
LockPersonality=true;
|
||||||
|
ProtectKernelLogs=true;
|
||||||
|
ProtectKernelTunables=true;
|
||||||
|
ProtectHostname=true;
|
||||||
|
ProtectKernelModules=true;
|
||||||
|
PrivateUsers=true;
|
||||||
|
ProtectClock=true;
|
||||||
|
SystemCallArchitectures="native";
|
||||||
|
SystemCallErrorNumber="EPERM";
|
||||||
|
SystemCallFilter="@system-service";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
mautrix-signal = {
|
mautrix-signal = {
|
||||||
description = "Matrix <-> Signal bridge";
|
description = "Matrix <-> Signal bridge";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" "postgresql.service" "matrix-synapse.service" ];
|
after = [ "network.target" "postgresql.service" "matrix-synapse.service" "signald.service" ];
|
||||||
requires = [ "postgresql.service" "matrix-synapse.service" "signald.service"];
|
requires = [ "postgresql.service" "matrix-synapse.service" "signald.service"];
|
||||||
script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
|
script = "${pkgs.mautrix-signal}/bin/mautrix-signal -n --config ${config.age.secrets."services/matrix/mautrix-signal.yml".path}";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "mautrix-signal";
|
User = "mautrix-signal";
|
||||||
Group = "mautrix-signal";
|
Group = "mautrix-signal";
|
||||||
Environment = "HOME=/var/lib/mautrix-whatsapp";
|
Environment = "HOME=/var/lib/mautrix-signal";
|
||||||
|
ReadWritePaths= [
|
||||||
|
"/var/run/signald/signald.sock"
|
||||||
|
"/var/log/mautrix-signal"
|
||||||
|
];
|
||||||
|
NoNewPrivileges=true;
|
||||||
|
MemoryDenyWriteExecute=true;
|
||||||
|
PrivateDevices=true;
|
||||||
PrivateTmp=true;
|
PrivateTmp=true;
|
||||||
|
ProtectHome=true;
|
||||||
|
ProtectSystem="strict";
|
||||||
|
ProtectControlGroups=true;
|
||||||
|
RestrictSUIDSGID=true;
|
||||||
|
RestrictRealtime=true;
|
||||||
|
LockPersonality=true;
|
||||||
|
ProtectKernelLogs=true;
|
||||||
|
ProtectKernelTunables=true;
|
||||||
|
ProtectHostname=true;
|
||||||
|
ProtectKernelModules=true;
|
||||||
|
PrivateUsers=true;
|
||||||
|
ProtectClock=true;
|
||||||
|
SystemCallArchitectures="native";
|
||||||
|
SystemCallErrorNumber="EPERM";
|
||||||
|
SystemCallFilter="@system-service";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -199,6 +240,8 @@ in {
|
|||||||
};
|
};
|
||||||
signald = {
|
signald = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
user = "mautrix-signal";
|
||||||
|
group = "mautrix-signal";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
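Review bot: Under `ProtectSystem="strict"` the only writable paths for the new mautrix-signal unit are the two `ReadWritePaths` entries, so `/var/lib/mautrix-signal` — the HOME set a few lines above — is read-only at runtime, and the same holds for `/var/lib/mautrix-whatsapp` in the whatsapp block earlier in the first hunk; if either bridge writes anything under HOME (state, a local database, registration output) it will fail with EROFS, and the usual fix is `StateDirectory = "mautrix-signal";` / `StateDirectory = "mautrix-whatsapp";`, which also creates the directory with the right owner and keeps it writable under `strict`. In the second hunk, running signald as `mautrix-signal` puts the Signal identity material signald keeps and the bridge process under one uid, so a compromised bridge presumably gains direct read access to signald's data; keeping separate users and sharing only the socket via a common group would preserve that boundary, though it should be confirmed to still work with `PrivateUsers=true` on the bridge. Since the point of this commit is hardening, both units could additionally set `CapabilityBoundingSet = "";` and `RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";`, which the current lists omit. As a matter of style, the `serviceConfig` blocks mix `User = "..."` with `NoNewPrivileges=true;` and `ReadWritePaths= [`; one spacing convention around `=` would make the lists easier to scan. The enclosing attribute set starts before the first hunk.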