diff --git a/hosts/nachtigall/apps/matrix/matrix-hookshot.nix b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix new file mode 100644 index 00000000..d2b44c7c --- /dev/null +++ b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix @@ -0,0 +1,112 @@ +{ flake, pkgs, ...}:{ + + age.secrets."matrix-hookshot-registration.yaml" = { + file = "${flake.self}/secrets/matrix-hookshot-registration.yaml.age"; + mode = "400"; + owner = "matrix-synapse"; + }; + + configFile = '' + bot: + avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d + displayname: Hookshot Bot + bridge: + bindAddress: 0.0.0.0 + domain: test.pub.solar + mediaUrl: http://matrix-nginx-proxy:12080 + port: 9993 + url: http://matrix-nginx-proxy:12080 + feeds: + enabled: true + pollIntervalSeconds: 600 + pollTimeoutSeconds: 30 + generic: + allowJsTransformationFunctions: true + enableHttpGet: false + enabled: true + urlPrefix: https://matrix.test.pub.solar/hookshot/webhooks + userIdPrefix: _webhooks_ + waitForComplete: false + gitlab: + instances: + gitlab.com: + url: https://gitlab.com + webhook: + secret: "" + listeners: + - bindAddress: 0.0.0.0 + port: 9000 + resources: + - webhooks + - bindAddress: 0.0.0.0 + port: 9002 + resources: + - provisioning + - bindAddress: 0.0.0.0 + port: 9003 + resources: + - widgets + logging: + level: warn + metrics: + enabled: false + passFile: /data/passkey.pem + permissions: + - actor: pub.solar + services: + - level: commands + service: '*' + - actor: '@axeman:pub.solar' + services: + - level: admin + service: '*' + - actor: '@b12f:pub.solar' + services: + - level: admin + service: '*' + - actor: '@hensoko:pub.solar' + services: + - level: admin + service: '*' + - actor: '@teutat3s:pub.solar' + services: + - level: admin + service: '*' + provisioning: + secret: 1acb44197a5a6d52c6cff38ea07433bfbfe9a83313a6bade + widgets: + addToAdminRooms: false + branding: + widgetTitle: Hookshot Configuration + publicUrl: https://matrix.pub.solar/hookshot/widgetapi/v1/static + roomSetupWidget: + addOnInvite: false + ''; + + systemd.services.matrix-hookshot = { + description = "Matrix-Hookshot, a bridge between Matrix and multiple project management services, such as GitHub, GitLab and JIRA. "; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + DynamicUser = true; + PrivateTmp = true; + UMask = "0027"; + + ExecStart = '' + ${pkgs.matrix-hookshot}/bin/matrix-hookshot + ''; + }; + }; +} diff --git a/secrets/matrix-hookshot-registration.yaml.age b/secrets/matrix-hookshot-registration.yaml.age new file mode 100644 index 00000000..11189a2c Binary files /dev/null and b/secrets/matrix-hookshot-registration.yaml.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7baeeaec..0a4d5897 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -44,6 +44,7 @@ in { "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; + "matrix-hookshot-registration.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;