diff --git a/hosts/nachtigall/apps/matrix/matrix-hookshot.nix b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix
new file mode 100644
index 0000000..d2b44c7
--- /dev/null
+++ b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix
@@ -0,0 +1,112 @@
+{ flake, pkgs, ...}:{
+
+ age.secrets."matrix-hookshot-registration.yaml" = {
+ file = "${flake.self}/secrets/matrix-hookshot-registration.yaml.age";
+ mode = "400";
+ owner = "matrix-synapse";
+ };
+
+ configFile = ''
+ bot:
+ avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+ displayname: Hookshot Bot
+ bridge:
+ bindAddress: 0.0.0.0
+ domain: test.pub.solar
+ mediaUrl: http://matrix-nginx-proxy:12080
+ port: 9993
+ url: http://matrix-nginx-proxy:12080
+ feeds:
+ enabled: true
+ pollIntervalSeconds: 600
+ pollTimeoutSeconds: 30
+ generic:
+ allowJsTransformationFunctions: true
+ enableHttpGet: false
+ enabled: true
+ urlPrefix: https://matrix.test.pub.solar/hookshot/webhooks
+ userIdPrefix: _webhooks_
+ waitForComplete: false
+ gitlab:
+ instances:
+ gitlab.com:
+ url: https://gitlab.com
+ webhook:
+ secret: ""
+ listeners:
+ - bindAddress: 0.0.0.0
+ port: 9000
+ resources:
+ - webhooks
+ - bindAddress: 0.0.0.0
+ port: 9002
+ resources:
+ - provisioning
+ - bindAddress: 0.0.0.0
+ port: 9003
+ resources:
+ - widgets
+ logging:
+ level: warn
+ metrics:
+ enabled: false
+ passFile: /data/passkey.pem
+ permissions:
+ - actor: pub.solar
+ services:
+ - level: commands
+ service: '*'
+ - actor: '@axeman:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@b12f:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@hensoko:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@teutat3s:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ provisioning:
+ secret: 1acb44197a5a6d52c6cff38ea07433bfbfe9a83313a6bade
+ widgets:
+ addToAdminRooms: false
+ branding:
+ widgetTitle: Hookshot Configuration
+ publicUrl: https://matrix.pub.solar/hookshot/widgetapi/v1/static
+ roomSetupWidget:
+ addOnInvite: false
+ '';
+
+ systemd.services.matrix-hookshot = {
+ description = "Matrix-Hookshot, a bridge between Matrix and multiple project management services, such as GitHub, GitLab and JIRA. 
"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + + ProtectSystem = "strict"; + ProtectHome = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + + DynamicUser = true; + PrivateTmp = true; + UMask = "0027"; + + ExecStart = '' + ${pkgs.matrix-hookshot}/bin/matrix-hookshot + ''; + }; + }; +} diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index da6edee..eaee415 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -6,10 +6,10 @@ let add_header X-XSS-Protection "1; mode=block"; ''; clientConfig = import ./matrix/element-client-config.nix; - wellKnownClient = { - "m.homeserver".base_url = "https://matrix.pub.solar"; - "m.identity_server".base_url = "https://matrix.pub.solar"; - "org.matrix.msc3575.proxy".url = "https://matrix.pub.solar/sliding-sync"; + wellKnownClient = domain: { + "m.homeserver".base_url = "https://matrix.${domain}"; + "m.identity_server".base_url = "https://matrix.${domain}"; + "org.matrix.msc3575.proxy".url = "https://matrix.${domain}/sliding-sync"; "im.vector.riot.e2ee".default = true; "io.element.e2ee" = { default = true; 
@@ -19,21 +19,21 @@ let
 "m.integrations" = {
 managers = [
 {
- api_url = "https://dimension.pub.solar/api/v1/scalar";
- ui_url = "https://dimension.pub.solar/element";
+ api_url = "https://dimension.${domain}/api/v1/scalar";
+ ui_url = "https://dimension.${domain}/element";
 }
 ];
 };
 };
- wellKnownServer."m.server" = "matrix.pub.solar:8448";
+ wellKnownServer = domain: { "m.server" = "${domain}:8448"; };
 mkWellKnown = data: ''
 add_header Content-Type application/json;
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
- wellKnownLocations = {
- "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer;
- "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient;
+ wellKnownLocations = domain: {
+ "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain);
+ "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain);
 };
 in
 {
@@ -44,7 +44,7 @@ in
 #####################################
 "pub.solar" = {
- locations = wellKnownLocations;
+ locations = wellKnownLocations "pub.solar";
 };
 #######################################
@@ -70,7 +70,7 @@ in
 gzip on;
 gzip_types text/plain application/json;
 '';
- locations = wellKnownLocations // {
+ locations = (wellKnownLocations "test.pub.solar") // {
 # TODO: Configure metrics
 # "/metrics" = {
 # };
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 8800356..72fe55b 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -25,6 +25,7 @@
 ./apps/postgresql.nix
 ./apps/searx.nix
+ ./apps/matrix/matrix-hookshot.nix
 ./apps/matrix/mautrix-telegram.nix
 ./apps/matrix/synapse.nix
 ./apps/nginx-matrix.nix
diff --git a/secrets/matrix-hookshot-registration.yaml.age b/secrets/matrix-hookshot-registration.yaml.age
new file mode 100644
index 0000000..11189a2
Binary files /dev/null and b/secrets/matrix-hookshot-registration.yaml.age differ
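Review bot: `wellKnownServer = domain: { "m.server" = "${domain}:8448"; }` changes the federation delegation target rather than merely parameterising it: the removed line pointed `m.server` at `matrix.pub.solar:8448`, whereas the new form yields `pub.solar:8448` for the `wellKnownLocations "pub.solar"` call in the next hunk and `test.pub.solar:8448` for the last hunk. Unless something outside this diff terminates federation on port 8448 of the apex hosts, remote homeservers will stop reaching the server after this lands; since the client well-known in the previous hunk keeps the `matrix.` prefix for the same domain, the likely intent was `"m.server" = "matrix.${domain}:8448";`. The `let` block this hunk edits begins before the hunk.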
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7baeeae..0a4d589 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -44,6 +44,7 @@ in {
 "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
 "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
 "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
+ "matrix-hookshot-registration.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
 "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
 "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;