From f56fd8dccc84ac5d53ecdb811a553610b4ddd723 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Sun, 29 Oct 2023 13:45:51 +0100
Subject: [PATCH 1/3] WIP: Add matrix-hookshot
---
.../apps/matrix/matrix-hookshot.nix | 112 ++++++++++++++++++
secrets/matrix-hookshot-registration.yaml.age | Bin 0 -> 1824 bytes
secrets/secrets.nix | 1 +
3 files changed, 113 insertions(+)
create mode 100644 hosts/nachtigall/apps/matrix/matrix-hookshot.nix
create mode 100644 secrets/matrix-hookshot-registration.yaml.age
diff --git a/hosts/nachtigall/apps/matrix/matrix-hookshot.nix b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix
new file mode 100644
index 0000000..d2b44c7
--- /dev/null
+++ b/hosts/nachtigall/apps/matrix/matrix-hookshot.nix
@@ -0,0 +1,112 @@
+{ flake, pkgs, ...}:{
+
+ age.secrets."matrix-hookshot-registration.yaml" = {
+ file = "${flake.self}/secrets/matrix-hookshot-registration.yaml.age";
+ mode = "400";
+ owner = "matrix-synapse";
+ };
+
+ configFile = ''
+ bot:
+ avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+ displayname: Hookshot Bot
+ bridge:
+ bindAddress: 0.0.0.0
+ domain: test.pub.solar
+ mediaUrl: http://matrix-nginx-proxy:12080
+ port: 9993
+ url: http://matrix-nginx-proxy:12080
+ feeds:
+ enabled: true
+ pollIntervalSeconds: 600
+ pollTimeoutSeconds: 30
+ generic:
+ allowJsTransformationFunctions: true
+ enableHttpGet: false
+ enabled: true
+ urlPrefix: https://matrix.test.pub.solar/hookshot/webhooks
+ userIdPrefix: _webhooks_
+ waitForComplete: false
+ gitlab:
+ instances:
+ gitlab.com:
+ url: https://gitlab.com
+ webhook:
+ secret: ""
+ listeners:
+ - bindAddress: 0.0.0.0
+ port: 9000
+ resources:
+ - webhooks
+ - bindAddress: 0.0.0.0
+ port: 9002
+ resources:
+ - provisioning
+ - bindAddress: 0.0.0.0
+ port: 9003
+ resources:
+ - widgets
+ logging:
+ level: warn
+ metrics:
+ enabled: false
+ passFile: /data/passkey.pem
+ permissions:
+ - actor: pub.solar
+ services:
+ - level: commands
+ service: '*'
+ - actor: '@axeman:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@b12f:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@hensoko:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ - actor: '@teutat3s:pub.solar'
+ services:
+ - level: admin
+ service: '*'
+ provisioning:
+ secret: 1acb44197a5a6d52c6cff38ea07433bfbfe9a83313a6bade
+ widgets:
+ addToAdminRooms: false
+ branding:
+ widgetTitle: Hookshot Configuration
+ publicUrl: https://matrix.pub.solar/hookshot/widgetapi/v1/static
+ roomSetupWidget:
+ addOnInvite: false
+ '';
+
+ systemd.services.matrix-hookshot = {
+ description = "Matrix-Hookshot, a bridge between Matrix and multiple project management services, such as GitHub, GitLab and JIRA. 
";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+
+ DynamicUser = true;
+ PrivateTmp = true;
+ UMask = "0027";
+
+ ExecStart = ''
+ ${pkgs.matrix-hookshot}/bin/matrix-hookshot
+ '';
+ };
+ };
+}
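Review bot: The `provisioning.secret` inside `configFile` is a literal value in a Nix string, so it is committed to git and would land in the world-readable Nix store once the string is written out for the service; it should be treated as exposed, regenerated, and supplied from an age-encrypted file the same way the registration file is. The same block sets the GitLab `webhook.secret` to `""`, which leaves incoming GitLab webhooks without a usable shared secret to verify them against. The bridge and all three listeners bind `0.0.0.0`, including the provisioning API on port 9002; unless a firewall rule outside this hunk covers those ports, `bindAddress: 127.0.0.1` behind the existing nginx is the safer default. `allowJsTransformationFunctions: true` makes the bridge evaluate user-supplied JavaScript for generic webhooks, so it is worth confirming that this is wanted before the WIP is finalised.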
diff --git a/secrets/matrix-hookshot-registration.yaml.age b/secrets/matrix-hookshot-registration.yaml.age new file mode 100644 index 0000000000000000000000000000000000000000..11189a2c3944f0f388fe50a15e49db68fb8aab1c GIT binary patch literal 1824 zcmZA0{qNia0mpF=G_2$6z=3liBh;crkk*NX4=0ZZ48XS9!U*`N_zw9q~ zC7*oWy46m$UBjPwV`u2zHS{egN&(3Yi6F3(Z8M$8r1A-;Sm{oz1g6Mr#6lrWP?H{M zXl1C<4eVf&mo-Dmk&e(7{gH_)RT~3_h|KrgZa*iE=x(S%)t2ALhGDP7$=PwY?iOVW z?Wv=>pj%gJp=K2MNrG@=N*Xt?F{{?7enB2my{y@H7_&qB>Qo1(rFN?b=Cfd(1E#$e z8qGSoXyoH|r>O}+rI)I}QGVpM2UBgBaqz)7Zg4t_U)KCUPxQ#54C4R~`(#ry;IivQ z)ocT_h`LHa_BIHz>1m13zf(Vh6;g^Mp>at6sh#fIY1C3Q5>U$*LTW_ znX6EBkg-6`>hx!*EcN3)tEC-3qm-MLfe5raoLMypB(-TVU7@^22Ox)Oi4)v-CMr=d zAXVJNsIDXVUI~c`r9O(~8v>ij+K5;3XbLS4piqxMHjl%|lx-+2pe&_IhKb<4*pC~Q zAvvX1RVG_~s2Jqha>X~fQocmL>7lj;n0yE9`XqrhZIvm8 zq7zF+14F5lr6ZMYsYx?bBT8|D(5VVm1+!|_pgrjD)`0Cd@{I@ravsR=I!Fa3tJL$v zwAG1vMVo?@q3WSH3Civ?N5^(dBSn$xFlpYNg`?Q>1(B=e`-})6qmD~!7BMUc9_tn~ zNEZ31SFIO02ti1X4S6>=;lyS2|b0nT?Ys7upLkxzDA;a&X$p! zO7fIf*H|JiWWy8=)xjy5qw+1(;;z()S};@ags%4xZ=hsEx6ZT0xX~7bfh*}WG3Z5N zzAm=nm|}giS(yw0xa^IqHHOLKtewp?V=}x{8rf1tb`XJetIyP+4C}}JMj8FTw#l0$ zEx)Y??L=L5M$O75Dxu#-txv3NOXXx@3kVRB4q5()<|nEL!k96Uxt7)vt3WcDO!UOz zj3dxkVzQ#rCSYG71&mbFbcAJSn2WUh*a{~qR~T5p`Twr})`4@6Z9UC2mrexxUflJR z|MaR2H=56F%ddM=xp>q#edn*%X>$u-%;qor^qzm5+`0eE7rrlkNPgS(CdmBN;< zZ%yxbEc_?XUUy`6-w)=Z=XcphU-+RMp>X1@ zdjjt4+TYl#-?v`B?exFm-6zTmhu*mL58qr^c>lA>kAAl5*tI)8eCX&W4=-+fa>J8n z;0OOx`0;bAm+yZ2OE0~~JhFfLjuV>}SD5)Vzx?2i=(=U<&aF3G_w?~rjVX{f&RK^G tE1sBNdS&I~bHC&F9@=xaMSpzPyPtpJz|u3n-@W;}_x^qLn}5L`_#g6Domv0@ literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7baeeae..0a4d589 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -44,6 +44,7 @@ in { "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; + "matrix-hookshot-registration.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys; -- 2.44.2 From 63041ec805392a59086bc7019a833324ad8f2efc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Thu, 16 Nov 2023 20:10:39 +0100 Subject: [PATCH 2/3] feat: add wellknown for matrix test domain --- hosts/nachtigall/apps/nginx-matrix.nix | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index da6edee..eaee415 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -6,10 +6,10 @@ let add_header X-XSS-Protection "1; mode=block"; ''; clientConfig = import ./matrix/element-client-config.nix; - wellKnownClient = { - "m.homeserver".base_url = "https://matrix.pub.solar"; - "m.identity_server".base_url = "https://matrix.pub.solar"; - "org.matrix.msc3575.proxy".url = "https://matrix.pub.solar/sliding-sync"; + wellKnownClient = domain: { + "m.homeserver".base_url = "https://matrix.${domain}"; + "m.identity_server".base_url = "https://matrix.${domain}"; + "org.matrix.msc3575.proxy".url = "https://matrix.${domain}/sliding-sync"; "im.vector.riot.e2ee".default = true; "io.element.e2ee" = { default = true; 
@@ -19,21 +19,21 @@ let "m.integrations" = { managers = [ { - api_url = "https://dimension.pub.solar/api/v1/scalar"; - ui_url = "https://dimension.pub.solar/element"; + api_url = "https://dimension.${domain}/api/v1/scalar"; + ui_url = "https://dimension.${domain}/element"; } ]; }; }; - wellKnownServer."m.server" = "matrix.pub.solar:8448"; + wellKnownServer = domain: { "m.server" = "${domain}:8448"; }; mkWellKnown = data: '' add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; return 200 '${builtins.toJSON data}'; ''; - wellKnownLocations = { - "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer; - "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient; + wellKnownLocations = domain: { + "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain); + "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain); }; in { @@ -44,7 +44,7 @@ in ##################################### "pub.solar" = { - locations = wellKnownLocations; + locations = wellKnownLocations "pub.solar"; }; ####################################### @@ -70,7 +70,7 @@ in gzip on; gzip_types text/plain application/json; ''; - locations = wellKnownLocations // { + locations = (wellKnownLocations "test.pub.solar") // { # TODO: Configure metrics # "/metrics" = { # }; -- 2.44.2 From 977a9c07585e62c0659f2adaee01b2a41415985f Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 18 Nov 2023 17:41:00 +0100 Subject: [PATCH 3/3] feat(matrix-hookshot): import matrix-hookshot --- hosts/nachtigall/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 8800356..72fe55b 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -25,6 +25,7 @@ ./apps/postgresql.nix ./apps/searx.nix + ./apps/matrix/matrix-hookshot.nix ./apps/matrix/mautrix-telegram.nix ./apps/matrix/synapse.nix ./apps/nginx-matrix.nix -- 2.44.2
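Review bot: `wellKnownServer` now renders `"${domain}:8448"`, so for the `wellKnownLocations "pub.solar"` call in the following hunk `/.well-known/matrix/server` changes from `matrix.pub.solar:8448` to `pub.solar:8448`, dropping the `matrix.` prefix that `wellKnownClient` keeps. Federating servers follow `m.server` to locate the homeserver, so this would direct them to a different host than before the change. Unless that is intended, the line should read `wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };`. The `let` block holding these definitions starts outside the hunk.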