hosts/nachtigall/apps/matrix/matrix-hookshot.nix

@@ -0,0 +1,112 @@
+{ flake, pkgs, ...}:{
+
+  age.secrets."matrix-hookshot-registration.yaml" = {
+    file = "${flake.self}/secrets/matrix-hookshot-registration.yaml.age";
+    mode = "400";
+    owner = "matrix-synapse";
+  };
+
+  configFile = ''
+    bot:
+      avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d
+      displayname: Hookshot Bot
+    bridge:
+      bindAddress: 0.0.0.0
+      domain: test.pub.solar
+      mediaUrl: http://matrix-nginx-proxy:12080
+      port: 9993
+      url: http://matrix-nginx-proxy:12080
+    feeds:
+      enabled: true
+      pollIntervalSeconds: 600
+      pollTimeoutSeconds: 30
+    generic:
+      allowJsTransformationFunctions: true
+      enableHttpGet: false
+      enabled: true
+      urlPrefix: https://matrix.test.pub.solar/hookshot/webhooks
+      userIdPrefix: _webhooks_
+      waitForComplete: false
+    gitlab:
+      instances:
+        gitlab.com:
+          url: https://gitlab.com
+      webhook:
+        secret: ""
+    listeners:
+    - bindAddress: 0.0.0.0
+      port: 9000
+      resources:
+      - webhooks
+    - bindAddress: 0.0.0.0
+      port: 9002
+      resources:
+      - provisioning
+    - bindAddress: 0.0.0.0
+      port: 9003
+      resources:
+      - widgets
+    logging:
+      level: warn
+    metrics:
+      enabled: false
+    passFile: /data/passkey.pem
+    permissions:
+    - actor: pub.solar
+      services:
+      - level: commands
+        service: '*'
+    - actor: '@axeman:pub.solar'
+      services:
+      - level: admin
+        service: '*'
+    - actor: '@b12f:pub.solar'
+      services:
+      - level: admin
+        service: '*'
+    - actor: '@hensoko:pub.solar'
+      services:
+      - level: admin
+        service: '*'
+    - actor: '@teutat3s:pub.solar'
+      services:
+      - level: admin
+        service: '*'
+    provisioning:
+      secret: 1acb44197a5a6d52c6cff38ea07433bfbfe9a83313a6bade
+    widgets:
+      addToAdminRooms: false
+      branding:
+        widgetTitle: Hookshot Configuration
+      publicUrl: https://matrix.pub.solar/hookshot/widgetapi/v1/static
+      roomSetupWidget:
+        addOnInvite: false
+  '';
+
+  systemd.services.matrix-hookshot = {
+    description = "Matrix-Hookshot,  a bridge between Matrix and multiple project management services, such as GitHub, GitLab and JIRA. ";
+
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      Restart = "always";
+
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+
+      DynamicUser = true;
+      PrivateTmp = true;
+      UMask = "0027";
+
+      ExecStart = ''
+          ${pkgs.matrix-hookshot}/bin/matrix-hookshot
+        '';
+    };
+  };
+}

hosts/nachtigall/apps/nginx-matrix.nix

@@ -6,10 +6,10 @@ let
     add_header X-XSS-Protection "1; mode=block";
   '';
   clientConfig = import ./matrix/element-client-config.nix;
-  wellKnownClient = {
+  wellKnownClient = domain: {
-    "m.homeserver".base_url = "https://matrix.pub.solar";
+    "m.homeserver".base_url = "https://matrix.${domain}";
-    "m.identity_server".base_url = "https://matrix.pub.solar";
+    "m.identity_server".base_url = "https://matrix.${domain}";
-    "org.matrix.msc3575.proxy".url = "https://matrix.pub.solar/sliding-sync";
+    "org.matrix.msc3575.proxy".url = "https://matrix.${domain}/sliding-sync";
     "im.vector.riot.e2ee".default = true;
     "io.element.e2ee" = {
       default = true;
@@ -19,21 +19,21 @@ let
     "m.integrations" = {
       managers = [
         {
-          api_url = "https://dimension.pub.solar/api/v1/scalar";
+          api_url = "https://dimension.${domain}/api/v1/scalar";
-          ui_url = "https://dimension.pub.solar/element";
+          ui_url = "https://dimension.${domain}/element";
         }
       ];
     };
   };
-  wellKnownServer."m.server" = "matrix.pub.solar:8448";
+  wellKnownServer = domain: { "m.server" = "${domain}:8448"; };
   mkWellKnown = data: ''
     add_header Content-Type application/json;
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
-  wellKnownLocations =  {
+  wellKnownLocations = domain: {
-    "= /.well-known/matrix/server".extraConfig = mkWellKnown wellKnownServer;
+    "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain);
-    "= /.well-known/matrix/client".extraConfig = mkWellKnown wellKnownClient;
+    "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain);
   };
 in
 {
@@ -44,7 +44,7 @@ in
     #####################################
 
     "pub.solar" = {
-      locations = wellKnownLocations;
+      locations = wellKnownLocations "pub.solar";
     };
 
     #######################################
@@ -70,7 +70,7 @@ in
         gzip on;
         gzip_types text/plain application/json;
       '';
-      locations = wellKnownLocations // {
+      locations = (wellKnownLocations "test.pub.solar") // {
         # TODO: Configure metrics
         # "/metrics" = {
         # };

hosts/nachtigall/default.nix

@@ -25,6 +25,7 @@
       ./apps/postgresql.nix
       ./apps/searx.nix
 
+      ./apps/matrix/matrix-hookshot.nix
       ./apps/matrix/mautrix-telegram.nix
       ./apps/matrix/synapse.nix
       ./apps/nginx-matrix.nix

secrets/secrets.nix

@@ -44,6 +44,7 @@ in {
   "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
   "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "matrix-hookshot-registration.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
 
   "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
   "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;