diff --git a/flake.nix b/flake.nix
index aeb1c37..a334213 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,7 @@
 };
 in {
+ nixosModules.default = import ./modules;
 overlays.default = import ./overlay.nix;
 packages.x86_64-linux.autobrr = pkgs_x86_64-linux.callPackage ./packages/autobrr { };
 packages.aarch64-linux.autobrr = pkgs_aarch64-linux.callPackage ./packages/autobrr { };
diff --git a/modules/base.nix b/modules/base.nix
new file mode 100644
index 0000000..e6de6a2
--- /dev/null
+++ b/modules/base.nix
@@ -0,0 +1,10 @@
+{ lib, ... }: {
+ options.recipes = {
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = null;
+ example = "/mnt/data";
+ description = "A directory where other recipes may store data";
+ };
+ };
+}
diff --git a/modules/conduwuit.nix b/modules/conduwuit.nix
new file mode 100644
index 0000000..a66ae1a
--- /dev/null
+++ b/modules/conduwuit.nix
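Review bot: In modules/base.nix, `recipes.dataDir` is typed `lib.types.str` but given `default = null`, so a host that enables a recipe without setting the option fails with a type error on the default value instead of a clear "option is used but not defined" message, and the interpolations of `cfgBase.dataDir` in the consuming modules never get to report the real cause. Either drop the `default` line entirely so the module system reports the missing definition, or declare `type = lib.types.nullOr lib.types.str;` and add an `assertions` entry in each consumer that requires it to be set. Since the value is only ever used as an absolute filesystem path, `lib.types.path` would also reject a relative string, which `str` silently accepts.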
@@ -0,0 +1,205 @@
+{ config, lib, pkgs, ... }:
+let
+ cfgBase = config.recipes;
+ cfg = cfgBase.conduwuit;
+
+ format = pkgs.formats.toml { };
+ configFile = format.generate "conduwuit.toml" cfg.settings;
+in
+{
+ meta.maintainers = with lib.maintainers; [ adtya ];
+ options.recipes.conduwuit = {
+ enable = lib.mkEnableOption "conduwuit";
+
+ extraEnvironment = lib.mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ description = "Extra Environment variables to pass to the conduwuit server.";
+ default = { };
+ example = { RUST_BACKTRACE = true; };
+ };
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "conduwuit";
+ description = "user conduwuit runs as";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "conduwuit";
+ description = "group conduit runs as";
+ };
+
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = "conduwuit";
+ description = "directory created under dataDir for conduwuit's data";
+ };
+
+ package = lib.mkPackageOption pkgs "conduwuit" { };
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = format.type;
+ options = {
+ global.server_name = lib.mkOption {
+ type = lib.types.str;
+ example = "example.com";
+ description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
+ };
+ global.port = lib.mkOption {
+ type = lib.types.port;
+ default = 6167;
+ description = "The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port";
+ };
+ global.max_request_size = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 20000000;
+ description = "Max request size in bytes. Don't forget to also change it in the proxy.";
+ };
+ global.allow_registration = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether new users can register on this server.";
+ };
+ global.allow_encryption = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
+ };
+ global.allow_federation = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether this server federates with other servers.
+ '';
+ };
+ global.trusted_servers = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ "matrix.org" ];
+ description = "Servers trusted with signing server keys.";
+ };
+ global.address = lib.mkOption {
+ type = lib.types.str;
+ default = "::1";
+ description = "Address to listen on for connections by the reverse proxy/tls terminator.";
+ };
+ global.database_path = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/conduwuit/";
+ readOnly = true;
+ description = ''
+ Path to the conduwuit database, the directory where conduwuit will save its data.
+ Note that due to using the DynamicUser feature of systemd, this value should not be changed
+ and is set to be read only.
+ '';
+ };
+ global.database_backend = lib.mkOption {
+ type = lib.types.enum [ "sqlite" "rocksdb" ];
+ default = "sqlite";
+ example = "rocksdb";
+ description = ''
+ The database backend for the service. Switching it on an existing
+ instance will require manual migration of data.
+ '';
+ };
+ global.allow_check_for_updates = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to allow Conduit to automatically contact
+ hourly to check for important Conduit news.
+
+ Disabled by default because nixpkgs handles updates.
+ '';
+ };
+ };
+ };
+ default = { };
+ description = ''
+ Generates the conduwuit.toml configuration file. Refer to
+ for details on supported values.
+ Note that database_path can not be edited because the service's reliance on systemd StateDir.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.settings."10-conduit"."${cfgBase.dataDir}/${cfg.dataDir}".d = {
+ inherit (cfg) user group;
+ mode = "0750";
+ };
+
+ systemd.services.conduwuit = {
+ description = "Conduwuit Matrix Server";
+ documentation = [ "https://conduwuit.puppyirl.gay" ];
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ environment = lib.mkMerge ([
+ { CONDUIT_CONFIG = configFile; }
+ cfg.extraEnvironment
+ ]);
+ unitConfig = {
+ RequiresMountsFor = [ "${cfgBase.dataDir}" "/var/lib/private/conduwuit"];
+ };
+ serviceConfig = {
+ Type = "notify";
+ DynamicUser = true;
+ AmbientCapabilities = [ ];
+ CapabilityBoundingSet = [ ];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateIPC = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "@resources" ] ++ [
+ "~@clock"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@reboot"
+ "~@swap"
+ "~@cpu-emulation"
+ "~@obsolete"
+ "~@timer"
+ "~@chown"
+ "~@setuid"
+ "~@privileged"
+ "~@keyring"
+ "~@ipc"
+ ];
+ SystemCallErrorNumber = "EPERM";
+ BindPaths = "${cfgBase.dataDir}/${cfg.dataDir}:/var/lib/private/conduwuit";
+ StateDirectory = "conduwuit";
+ RuntimeDirectory = "conduwuit";
+ RuntimeDirectoryMode = "0750";
+ ExecStart = "${cfg.package}/bin/conduit";
+ Restart = "on-failure";
+ RestartSec = 10;
+ StartLimitBurst = 5;
+ };
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..e0c329a
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+_: {
+ imports = [
+ ./base.nix
+ ./conduwuit.nix
+ ];
+}
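Review bot: The `user`/`group` options are consumed only by the `systemd.tmpfiles` rule that creates `${cfgBase.dataDir}/${cfg.dataDir}`; `serviceConfig` sets `DynamicUser = true` with no `User=`/`Group=`, so the process runs as a transient UID while the directory bind-mounted over `/var/lib/private/conduwuit` is owned by whatever the name `conduwuit` resolves to when systemd-tmpfiles runs at boot — for a dynamic user that is normally no account at all, so the rule fails to resolve the name or the service cannot write its state. Pick one ownership model: either declare a static system account and pass it to the unit as sketched below, dropping `DynamicUser` (with `StateDirectory` then living at `/var/lib/conduwuit`, so both `/var/lib/private/conduwuit` references and the `database_path` description must follow), or keep `DynamicUser`, remove the external bind mount and the `user`/`group` options, and let `StateDirectory` alone own the data. Two smaller items: `StartLimitBurst` is a `[Unit]` setting and belongs in `unitConfig` beside `RequiresMountsFor`, and `ExecStart` points at `bin/conduit` while `package` defaults to `conduwuit` — confirm that is the binary name the package actually installs, and likewise that the server honours `CONDUIT_CONFIG` rather than a `CONDUWUIT_`-prefixed variable.
```nix
config = lib.mkIf cfg.enable {
  # Static account: systemd-tmpfiles can resolve it at boot and it is the
  # same UID the service runs as, so the bind-mounted data dir is writable.
  users.users.${cfg.user} = {
    isSystemUser = true;
    group = cfg.group;
  };
  users.groups.${cfg.group} = { };

  # … unchanged: systemd.tmpfiles.settings …

  systemd.services.conduwuit = {
    # … unchanged: description, documentation, wantedBy, wants, after, environment …
    unitConfig = {
      RequiresMountsFor = [ "${cfgBase.dataDir}" "/var/lib/conduwuit" ];
      StartLimitBurst = 5;
    };
    serviceConfig = {
      Type = "notify";
      User = cfg.user;
      Group = cfg.group;
      # … unchanged: capability, Protect*, Private*, Restrict* and SystemCallFilter settings …
      BindPaths = "${cfgBase.dataDir}/${cfg.dataDir}:/var/lib/conduwuit";
      StateDirectory = "conduwuit";
      # … unchanged: RuntimeDirectory, RuntimeDirectoryMode, ExecStart, Restart, RestartSec …
    };
  };
};
```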