mautrix-signal: get a *little* closer to working

it looks like mautrix-signal reads the appserver token (AS_TOKEN) from its config file -- which we place in the nix store. as such, we have no easy way of getting the token from registration.yaml over to mautrix-signal. this is presumably what the environmentFile stuff is meant for, but it doesn't *really* help much. i think it makes sense to pursue coffeetables' nix-matrix-appservices module, which has good-looking AS_TOKEN support: <https://gitlab.com/coffeetables/nix-matrix-appservices>
2023-01-16 10:22:41 +00:00 · 2023-01-16 10:22:41 +00:00 · 9eafacad12
commit 9eafacad12
parent 0eb46a3179
3 changed files with 27 additions and 10 deletions
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@ -23,6 +23,8 @@
  sane.ids.mediawiki.uid = 2402;
  sane.ids.signald.uid = 2403;
  sane.ids.signald.gid = 2403;
+  sane.ids.mautrix-signal.uid = 2404;
+  sane.ids.mautrix-signal.gid = 2404;

  sane.ids.colin.uid = 1000;
  sane.ids.guest.uid = 1100;
--- a/hosts/servo/services/matrix/signal.nix
+++ b/hosts/servo/services/matrix/signal.nix
@ -3,6 +3,7 @@
  services.signald.enable = true;
  services.mautrix-signal.enable = true;

+  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
  services.matrix-synapse.settings.app_service_config_files = [
    # auto-created by mautrix-signal service
    "/var/lib/mautrix-signal/signal-registration.yaml"
--- a/modules/services/mautrix-signal.nix
+++ b/modules/services/mautrix-signal.nix
@ -23,6 +23,7 @@ in
          homeserver = {
            address = "http://localhost:8008";
            software = "standard";
+            # domain = "SETME";
          };

          appservice = rec {
@ -45,16 +46,17 @@ in
          logging = {
            version = 1;

-            formatters.journal_fmt.format = "%(name)s: %(message)s";
-            handlers.journal = {
-              class = "systemd.journal.JournalHandler";
-              formatter = "journal_fmt";
-              SYSLOG_IDENTIFIER = "mautrix-signal";
+            formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
+
+            handlers.console = {
+              class = "logging.StreamHandler";
+              formatter = "precise";
            };
-            # log to systemd instead of file/console
+
+            # log to console/systemd instead of file
            root = {
              level = "INFO";
-              handlers = ["journal"];
+              handlers = ["console"];
            };
          };
        };
@ -92,6 +94,13 @@ in
  };

  config = mkIf cfg.enable {
+    users.groups.mautrix-signal = {};
+
+    users.users.mautrix-signal = {
+      group = "mautrix-signal";
+      isSystemUser = true;
+    };
+
    systemd.services.mautrix-signal = {
      description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";

@ -100,6 +109,8 @@ in
      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
      path = [ pkgs.ffmpeg ];  # voice messages need `ffmpeg`

+      # environment.HOME = dataDir;
+
      preStart = ''
        # generate the appservice's registration file if absent
        if [ ! -f '${registrationFile}' ]; then
@ -115,20 +126,23 @@ in
        Type = "simple";
        Restart = "always";

+        User = "mautrix-signal";
+
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;

-        DynamicUser = true;
        PrivateTmp = true;
-        StateDirectory = baseNameOf dataDir;
+        # WorkingDirectory = pkgs.mautrix-signal;
+        # StateDirectory = baseNameOf dataDir;
        UMask = "0027";

        ExecStart = ''
          ${pkgs.mautrix-signal}/bin/mautrix-signal \
-            --config='${settingsFile}'
+            --config='${settingsFile}' \
+            --no-update
        '';
      };
    };