From ed5403efc317d02de9fbc8c1471e904de0cb0f09 Mon Sep 17 00:00:00 2001
From: Kevin Cox
Date: Sat, 11 Sep 2021 16:54:10 -0400
Subject: [PATCH] nixos.mautrix-facebook: init module

This is the first version of the mautrix-facebook module. Due to lack of secret support on NixOS as well as the requirement of a homeserver domain it requires some setup. For completeness here is my working config using NixOps secrets:

```nix
deployment.keys."mautrix-facebook-config.env" = { text = '' MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN=${secrets.as_token} MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN=${secrets.hs_token} ''; destDir = "/var/keys"; }; deployment.keys."mautrix-facebook-registration.yaml" = { text = builtins.toJSON config.services.mautrix-facebook.registrationData; destDir = "/var/keys"; user = "matrix-synapse"; }; users.users.matrix-synapse.extraGroups = ["keys"]; systemd.services.matrix-synapse.after = ["keys.service"]; systemd.services.matrix-synapse.wants = ["keys.service"]; services.mautrix-facebook = { enable = true; settings = { homeserver.domain = "bots.kevincox.ca"; bridge = { displayname_template = "{displayname}"; permissions = { "@kevincox:matrix.org" = "admin"; }; }; }; environmentFile = "/var/keys/mautrix-facebook-config.env"; registrationData = { as_token = secrets.as_token; hs_token = secrets.hs_token; }; }; systemd.services.mautrix-facebook = rec { wants = ["keys.target"]; after = wants; }; services.matrix-synapse.app_service_config_files = [ "/var/keys/mautrix-facebook-registration.yaml" ];
```
---
 nixos/modules/module-list.nix | 1 +
 .../services/misc/mautrix-facebook.nix | 195 ++++++++++++++++++
 2 files changed, 196 insertions(+)
 create mode 100644 nixos/modules/services/misc/mautrix-facebook.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d24f98efb7d3..cbcf35075ab3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -542,6 +542,7 @@
 ./services/misc/matrix-appservice-discord.nix
 ./services/misc/matrix-appservice-irc.nix
 ./services/misc/matrix-synapse.nix
+ ./services/misc/mautrix-facebook.nix
 ./services/misc/mautrix-telegram.nix
 ./services/misc/mbpfan.nix
 ./services/misc/mediatomb.nix
diff --git a/nixos/modules/services/misc/mautrix-facebook.nix b/nixos/modules/services/misc/mautrix-facebook.nix
new file mode 100644
index 000000000000..e046c791ac01
--- /dev/null
+++ b/nixos/modules/services/misc/mautrix-facebook.nix
@@ -0,0 +1,195 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.mautrix-facebook;
+ settingsFormat = pkgs.formats.json {};
+ settingsFile = settingsFormat.generate "mautrix-facebook-config.json" cfg.settings;
+
+ puppetRegex = concatStringsSep
+ ".*"
+ (map
+ escapeRegex
+ (splitString
+ "{userid}"
+ cfg.settings.bridge.username_template));
+in {
+ options = {
+ services.mautrix-facebook = {
+ enable = mkEnableOption "Mautrix-Facebook, a Matrix-Facebook hybrid puppeting/relaybot bridge";
+
+ settings = mkOption rec {
+ apply = recursiveUpdate default;
+ type = settingsFormat.type;
+ default = {
+ homeserver = {
+ address = "http://localhost:8008";
+ };
+
+ appservice = rec {
+ address = "http://${hostname}:${toString port}";
+ hostname = "localhost";
+ port = 29319;
+
+ database = "postgresql://";
+
+ bot_username = "facebookbot";
+ };
+
+ metrics.enabled = false;
+ manhole.enabled = false;
+
+ bridge = {
+ encryption = {
+ allow = true;
+ default = true;
+ };
+ username_template = "facebook_{userid}";
+ };
+
+ logging = {
+ version = 1;
+ formatters.journal_fmt.format = "%(name)s: %(message)s";
+ handlers.journal = {
+ class = "systemd.journal.JournalHandler";
+ formatter = "journal_fmt";
+ SYSLOG_IDENTIFIER = "mautrix-facebook";
+ };
+ root = {
+ level = "INFO";
+ handlers = ["journal"];
+ };
+ };
+ };
+ example = literalExpression ''
+ {
+ homeserver = {
+ address = "http://localhost:8008";
+ domain = "mydomain.example";
+ };
+
+ bridge.permissions = {
+ "@admin:mydomain.example" = "admin";
+ "mydomain.example" = "user";
+ };
+ }
+ '';
+ description = ''
+ config.yaml configuration as a Nix attribute set.
+ Configuration options should match those described in
+ example-config.yaml.
+
+
+
+ Secret tokens should be specified using
+ instead of this world-readable attribute set.
+ '';
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ File containing environment variables to be passed to the mautrix-telegram service.
+
+ Any config variable can be overridden by setting MAUTRIX_FACEBOOK_SOME_KEY to override the some.key variable.
+ '';
+ };
+
+ configurePostgresql = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Enable PostgreSQL and create a user and database for mautrix-facebook. The default settings reference this database, if you disable this option you must provide a database URL.
+ '';
+ };
+
+ registrationData = mkOption {
+ type = types.attrs;
+ default = {};
+ description = ''
+ Output data for appservice registration. Simply make any desired changes and serialize to JSON. Note that this data contains secrets so think twice before putting it into the nix store.
+
+ Currently as_token and hs_token need to be added as they are not known to this module.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.mautrix-facebook = {
+ group = "mautrix-facebook";
+ isSystemUser = true;
+ };
+
+ services.postgresql = mkIf cfg.configurePostgresql {
+ ensureDatabases = ["mautrix-facebook"];
+ ensureUsers = [{
+ name = "mautrix-facebook";
+ ensurePermissions = {
+ "DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+
+ systemd.services.mautrix-facebook = rec {
+ wantedBy = [ "multi-user.target" ];
+ wants = [
+ "network-online.target"
+ ] ++ optional config.services.matrix-synapse.enable "matrix-synapse.service"
+ ++ optional cfg.configurePostgresql "postgresql.service";
+ after = wants;
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ User = "mautrix-facebook";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ PrivateTmp = true;
+
+ EnvironmentFile = cfg.environmentFile;
+
+ ExecStart = ''
+ ${pkgs.mautrix-facebook}/bin/mautrix-facebook --config=${settingsFile}
+ '';
+ };
+ };
+
+ services.mautrix-facebook = {
+ registrationData = {
+ id = "mautrix-facebook";
+
+ namespaces = {
+ users = [
+ {
+ exclusive = true;
+ regex = escapeRegex "@${cfg.settings.appservice.bot_username}:${cfg.settings.homeserver.domain}";
+ }
+ {
+ exclusive = true;
+ regex = "@${puppetRegex}:${escapeRegex cfg.settings.homeserver.domain}";
+ }
+ ];
+ aliases = [];
+ };
+
+ url = cfg.settings.appservice.address;
+ sender_localpart = "mautrix-facebook-sender";
+
+ rate_limited = false;
+ "de.sorunome.msc2409.push_ephemeral" = true;
+ push_ephemeral = true;
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ kevincox ];
+}
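Review bot: The `environmentFile` description in the options block still says the file is `passed to the mautrix-telegram service`; this is the mautrix-facebook module, so that line should read `File containing environment variables to be passed to the mautrix-facebook service.`, and since `settings` is rendered into the world-readable store it would help to add that this file is where `MAUTRIX_FACEBOOK_APPSERVICE_AS_TOKEN` and `MAUTRIX_FACEBOOK_APPSERVICE_HS_TOKEN` belong. Both user-namespace regexes in `registrationData` and `puppetRegex` read `cfg.settings.homeserver.domain`, which has no default and is not asserted anywhere in the file, so a forgotten domain presumably surfaces only as a bare missing-attribute evaluation error at whatever point first forces `registrationData`; an `assertions = [{ assertion = cfg.settings.homeserver ? domain; message = "services.mautrix-facebook.settings.homeserver.domain must be set"; }];` entry in the `config` block would make the requirement explicit. For a network-facing appservice the `serviceConfig` hardening could also include `NoNewPrivileges = true;` and `RestrictSUIDSGID = true;`, neither of which conflicts with anything visible in this unit.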