!vxTmkuJzhGPsMdkAOc:transformierende-gesellschaft.org

NixOS Matrix Subsystem

139 Members
Coordination and discussion about the matrix subsystem in NixOS - https://nixos.wiki/wiki/Matrix
70 Servers



Sender / Message / Time
6 Jan 2022
Janne Heß (@janne.hess:helsinki-systems.de) * Also I'd go for
We now have a module for Heisenbridge and Conduit
The newly released [NixOS](https://nixos.org) 21.11 has extended Matrix support to also include Conduit and Heisenbridge packages and modules (Synapse and Element have already been supported for some time). (maybe?)
[14:12:36]
Janne Heß (@janne.hess:helsinki-systems.de) * Also I'd go for
We now have a module for Heisenbridge and Conduit
The newly released [NixOS](https://nixos.org) 21.11 has extended Matrix support to also include Conduit and Heisenbridge packages and modules (Synapse and Element have already been supported in previous releases). (maybe?)
[14:12:44]
Janne Heß (@janne.hess:helsinki-systems.de) * Also I'd go for
We now have a module for Heisenbridge and Conduit
The newly released [NixOS](https://nixos.org) 21.11 has extended Matrix support to also include [Conduit](https://blah) and [Heisenbridge](https://blah) packages and modules (Synapse and Element have already been supported in previous releases). (maybe?)
[14:13:37]
Janne Heß (@janne.hess:helsinki-systems.de) * Also I'd go for
We now have a module for Heisenbridge and Conduit
The latest release 21.11 of the [NixOS](https://nixos.org) distribution has extended Matrix support to also include [Conduit](https://blah) and [Heisenbridge](https://blah) packages and modules (Synapse and Element have already been supported in previous releases). (maybe?)
[14:14:51]
piegames (@piegames:matrix.org): Janne Heß: the modules are on unstable only [14:23:41]
Janne Heß (@janne.hess:helsinki-systems.de)
In reply to @piegames:matrix.org:
  Janne Heß: the modules are on unstable only
oops
[14:29:32]
hexa (@hexa:lossy.network): we can always backport them [14:35:57]
hexa (@hexa:lossy.network): they likely won't cause regressions [14:36:04]
piegames (@piegames:matrix.org): I wouldn't do that for Heisenbridge until the remaining small issues are resolved, so it certainly won't be ready for TWIM tomorrow. [15:44:04]
piegames (@piegames:matrix.org) * I wouldn't do that for Heisenbridge until the remaining small issues are resolved, so it certainly won't be ready for TWIM tomorrow. The Conduit module has a "part 2" WIP as well [15:44:28]
piegames (@piegames:matrix.org)
In reply to @janne.hess:helsinki-systems.de:
  Also I'd go for
  We now have a module for Heisenbridge and Conduit
  The latest release 21.11 of the [NixOS](https://nixos.org) distribution has extended Matrix support to also include [Conduit](https://blah) and [Heisenbridge](https://blah) packages and modules (Synapse and Element have already been supported in previous releases). (maybe?)

NixOS deployment

I don't think we've previously had any Nix/NixOS/nixpkgs-related entries in TWIM, so I'll start ^^

The current unstable channel has extended its Matrix ecosystem support to also include Heisenbridge and Conduit packages and modules. This makes it super easy to deploy any of those services: for example, my configuration for Heisenbridge is 21 lines long, and Conduit is only 11 lines. You can browse the available configuration options online: services.matrix-conduit, services.heisenbridge (note that some of them are freeform and simply forward to the upstream configuration).

For those who are not into NixOS, a module is the code that turns the declarative configuration files into your running system setup. As an example, if you enable services.heisenbridge, the following things are done for you:

  • Create a new heisenbridge user and group for the service
  • Create and manage the registration file for the homeserver (i.e. automatically regenerate it after the configuration has changed)
  • Create a systemd service that runs the heisenbridge command with the requested bridge configuration. The unit also sets a few systemd security hardening options.

For support, join our Matrix space at #community:nixos.org and its Matrix-Nix channel: #matrix-nix:transformierende-gesellschaft.org

[15:51:43]
miloignis (@miloignis:synapse.room409.xyz) joined the room. [21:17:33]
7 Jan 2022
mg (@mg:linuxistsuper.ems.host) joined the room. [23:16:02]
8 Jan 2022
clamydo (@clamydo:matrix.org) joined the room. [06:46:53]
piegames (@piegames:matrix.org): Janne Heß: May you please post your Heisenbridge module? Maybe there's more than the hardening options that we can upstream [23:41:50]
9 Jan 2022
Janne Heß (@janne.hess:helsinki-systems.de): Redacted or Malformed Event [14:27:49]
Janne Heß (@janne.hess:helsinki-systems.de): Redacted or Malformed Event [14:28:49]
Janne Heß (@janne.hess:helsinki-systems.de):
{ pkgs, lib, ... }: let 
  config = {
    id = "heisenbridge";
    url = "http://127.0.0.1:9898";
    as_token = "$APPSERVICE_TOKEN";
    hs_token = "$HOMESERVER_TOKEN";
    rate_limited = false;
    sender_localpart = "heisenbridge";
    namespaces = {
      users = [{ regex = "@heisenbridge_.*"; exclusive = true; }];
      aliases = [ ];
      rooms = [ ];
    };
  };
  configFile = pkgs.writeText "heisenbridge.yml" (lib.generators.toYAML {} config);
  package = pkgs.heisenbridge.overrideAttrs (oA: let
    version = "1.8.2";
  in {
    name = "${oA.pname}-${version}";

    src = pkgs.fetchFromGitHub {
      owner = "hifi";
      repo = oA.pname;
      rev = "v${version}";
      sha256 = "173prcd56rwlxjxlw67arnm12k1l317xi5s6m7jhmp8zbbrj5vwr";
    };

    patches = [];
  });
in {
  systemd.services.heisenbridge = {
    description = "Heisenbridge Matrix IRC bridge";
    before = [ "matrix-synapse.service" ];
    wantedBy = [ "multi-user.target" ];
    stopIfChanged = false;

    preStart = ''
      umask 027
      ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o /run/heisenbridge/appservice.yml
      chgrp matrix-synapse /run/heisenbridge/appservice.yml
    '';

    sandbox = 2;
    serviceConfig = {
      Restart = "always";
      EnvironmentFile = "/run/secrets/heisenbridge/env";
      ExecStart = "${package}/bin/heisenbridge --config /run/heisenbridge/appservice.yml --identd http://localhost:8080";

      RuntimeDirectory = "heisenbridge";
      RuntimeDirectoryMode = "0755";

      User = "heisenbridge";
      Group = "heisenbridge";

      PrivateNetwork = false;
      SystemCallFilter = "@system-service";
      # needed for ident
      AmbientCapabilities = [ "CAP_CHOWN" "CAP_NET_BIND_SERVICE" ];
      PrivateUsers = false;
    };
    apparmor = {
      enable = true;
      extraConfig = ''
        @{PROC}@{pid}/fd/ r,

        network udp,
        network tcp,
        network netlink raw,

        capability chown,
        capability net_bind_service,
      '';
    };
  };

  users.users.heisenbridge = {
    description = "Heisenbridge service user";
    isSystemUser = true;
    group = "heisenbridge";
  };
  users.groups.heisenbridge = {};

  # identd
  helsinki.firewall.ports.tcp = [ 113 ];

  helsinki.helsinkey.private."heisenbridge/env" = {
    services = [ "heisenbridge" ];
  };
}
[14:29:25]
Janne Heß (@janne.hess:helsinki-systems.de): That depends on our sandbox module though… [14:30:10]
Janne Heß (@janne.hess:helsinki-systems.de):

Relevant part of that module:

config = mkMerge [
  (mkIf (config.sandbox >= 2) {
    serviceConfig = mapAttrs (_: mkDefaulter) {
      # Filesystem stuff
      ProtectSystem = "strict"; # Prevent writing to most of /
      ProtectHome = true; # Prevent accessing /home and /root
      PrivateTmp = true; # Give an own directory under /tmp
      PrivateDevices = true; # Deny access to most of /dev
      ProtectKernelTunables = true; # Protect some parts of /sys
      ProtectControlGroups = true; # Remount cgroups read-only
      RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
      PrivateMounts = true; # Give an own mount namespace
      RemoveIPC = true;
      UMask = "0077";

      # Capabilities
      CapabilityBoundingSet = ""; # Allow no capabilities at all
      NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.

      # Kernel stuff
      ProtectKernelModules = true; # Prevent loading of kernel modules
      SystemCallArchitectures = "native"; # Usually no need to disable this
      ProtectKernelLogs = true; # Prevent access to kernel logs
      ProtectClock = true; # Prevent setting the RTC

      # Networking
      RestrictAddressFamilies = ""; # Example: "AF_UNIX AF_INET AF_INET6"
      PrivateNetwork = true; # Isolate the entire network

      # Misc
      LockPersonality = true; # Prevent change of the personality
      ProtectHostname = true; # Give an own UTS namespace
      RestrictRealtime = true; # Prevent switching to RT scheduling
      MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
      PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
      RestrictNamespaces = true;
    };
  })
];
[14:31:20]
Janne Heß (@janne.hess:helsinki-systems.de): The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about [14:32:55]
piegames (@piegames:matrix.org): Thank you, I'll have a look later [17:38:17]
piegames (@piegames:matrix.org)
In reply to @janne.hess:helsinki-systems.de:
  The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about
This is funny, because I'm pretty certain that andi also built something like that.
[17:40:23]
13 Jan 2022
piegames (@piegames:matrix.org): Anybody in here wants to be added as a Codeowner for your preferred Matrix packages? https://github.com/NixOS/nixpkgs/pull/154074 [22:39:51]
14 Jan 2022
Chuck Winter (@cw:kernelpanic.cafe) changed their display name from Rev. CornWallace III (novus ordo seclorum) to coilWinder. [04:39:26]
Chuck Winter (@cw:kernelpanic.cafe) changed their display name from coilWinder to CoilWinder (novus ordo seclorum). [04:41:39]
philipp (@philipp:xndr.de): piegames: Would you add me to the conduit stuff? [10:04:24]
15 Jan 2022
JulianF (@julian:foad.me.uk) joined the room. [10:54:38]
16 Jan 2022
kraem (@kraem:ne.bul.ae) set a profile picture. [09:54:32]
17 Jan 2022
Sumner Evans (@sumner:nevarro.space): https://github.com/NixOS/nixpkgs/pull/153279 would be great to get merged [19:26:06]



Room Version: 4