!vxTmkuJzhGPsMdkAOc:transformierende-gesellschaft.org

NixOS Matrix Subsystem

150 Members
Coordination and discussion about the matrix subsystem in NixOS - https://wiki.nixos.org/wiki/Matrix
74 Servers

9 Jan 2022
[14:27:49] Janne Heß (@janne.hess:helsinki-systems.de): Redacted or Malformed Event
[14:28:49] Janne Heß (@janne.hess:helsinki-systems.de): Redacted or Malformed Event
Janne Heß (@janne.hess:helsinki-systems.de):
{ pkgs, lib, ... }: let 
  config = {
    id = "heisenbridge";
    url = "http://127.0.0.1:9898";
    as_token = "$APPSERVICE_TOKEN";
    hs_token = "$HOMESERVER_TOKEN";
    rate_limited = false;
    sender_localpart = "heisenbridge";
    namespaces = {
      users = [{ regex = "@heisenbridge_.*"; exclusive = true; }];
      aliases = [ ];
      rooms = [ ];
    };
  };
  configFile = pkgs.writeText "heisenbridge.yml" (lib.generators.toYAML {} config);
  package = pkgs.heisenbridge.overrideAttrs (oA: let
    version = "1.8.2";
  in {
    name = "${oA.pname}-${version}";

    src = pkgs.fetchFromGitHub {
      owner = "hifi";
      repo = oA.pname;
      rev = "v${version}";
      sha256 = "173prcd56rwlxjxlw67arnm12k1l317xi5s6m7jhmp8zbbrj5vwr";
    };

    patches = [];
  });
in {
  systemd.services.heisenbridge = {
    description = "Heisenbridge Matrix IRC bridge";
    before = [ "matrix-synapse.service" ];
    wantedBy = [ "multi-user.target" ];
    stopIfChanged = false;

    preStart = ''
      umask 027
      ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o /run/heisenbridge/appservice.yml
      chgrp matrix-synapse /run/heisenbridge/appservice.yml
    '';

    sandbox = 2;
    serviceConfig = {
      Restart = "always";
      EnvironmentFile = "/run/secrets/heisenbridge/env";
      ExecStart = "${package}/bin/heisenbridge --config /run/heisenbridge/appservice.yml --identd http://localhost:8080";

      RuntimeDirectory = "heisenbridge";
      RuntimeDirectoryMode = "0755";

      User = "heisenbridge";
      Group = "heisenbridge";

      PrivateNetwork = false;
      SystemCallFilter = "@system-service";
      # needed for ident
      AmbientCapabilities = [ "CAP_CHOWN" "CAP_NET_BIND_SERVICE" ];
      PrivateUsers = false;
    };
    apparmor = {
      enable = true;
      extraConfig = ''
        @{PROC}@{pid}/fd/ r,

        network udp,
        network tcp,
        network netlink raw,

        capability chown,
        capability net_bind_service,
      '';
    };
  };

  users.users.heisenbridge = {
    description = "Heisenbridge service user";
    isSystemUser = true;
    group = "heisenbridge";
  };
  users.groups.heisenbridge = {};

  # identd
  helsinki.firewall.ports.tcp = [ 113 ];

  helsinki.helsinkey.private."heisenbridge/env" = {
    services = [ "heisenbridge" ];
  };
}
[14:29:25]
[14:30:10] Janne Heß (@janne.hess:helsinki-systems.de): That depends on our sandbox module though…
Janne Heß (@janne.hess:helsinki-systems.de):

Relevant part of that module:

config = mkMerge [
          (mkIf (config.sandbox >= 2) {
            serviceConfig = mapAttrs (_: mkDefaulter) {
              # Filesystem stuff
              ProtectSystem = "strict"; # Prevent writing to most of /
              ProtectHome = true; # Prevent accessing /home and /root
              PrivateTmp = true; # Give an own directory under /tmp
              PrivateDevices = true; # Deny access to most of /dev
              ProtectKernelTunables = true; # Protect some parts of /sys
              ProtectControlGroups = true; # Remount cgroups read-only
              RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
              PrivateMounts = true; # Give an own mount namespace
              RemoveIPC = true;
              UMask = "0077";

              # Capabilities
              CapabilityBoundingSet = ""; # Allow no capabilities at all
              NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.

              # Kernel stuff
              ProtectKernelModules = true; # Prevent loading of kernel modules
              SystemCallArchitectures = "native"; # Usually no need to disable this
              ProtectKernelLogs = true; # Prevent access to kernel logs
              ProtectClock = true; # Prevent setting the RTC

              # Networking
              RestrictAddressFamilies = ""; # Example: "AF_UNIX AF_INET AF_INET6"
              PrivateNetwork = true; # Isolate the entire network

              # Misc
              LockPersonality = true; # Prevent change of the personality
              ProtectHostname = true; # Give an own UTS namespace
              RestrictRealtime = true; # Prevent switching to RT scheduling
              MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
              PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
              RestrictNamespaces = true;
            };
          })
        ];
[14:31:20]
[14:32:55] Janne Heß (@janne.hess:helsinki-systems.de): The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about
[17:38:17] @piegames:matrix.org: Thank you, I'll have a look later
@piegames:matrix.org:
In reply to @janne.hess:helsinki-systems.de
> The sandbox module is basically the opt-out approach to sandboxing that hifi was talking about
This is funny, because I'm pretty certain that andi also built something like that.
[17:40:23]
13 Jan 2022
[22:39:51] @piegames:matrix.org: Anybody in here want to be added as a Codeowner for your preferred Matrix packages? https://github.com/NixOS/nixpkgs/pull/154074
14 Jan 2022
[04:39:26] Chinchilla Optional (@cw:kernelpanic.cafe) changed their display name from Rev. CornWallace III (novus ordo seclorum) to coilWinder.
[04:41:39] Chinchilla Optional (@cw:kernelpanic.cafe) changed their display name from coilWinder to CoilWinder (novus ordo seclorum).
[10:04:24] philipp (@philipp:xndr.de): piegames: Would you add me to the conduit stuff?
15 Jan 2022
[10:54:38] @julian:foad.me.uk joined the room.
16 Jan 2022
[09:54:32] kraem (@kraem:ne.bul.ae) set a profile picture.
17 Jan 2022
[19:26:06] Sumner Evans (@sumner:nevarro.space): https://github.com/NixOS/nixpkgs/pull/153279 would be great to get merged
18 Jan 2022
Janne Heß (@janne.hess:helsinki-systems.de):
In reply to @sumner:nevarro.space
> https://github.com/NixOS/nixpkgs/pull/153279 would be great to get merged
Did you test this?
[14:22:27]
[14:22:50] Janne Heß (@janne.hess:helsinki-systems.de): I'm not using the desktop app, but the code looks legit. If you (or anyone else) tested it, I'll just hit the magic button
[14:23:03] Janne Heß (@janne.hess:helsinki-systems.de) (edited): I'm not using the desktop app, but the code in combination with the linked resources looks legit. If you (or anyone else) tested it, I'll just hit the magic button
Sumner Evans (@sumner:nevarro.space):
In reply to @janne.hess:helsinki-systems.de
> Did you test this?
Yes, added a screenshot. Also using an analogous fix in my home-manager config: https://github.com/sumnerevans/home-manager-config/blob/master/modules/communication.nix#L5 and that works fine
[14:27:32]
[14:28:21] Janne Heß (@janne.hess:helsinki-systems.de): Thanks!
Janne Heß (@janne.hess:helsinki-systems.de):
In reply to @sumner:nevarro.space
> Yes, added a screenshot. Also using an analogous fix in my home-manager config: https://github.com/sumnerevans/home-manager-config/blob/master/modules/communication.nix#L5 and that works fine
Looks like adding the backport label after merging doesn't do anything :(
[14:34:48]
Sumner Evans (@sumner:nevarro.space):
In reply to @janne.hess:helsinki-systems.de
> Looks like adding the backport label after merging doesn't do anything :(
I'm pretty sure it's supposed to, maybe it's just slow?
[14:35:55]
Sumner Evans (@sumner:nevarro.space):
In reply to @sumner:nevarro.space
> I'm pretty sure it's supposed to, maybe it's just slow?
There, it just did it: https://github.com/NixOS/nixpkgs/pull/155480
[14:40:03]
[14:46:30] Sumner Evans (@sumner:nevarro.space): Any chance I can get some eyes on this PR? https://github.com/NixOS/nixpkgs/pull/155398
[14:51:35] Sumner Evans (@sumner:nevarro.space): Also, https://github.com/NixOS/nixpkgs/pull/155064 is ready
[17:34:14] Sumner Evans (@sumner:nevarro.space): Just updated that PR to 1.50.1 due to a bugfix release
19 Jan 2022
[18:56:42] Dandellion (@dandellion:dodsorf.as): https://github.com/NixOS/nixpkgs/pull/155703
20 Jan 2022
[00:14:32] andi- (@andi:kack.it) left the room.
21 Jan 2022
[21:42:19] ma27 (@ma27:nicht-so.sexy): Would like to get some feedback on https://github.com/NixOS/nixpkgs/pull/156099 (especially the backport topic)
24 Jan 2022
[14:53:36] ma27 (@ma27:nicht-so.sexy): Sumner Evans: are you updating synapse to https://github.com/matrix-org/synapse/releases/tag/v1.50.2 already? Otherwise I'd do it later :)

Room Version: 4