Nixos deployment

I don't think we've previously had any Nix/NixOS/nixpkgs related entries in TWIM, so I'll start ^^

We now have a module for Heisenbridge and Conduit, which makes it super easy to deploy any of those services: My configuration for Heisenbridge is 21 lines long, and Conduit is only 11 lines. You can browse the available configuration options online: services.matrix-conduit, services.heisenbridge (note that some of them are freeform and simply forward to the upstream configuration).

For support, join our Matrix space at #nix:nixos.org and the Matrix-Nix channel: #matrix-nix:transformierende-gesellschaft.org

Nixos deployment

I don't think we've previously had any Nix/NixOS/nixpkgs related entries in TWIM, so I'll start ^^

We now have a module for Heisenbridge and Conduit, which makes it super easy to deploy any of those services: My configuration for Heisenbridge is 21 lines long, and Conduit is only 11 lines. You can browse the available configuration options online: services.matrix-conduit, services.heisenbridge (note that some of them are freeform and simply forward to the upstream configuration).

For those that are not into NixOS, a module is the code that turns the declarative configuration files into your running system setup. As an example, if you enable services.heisenbridge the following things are done for you:

• Create a new heisenbridge user and group for the service
• Create and manage the registration file for the homeserver (i.e. automatically regenerate it after the configuration changed)
• Create a systemd service that runs the heisenbridge command with the requested bridge configuration. The unit also sets a few systemd security hardening options.

For support, join our Matrix space at #nix:nixos.org and the Matrix-Nix channel: #matrix-nix:transformierende-gesellschaft.org

In reply to @piegames:matrix.org
Feedback?

In reply to @piegames:matrix.org
Janne Heß: the modules are on unstable only

In reply to @janne.hess:helsinki-systems.de
Also I'd go for We now have a module for Heisenbridge and Conduit → The latest release 21.11 of the [NixOS](https://nixos.org) distribution has extended Matrix support to also include [Conduit](https://blah) and [Heisenbridge](https://blah) packages and modules (Synapse and Element have already been supported in previous releases). (maybe?)

Nixos deployment

I don't think we've previously had any Nix/NixOS/nixpkgs related entries in TWIM, so I'll start ^^

The current unstable channel has extended its Matrix ecosystem support to also include Heisenbridge and Conduit packages and modules. This makes it super easy to deploy any of those services: For example, my configuration for Heisenbridge is 21 lines long, and Conduit is only 11 lines. You can browse the available configuration options online: services.matrix-conduit, services.heisenbridge (note that some of them are freeform and simply forward to the upstream configuration).

For those that are not into NixOS, a module is the code that turns the declarative configuration files into your running system setup. As an example, if you enable services.heisenbridge the following things are done for you:

• Create a new heisenbridge user and group for the service
• Create and manage the registration file for the homeserver (i.e. automatically regenerate it after the configuration changed)
• Create a systemd service that runs the heisenbridge command with the requested bridge configuration. The unit also sets a few systemd security hardening options.

For support, join our Matrix space at #community:nixos.org and its Matrix-Nix channel: #matrix-nix:transformierende-gesellschaft.org

{ pkgs, lib, ... }: let 
  config = {
    id = "heisenbridge";
    url = "http://127.0.0.1:9898";
    as_token = "$APPSERVICE_TOKEN";
    hs_token = "$HOMESERVER_TOKEN";
    rate_limited = false;
    sender_localpart = "heisenbridge";
    namespaces = {
      users = [{ regex = "@heisenbridge_.*"; exclusive = true; }];
      aliases = [ ];
      rooms = [ ];
    };
  };
  configFile = pkgs.writeText "heisenbridge.yml" (lib.generators.toYAML {} config);
  package = pkgs.heisenbridge.overrideAttrs (oA: let
    version = "1.8.2";
  in {
    name = "${oA.pname}-${version}";

    src = pkgs.fetchFromGitHub {
      owner = "hifi";
      repo = oA.pname;
      rev = "v${version}";
      sha256 = "173prcd56rwlxjxlw67arnm12k1l317xi5s6m7jhmp8zbbrj5vwr";
    };

    patches = [];
  });
in {
  systemd.services.heisenbridge = {
    description = "Heisenbridge Matrix IRC bridge";
    before = [ "matrix-synapse.service" ];
    wantedBy = [ "multi-user.target" ];
    stopIfChanged = false;

    preStart = ''
      umask 027
      ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o /run/heisenbridge/appservice.yml
      chgrp matrix-synapse /run/heisenbridge/appservice.yml
    '';

    sandbox = 2;
    serviceConfig = {
      Restart = "always";
      EnvironmentFile = "/run/secrets/heisenbridge/env";
      ExecStart = "${package}/bin/heisenbridge --config /run/heisenbridge/appservice.yml --identd http://localhost:8080";

      RuntimeDirectory = "heisenbridge";
      RuntimeDirectoryMode = "0755";

      User = "heisenbridge";
      Group = "heisenbridge";

      PrivateNetwork = false;
      SystemCallFilter = "@system-service";
      # needed for ident
      AmbientCapabilities = [ "CAP_CHOWN" "CAP_NET_BIND_SERVICE" ];
      PrivateUsers = false;
    };
    apparmor = {
      enable = true;
      extraConfig = ''
        @{PROC}@{pid}/fd/ r,

        network udp,
        network tcp,
        network netlink raw,

        capability chown,
        capability net_bind_service,
      '';
    };
  };

  users.users.heisenbridge = {
    description = "Heisenbridge service user";
    isSystemUser = true;
    group = "heisenbridge";
  };
  users.groups.heisenbridge = {};

  # identd
  helsinki.firewall.ports.tcp = [ 113 ];

  helsinki.helsinkey.private."heisenbridge/env" = {
    services = [ "heisenbridge" ];
  };
}