From 2e30f0541c28e9b906c24bf356f103de42f8eb9b Mon Sep 17 00:00:00 2001 From: teidesu Date: Thu, 29 Aug 2024 23:15:50 +0300 Subject: [PATCH] feat(koi): conduwuit --- hosts/koi/configuration.nix | 3 + .../conduwuit/bridges/telegram/config.nix | 109 ++++++++++++++++++ .../conduwuit/bridges/telegram/default.nix | 52 +++++++++ hosts/koi/containers/conduwuit/config.toml | 85 ++++++++++++++ hosts/koi/containers/conduwuit/default.nix | 61 ++++++++++ hosts/koi/services/coredns.nix | 1 - lib/env.nix | 28 +++++ lib/trivial.nix | 4 + secrets/conduwuit-env.age | 7 ++ secrets/mautrix-tg-env.age | Bin 0 -> 516 bytes 10 files changed, 349 insertions(+), 1 deletion(-) create mode 100644 hosts/koi/containers/conduwuit/bridges/telegram/config.nix create mode 100644 hosts/koi/containers/conduwuit/bridges/telegram/default.nix create mode 100644 hosts/koi/containers/conduwuit/config.toml create mode 100644 hosts/koi/containers/conduwuit/default.nix create mode 100644 lib/env.nix create mode 100644 secrets/conduwuit-env.age create mode 100644 secrets/mautrix-tg-env.age diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix index 5c3441a..d39c59b 100755 --- a/hosts/koi/configuration.nix +++ b/hosts/koi/configuration.nix @@ -27,6 +27,7 @@ ./containers/sharkey ./containers/pds ./containers/navidrome + ./containers/conduwuit ./containers/zond ./containers/teisu.nix ./containers/bots/pcre-sub-bot.nix @@ -92,6 +93,8 @@ value = "8192"; }]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + services.desu-deploy = { enable = true; key = builtins.readFile (abs "ssh/desu-deploy.pub"); diff --git a/hosts/koi/containers/conduwuit/bridges/telegram/config.nix b/hosts/koi/containers/conduwuit/bridges/telegram/config.nix new file mode 100644 index 0000000..588197e --- /dev/null +++ b/hosts/koi/containers/conduwuit/bridges/telegram/config.nix 
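Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` in the second configuration.nix hunk carries no comment connecting it to this commit, and nothing else in the patch visibly builds or runs an aarch64 image, so a reader cannot tell whether conduwuit needs it or it is an unrelated change that rode along. binfmt_misc registrations are system-wide, so once this lands any foreign-arch binary a user can execute on the host runs through the emulator, which is a real widening of what the machine will run. A one-line justification such as `# qemu-user emulation, needed to build/pull aarch64 OCI images` (if that is the reason) or a separate commit would make the intent auditable. The `services.desu-deploy` block at the end of the hunk continues outside it.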
@@ -0,0 +1,109 @@
+{
+ homeserver = {
+ address = "http://conduwuit.docker:6167";
+ domain = "stupid.fish";
+ verify_ssl = false;
+ software = "standard";
+ http_retry_count = 4;
+ status_endpoint = null;
+ message_send_checkpoint_endpoint = null;
+ async_media = false;
+ };
+ appservice = {
+ address = "http://mautrix-telegram.docker:29317";
+ hostname = "0.0.0.0";
+ port = 29317;
+ max_body_size = 1;
+ database = "sqlite:/data/mautrix-telegram.db";
+ id = "telegram";
+ bot_username = "telegrambot";
+ bot_displayname = "Telegram bridge bot";
+ bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
+ provisioning = { enabled = false; };
+ ephemeral_events = true;
+ as_token._secret = "MAUTRIX_AS_TOKEN";
+ hs_token._secret = "MAUTRIX_HS_TOKEN";
+ };
+ bridge = {
+ username_template = "telegram_{userid}";
+ alias_template = "telegram_{groupname}";
+ displayname_template = "{displayname} (Telegram)";
+ allow_matrix_login = false;
+ create_group_on_invite = false;
+ displayname_preference = [ "full name" "username" "phone number" ];
+ displayname_max_length = 100;
+ allow_avatar_remove = false;
+ allow_contact_info = false;
+ filter = {
+ mode = "whitelist";
+ list = [
+ 1183945448 # zachem
+ ];
+ users = false;
+ };
+ relay_user_distinguishers = [];
+ permissions = {
+ "*" = "relaybot";
+ "@teidesu:stupid.fish" = "admin";
+ };
+ relaybot = {
+ group_chat_invite = [ "@teidesu:stupid.fish" ];
+ authless_portals = true;
+ whitelist_group_admins = false;
+ ignore_unbridged_group_chat = true;
+ whitelist = [
+ 1787945512 # teidesu
+ ];
+ };
+ encryption = {
+ allow = true;
+ default = false;
+ appservice = false;
+ require = false;
+ allow_key_sharing = true;
+ delete_keys = {
+ delete_outbound_on_ack = false;
+ dont_store_outbound = false;
+ ratchet_on_decrypt = false;
+ delete_fully_used_on_decrypt = true;
+ delete_prev_on_new_session = true;
+ delete_on_device_delete = true;
+ periodically_delete_expired = true;
+ delete_outdated_inbound = false;
+ };
+ };
+ };
+ telegram = {
+ api_id._secret = "TELEGRAM_API_ID";
+ api_hash._secret = "TELEGRAM_API_HASH";
+ bot_token._secret = "TELEGRAM_BOT_TOKEN";
+ catch_up = true;
+ sequential_updates = true;
+ exit_on_update_error = false;
+ force_refresh_interval_seconds = 0;
+ };
+ logging = {
+ version = 1;
+ formatters = {
+ simple = {
+ format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
+ };
+ };
+ handlers = {
+ console = {
+ class = "logging.StreamHandler";
+ formatter = "simple";
+ stream = "ext://sys.stdout";
+ };
+ };
+ loggers = {
+ mau = { level = "DEBUG"; };
+ telethon = { level = "INFO"; };
+ aiohttp = { level = "INFO"; };
+ };
+ root = {
+ level = "DEBUG";
+ handlers = [ "console" ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/conduwuit/bridges/telegram/default.nix b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix
new file mode 100644
index 0000000..67b35b6
--- /dev/null
+++ b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix
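Review bot: `"*" = "relaybot";` under `permissions` grants relaybot-level access to every Matrix user on every federated homeserver, not only to accounts on stupid.fish, and with `authless_portals = true` that means any remote user who ends up in a portal room can relay messages into Telegram through the bot, as I read mautrix's permission model. If the intent is local users only, scope the key to the domain, `"stupid.fish" = "relaybot";`, and drop the wildcard (homeserver names are valid permission keys). Separately, `root.level = "DEBUG"` together with `mau = { level = "DEBUG"; }` sends bridge debug output, which can include event contents, to stdout and hence the container journal; `INFO` is the safer steady-state setting once the bridge works. The `_secret` placeholders are a sound pattern only as long as this file carries env-var names and never values: it is serialised with `builtins.toJSON` into a world-readable store path, so a comment saying `# names of env vars only; values come from the secrets env file` would protect a future editor from pasting a token here.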
@@ -0,0 +1,52 @@
+{ pkgs, abs, config, ... } @ inputs:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+ trivial = import (abs "lib/trivial.nix") inputs;
+ env = import (abs "lib/env.nix") inputs;
+
+ UID = 1108;
+
+ bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix));
+in {
+ imports = [
+ (secrets.declare [{
+ name = "mautrix-tg-env";
+ owner = "mautrix";
+ }])
+ ];
+
+ users.groups.mautrix = {};
+ users.users.mautrix = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ virtualisation.oci-containers.containers.mautrix-telegram = let
+ entrypoint = env.mkJsonEnvEntrypoint {
+ template = "/config-template.yaml";
+ target = "/data/config.yaml";
+ entrypoint = "python3 -m mautrix_telegram -c /data/config.yaml";
+ };
+ in {
+ image = "dock.mau.dev/mautrix/telegram:v0.15.2";
+ volumes = [
+ "${bridgeConfig}:/config-template.yaml:ro"
+ "${pkgs.pkgsStatic.jq}/bin/jq:/bin/jq"
+ "${entrypoint}:/entrypoint.sh"
+ "/srv/mautrix-telegram:/data"
+ ];
+ environment = {
+ MAUTRIX_DIRECT_STARTUP = "1";
+ };
+ entrypoint = "/entrypoint.sh";
+ environmentFiles = [
+ (secrets.file config "mautrix-tg-env")
+ ];
+ user = builtins.toString UID;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/mautrix-telegram 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+ ];
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/conduwuit/config.toml b/hosts/koi/containers/conduwuit/config.toml
new file mode 100644
index 0000000..3a674f0
--- /dev/null
+++ b/hosts/koi/containers/conduwuit/config.toml
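Review bot: `isNormalUser = true;` for the `mautrix` service account gives it a `/home/mautrix`, a login shell and membership in the default `users` group, none of which a container UID needs, and the `users.groups.mautrix` declared just above is never attached to the user. Use `isSystemUser = true;` with `group = "mautrix";` (NixOS asserts a group for system users) and add `users.groups.mautrix.gid = UID;` so the numeric gid `1108` in the tmpfiles rule names a group that actually exists. Worth a comment next to the tmpfiles rule: the entrypoint renders `/data/config.yaml` with the resolved as/hs tokens and Telegram API secrets in plaintext onto `/srv/mautrix-telegram`, so the `0700` mode there is load-bearing rather than cosmetic. Minor: `trivial` is bound but unused in this file, and `telegram:v0.15.2` is a mutable tag rather than a `@sha256:` digest, so the pulled image is not pinned.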
@@ -0,0 +1,85 @@
+# https://conduwuit.puppyirl.gay/configuration.html
+
+[global]
+
+server_name = "stupid.fish"
+sentry = true
+sentry_send_server_name = true
+sentry_traces_sample_rate = 0.01
+sentry_attach_stacktrace = false
+
+
+database_path = "/data"
+database_backend = "rocksdb"
+
+port = 6167
+address = "0.0.0.0"
+max_request_size = 20_000_000
+
+ip_range_denylist = [
+ "127.0.0.0/8",
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+ "192.0.0.0/24",
+ "169.254.0.0/16",
+ "192.88.99.0/24",
+ "198.18.0.0/15",
+ "192.0.2.0/24",
+ "198.51.100.0/24",
+ "203.0.113.0/24",
+ "224.0.0.0/4",
+ "::1/128",
+ "fe80::/10",
+ "fc00::/7",
+ "2001:db8::/32",
+ "ff00::/8",
+ "fec0::/10",
+]
+
+
+allow_guest_registration = false
+log_guest_registrations = false
+allow_guests_auto_join_rooms = false
+
+allow_registration = true
+# set via CONDUWUIT_REGISTRATION_TOKEN env var
+# registration_token = "..."
+
+allow_public_room_directory_over_federation = false
+allow_public_room_directory_without_auth = false
+lockdown_public_room_directory = true
+
+allow_device_name_federation = false
+
+url_preview_domain_contains_allowlist = []
+url_preview_domain_explicit_allowlist = [
+ "discord.com",
+ "discord.gg",
+ "t.me",
+ "telegram.me",
+ "fxtwitter.com",
+ "fixupx.com",
+ "twitter.com",
+ "x.com",
+ "instagram.com",
+ "github.com",
+ "youtube.com",
+ "youtu.be",
+]
+url_preview_url_contains_allowlist = []
+url_preview_domain_explicit_denylist = []
+url_preview_max_spider_size = 384_000
+url_preview_check_root_domain = true
+
+allow_profile_lookup_federation_requests = true
+
+new_user_displayname_suffix = ""
+
+media_compat_file_link = false
+
+# we dont have ipv6
+ip_lookup_strategy = 1
+
+# turn is also set up via env var
\ No newline at end of file
diff --git a/hosts/koi/containers/conduwuit/default.nix b/hosts/koi/containers/conduwuit/default.nix
new file mode 100644
index 0000000..6439eb4
--- /dev/null
+++ b/hosts/koi/containers/conduwuit/default.nix
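Review bot: `sentry = true` together with `sentry_send_server_name = true` opts this homeserver into shipping error reports tagged with `stupid.fish` to an external Sentry endpoint (as far as I can tell upstream's default DSN, since no `sentry_endpoint` is set here); that is a deliberate privacy trade-off and deserves a line such as `# error telemetry is sent to conduwuit upstream's Sentry; set sentry = false to opt out`. `allow_registration = true` is only safe because, on the builds I know, conduwuit refuses to start with open registration and no `registration_token`, so the comment above it should say the `CONDUWUIT_REGISTRATION_TOKEN` variable is required and that the server fails closed without it rather than reading as optional; verify that behaviour on the pinned commit. `url_preview_check_root_domain = true` extends `url_preview_domain_explicit_allowlist` to every subdomain of the listed domains, which is fine for these entries but should be noted so a later addition of a domain with user-controlled subdomains does not silently widen the previewer's reach. The `ip_range_denylist` appears to restate the defaults; a comment saying it is intentionally explicit would prevent someone "trimming" it later.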
@@ -0,0 +1,61 @@
+{ abs, config, ... } @ inputs:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+
+ UID = 1107;
+in {
+ imports = [
+ (secrets.declare [{
+ name = "conduwuit-env";
+ owner = "conduwuit";
+ }])
+ ./bridges/telegram
+ ];
+
+ users.groups.conduwuit = {};
+ users.users.conduwuit = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ virtualisation.oci-containers.containers.conduwuit = {
+ image = "ghcr.io/girlbossceo/conduwuit:main-28cd784972f9e6e78a77ee54ca07d998ca15a788";
+ volumes = [
+ "${./config.toml}:/conduwuit.toml"
+ "/srv/conduwuit:/data"
+ ];
+ environment = {
+ CONDUWUIT_CONFIG = "/conduwuit.toml";
+ };
+ environmentFiles = [
+ (secrets.file config "conduwuit-env")
+ ];
+ user = builtins.toString UID;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/conduwuit 0755 ${builtins.toString UID} ${builtins.toString UID} -"
+ ];
+
+ services.nginx.virtualHosts."stupid.fish" = {
+ forceSSL = true;
+ useACMEHost = "stupid.fish";
+
+ locations."/_matrix/" = {
+ proxyPass = "http://conduwuit.docker:6167$request_uri";
+
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+
+ locations."/.well-known/matrix/server" = {
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Content-Type' 'application/json';
+ return 200 '{"m.server": "stupid.fish:443"}';
+ '';
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/services/coredns.nix b/hosts/koi/services/coredns.nix
index 066ca38..fbc57f3 100644
--- a/hosts/koi/services/coredns.nix
+++ b/hosts/koi/services/coredns.nix
@@ -9,7 +9,6 @@ let 10.42.0.2 koi.stupid.fish 10.42.0.2 hass.stupid.fish 10.42.0.2 very.stupid.fish
- 10.42.0.5 puffer.stupid.fish
10.42.0.8 bnuuy.stupid.fish 10.42.0.2 puffer.stupid.fish '';
diff --git a/lib/env.nix b/lib/env.nix
new file mode 100644
index 0000000..b27a225
--- /dev/null
+++ b/lib/env.nix
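Review bot: `"d /srv/conduwuit 0755 …"` makes the RocksDB directory, which among other things holds the server signing key and user access tokens, listable and traversable by every local user, and whether the files conduwuit writes inside it are readable then depends on the container's umask, which nothing here pins down. The sibling mautrix rule already uses `0700`, so this should read `"d /srv/conduwuit 0700 ${builtins.toString UID} ${builtins.toString UID} -"`. The `/_matrix/` location sets no `client_max_body_size`, so unless it is raised in a global nginx block the 1m default will reject media uploads long before conduwuit's own `max_request_size` of 20 MB is reached; `client_max_body_size 20M;` next to `proxy_buffering off;` closes that gap. The image reference `main-28cd784972f9…` is a tag, not a digest, and tags are mutable; a `@sha256:` pin would make the deployment reproducible and tamper-evident. Like the mautrix user, `isNormalUser = true;` here should be `isSystemUser = true; group = "conduwuit";` for a UID that only runs a container.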
@@ -0,0 +1,28 @@ +{ pkgs, lib, ... }: + +rec { + fillJsonWithEnv = template: target: '' + SECRETS=$(jq -c '(paths(scalars | true) | select (.[-1] == "_secret")) as $p | getpath($p) as $v | [$p, $v]' ${lib.escapeShellArg template}) + cp ${lib.escapeShellArg template} ${lib.escapeShellArg target} + echo "$SECRETS" | while read -r secret; do + jq --argjson secret "$secret" 'setpath($secret[0][:-1]; $ENV[$secret[1]])' ${lib.escapeShellArg target} > ${lib.escapeShellArg target}.tmp + mv ${lib.escapeShellArg target}.tmp ${lib.escapeShellArg target} + done + ''; + + mkJsonEnvEntrypoint = { template, target, entrypoint, extraScript ? "" }: pkgs.writeScript "entrypoint.sh" '' + #!/bin/sh + if [ ! -f ${lib.escapeShellArg template} ]; then + echo "Missing secrets file: ${lib.escapeShellArg template}" + exit 1 + fi + if ! command -v jq &> /dev/null; then + echo "jq not found, please make it available" + exit 1 + fi + + ${fillJsonWithEnv template target} + ${extraScript} + exec ${entrypoint} + ''; +} \ No newline at end of file diff --git a/lib/trivial.nix b/lib/trivial.nix index 4546c66..717957c 100644 --- a/lib/trivial.nix +++ b/lib/trivial.nix @@ -17,4 +17,8 @@ }; in "${drv}/${dirName}"; + + yaml2json = file: pkgs.runCommand "yaml2json" { buildInputs = [ pkgs.yq ]; } '' + yq -j < ${file} > $out + ''; } diff --git a/secrets/conduwuit-env.age b/secrets/conduwuit-env.age new file mode 100644 index 0000000..7920d73 --- /dev/null +++ b/secrets/conduwuit-env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw jUbEto1kylQCsyH2RdPPdqPgp681SW16xZJsLFlfiwk +D1H2OUVxvN1RWTrUdwB75M5PPbrri70sh76DJHBBzo4 +--- nFLS6RRYqCsQzmfSyHCPu9PbNp2LwrkFEJG9tFuZQdw +"I/z2yl݌T%7.!yjT;ǃ~ptd   H]eڄ8`u 'sG32jܑz(zV +ˇGHDsޡ5Z\cblR77 R +'mJ3o`&ɷ+rXNVxƭgN–-_5ITAV(ܴ{Q}_hV%yٸ6O^ c \ No newline at end of file 
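Review bot: `if ! command -v jq &> /dev/null; then` in `mkJsonEnvEntrypoint` runs under `#!/bin/sh`, where `&>` is not a redirection: a POSIX shell parses it as `command -v jq &` (backgrounded) followed by an empty command redirected to `/dev/null` whose status is 0, so the `jq not found` branch can never fire. Write it as `if ! command -v jq >/dev/null 2>&1; then`, and add `set -eu` under the shebang so a failing `jq` or `cp` cannot leave a truncated `config.yaml` that the final `exec` then starts the service with. In `fillJsonWithEnv`, a `_secret` whose environment variable is unset silently becomes JSON `null` through `$ENV[$secret[1]]` and only surfaces later as a confusing auth failure; the loop below refuses to continue when a variable is missing, with `|| exit 1` after `done` because the `while` runs in a pipeline subshell. The same loop also skips the single empty line `echo "$SECRETS"` emits when the template has no `_secret` keys, which otherwise hands `--argjson secret ""` to jq and overwrites the target with an empty file.
```nix
  fillJsonWithEnv = template: target: ''
    SECRETS=$(jq -c '(paths(scalars | true) | select (.[-1] == "_secret")) as $p | getpath($p) as $v | [$p, $v]' ${lib.escapeShellArg template})
    cp ${lib.escapeShellArg template} ${lib.escapeShellArg target}
    echo "$SECRETS" | while read -r secret; do
      [ -n "$secret" ] || continue
      if ! jq -n -e --argjson secret "$secret" '$ENV[$secret[1]] != null' >/dev/null; then
        echo "Missing environment variable for secret: $(printf '%s' "$secret" | jq -r '.[1]')" >&2
        exit 1
      fi
      jq --argjson secret "$secret" 'setpath($secret[0][:-1]; $ENV[$secret[1]])' ${lib.escapeShellArg target} > ${lib.escapeShellArg target}.tmp
      mv ${lib.escapeShellArg target}.tmp ${lib.escapeShellArg target}
    done || exit 1
  '';
  # … unchanged: mkJsonEnvEntrypoint, apart from the redirection fix and `set -eu` …
```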
diff --git a/secrets/mautrix-tg-env.age b/secrets/mautrix-tg-env.age new file mode 100644 index 0000000000000000000000000000000000000000..6b3f5271d768903cf2c81acefe66c7788075e145 GIT binary patch literal 516 zcmV+f0{i`8XJsvAZewzJaCB*JZZ2; zSa(-vD>YD3Np@I8M=LLGcyxL;GEGEvMNCFUYez*$GFn4oS9Wl5RY3|)WjJh8Z$d;b zXn1KbQA}?_M{z|lR6$K?G&oLpPE|-+N=$W2Z(($IN>K_eEiE7`c~)9zdT&H!ZZr5DIAX{ zKid1HOZ0q=$fwnv{qS}l-mOJTkg0{Y)X_aYU}>{l&zfPbicm}5iJhtC4q9P>LuNbQ zxEb{Z?_z4ZLcrG1#hDuX>1UPpZAXti`t^LW*kufrF$9xIwr3MN8ENU{hoo@e>|jmY zEOdP^X&-Dii>6apWwfv~>g9AEB5dz5d8+9Hf{M^rxy(mMpw>iMey-cJ;kxxXK}5e> z-P}){9rC~85o1>sqt0}ju2JVWtZivw?kZS(xdI=BDadTJrj`Vf%$mf>#_g6oZ{$bx GyH7Tm