feat(koi): conduwuit

This commit is contained in:
alina 🌸 2024-08-29 23:15:50 +03:00
parent 9fe5fb80a6
commit 2e30f0541c
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
10 changed files with 349 additions and 1 deletions


@ -27,6 +27,7 @@
./containers/sharkey ./containers/sharkey
./containers/pds ./containers/pds
./containers/navidrome ./containers/navidrome
./containers/conduwuit
./containers/zond ./containers/zond
./containers/teisu.nix ./containers/teisu.nix
./containers/bots/pcre-sub-bot.nix ./containers/bots/pcre-sub-bot.nix
@ -92,6 +93,8 @@
value = "8192"; value = "8192";
}]; }];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.desu-deploy = { services.desu-deploy = {
enable = true; enable = true;
key = builtins.readFile (abs "ssh/desu-deploy.pub"); key = builtins.readFile (abs "ssh/desu-deploy.pub");
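Review bot: `boot.binfmt.emulatedSystems = [ "aarch64-linux" ];` in the second hunk has no comment and is not explained by the commit title; it registers a user-mode emulator through binfmt_misc host-wide, so any aarch64 binary on this machine becomes directly executable, which is a wider change than the conduwuit container it sits next to. A one-line comment naming the consumer would let the next reader judge whether it can be dropped again, e.g. `# aarch64 emulation: needed by <which image/build> — TODO confirm`. The hunk header counts two added lines but only this one is visible, so a blank line was probably lost in rendering. Both hunks belong to an attribute set that starts and ends outside what is shown.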


@ -0,0 +1,109 @@
{
homeserver = {
address = "http://conduwuit.docker:6167";
domain = "stupid.fish";
verify_ssl = false;
software = "standard";
http_retry_count = 4;
status_endpoint = null;
message_send_checkpoint_endpoint = null;
async_media = false;
};
appservice = {
address = "http://mautrix-telegram.docker:29317";
hostname = "0.0.0.0";
port = 29317;
max_body_size = 1;
database = "sqlite:/data/mautrix-telegram.db";
id = "telegram";
bot_username = "telegrambot";
bot_displayname = "Telegram bridge bot";
bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
provisioning = { enabled = false; };
ephemeral_events = true;
as_token._secret = "MAUTRIX_AS_TOKEN";
hs_token._secret = "MAUTRIX_HS_TOKEN";
};
bridge = {
username_template = "telegram_{userid}";
alias_template = "telegram_{groupname}";
displayname_template = "{displayname} (Telegram)";
allow_matrix_login = false;
create_group_on_invite = false;
displayname_preference = [ "full name" "username" "phone number" ];
displayname_max_length = 100;
allow_avatar_remove = false;
allow_contact_info = false;
filter = {
mode = "whitelist";
list = [
1183945448 # zachem
];
users = false;
};
relay_user_distinguishers = [];
permissions = {
"*" = "relaybot";
"@teidesu:stupid.fish" = "admin";
};
relaybot = {
group_chat_invite = [ "@teidesu:stupid.fish" ];
authless_portals = true;
whitelist_group_admins = false;
ignore_unbridged_group_chat = true;
whitelist = [
1787945512 # teidesu
];
};
encryption = {
allow = true;
default = false;
appservice = false;
require = false;
allow_key_sharing = true;
delete_keys = {
delete_outbound_on_ack = false;
dont_store_outbound = false;
ratchet_on_decrypt = false;
delete_fully_used_on_decrypt = true;
delete_prev_on_new_session = true;
delete_on_device_delete = true;
periodically_delete_expired = true;
delete_outdated_inbound = false;
};
};
};
telegram = {
api_id._secret = "TELEGRAM_API_ID";
api_hash._secret = "TELEGRAM_API_HASH";
bot_token._secret = "TELEGRAM_BOT_TOKEN";
catch_up = true;
sequential_updates = true;
exit_on_update_error = false;
force_refresh_interval_seconds = 0;
};
logging = {
version = 1;
formatters = {
simple = {
format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
};
};
handlers = {
console = {
class = "logging.StreamHandler";
formatter = "simple";
stream = "ext://sys.stdout";
};
};
loggers = {
mau = { level = "DEBUG"; };
telethon = { level = "INFO"; };
aiohttp = { level = "INFO"; };
};
root = {
level = "DEBUG";
handlers = [ "console" ];
};
};
}
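Review bot: The `mau` logger and the root logger are both pinned to `DEBUG` in the `logging` block at the end of the file, and that becomes the permanent level of a long-running bridge rather than a troubleshooting setting. Debug output from a bridge is verbose and, depending on what the bridge logs at that level, can include room and user identifiers and message metadata, all of which then sits in the container journal on the host. I would ship with `mau = { level = "INFO"; };` and `root = { level = "INFO"; ... };` and raise to DEBUG only while diagnosing an issue; a comment saying why DEBUG is wanted would be fine if it is deliberate.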


@ -0,0 +1,52 @@
{ pkgs, abs, config, ... } @ inputs:
let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
env = import (abs "lib/env.nix") inputs;
UID = 1108;
bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix));
in {
imports = [
(secrets.declare [{
name = "mautrix-tg-env";
owner = "mautrix";
}])
];
users.groups.mautrix = {};
users.users.mautrix = {
isNormalUser = true;
uid = UID;
};
virtualisation.oci-containers.containers.mautrix-telegram = let
entrypoint = env.mkJsonEnvEntrypoint {
template = "/config-template.yaml";
target = "/data/config.yaml";
entrypoint = "python3 -m mautrix_telegram -c /data/config.yaml";
};
in {
image = "dock.mau.dev/mautrix/telegram:v0.15.2";
volumes = [
"${bridgeConfig}:/config-template.yaml:ro"
"${pkgs.pkgsStatic.jq}/bin/jq:/bin/jq"
"${entrypoint}:/entrypoint.sh"
"/srv/mautrix-telegram:/data"
];
environment = {
MAUTRIX_DIRECT_STARTUP = "1";
};
entrypoint = "/entrypoint.sh";
environmentFiles = [
(secrets.file config "mautrix-tg-env")
];
user = builtins.toString UID;
};
systemd.tmpfiles.rules = [
"d /srv/mautrix-telegram 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
}
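Review bot: `users.users.mautrix` is declared with `isNormalUser = true`, which gives a container service account a home directory under `/home`, a login shell and the default primary group `users`; the `users.groups.mautrix = {}` declared just above is therefore never used. For an account that only exists to own `/srv/mautrix-telegram` and run the container, the least-privilege form is `users.users.mautrix = { isSystemUser = true; group = "mautrix"; uid = UID; };`. The same pattern appears in the conduwuit module's `users.users.conduwuit` in this commit and should be changed in the same way.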


@ -0,0 +1,85 @@
# https://conduwuit.puppyirl.gay/configuration.html
[global]
server_name = "stupid.fish"
sentry = true
sentry_send_server_name = true
sentry_traces_sample_rate = 0.01
sentry_attach_stacktrace = false
database_path = "/data"
database_backend = "rocksdb"
port = 6167
address = "0.0.0.0"
max_request_size = 20_000_000
ip_range_denylist = [
"127.0.0.0/8",
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"100.64.0.0/10",
"192.0.0.0/24",
"169.254.0.0/16",
"192.88.99.0/24",
"198.18.0.0/15",
"192.0.2.0/24",
"198.51.100.0/24",
"203.0.113.0/24",
"224.0.0.0/4",
"::1/128",
"fe80::/10",
"fc00::/7",
"2001:db8::/32",
"ff00::/8",
"fec0::/10",
]
allow_guest_registration = false
log_guest_registrations = false
allow_guests_auto_join_rooms = false
allow_registration = true
# set via CONDUWUIT_REGISTRATION_TOKEN env var
# registration_token = "..."
allow_public_room_directory_over_federation = false
allow_public_room_directory_without_auth = false
lockdown_public_room_directory = true
allow_device_name_federation = false
url_preview_domain_contains_allowlist = []
url_preview_domain_explicit_allowlist = [
"discord.com",
"discord.gg",
"t.me",
"telegram.me",
"fxtwitter.com",
"fixupx.com",
"twitter.com",
"x.com",
"instagram.com",
"github.com",
"youtube.com",
"youtu.be",
]
url_preview_url_contains_allowlist = []
url_preview_domain_explicit_denylist = []
url_preview_max_spider_size = 384_000
url_preview_check_root_domain = true
allow_profile_lookup_federation_requests = true
new_user_displayname_suffix = ""
media_compat_file_link = false
# we dont have ipv6
ip_lookup_strategy = 1
# turn is also set up via env var
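Review bot: `sentry = true` together with `sentry_send_server_name = true` sends error reports tagged with `stupid.fish` to a Sentry project, and the file configures no endpoint, so presumably whatever DSN the conduwuit build defaults to is the recipient; that is a data-egress decision worth recording next to the flags rather than leaving implicit. I would add `# error reports (with server_name) are sent to the upstream Sentry DSN on purpose; stack traces disabled` above `sentry = true`, or set `sentry = false` if that was not intended. The other commented lines (registration token, TURN via environment) already follow that documenting style, so this would be consistent with the rest of the file.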


@ -0,0 +1,61 @@
{ abs, config, ... } @ inputs:
let
secrets = import (abs "lib/secrets.nix");
UID = 1107;
in {
imports = [
(secrets.declare [{
name = "conduwuit-env";
owner = "conduwuit";
}])
./bridges/telegram
];
users.groups.conduwuit = {};
users.users.conduwuit = {
isNormalUser = true;
uid = UID;
};
virtualisation.oci-containers.containers.conduwuit = {
image = "ghcr.io/girlbossceo/conduwuit:main-28cd784972f9e6e78a77ee54ca07d998ca15a788";
volumes = [
"${./config.toml}:/conduwuit.toml"
"/srv/conduwuit:/data"
];
environment = {
CONDUWUIT_CONFIG = "/conduwuit.toml";
};
environmentFiles = [
(secrets.file config "conduwuit-env")
];
user = builtins.toString UID;
};
systemd.tmpfiles.rules = [
"d /srv/conduwuit 0755 ${builtins.toString UID} ${builtins.toString UID} -"
];
services.nginx.virtualHosts."stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
locations."/_matrix/" = {
proxyPass = "http://conduwuit.docker:6167$request_uri";
extraConfig = ''
proxy_buffering off;
'';
};
locations."/.well-known/matrix/server" = {
extraConfig = ''
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Content-Type' 'application/json';
return 200 '{"m.server": "stupid.fish:443"}';
'';
};
};
}
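Review bot: The tmpfiles rule creates `/srv/conduwuit` with mode `0755`, and `config.toml` in this commit puts the RocksDB database at `/data`, i.e. inside that directory, so every local account on the host can read the server's database files; the sibling mautrix module uses `0700` for its data directory, and this one should too: `"d /srv/conduwuit 0700 ${builtins.toString UID} ${builtins.toString UID} -"`. Separately, `config.toml` allows requests up to `max_request_size = 20_000_000`, but the `/_matrix/` location only sets `proxy_buffering off`, so nginx's own `client_max_body_size` (the NixOS default is, as far as I recall, well below 20 MB) will reject large media uploads before conduwuit ever sees them — worth confirming and adding `client_max_body_size 20m;` to that location if so.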


@ -9,7 +9,6 @@ let
10.42.0.2 koi.stupid.fish 10.42.0.2 koi.stupid.fish
10.42.0.2 hass.stupid.fish 10.42.0.2 hass.stupid.fish
10.42.0.2 very.stupid.fish 10.42.0.2 very.stupid.fish
10.42.0.5 puffer.stupid.fish
10.42.0.8 bnuuy.stupid.fish 10.42.0.8 bnuuy.stupid.fish
10.42.0.2 puffer.stupid.fish 10.42.0.2 puffer.stupid.fish
''; '';

lib/env.nix Normal file

@ -0,0 +1,28 @@
{ pkgs, lib, ... }:
rec {
fillJsonWithEnv = template: target: ''
SECRETS=$(jq -c '(paths(scalars | true) | select (.[-1] == "_secret")) as $p | getpath($p) as $v | [$p, $v]' ${lib.escapeShellArg template})
cp ${lib.escapeShellArg template} ${lib.escapeShellArg target}
echo "$SECRETS" | while read -r secret; do
jq --argjson secret "$secret" 'setpath($secret[0][:-1]; $ENV[$secret[1]])' ${lib.escapeShellArg target} > ${lib.escapeShellArg target}.tmp
mv ${lib.escapeShellArg target}.tmp ${lib.escapeShellArg target}
done
'';
mkJsonEnvEntrypoint = { template, target, entrypoint, extraScript ? "" }: pkgs.writeScript "entrypoint.sh" ''
#!/bin/sh
if [ ! -f ${lib.escapeShellArg template} ]; then
echo "Missing secrets file: ${lib.escapeShellArg template}"
exit 1
fi
if ! command -v jq &> /dev/null; then
echo "jq not found, please make it available"
exit 1
fi
${fillJsonWithEnv template target}
${extraScript}
exec ${entrypoint}
'';
}


@ -17,4 +17,8 @@
}; };
in in
"${drv}/${dirName}"; "${drv}/${dirName}";
yaml2json = file: pkgs.runCommand "yaml2json" { buildInputs = [ pkgs.yq ]; } ''
yq -j < ${file} > $out
'';
} }
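Review bot: `yaml2json` lists `pkgs.yq` under `buildInputs`, but it is a tool executed during the build rather than a dependency of the output, so the nixpkgs convention is `nativeBuildInputs = [ pkgs.yq ];`, which also keeps the derivation correct under cross-compilation. I would also quote the interpolated path, `yq -j < "${file}" > "$out"`, so that the helper does not depend on `file` being a space-free store path. The attribute set this hunk extends starts outside the visible lines.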


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw jUbEto1kylQCsyH2RdPPdqPgp681SW16xZJsLFlfiwk
D1H2OUVxvN1RWTrUdwB75M5PPbrri70sh76DJHBBzo4
--- nFLS6RRYqCsQzmfSyHCPu9PbNp2LwrkFEJG9tFuZQdw
"I×/Ïzé2æylù޶݌ÒT%7.!éþyjT¼Îß;¿¥Çƒ†~pü´ƒÎëtòïdúäå   HÅ]eÚ„±8`Áôu '<¹XH.£Èn²á9Ã¥€S9ÄÁ:ó]mÄ?è«ÝlÕ?lgú'þ<>¢Låj<C3A5>ˆLXSÓ6xëê>œsÀG“32½jÜÂÊëz(zöV
±Ë‡‡GHDáÅsˆõÞ¡ú5ööZ\c¬blÍÁÉë…R77Ü R•
'<27>•mJ¡3±<33>o`&É·+r²XNV›œö”xÒÅÊñèÆ­ gNá­ÂÌ-_ü„Ÿ5×I÷ÍTÃÕAV(Ü´æ{QÀ³}¤Ä_<C384>ÒhªV•ï%•¸üí6ÂO^ Ö€Ÿc’ÀÐ

secrets/mautrix-tg-env.age Normal file
