From 9766e1447a2303a27bf84ae4f58b5f74aa8e178f Mon Sep 17 00:00:00 2001
From: Henry-Hiles
Date: Fri, 24 Oct 2025 12:14:48 -0400
Subject: [PATCH] stuff i guess
---
 clients/nova/matrix/zulip.nix | 52 ++++++++++++++++++++-
 clients/quadraticserver/matrix/bridges.nix | 10 ++--
 clients/quadraticserver/matrix/call.nix | 2 +-
 clients/quadraticserver/matrix/draupnir.nix | 2 +-
 clients/quadraticserver/searxng.nix | 5 +-
 secrets/zulipRegistration.age | 19 +++++---
 6 files changed, 75 insertions(+), 15 deletions(-)
diff --git a/clients/nova/matrix/zulip.nix b/clients/nova/matrix/zulip.nix
index ffcd441..042e7e1 100644
--- a/clients/nova/matrix/zulip.nix
+++ b/clients/nova/matrix/zulip.nix
@@ -1 +1,51 @@
-{ }
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+{
+ systemd.services.matrix-zulip-bridge = {
+ description = "matrix-zulip-bridge server";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig =
+ let
+ secretName = "matrix-zulip-bridge-secrets";
+ in
+ {
+ LoadCredential = [
+ "${secretName}:${config.age.secrets."zulipRegistration.age".path}"
+ ];
+ ExecStart = "${lib.getExe pkgs.matrix-zulip-bridge} --config /run/credentials/matrix-zulip-bridge.service/${secretName} --owner @quadradical:${config.quad.matrix.domain} ${config.services.matrix-continuwuity.settings.global.well_known.client}";
+ DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ ProtectHome = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ Restart = "always";
+ RestartSec = 5;
+ };
+ };
+}
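Review bot: The `--config` argument in ExecStart hard-codes `/run/credentials/matrix-zulip-bridge.service/`, duplicating the unit name that the `systemd.services.matrix-zulip-bridge` attribute already fixes, so renaming the service would silently break the credential lookup. systemd exposes the credentials directory as the `%d` specifier, so `--config %d/${secretName}` keeps the path tied to whichever unit the line ends up in. The sandbox is otherwise thorough for a DynamicUser service; two cheap directives that are absent are `CapabilityBoundingSet = "";` and `ProtectProc = "invisible";`. The secret `config.age.secrets."zulipRegistration.age"` is referenced but not declared in this commit, so it presumably exists in an age module elsewhere in the tree; worth confirming, since the unit fails at start otherwise.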
diff --git a/clients/quadraticserver/matrix/bridges.nix b/clients/quadraticserver/matrix/bridges.nix
index c12c97f..5f9e5ae 100644
--- a/clients/quadraticserver/matrix/bridges.nix
+++ b/clients/quadraticserver/matrix/bridges.nix
@@ -7,13 +7,13 @@
 }:
 let
 client = config.services.matrix-continuwuity.settings.global.well_known.client;
- server_name = config.services.matrix-continuwuity.settings.global.server_name;
+ domain = config.quad.matrix.domain;
 settings = {
 backfill.enabled = true;
 homeserver = {
- domain = server_name;
+ inherit domain;
 address = client;
 };
@@ -24,8 +24,8 @@ let
 };
 bridge.permissions = {
- "${server_name}" = "user";
- "@quadradical:${server_name}" = "admin";
+ "${domain}" = "user";
+ "@quadradical:${domain}" = "admin";
 };
 };
 in
@@ -66,7 +66,7 @@ in
 matrix-ooye = {
 enable = true;
 homeserver = client;
- homeserverName = server_name;
+ homeserverName = domain;
 discordTokenPath = config.age.secrets."discordToken.age".path;
 discordClientSecretPath = config.age.secrets."discordClientSecret.age".path;
 socket = "8081";
diff --git a/clients/quadraticserver/matrix/call.nix b/clients/quadraticserver/matrix/call.nix
index af16111..0ec8eac 100644
--- a/clients/quadraticserver/matrix/call.nix
+++ b/clients/quadraticserver/matrix/call.nix
@@ -34,7 +34,7 @@
 default_server_config = {
 "m.homeserver" = {
 "base_url" = config.services.matrix-continuwuity.settings.global.well_known.client;
- "server_name" = config.services.matrix-continuwuity.settings.global.server_name;
+ "server_name" = config.quad.matrix.domain;
 };
 };
 livekit.livekit_service_url = "https://${domain}/livekit";
diff --git a/clients/quadraticserver/matrix/draupnir.nix b/clients/quadraticserver/matrix/draupnir.nix
index beb8a93..fca7952 100644
--- a/clients/quadraticserver/matrix/draupnir.nix
+++ b/clients/quadraticserver/matrix/draupnir.nix
@@ -4,7 +4,7 @@
 enable = false; # Blocked on https://forgejo.ellis.link/continuwuation/continuwuity/issues/1098
 settings =
 let
- serverName = config.services.matrix-continuwuity.settings.global.server_name;
+ serverName = config.quad.matrix.domain;
 homeserverUrl = config.services.matrix-continuwuity.settings.global.well_known.client;
 in
 {
diff --git a/clients/quadraticserver/searxng.nix b/clients/quadraticserver/searxng.nix
index fe06d9e..c63a6d4 100644
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
 {
 services =
 let
@@ -8,6 +8,9 @@
 {
 searx = {
 enable = true;
+ package = pkgs.searxng.overrideAttrs {
+ patches = [ ./google.patch ];
+ };
 settings =
 let
 enginesByCategory = {
diff --git a/secrets/zulipRegistration.age b/secrets/zulipRegistration.age
index a78b9ad..bf5629b 100644
--- a/secrets/zulipRegistration.age
+++ b/secrets/zulipRegistration.age
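Review bot: `patches = [ ./google.patch ];` in the searxng.nix hunk references a file next to searxng.nix that this commit does not add (the diffstat lists six files and google.patch is not among them), so the override fails to evaluate unless the patch is already committed elsewhere in the tree. If it is, a one-line comment naming what the patch changes would help, since the `google` in the file name says nothing about intent. The attrset form of overrideAttrs also replaces the upstream patch list rather than extending it; `package = pkgs.searxng.overrideAttrs (old: { patches = (old.patches or [ ]) ++ [ ./google.patch ]; });` keeps any patches nixpkgs applies to searxng.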
@@ -1,8 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBTSExM
-ZDRISFJsVUJhalR0V3FWVW1lamlVcUlUZDNIUUFDRnQ2Q1AxOUVFCkpwN0JMQVph
-NFpVS2o3Y2RiZGYyd0tKdURzc0g3clBvV1lVN3ZhbzFoMEEKLT4gKG5MLWdyZWFz
-ZSBLdEl7UkRlOyBQeiBsLgpvajZ2aEpmcGpnTnZwMnBHbUZ4T3JLcVZFZ0kKLS0t
-IHJlL1VIWDE0anZ5a3czbFNqNml2RkVoZzdrZ0dNT3NPcDNkMjJUNmN2SEUKo+lX
-j6VNWaIiS7zIAMyZW7h72T3s9NfDEACSpcNiADGsQbcOIA==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBSMW56
+RnhUTkplcDUvaWVhWG9lTzNOTlloVUY4RVVUN1hkdHdKaG84Mmc0Cnl1bWNFbm9x
+ZTVTbk1ZLzROd1lsc3ArOW9EYjA5VnBoV2R4cFZPNCs5TTQKLT4gL2RTaGlVby1n
+cmVhc2UgZSBzCkNpb0JDelQ1c3RjdTJYK0lacTNFY2dFTDQzSUEzdjhmQ0JRCi0t
+LSB0MDZUd2NCdWpEcFoveXVHdTNUWDFZVmMwdEJIWVcrWm13VG9wdE1tNmZBCq0a
+VyxFKbGEgLVT8cKpKhScmqG2BdggLpF/UbKIX158hoijYlIvf9YyuycS69fVfthZ
+/jkeVzZ9dmkVxBdyLiq88Pfgtim2yp66C8kYW7U9CL2ckLq4gn87S/KSiMUS+oPB
+CVOijzeO6/AFRSp9Hbg8b93PnfIApeQhIgP07zpr9Sn9Ys0WCQBklDCHRRS9JBM0
+URmBu+2Jac8jGcBLf20z1Ixo7Vpp+Xr3/pwFLlqhHaYfpackX9siYfp9F52zOQif
+pGwiLVjUGu86jpTDV2DqnRgrPMo94CGaVkF/jjqNP5dt6uCe8PlZ1MYCKd+OZhdu
+wsBdKiJ2f4JPoZUK8sTvIXlK/zNti59AvxmKnRb2Pa1tnahodmHGHH7qoZBdAYOZ
+sXvg5MN77lAXNQN2j7urHIrEwXCHb++yFk2ZC6WjMO9vyHmXJeLuxL0JC9AAUoO2
+T0hrul3f0myG5s9/O5mqwZDPE9fWk+DOwSq8iIvIAlSH9LjIPjI=
 -----END AGE ENCRYPTED FILE-----