stuff i guess

2025-10-24 12:14:48 -04:00 · 2025-10-24 12:14:48 -04:00 · 9766e1447a
commit 9766e1447a
parent 28795e9b3e
6 changed files with 75 additions and 15 deletions
--- a/clients/nova/matrix/zulip.nix
+++ b/clients/nova/matrix/zulip.nix
@ -1 +1,51 @@
-{ }
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  systemd.services.matrix-zulip-bridge = {
+    description = "matrix-zulip-bridge server";
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    serviceConfig =
+      let
+        secretName = "matrix-zulip-bridge-secrets";
+      in
+      {
+        LoadCredential = [
+          "${secretName}:${config.age.secrets."zulipRegistration.age".path}"
+        ];
+        ExecStart = "${lib.getExe pkgs.matrix-zulip-bridge} --config /run/credentials/matrix-zulip-bridge.service/${secretName} --owner @quadradical:${config.quad.matrix.domain} ${config.services.matrix-continuwuity.settings.global.well_known.client}";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        ProtectHome = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        Restart = "always";
+        RestartSec = 5;
+      };
+  };
+}
--- a/clients/quadraticserver/matrix/bridges.nix
+++ b/clients/quadraticserver/matrix/bridges.nix
@ -7,13 +7,13 @@
 }:
 let
  client = config.services.matrix-continuwuity.settings.global.well_known.client;
-  server_name = config.services.matrix-continuwuity.settings.global.server_name;
+  domain = config.quad.matrix.domain;

  settings = {
    backfill.enabled = true;

    homeserver = {
-      domain = server_name;
+      inherit domain;
      address = client;
    };

@ -24,8 +24,8 @@ let
    };

    bridge.permissions = {
-      "${server_name}" = "user";
-      "@quadradical:${server_name}" = "admin";
+      "${domain}" = "user";
+      "@quadradical:${domain}" = "admin";
    };
  };
 in
@ -66,7 +66,7 @@ in
      matrix-ooye = {
        enable = true;
        homeserver = client;
-        homeserverName = server_name;
+        homeserverName = domain;
        discordTokenPath = config.age.secrets."discordToken.age".path;
        discordClientSecretPath = config.age.secrets."discordClientSecret.age".path;
        socket = "8081";
--- a/clients/quadraticserver/matrix/call.nix
+++ b/clients/quadraticserver/matrix/call.nix
@ -34,7 +34,7 @@
             default_server_config = {
               "m.homeserver" = {
                 "base_url" = config.services.matrix-continuwuity.settings.global.well_known.client;
-                 "server_name" = config.services.matrix-continuwuity.settings.global.server_name;
+                 "server_name" = config.quad.matrix.domain;
               };
             };
             livekit.livekit_service_url = "https://${domain}/livekit";
--- a/clients/quadraticserver/matrix/draupnir.nix
+++ b/clients/quadraticserver/matrix/draupnir.nix
@ -4,7 +4,7 @@
    enable = false; # Blocked on https://forgejo.ellis.link/continuwuation/continuwuity/issues/1098
    settings =
      let
-        serverName = config.services.matrix-continuwuity.settings.global.server_name;
+        serverName = config.quad.matrix.domain;
        homeserverUrl = config.services.matrix-continuwuity.settings.global.well_known.client;
      in
      {
--- a/clients/quadraticserver/searxng.nix
+++ b/clients/quadraticserver/searxng.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
 {
  services =
    let
@ -8,6 +8,9 @@
    {
      searx = {
        enable = true;
+        package = pkgs.searxng.overrideAttrs {
+          patches = [ ./google.patch ];
+        };
        settings =
          let
            enginesByCategory = {
--- a/secrets/zulipRegistration.age
+++ b/secrets/zulipRegistration.age
@ -1,8 +1,15 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBTSExM
-ZDRISFJsVUJhalR0V3FWVW1lamlVcUlUZDNIUUFDRnQ2Q1AxOUVFCkpwN0JMQVph
-NFpVS2o3Y2RiZGYyd0tKdURzc0g3clBvV1lVN3ZhbzFoMEEKLT4gKG5MLWdyZWFz
-ZSBLdEl7UkRlOyBQeiBsLgpvajZ2aEpmcGpnTnZwMnBHbUZ4T3JLcVZFZ0kKLS0t
-IHJlL1VIWDE0anZ5a3czbFNqNml2RkVoZzdrZ0dNT3NPcDNkMjJUNmN2SEUKo+lX
-j6VNWaIiS7zIAMyZW7h72T3s9NfDEACSpcNiADGsQbcOIA==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBSMW56
+RnhUTkplcDUvaWVhWG9lTzNOTlloVUY4RVVUN1hkdHdKaG84Mmc0Cnl1bWNFbm9x
+ZTVTbk1ZLzROd1lsc3ArOW9EYjA5VnBoV2R4cFZPNCs5TTQKLT4gL2RTaGlVby1n
+cmVhc2UgZSBzCkNpb0JDelQ1c3RjdTJYK0lacTNFY2dFTDQzSUEzdjhmQ0JRCi0t
+LSB0MDZUd2NCdWpEcFoveXVHdTNUWDFZVmMwdEJIWVcrWm13VG9wdE1tNmZBCq0a
+VyxFKbGEgLVT8cKpKhScmqG2BdggLpF/UbKIX158hoijYlIvf9YyuycS69fVfthZ
+/jkeVzZ9dmkVxBdyLiq88Pfgtim2yp66C8kYW7U9CL2ckLq4gn87S/KSiMUS+oPB
+CVOijzeO6/AFRSp9Hbg8b93PnfIApeQhIgP07zpr9Sn9Ys0WCQBklDCHRRS9JBM0
+URmBu+2Jac8jGcBLf20z1Ixo7Vpp+Xr3/pwFLlqhHaYfpackX9siYfp9F52zOQif
+pGwiLVjUGu86jpTDV2DqnRgrPMo94CGaVkF/jjqNP5dt6uCe8PlZ1MYCKd+OZhdu
+wsBdKiJ2f4JPoZUK8sTvIXlK/zNti59AvxmKnRb2Pa1tnahodmHGHH7qoZBdAYOZ
+sXvg5MN77lAXNQN2j7urHIrEwXCHb++yFk2ZC6WjMO9vyHmXJeLuxL0JC9AAUoO2
+T0hrul3f0myG5s9/O5mqwZDPE9fWk+DOwSq8iIvIAlSH9LjIPjI=
 -----END AGE ENCRYPTED FILE-----