service/matrix-bot: migrate matrix-hook from go-neb

machines/newton/secrets.yaml

@@ -27,14 +27,10 @@ sso:
         password-hash: ENC[AES256_GCM,data:4yOMOg3/RsijtXC7h73sIk3HDPq83xmSY7AaLeUbtPVZzjjZ/Qp+YiXpgL0fVsio1Pic3HyAzeVlWg0E,iv:23CdJQAhtpgrUZ1jVKiKYfgw5jQNVN6413Ew8ryJH6w=,tag:bds2Yd18gFtVDtgLkxMGkQ==,type:str]
         totp-secret: ENC[AES256_GCM,data:1fh22SICF19Svg6rLwUYs8oIBr0FV9dG30WWpPN751VbL104nQZcKnszbDox0hwuuotY7G8twYI=,iv:RrkNlJ9us8LDeQQUuexB1yvvYIbSElsB3VOm/4fBHzY=,tag:uv6Fwtk42atINufook7aAw==,type:str]
 matrix-bot:
-    password: ENC[AES256_GCM,data:LruowBkvNx2MgkChUvBFBl62zH39YzHyrNW6cfaUlzGr0DQ6WP5kFiju88VTVfje40jskhQsYqCabH5yrFaoQA==,iv:1fIRRVNNpLOGLQekACgmDdwyYRuryqjdTLOGGS+bVD8=,tag:CcFFw27rj7X9mtSvQj5pHw==,type:str]
+    password: ENC[AES256_GCM,data:RmEcNdQXEQoFYRdDC4fP7+b59aqrWh39YPVI3Ej7MRlMVdUGjmLW4pjhsq98TTqaLefwX0RYW7AD6wo0ua1wLA==,iv:wZF3xTdM4XOIwaweOoHW9d52atjI3zFiQ19dVDj9BLw=,tag:m4KGfgQMKtRi266fovXQSA==,type:str]
 acme:
     inwx: ENC[AES256_GCM,data:tu3pdI2fAQPAwQNdIIk10Kkl0xBPBLx592UlYYEXxJX0YGddAhGMwDUqKTh/B5k9WW11cyoLoeTMnZPMzD15V1Qj,iv:UbbauJBjr3O4XnKRL9Pc3PdRGJqAhqO0PDNkvpyXH2o=,tag:YRVtRo8D0KLVCtWukW7GWw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
           enc: |
@@ -54,8 +50,7 @@ sops:
             NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
             s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-01T20:14:13Z"
-    mac: ENC[AES256_GCM,data:TYsCSFADZkIqN+CggAoyBLHYBnF8XG9c7zGzsjyDG35Xty/JP6K6pC/7IPUEKtvStm0hUCS5seil5gTNmBBIgynVI3xTqhzIQ5UJ6QgxbVIcKR9j3lXF0FpuVSwh8p2Q6jL3LRM3nItCvtYYdw2CFL7pBSuk5BKkPVWbb1n1oyU=,iv:xYZSTv25Af0XSO0SpbwA3F/ORYOdDCemSS8uyFTklXA=,tag:y03I0hQweArU83l1nKFxfw==,type:str]
-    pgp: []
+    lastmodified: "2025-06-06T18:36:39Z"
+    mac: ENC[AES256_GCM,data:cXcCbvl+KgXniJUF70yH2PcQanptrBoY36FdtJjWz5TiNlPNbJCXprmrnetb3Cjwn9LzT+yxF29ZqLP4U5Z4dqfyFHUVHKugiAtvQFYPWiux8Tx9x582RS+R6LXtpZaxWY2Ho30kO/INI3n9FRkdwcCWvgbS5G0y4a8v/tbEhTU=,iv:ACa221uyygkE1yWgA1Eps0oTjd67z9nO12X5x3q1Vyo=,tag:YtydRTcualGTTX920iZVtA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/newton/services.nix

@@ -28,9 +28,7 @@ in
     "grafana/password" = {
       owner = config.users.users.grafana.name;
     };
-    "matrix-bot/password" = {
-      owner = config.systemd.services.go-neb.serviceConfig.User;
-    };
+    "matrix-bot/password" = { };
   };
 
   # List services that you want to enable:

modules/services/alertmanager/config.nix

@@ -17,7 +17,7 @@
       email_configs = [ { to = "server@buehler.rocks"; } ];
       webhook_configs = [
         {
-          url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
+          url = "http://localhost:4050/alert";
           send_resolved = true;
         }
       ];

modules/services/matrix-bot/default.nix

@@ -1,5 +1,9 @@
-# adjusted from: https://github.com/NixOS/nixos-org-configurations/blob/master/delft/eris/alertmanager-matrix-forwarder.nix
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.my.services.matrix-bot;
 in
@@ -14,7 +18,10 @@ in
     };
     PasswortFile = mkOption {
       type = types.path;
-      description = "Password for the bot.";
+      description = ''
+        Password for the bot.
+        format: MX_TOKEN=<token>
+      '';
       example = "/run/secrets/password";
     };
     RoomID = mkOption {
@@ -26,41 +33,27 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # TODO: since no encryption is used, this is not a major problem, but migration is advised
-    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-
-    # Create user so that we can set the ownership of the key to
-    # it. DynamicUser will not take full effect as a result of this.
-    users.users.go-neb = {
-      isSystemUser = true;
-      group = "go-neb";
-    };
-    users.groups.go-neb = { };
-
-    services.go-neb = {
-      enable = true;
-      baseUrl = "http://localhost";
-      secretFile = cfg.PasswortFile;
-      config = {
-        clients = [
-          {
-            UserId = cfg.Username;
-            AccessToken = "$CHANGEME";
-            DeviceID = "KIYFUKBRRK";
-            HomeServerUrl = "https://matrix-client.matrix.org";
-            Sync = true;
-            AutoJoinRooms = true;
-            DisplayName = "Stunkymonkey-Bot";
-          }
-        ];
-        services = [
-          {
-            ID = "echo_service";
-            Type = "echo";
-            UserId = cfg.Username;
-            Config = { };
-          }
-        ];
+    systemd.services.matrix-hook = {
+      description = "Matrix Hook";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        HTTP_ADDRESS = "[::1]";
+        HTTP_PORT = "4050";
+        MX_HOMESERVER = "https://matrix.org";
+        MX_ID = cfg.Username;
+        MX_ROOMID = cfg.RoomID;
+        MX_MSG_TEMPLATE = "${pkgs.matrix-hook}/message.html.tmpl";
+      };
+      serviceConfig = {
+        EnvironmentFile = [ cfg.PasswortFile ];
+        Type = "simple";
+        ExecStart = lib.getExe pkgs.matrix-hook;
+        Restart = "always";
+        RestartSec = "10";
+        DynamicUser = true;
+        User = "matrix-hook";
+        Group = "matrix-hook";
       };
     };
   };