From 6d1d3b5257aa54163ce4e321b83b99709c0b2aea Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sat, 7 Jun 2025 11:33:56 +0200
Subject: [PATCH] service/matrix-bot: migrate matrix-hook from go-neb

---
 machines/newton/secrets.yaml | 13 ++---
 machines/newton/services.nix | 4 +-
 modules/services/alertmanager/config.nix | 2 +-
 modules/services/matrix-bot/default.nix | 69 +++++++++++-------------
 4 files changed, 37 insertions(+), 51 deletions(-)

diff --git a/machines/newton/secrets.yaml b/machines/newton/secrets.yaml
index 903cb9d..d46e0c7 100644
--- a/machines/newton/secrets.yaml
+++ b/machines/newton/secrets.yaml
@@ -27,14 +27,10 @@ sso:
 password-hash: ENC[AES256_GCM,data:4yOMOg3/RsijtXC7h73sIk3HDPq83xmSY7AaLeUbtPVZzjjZ/Qp+YiXpgL0fVsio1Pic3HyAzeVlWg0E,iv:23CdJQAhtpgrUZ1jVKiKYfgw5jQNVN6413Ew8ryJH6w=,tag:bds2Yd18gFtVDtgLkxMGkQ==,type:str]
 totp-secret: ENC[AES256_GCM,data:1fh22SICF19Svg6rLwUYs8oIBr0FV9dG30WWpPN751VbL104nQZcKnszbDox0hwuuotY7G8twYI=,iv:RrkNlJ9us8LDeQQUuexB1yvvYIbSElsB3VOm/4fBHzY=,tag:uv6Fwtk42atINufook7aAw==,type:str]
 matrix-bot:
- password: ENC[AES256_GCM,data:LruowBkvNx2MgkChUvBFBl62zH39YzHyrNW6cfaUlzGr0DQ6WP5kFiju88VTVfje40jskhQsYqCabH5yrFaoQA==,iv:1fIRRVNNpLOGLQekACgmDdwyYRuryqjdTLOGGS+bVD8=,tag:CcFFw27rj7X9mtSvQj5pHw==,type:str]
+ password: ENC[AES256_GCM,data:RmEcNdQXEQoFYRdDC4fP7+b59aqrWh39YPVI3Ej7MRlMVdUGjmLW4pjhsq98TTqaLefwX0RYW7AD6wo0ua1wLA==,iv:wZF3xTdM4XOIwaweOoHW9d52atjI3zFiQ19dVDj9BLw=,tag:m4KGfgQMKtRi266fovXQSA==,type:str]
 acme:
 inwx: ENC[AES256_GCM,data:tu3pdI2fAQPAwQNdIIk10Kkl0xBPBLx592UlYYEXxJX0YGddAhGMwDUqKTh/B5k9WW11cyoLoeTMnZPMzD15V1Qj,iv:UbbauJBjr3O4XnKRL9Pc3PdRGJqAhqO0PDNkvpyXH2o=,tag:YRVtRo8D0KLVCtWukW7GWw==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
 enc: |
@@ -54,8 +50,7 @@ sops:
 NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
 s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-01T20:14:13Z"
- mac: ENC[AES256_GCM,data:TYsCSFADZkIqN+CggAoyBLHYBnF8XG9c7zGzsjyDG35Xty/JP6K6pC/7IPUEKtvStm0hUCS5seil5gTNmBBIgynVI3xTqhzIQ5UJ6QgxbVIcKR9j3lXF0FpuVSwh8p2Q6jL3LRM3nItCvtYYdw2CFL7pBSuk5BKkPVWbb1n1oyU=,iv:xYZSTv25Af0XSO0SpbwA3F/ORYOdDCemSS8uyFTklXA=,tag:y03I0hQweArU83l1nKFxfw==,type:str]
- pgp: []
+ lastmodified: "2025-06-06T18:36:39Z"
+ mac: ENC[AES256_GCM,data:cXcCbvl+KgXniJUF70yH2PcQanptrBoY36FdtJjWz5TiNlPNbJCXprmrnetb3Cjwn9LzT+yxF29ZqLP4U5Z4dqfyFHUVHKugiAtvQFYPWiux8Tx9x582RS+R6LXtpZaxWY2Ho30kO/INI3n9FRkdwcCWvgbS5G0y4a8v/tbEhTU=,iv:ACa221uyygkE1yWgA1Eps0oTjd67z9nO12X5x3q1Vyo=,tag:YtydRTcualGTTX920iZVtA==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.9.4
+ version: 3.10.2
diff --git a/machines/newton/services.nix b/machines/newton/services.nix
index dc65fd6..ddffcd0 100644
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@@ -28,9 +28,7 @@ in
 "grafana/password" = {
 owner = config.users.users.grafana.name;
 };
- "matrix-bot/password" = {
- owner = config.systemd.services.go-neb.serviceConfig.User;
- };
+ "matrix-bot/password" = { };
 };
 
 # List services that you want to enable:
diff --git a/modules/services/alertmanager/config.nix b/modules/services/alertmanager/config.nix
index 52ba37b..ec779c6 100644
--- a/modules/services/alertmanager/config.nix
+++ b/modules/services/alertmanager/config.nix
@@ -17,7 +17,7 @@
 email_configs = [ { to = "server@buehler.rocks"; } ];
 webhook_configs = [
 {
- url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
+ url = "http://localhost:4050/alert";
 send_resolved = true;
 }
 ];
diff --git a/modules/services/matrix-bot/default.nix b/modules/services/matrix-bot/default.nix
index 308fc42..5cf9adb 100644
--- a/modules/services/matrix-bot/default.nix
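Review bot: Dropping the `owner` leaves `matrix-bot/password` with sops-nix's default (root) ownership, and the consuming unit added in modules/services/matrix-bot/default.nix runs as a `DynamicUser`, so nothing chowns the secret to the runtime user any more. As far as I know this only works because the file is handed to systemd via `EnvironmentFile`, which the manager reads with its own privileges before switching user; the dependency is invisible from this line, so I would record it: `"matrix-bot/password" = { }; # root-owned on purpose: read by systemd via EnvironmentFile, not by the DynamicUser`. The same change also silently requires the decrypted file to be in env-file syntax (`MX_TOKEN=...`) rather than a bare password; nothing here or in the module checks that.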
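Review bot: The new webhook URL targets `localhost` while the matrix-hook unit in this patch binds `HTTP_ADDRESS = "[::1]"`, so delivery depends on `localhost` resolving to `::1` or on the dialer falling back after 127.0.0.1 refuses; pinning the address removes the guess: `url = "http://[::1]:4050/alert";`. Note too that the go-neb path carried a per-service token and `/alert` does not — unless matrix-hook authenticates callers itself, any local process that can reach the port can post to the room, so the loopback bind is the only access control left and should not be widened later without revisiting this.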
+++ b/modules/services/matrix-bot/default.nix
@@ -1,5 +1,9 @@
-# adjusted from: https://github.com/NixOS/nixos-org-configurations/blob/master/delft/eris/alertmanager-matrix-forwarder.nix
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
 cfg = config.my.services.matrix-bot;
 in
@@ -14,7 +18,10 @@ in
 };
 PasswortFile = mkOption {
 type = types.path;
- description = "Password for the bot.";
+ description = ''
+ Password for the bot.
+ format: MX_TOKEN=
+ '';
 example = "/run/secrets/password";
 };
 RoomID = mkOption {
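Review bot: The new description still calls the value a password, but `cfg.PasswortFile` is now passed to `EnvironmentFile` in this patch, so the file must be in systemd environment-file syntax and hold the Matrix access token under `MX_TOKEN`; the bare line `format: MX_TOKEN=` does not say either of those things. I would replace the description with `Path to an environment file (systemd EnvironmentFile syntax) containing the bot's Matrix access token as a line MX_TOKEN=<token>.` so readers know it is a token, not a login password, and that other variables in the file are also exported to the service. The option name and `type = types.path` are unchanged, so this is documentation only; the enclosing options block continues outside the hunk.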
@@ -26,41 +33,27 @@ in
 };
 config = lib.mkIf cfg.enable {
- # TODO: since no encryption is used, this is not a major problem, but migration is advised
- nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
-
- # Create user so that we can set the ownership of the key to
- # it. DynamicUser will not take full effect as a result of this.
- users.users.go-neb = {
- isSystemUser = true;
- group = "go-neb";
- };
- users.groups.go-neb = { };
-
- services.go-neb = {
- enable = true;
- baseUrl = "http://localhost";
- secretFile = cfg.PasswortFile;
- config = {
- clients = [
- {
- UserId = cfg.Username;
- AccessToken = "$CHANGEME";
- DeviceID = "KIYFUKBRRK";
- HomeServerUrl = "https://matrix-client.matrix.org";
- Sync = true;
- AutoJoinRooms = true;
- DisplayName = "Stunkymonkey-Bot";
- }
- ];
- services = [
- {
- ID = "echo_service";
- Type = "echo";
- UserId = cfg.Username;
- Config = { };
- }
- ];
+ systemd.services.matrix-hook = {
+ description = "Matrix Hook";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ HTTP_ADDRESS = "[::1]";
+ HTTP_PORT = "4050";
+ MX_HOMESERVER = "https://matrix.org";
+ MX_ID = cfg.Username;
+ MX_ROOMID = cfg.RoomID;
+ MX_MSG_TEMPLATE = "${pkgs.matrix-hook}/message.html.tmpl";
+ };
+ serviceConfig = {
+ EnvironmentFile = [ cfg.PasswortFile ];
+ Type = "simple";
+ ExecStart = lib.getExe pkgs.matrix-hook;
+ Restart = "always";
+ RestartSec = "10";
+ DynamicUser = true;
+ User = "matrix-hook";
+ Group = "matrix-hook";
+ };
 };
 };
 };