From 130800aaa142519391c7444b28b8e0304cfb7958 Mon Sep 17 00:00:00 2001 From: Niklas Korz Date: Sat, 23 Nov 2024 15:35:02 +0100 Subject: [PATCH] nixos/conduwuit: init --- .../manual/release-notes/rl-2505.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/matrix/conduwuit.nix | 280 ++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/matrix/conduwuit.nix | 94 ++++++ pkgs/by-name/co/conduwuit/package.nix | 10 +- 6 files changed, 385 insertions(+), 3 deletions(-) create mode 100644 nixos/modules/services/matrix/conduwuit.nix create mode 100644 nixos/tests/matrix/conduwuit.nix diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 32f60ddcf7d92a..67e94bd5cc246f 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -16,6 +16,8 @@ - [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](options.html#opt-services.omnom.enable). +- [Conduwuit](https://conduwuit.puppyirl.gay/), a federated chat server implementing the Matrix protocol, forked from Conduit. Available as [services.conduwuit](#opt-services.conduwuit.enable). + - [Traccar](https://www.traccar.org/), a modern GPS Tracking Platform. Available as [services.traccar](#opt-services.traccar.enable). - [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index eaff9dc318dfa8..e28f183de93c15 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -708,6 +708,7 @@ ./services/matrix/appservice-discord.nix ./services/matrix/appservice-irc.nix ./services/matrix/conduit.nix + ./services/matrix/conduwuit.nix ./services/matrix/dendrite.nix ./services/matrix/hebbot.nix ./services/matrix/hookshot.nix diff --git a/nixos/modules/services/matrix/conduwuit.nix b/nixos/modules/services/matrix/conduwuit.nix new file mode 100644 index 00000000000000..3e3e93c99fde06 --- /dev/null +++ b/nixos/modules/services/matrix/conduwuit.nix @@ -0,0 +1,280 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.services.conduwuit; + defaultUser = "conduwuit"; + defaultGroup = "conduwuit"; + + format = pkgs.formats.toml { }; + # TOML does not allow null values, so we just omit those fields + filteredSettings = lib.converge (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings; + configFile = format.generate "conduwuit.toml" filteredSettings; +in +{ + meta.maintainers = with lib.maintainers; [ niklaskorz ]; + options.services.conduwuit = { + enable = lib.mkEnableOption "conduwuit"; + + user = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The user {command}`conduwuit` is run as. + ''; + default = defaultUser; + }; + + group = lib.mkOption { + type = lib.types.nonEmptyStr; + description = '' + The group {command}`conduwuit` is run as. + ''; + default = defaultGroup; + }; + + extraEnvironment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + description = "Extra Environment variables to pass to the conduwuit server."; + default = { }; + example = { + RUST_BACKTRACE = "yes"; + }; + }; + + package = lib.mkPackageOption pkgs "conduwuit" { }; + + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = format.type; + options = { + global.server_name = lib.mkOption { + type = lib.types.nonEmptyStr; + example = "example.com"; + description = "The server_name is the name of this server. It is used as a suffix for user and room ids."; + }; + global.address = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr); + default = null; + example = [ + "127.0.0.1" + "::1" + ]; + description = '' + Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator. + If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost. + Must be `null` if `unix_socket_path` is set. + ''; + }; + global.port = lib.mkOption { + type = lib.types.listOf lib.types.port; + default = [ 6167 ]; + description = '' + The port(s) conduwuit will be running on. + You need to set up a reverse proxy in your web server (e.g. apache or nginx), + so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit + instance running on this port. + ''; + }; + global.unix_socket_path = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Listen on a UNIX socket at the specified path. If listening on a UNIX socket, + listening on an address will be disabled. The `address` option must be set to + `null` (the default value). The option {option}`services.conduwuit.group` must + be set to a group your reverse proxy is part of. + + This will automatically add a system user "conduwuit" to your system if + {option}`services.conduwuit.user` is left at the default, and a "conduwuit" + group if {option}`services.conduwuit.group` is left at the default. + ''; + }; + global.unix_socket_perms = lib.mkOption { + type = lib.types.ints.positive; + default = 660; + description = "The default permissions (in octal) to create the UNIX socket with."; + }; + global.max_request_size = lib.mkOption { + type = lib.types.ints.positive; + default = 20000000; + description = "Max request size in bytes. Don't forget to also change it in the proxy."; + }; + global.allow_registration = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether new users can register on this server. + + Registration with token requires `registration_token` or `registration_token_file` to be set. + + If set to true without a token configured, and + `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` + is set to true, users can freely register. + ''; + }; + global.allow_encryption = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work."; + }; + global.allow_federation = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Whether this server federates with other servers. + ''; + }; + global.trusted_servers = lib.mkOption { + type = lib.types.listOf lib.types.nonEmptyStr; + default = [ "matrix.org" ]; + description = '' + Servers listed here will be used to gather public keys of other servers + (notary trusted key servers). + + Currently, conduwuit doesn't support inbound batched key requests, so + this list should only contain other Synapse servers. + + Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]` + ''; + }; + global.database_path = lib.mkOption { + readOnly = true; + type = lib.types.path; + default = "/var/lib/conduwuit/"; + description = '' + Path to the conduwuit database, the directory where conduwuit will save its data. + Note that database_path cannot be edited because of the service's reliance on systemd StateDir. + ''; + }; + global.allow_check_for_updates = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + If enabled, conduwuit will send a simple GET request periodically to + for any new announcements made. + Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint. + + Disabled by default. + ''; + }; + }; + }; + default = { }; + description = '' + Generates the conduwuit.toml configuration file. Refer to + + for details on supported values. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.settings.global.unix_socket_path == null || cfg.settings.global.address == null; + message = '' + In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the + same time. + Leave one of the two options unset or explicitly set them to `null`. + ''; + } + ]; + + # DynamicUser requires both user and group to exist or both not to exist. + # If we're configured to run under a different user or group, ensure + # the other default exists. + users = + lib.mkIf + ( + cfg.settings.global.unix_socket_path != null || cfg.group != defaultGroup || cfg.user != defaultUser + ) + { + groups = lib.mkIf (cfg.group == defaultGroup) { + ${defaultGroup} = { }; + }; + users = lib.mkIf (cfg.user == defaultUser) { + ${defaultUser} = { + group = cfg.group; + home = cfg.settings.global.database_path; + isSystemUser = true; + }; + }; + }; + + systemd.services.conduwuit = { + description = "Conduwuit Matrix Server"; + documentation = [ "https://conduwuit.puppyirl.gay/" ]; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + environment = lib.mkMerge ([ + { CONDUWUIT_CONFIG = configFile; } + cfg.extraEnvironment + ]); + startLimitBurst = 5; + startLimitIntervalSec = 60; + serviceConfig = { + DynamicUser = true; + User = cfg.user; + Group = cfg.group; + + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + PrivateIPC = true; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@resources" + "~@clock" + "@debug" + "@module" + "@mount" + "@reboot" + "@swap" + "@cpu-emulation" + "@obsolete" + "@timer" + "@chown" + "@setuid" + "@privileged" + "@keyring" + "@ipc" + ]; + SystemCallErrorNumber = "EPERM"; + + StateDirectory = "conduwuit"; + StateDirectoryMode = "0700"; + RuntimeDirectory = "conduwuit"; + RuntimeDirectoryMode = "0750"; + + ExecStart = lib.getExe cfg.package; + Restart = "on-failure"; + RestartSec = 10; + }; + }; + }; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index fae441d28e20c6..40b96a272bd4a7 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -217,6 +217,7 @@ in { coder = handleTest ./coder.nix {}; collectd = handleTest ./collectd.nix {}; commafeed = handleTest ./commafeed.nix {}; + conduwuit = handleTest ./matrix/conduwuit.nix {}; connman = handleTest ./connman.nix {}; consul = handleTest ./consul.nix {}; consul-template = handleTest ./consul-template.nix {}; diff --git a/nixos/tests/matrix/conduwuit.nix b/nixos/tests/matrix/conduwuit.nix new file mode 100644 index 00000000000000..4571474279268e --- /dev/null +++ b/nixos/tests/matrix/conduwuit.nix @@ -0,0 +1,94 @@ +import ../make-test-python.nix ( + { pkgs, lib, ... }: + let + name = "conduwuit"; + in + { + inherit name; + + nodes = { + conduwuit = args: { + services.conduwuit = { + enable = true; + settings.global = { + server_name = name; + address = "0.0.0.0"; + allow_registration = true; + yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true; + }; + extraEnvironment.RUST_BACKTRACE = "yes"; + }; + networking.firewall.allowedTCPPorts = [ 6167 ]; + }; + client = + { pkgs, ... }: + { + environment.systemPackages = [ + (pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } '' + import asyncio + + from nio import AsyncClient + + + async def main() -> None: + # Connect to conduwuit + client = AsyncClient("http://conduwuit:6167", "alice") + + # Register as user alice + response = await client.register("alice", "my-secret-password") + + # Log in as user alice + response = await client.login("my-secret-password") + + # Create a new room + response = await client.room_create(federate=False) + room_id = response.room_id + + # Join the room + response = await client.join(room_id) + + # Send a message to the room + response = await client.room_send( + room_id=room_id, + message_type="m.room.message", + content={ + "msgtype": "m.text", + "body": "Hello conduwuit!" + } + ) + + # Sync responses + response = await client.sync(timeout=30000) + + # Check the message was received by conduwuit + last_message = response.rooms.join[room_id].timeline.events[-1].body + assert last_message == "Hello conduwuit!" + + # Leave the room + response = await client.room_leave(room_id) + + # Close the client + await client.close() + + asyncio.get_event_loop().run_until_complete(main()) + '') + ]; + }; + }; + + testScript = '' + start_all() + + with subtest("start conduwuit"): + conduwuit.wait_for_unit("conduwuit.service") + conduwuit.wait_for_open_port(6167) + + with subtest("ensure messages can be exchanged"): + client.succeed("do_test") + ''; + + meta.maintainers = with lib.maintainers; [ + niklaskorz + ]; + } +) diff --git a/pkgs/by-name/co/conduwuit/package.nix b/pkgs/by-name/co/conduwuit/package.nix index 8cf9cfafc0a109..d1e0f9fedf6e49 100644 --- a/pkgs/by-name/co/conduwuit/package.nix +++ b/pkgs/by-name/co/conduwuit/package.nix @@ -17,6 +17,7 @@ rust-jemalloc-sys, enableLiburing ? stdenv.hostPlatform.isLinux, liburing, + nixosTests, }: let rust-jemalloc-sys' = rust-jemalloc-sys.override { @@ -84,9 +85,12 @@ rustPlatform.buildRustPackage rec { passthru = { updateScript = nix-update-script { }; - tests.version = testers.testVersion { - package = conduwuit; - version = "${version}"; + tests = { + inherit (nixosTests) conduwuit; + version = testers.testVersion { + inherit version; + package = conduwuit; + }; }; };