path: root/nixos/modules/services/matrix/pantalaimon.nix
{ config, lib, pkgs, ... }:

with lib;
let
  # INI writer used to render each instance's pantalaimon.conf.  The file it
  # produces lives in the Nix store, i.e. it is world-readable on the host.
  iniFmt = pkgs.formats.ini { };

  # Shorthand for this module's own option tree.
  cfg = config.services."pantalaimon-headless";

  # Render the INI configuration for a single instance.
  #
  # `name` becomes the per-homeserver section header; `inst` is the evaluated
  # submodule for that instance.  The fixed headless settings are merged with
  # inst.extraSettings via recursiveUpdate, extraSettings last, so a user can
  # override any of them.  Because the result is a store path, anything placed
  # in extraSettings is readable by every local user — keep credentials out.
  mkConfigFile = name: inst:
    let
      headlessSection = {
        Homeserver = inst.homeserver;
        ListenAddress = inst.listenAddress;
        ListenPort = inst.listenPort;
        SSL = inst.ssl;

        # Headless operation: never wait for user interaction.  As the key
        # names suggest, this presumably lets the proxy proceed with devices
        # nobody has verified and avoids any keyring backend — confirm against
        # the pantalaimon configuration reference before relying on either.
        IgnoreVerification = true;
        UseKeyring = false;
      };
    in
    iniFmt.generate "pantalaimon.conf" {
      Default = {
        LogLevel = inst.logLevel;
        Notifications = false;
      };
      ${name} = recursiveUpdate headlessSection inst.extraSettings;
    };

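  # Build the systemd unit for one instance as a nameValuePair so the result
  # can be handed to mapAttrs'.
  #
  # The unit runs under a transient DynamicUser with a per-instance
  # StateDirectory (/var/lib/pantalaimon-<name>); instanceConfig.dataPath must
  # be somewhere that user can write, which under ProtectSystem=strict is
  # essentially that directory.  The config file passed on the command line is
  # a store path, so it needs no special permissions.
  mkPantalaimonService = name: instanceConfig:
    let
      configFile = mkConfigFile name instanceConfig;
    in
    nameValuePair "pantalaimon-${name}" {
      description = "pantalaimon instance ${name} - E2EE aware proxy daemon for matrix clients";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # systemd splits ExecStart on whitespace, so each argument is
        # shell-quoted; an unquoted dataPath containing a space would
        # otherwise be passed as two arguments.
        ExecStart = concatStringsSep " " [
          "${pkgs.pantalaimon-headless}/bin/pantalaimon"
          "--config" (escapeShellArg configFile)
          "--data-path" (escapeShellArg instanceConfig.dataPath)
        ];
        Restart = "on-failure";
        DynamicUser = true;
        StateDirectory = "pantalaimon-${name}";

        # Sandboxing.  The daemon only needs outbound/inbound sockets and its
        # state directory, so everything else is closed off.  No capabilities
        # are retained: the dynamic user is unprivileged anyway, so a
        # listenPort below 1024 was never bindable by this unit.
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
      };
    };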
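in
{
  options.services.pantalaimon-headless.instances = mkOption {
    default = { };
    type = types.attrsOf (types.submodule (import ./pantalaimon-options.nix));
    description = ''
      Declarative instance config.

      Note: to use pantalaimon interactively, e.g. for a Matrix client which does not
      support End-to-end encryption (like <literal>fractal</literal>), refer to the home-manager module.
    '';
  };

  # One systemd unit per declared instance; nothing is emitted while the
  # attrset is empty.  `cfg` is this module's option tree, so the guard and
  # the mapping are guaranteed to read the same value.
  config = mkIf (cfg.instances != { }) {
    systemd.services = mapAttrs' mkPantalaimonService cfg.instances;
  };

  meta = {
    maintainers = with maintainers; [ jojosch ];
  };
}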