feat: Matterbridge

je suis fatigué

machines/core-services-01/configuration.nix

@@ -22,6 +22,7 @@
       ./dex.nix
       ./oauth2_proxy.nix
       ./secrets
+      ./matterbridge.nix
       # TODO push to gitea
       # TODO ./gotify.nix
       # TODO(Raito): ./backups.nix

machines/core-services-01/matterbridge.nix

@@ -0,0 +1,50 @@
+{ config, pkgs, ... }:
+let
+  manageSecrets = conf: secrets: output: keys:
+    /*
+    `secrets` are in the form "SECRET_1=secret\nSECRET_2=secre"
+    For each name in `keys` we search for a line `$NAME=<secret>`,
+    (`<secret>` is just everything up to the end of the line)
+    and we substitute `$NAME` by `<secret>` in `conf`, and we print
+    the result in `output`.
+    */
+    let
+      check = key: ''
+        if grep ${key} ${secrets} > /dev/null
+        then
+          true
+        else
+          echo "Missing ${key} from secrets"
+          exit 1
+        fi
+        '';
+      get = key: "$(grep '${key}=' ${secrets} | sed 's/^.*=//' | sed -e 's/[\\/&]/\\\\&/g')";
+      checks = pkgs.lib.concatMapStrings check;
+      replaces = pkgs.lib.concatMapStrings (key: "s/${key}/${get key}/;");
+    in pkgs.writeShellScriptBin "preStart" ''
+      ${checks keys}
+      sed "${replaces keys}" ${conf} > ${output}
+      '';
+  startScript = pkgs.writeShellScriptBin "start" ''
+    ${manageSecrets
+          ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml"
+          [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart
+    ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml
+    '';
+in {
+  networking.firewall.allowedTCPPorts = [ 52187 ];
+  systemd.services.matterbridge = {
+    description = "Chat platform bridge";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    serviceConfig = {
+      DynamicUser = true;
+      LoadCredential = "secrets:${config.age.secrets.matterbridge.path}";
+      ExecStart = "${startScript}/bin/start";
+      Restart = "always";
+      RestartSec = "10";
+      RuntimeDirectory = "matterbridge";
+    };
+  };
+}

machines/core-services-01/matterbridge.toml

@@ -0,0 +1,23 @@
+[irc]
+    [irc.ulminfo]
+    Server="ens.wtf:6697"
+    Nick="botte"
+        UseTLS=true
+        Charset="utf8"
+        PrefixMessagesWithNick=true
+        RemoteNickFormat="<{NICK}> "
+[mattermost]
+    [mattermost.merle]
+        WebhookURL="SECRET_MATTERMOST_WEBHOOK"
+        WebhookBindAddress="0.0.0.0:52187"
+        PrefixMessagesWithNick=false
+        RemoteNickFormat="{NICK}"
+[[gateway]]
+name="réseau"
+enable=true
+    [[gateway.inout]]
+    account="irc.ulminfo"
+    channel="#réseau"
+    [[gateway.inout]]
+    account="mattermost.merle"
+    channel="town-square"

machines/core-services-01/secrets/default.nix

@@ -4,4 +4,5 @@
   age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age;
   age.secrets.droneKeyFile.file = ./droneKeyFile.age;
   age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age;
+  age.secrets.matterbridge.file = ./matterbridge.age;
 }

machines/core-services-01/secrets/matterbridge.age

@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 lHr4YQ HJL96EuQl0qWnOeAR2lXroAQmAdlpqcQKseelyfExgA
+xWjYiQmkgz/jOOpWpHPn/3rt7ZJdmP88Gz43E3roa6I
+-> ssh-ed25519 h6AgbA 1GpBA4vLsVOUkX8J5YLQMi3Xfdhv+4u7yG7oI49u5wk
+oWR+SI4hyhbcEXSm0HMwi9JfC31C9eyXnco4LEknOUk
+-> ssh-ed25519 Wu8JLQ ZZB4XicZQfT7H+nKr6QJgJaKXt8QOlMBdNfuOsgtqUI
+sdmNC14ORCJDLcXqWDWwZZ6Eg/oR87unKhDgbdmfWek
+-> ssh-ed25519 cvTB5g 7+tI7ZXsHjInyRYKXh7Ib/GBlAggr+xmXKnbfMSiNjM
+R69O8e2vhIBznrX86Duxc3sYgeiFq0dOdLBvQHeP4F4
+-> ssh-ed25519 /vwQcQ N5wmtMG7kwHRIANNlsjcRDGgkDdBaqUyFAJALXASMRg
+oEU6zPMTi2e05G8TgyAq2iCZCwDDsFN1VZIbFvU4MP4
+-> ssh-ed25519 reTIKw ZqKi1btO33hUfCb4ZCX1h+ful/8safmcPwdBfh0+V3c
++agInPvfpuuQGuStNCX71dSlUJedHc7HjKDZiIh2VNk
+-> ssh-ed25519 85WiGg 8VoK1DXQdNX4bjC42jsZZc3RpAkua1o/zdhI5WkR72Q
+vzvCER9TOE+6NQWmtb/b9yybv7yKM2VMA/cHrsUN8jo
+-> ssh-rsa krWCLQ
+YyOhEu3NJ6JXqSfk1QbLm/HhOS8KFvX0extWp8djBYTx0DaqAFYW6gX8HReQsky4
+5MOVZ7NjkBuWteRD7Xw/H1Y4I0t9ciBP06Yv64TpciHYahE36GUA8kS6eYr9kAP+
+gf1/aExn8CJX1NES6rDgEDNmlBuuLMk611wYT1wwt44MhsATmOAEW35A9tbpuJeh
+Qc/aZX7XzeOkzpO/aYMn/SVREU5fWNdhAgA3vD7MUEAYzB4sS5BaOZ2PBGU/IohL
+MhbdTLA3EE3mfSMCJonNz/lF3qNRkCXFbXvhtvck/OAHnprGRhAbbHJPpqx147hc
+LvbEgEtQe9JM6uaKR0Qy1g
+-> gWo;S~-grease
+q68DoRepcege0soJFgobnMTxzSfPRXge3B5CEiCywztahSXsr3ft/JVSh6KBIJG0
+pMsIk2Q
+--- q1UjUMNNAe9WWCzomMsLxh7s+1USEVZsJNHrLsGVuks
+H9zÊz
óehJÍ>#¾³ÎÞ×…ãÙ<C3A3>iíÆÛ
+ÒLô_c—G´y‰ƒCAxÕ	԰ˆ˜:u—íe4ñêî½ãC’¸€‹$V²´ý+4%†™Å&£øIüàÄ#]ê)ÏÿˆV?rÖ4ÜwT³a@û4

machines/core-services-01/secrets/secrets.nix

@@ -11,5 +11,6 @@ in
     "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems;
     "droneKeyFile.age".publicKeys = superadmins ++ systems;
     "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems;
+    "matterbridge.age".publicKeys = superadmins ++ systems;
   }