signal-irc-bridge/module.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  cfg = config.services.signal-irc-bridge;
  commonServiceOptions = {
    User = "signal-irc";
    Group = "signal-irc";
    StateDirectory = "signal-cli";
    RuntimeDirectory = "signal-cli";

    PrivateDevices = true;
    PrivateTmp = true;
    ProtectControlGroups = true;
    ProtectKernelTunables = true;
    RestrictSUIDSGID = true;

    ProtectSystem = "strict";
    ProtectKernelLogs = true;
    ProtectProc = "invisible";
    PrivateUsers = true;
    ProtectHome = true;
    UMask = "0027";
    RuntimeDirectoryMode = "0750";
    StateDirectoryMode = "0750";
  };
in
{
  options = {
    services.signal-irc-bridge = {
      enable = lib.mkEnableOption "signal-irc bridge";
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.signal-irc-bridge;
      };
      configFile = lib.mkOption {
        type = lib.types.path;
        description = "Path to the toml config file";
      };
    };
  };

  config = {
    nixpkgs.overlays = [ (import ./overlay.nix) ];

    systemd.services = lib.mkIf cfg.enable {
      signal-irc-bridge = {
        script = ''
          CONFIG_PATH=$CREDENTIALS_DIRECTORY/config ${lib.getExe cfg.package}
        '';
        unitConfig = {
          BindsTo = [ "signal-irc-bridge-signal-cli.service" ];
          After = [ "signal-irc-bridge-signal-cli.service" ];
        };
        serviceConfig = commonServiceOptions // {
          Restart = "always";
          RestartSec = "5s";

          LoadCredential = [ "config:${cfg.configFile}" ];

          # Change state/runtime dirs because it deletes the socket else
          StateDirectory = "signal-irc";
          RuntimeDirectory = "signal-irc";
        };
      };
      signal-irc-bridge-signal-cli = {
        serviceConfig = commonServiceOptions // {
          ExecStart = "${lib.getExe pkgs.signal-cli} --config \"\${STATE_DIRECTORY}\"/signal-cli-config/ daemon --socket \"\${RUNTIME_DIRECTORY}\"/socket --receive-mode=manual";
          Restart = "always";
          RestartSec = "5s";
        };
      };
    };
    environment.systemPackages = lib.mkIf cfg.enable [ pkgs.signal-cli ];

    users = lib.mkIf cfg.enable {
      users.signal-irc = {
        isSystemUser = true;
        group = "signal-irc";
      };
      groups.signal-irc = { };
    };
  };
}
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
feat: package 2024-05-22 12:34:33 +02:00			`let`
			`cfg = config.services.signal-irc-bridge;`
			`commonServiceOptions = {`
fix: Remove dynamicUser and fix little bugs 2024-07-19 19:05:58 +02:00			`User = "signal-irc";`
			`Group = "signal-irc";`
feat: package 2024-05-22 12:34:33 +02:00			`StateDirectory = "signal-cli";`
			`RuntimeDirectory = "signal-cli";`

chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`PrivateDevices = true;`
			`PrivateTmp = true;`
			`ProtectControlGroups = true;`
			`ProtectKernelTunables = true;`
			`RestrictSUIDSGID = true;`
feat: package 2024-05-22 12:34:33 +02:00
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`ProtectSystem = "strict";`
			`ProtectKernelLogs = true;`
			`ProtectProc = "invisible";`
			`PrivateUsers = true;`
			`ProtectHome = true;`
			`UMask = "0027";`
			`RuntimeDirectoryMode = "0750";`
			`StateDirectoryMode = "0750";`
feat: package 2024-05-22 12:34:33 +02:00			`};`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`in`
			`{`
feat: package 2024-05-22 12:34:33 +02:00			`options = {`
			`services.signal-irc-bridge = {`
			`enable = lib.mkEnableOption "signal-irc bridge";`
			`package = lib.mkOption {`
			`type = lib.types.package;`
			`default = pkgs.signal-irc-bridge;`
			`};`
			`configFile = lib.mkOption {`
			`type = lib.types.path;`
			`description = "Path to the toml config file";`
			`};`
			`};`
			`};`

			`config = {`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`nixpkgs.overlays = [ (import ./overlay.nix) ];`
feat: package 2024-05-22 12:34:33 +02:00
			`systemd.services = lib.mkIf cfg.enable {`
			`signal-irc-bridge = {`
fix: use loadcredentials for now 2024-05-22 17:09:01 +02:00			`script = ''`
			`CONFIG_PATH=$CREDENTIALS_DIRECTORY/config ${lib.getExe cfg.package}`
			`'';`
feat: package 2024-05-22 12:34:33 +02:00			`unitConfig = {`
			`BindsTo = [ "signal-irc-bridge-signal-cli.service" ];`
			`After = [ "signal-irc-bridge-signal-cli.service" ];`
			`};`
			`serviceConfig = commonServiceOptions // {`
			`Restart = "always";`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`RestartSec = "5s";`
fix: use loadcredentials for now 2024-05-22 17:09:01 +02:00
fix: Remove dynamicUser and fix little bugs 2024-07-19 19:05:58 +02:00			`LoadCredential = [ "config:${cfg.configFile}" ];`
fix: use loadcredentials for now 2024-05-22 17:09:01 +02:00
			`# Change state/runtime dirs because it deletes the socket else`
feat: package 2024-05-22 12:34:33 +02:00			`StateDirectory = "signal-irc";`
			`RuntimeDirectory = "signal-irc";`
			`};`
			`};`
			`signal-irc-bridge-signal-cli = {`
			`serviceConfig = commonServiceOptions // {`
			`ExecStart = "${lib.getExe pkgs.signal-cli} --config \"\${STATE_DIRECTORY}\"/signal-cli-config/ daemon --socket \"\${RUNTIME_DIRECTORY}\"/socket --receive-mode=manual";`
			`Restart = "always";`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`RestartSec = "5s";`
feat: package 2024-05-22 12:34:33 +02:00			`};`
			`};`
			`};`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`environment.systemPackages = lib.mkIf cfg.enable [ pkgs.signal-cli ];`
fix: Remove dynamicUser and fix little bugs 2024-07-19 19:05:58 +02:00
			`users = lib.mkIf cfg.enable {`
			`users.signal-irc = {`
			`isSystemUser = true;`
			`group = "signal-irc";`
			`};`
chore: Run nixfmt 2024-07-19 19:06:13 +02:00			`groups.signal-irc = { };`
fix: Remove dynamicUser and fix little bugs 2024-07-19 19:05:58 +02:00			`};`
feat: package 2024-05-22 12:34:33 +02:00			`};`
			`}`