nixos/mautrix-telegram: switch to using static user for automated registration of appservice (#389679)

2026-01-12 02:40:31 +08:00 · 2025-03-19 15:38:57 +01:00
parent 834f706590 f375a86fc1
commit 2a725d40de
1 changed files with 54 additions and 2 deletions
--- a/nixos/modules/services/matrix/mautrix-telegram.nix
+++ b/nixos/modules/services/matrix/mautrix-telegram.nix
@@ -9,7 +9,8 @@ let
  registrationFile = "${dataDir}/telegram-registration.yaml";
  cfg = config.services.mautrix-telegram;
  settingsFormat = pkgs.formats.json { };
-  settingsFile = settingsFormat.generate "mautrix-telegram-config.json" cfg.settings;
+  settingsFileUnsubstituted = settingsFormat.generate "mautrix-telegram-config.json" cfg.settings;
+  settingsFile = "${dataDir}/config.json";

 in
 {
@@ -132,10 +133,37 @@ in
          List of Systemd services to require and wait for when starting the application service.
        '';
      };
+
+      registerToSynapse = lib.mkOption {
+        type = lib.types.bool;
+        default = config.services.matrix-synapse.enable;
+        defaultText = lib.literalExpression "config.services.matrix-synapse.enable";
+        description = ''
+          Whether to add the bridge's app service registration file to
+          `services.matrix-synapse.settings.app_service_config_files`.
+        '';
+      };
    };
  };

  config = lib.mkIf cfg.enable {
+
+    users.users.mautrix-telegram = {
+      isSystemUser = true;
+      group = "mautrix-telegram";
+      home = dataDir;
+      description = "Mautrix-Telegram bridge user";
+    };
+
+    users.groups.mautrix-telegram = { };
+
+    services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
+      settings.app_service_config_files = [ registrationFile ];
+    };
+    systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
+      serviceConfig.SupplementaryGroups = [ "mautrix-telegram" ];
+    };
+
    systemd.services.mautrix-telegram = {
      description = "Mautrix-Telegram, a Matrix-Telegram hybrid puppeting/relaybot bridge.";

@@ -161,6 +189,16 @@ in

      preStart =
        ''
+          # substitute the settings file by environment variables
+          # in this case read from EnvironmentFile
+          test -f '${settingsFile}' && rm -f '${settingsFile}'
+          old_umask=$(umask)
+          umask 0177
+          ${pkgs.envsubst}/bin/envsubst \
+            -o '${settingsFile}' \
+            -i '${settingsFileUnsubstituted}'
+          umask $old_umask
+
          # generate the appservice's registration file if absent
          if [ ! -f '${registrationFile}' ]; then
            ${pkgs.mautrix-telegram}/bin/mautrix-telegram \
@@ -168,6 +206,19 @@ in
              --config='${settingsFile}' \
              --registration='${registrationFile}'
          fi
+
+          old_umask=$(umask)
+          umask 0177
+          # 1. Overwrite registration tokens in config
+          #    is set, set it as the login shared secret value for the configured
+          #    homeserver domain.
+          ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+            | .[0].appservice.hs_token = .[1].hs_token
+            | .[0]' \
+            '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
+          mv '${settingsFile}.tmp' '${settingsFile}'
+
+          umask $old_umask
        ''
        + lib.optionalString (pkgs.mautrix-telegram ? alembic) ''
          # run automatic database init and migration scripts
@@ -175,6 +226,8 @@ in
        '';

      serviceConfig = {
+        User = "mautrix-telegram";
+        Group = "mautrix-telegram";
        Type = "simple";
        Restart = "always";

@@ -184,7 +237,6 @@ in
        ProtectKernelModules = true;
        ProtectControlGroups = true;

-        DynamicUser = true;
        PrivateTmp = true;
        WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found
        StateDirectory = baseNameOf dataDir;