Commit b443a4d9 authored by Frédéric Christ's avatar Frédéric Christ
Browse files

mautrix-whatsapp: Apply suggestions 

This contribution applies suggestions made by Luflosi in
https://github.com/NixOS/nixpkgs/pull/176025#issuecomment-1237338551


as well as some general refactoring.

Co-authored-by: default avatarLuflosi <Luflosi@users.noreply.github.com>
parent 641d717a

nixos/modules/services/matrix/mautrix-whatsapp.nix

+89 −56
Original line number Diff line number Diff line
@@ -7,41 +7,25 @@ 
with lib; let

  cfg = config.services.mautrix-whatsapp;

  dataDir = "/var/lib/mautrix-whatsapp";

  settingsFormat = pkgs.formats.json {};



  registrationFile = "${dataDir}/whatsapp-registration.yaml";

  settingsFile = settingsFormat.generate "config.json" cfg.settings;



  startupScript = ''

    ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token

      | .[0].appservice.hs_token = .[1].hs_token

      | .[0]' ${settingsFile} ${registrationFile} \

      > ${dataDir}/config.yml



    ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \

      --config='${dataDir}/config.yml' \

      --registration='${registrationFile}'

  '';

  settingsFile = "${dataDir}/config.json";

  settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings;

  settingsFormat = pkgs.formats.json {};

in {

  options.services.mautrix-whatsapp = {

    enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp.";

    enable = mkEnableOption "mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp.";



    settings = mkOption rec {

      apply = recursiveUpdate default;

      inherit (settingsFormat) type;



      description = lib.mdDoc ''

        {file}`config.yaml` configuration as a Nix attribute set.

        Configuration options should match those described in

        [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml).

      '';

      default = {

        homeserver = {

          domain = config.services.matrix-synapse.settings.server_name;

        };

        appservice = rec {

          address = "http://localhost:29318";

          hostname = "0.0.0.0";

          address = "http://localhost:${toString port}";

          hostname = "[::]";

          port = 29318;

          database = {

            type = "sqlite3";
@@ -50,38 +34,62 @@ in { 
          id = "whatsapp";

          bot = {

            username = "whatsappbot";

            displayname = "WhatsApp Bot";

            displayname = "WhatsApp Bridge Bot";

          };

          as_token = "";

          hs_token = "";

        };

        bridge = {

          username_template = "whatsapp_{{.}}";

          displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}";

          displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";

          double_puppet_server_map = {};

          login_shared_secret_map = {};

          command_prefix = "!wa";

          permissions."*" = "relay";

        };

          relay = {

            enabled = true;

          management = "!whatsappbot:${toString (config.services.matrix-synapse.settings.server_name)}";

          };

        };

        logging = {

          directory = "${dataDir}/logs";

          file_name_format = "{{.Date}}-{{.Index}}.log";

          file_date_format = "2006-01-02";

          file_mode = 0384;

          timestamp_format = "Jan _2, 2006 15:04:05";

          print_level = "info";

          min_level = "info";

          writers = [

            {

              type = "stdout";

              format = "pretty-colored";

            }

            {

              type = "file";

              format = "json";

            }

          ];

        };

      };

      example = {

        settings = {

          homeserver.address = https://matrix.myhomeserver.org;

          homeserver.address = "https://matrix.myhomeserver.org";

          bridge.permissions = {

            "@admin:myhomeserver.org" = "admin";

          };

        };

      };

      description = lib.mdDoc ''

        {file}`config.yaml` configuration as a Nix attribute set.

        Configuration options should match those described in

        [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml).



        Secret tokens should be specified using {option}`environmentFile`

        instead of this world-readable attribute set.

      '';

    };



    environmentFile = mkOption {

      type = types.nullOr types.path;

      default = null;

      description = lib.mdDoc ''

        File containing environment variables to be passed to the mautrix-whatsapp service,

        in which secret tokens can be specified securely by optionally defining a value for

        `MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET`.

      '';

    };



    serviceDependencies = mkOption {
@@ -105,6 +113,16 @@ in { 
      after = ["network-online.target"] ++ cfg.serviceDependencies;



      preStart = ''

        # substitute the settings file by environment variables

        # in this case read from EnvironmentFile

        test -f '${settingsFile}' && rm -f '${settingsFile}'

        old_umask=$(umask)

        umask 0177

        ${pkgs.envsubst}/bin/envsubst \

          -o '${settingsFile}' \

          -i '${settingsFileUnsubstituted}'

        umask $old_umask



        # generate the appservice's registration file if absent

        if [ ! -f '${registrationFile}' ]; then

          ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
@@ -113,36 +131,51 @@ in { 
            --registration='${registrationFile}'

        fi

        chmod 640 ${registrationFile}

      '';



      script = startupScript;

        umask 0177

        ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token

          | .[0].appservice.hs_token = .[1].hs_token

          | .[0]' '${settingsFile}' '${registrationFile}' \

          > '${settingsFile}.tmp'

        mv '${settingsFile}.tmp' '${settingsFile}'

        umask $old_umask

      '';



      serviceConfig = {

        Type = "simple";

        #DynamicUser = true;

        PrivateTmp = true;

        DynamicUser = true;

        EnvironmentFile = cfg.environmentFile;

        StateDirectory = baseNameOf dataDir;

        WorkingDirectory = "${dataDir}";



        ProtectSystem = "strict";

        ExecStart = ''

          ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \

          --config='${settingsFile}' \

          --registration='${registrationFile}'

        '';

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        NoNewPrivileges = true;

        PrivateDevices = true;

        PrivateTmp = true;

        PrivateUsers = true;

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = true;

        ProtectKernelTunables = true;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectControlGroups = true;

        User = "mautrix-whatsapp";

        Group = "matrix-synapse";

        SupplementaryGroups = "matrix-synapse";

        ProtectKernelTunables = true;

        ProtectSystem = "strict";

        Restart = "on-failure";

        RestartSec = "30s";

        RestrictRealtime = true;

        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";

        SystemCallErrorNumber = "EPERM";

        SystemCallFilter = ["@system-service"];

        Type = "simple";

        UMask = 0027;

        Restart = "always";

      };

      };



    users.groups.mautrix-whatsapp = {};

    users.users.mautrix-whatsapp = {

      isSystemUser = true;

      group = "mautrix-whatsapp";

      home = dataDir;

      restartTriggers = [settingsFileUnsubstituted];

    };

    services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"];

  };

}