From 6159a76a85a0394eb8d0cb98fbf488166b5fe364 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 29 Feb 2024 15:37:22 +0100
Subject: [PATCH] matrix: add telegram bridge
---
 flake.lock | 12 +--
 hosts/nuc/default.nix | 1 +
 .../nuc/modules/mautrix-telegram/default.nix | 74 ++++++++++++++++++
 hosts/nuc/modules/seafile/default.nix | 1 +
 secrets.nix | 1 +
 secrets/nuc/mautrix-telegram/env.age | Bin 0 -> 516 bytes
 users/rouven/modules/packages.nix | 2 +-
 7 files changed, 84 insertions(+), 7 deletions(-)
 create mode 100644 hosts/nuc/modules/mautrix-telegram/default.nix
 create mode 100644 secrets/nuc/mautrix-telegram/env.age
diff --git a/flake.lock b/flake.lock
index cfadb71..6ad590c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1708806879, - "narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=", + "lastModified": 1709204054, + "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", "owner": "nix-community", "repo": "home-manager", - "rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a", + "rev": "2f3367769a93b226c467551315e9e270c3f78b15", "type": "github" }, "original": {
@@ -296,11 +296,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1708807242, - "narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=", + "lastModified": 1709150264, + "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a", + "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08", "type": "github" }, "original": {
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 025f6e0..670f0ea 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -11,6 +11,7 @@
 ./modules/hydra
 # ./modules/prometheus
 ./modules/matrix
+ ./modules/mautrix-telegram
 ./modules/seafile
 ./modules/uptime-kuma
 ./modules/vaultwarden
diff --git a/hosts/nuc/modules/mautrix-telegram/default.nix b/hosts/nuc/modules/mautrix-telegram/default.nix
new file mode 100644
index 0000000..b54feae
--- /dev/null
+++ b/hosts/nuc/modules/mautrix-telegram/default.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+let
+ homeserverDomain = config.services.matrix-synapse.settings.server_name;
+ registrationFileSynapse = "/var/lib/matrix-synapse/telegram-registration.yaml";
+ registrationFileMautrix = "/var/lib/mautrix-telegram/telegram-registration.yaml";
+ settingsFile = builtins.head (builtins.match ".*--config='(.*)' \\\\.*" config.systemd.services.mautrix-telegram.preStart);
+in
+{
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "mautrix-telegram";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "mautrix-telegram" ];
+ };
+
+ age.secrets.mautrix-telegram = {
+ file = ../../../../secrets/nuc/mautrix-telegram/env.age;
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
+
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ # The registration file is automatically generated after starting the
+ # appservice for the first time.
+ registrationFileSynapse
+ ];
+
+ systemd.tmpfiles.rules = [
+ # copy registration file over to synapse
+ "C ${registrationFileSynapse} - - - - ${registrationFileMautrix}"
+ "Z /var/lib/matrix-synapse/ - matrix-synapse matrix-synapse - -"
+ ];
+
+ services.mautrix-telegram = {
+ enable = true;
+
+ environmentFile = config.age.secrets.mautrix-telegram.path;
+
+ settings = {
+ homeserver = {
+ address = "http://[::1]:8008";
+ domain = homeserverDomain;
+ };
+
+ appservice = rec {
+ # Use postgresql instead of sqlite
+ database = "postgresql:///mautrix-telegram?host=/run/postgresql";
+ port = 8082;
+ address = "http://localhost:${toString port}";
+ };
+
+ bridge = {
+ relaybot.authless_portals = false;
+ permissions = {
+ "@rouven:${homeserverDomain}" = "admin";
+ };
+ relay_user_distinguishers = [ ];
+ };
+ };
+ };
+
+ # If we don't explicitly set {a,h}s_token, mautrix-telegram will try to read them from the registrationFile
+ # and write them to the settingsFile in /nix/store, which obviously fails.
+ systemd.services.mautrix-telegram.serviceConfig.ExecStart =
+ lib.mkForce (pkgs.writeShellScript "start" ''
+ export MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$(grep as_token ${registrationFileMautrix} | cut -d' ' -f2-)
+ export MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$(grep hs_token ${registrationFileMautrix} | cut -d' ' -f2-)
+
+ ${pkgs.mautrix-telegram}/bin/mautrix-telegram --config='${settingsFile}'
+ '');
+}
+
diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix
index 5676a07..d2608c8 100644
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
@@ -9,6 +9,7 @@ in
 initialAdminPassword = "unused garbage";
 ccnetSettings.General.SERVICE_URL = "https://${domain}";
 ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
+ seafileSettings.fileserver.port = 8083;
 };
 services.nginx.virtualHosts."${domain}" = {
 enableACME = true;
diff --git a/secrets.nix b/secrets.nix
index f5a7f64..afcde6c 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -18,6 +18,7 @@ in
 # nuc
 "secrets/nuc/matrix/shared.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
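Review bot: In hosts/nuc/modules/mautrix-telegram/default.nix, `age.secrets.mautrix-telegram.owner` is set to the matrix-synapse service user, yet the only consumer visible in this file is `services.mautrix-telegram.environmentFile`, so the homeserver process can read the bridge's credentials without needing them. If the module passes that path to systemd's `EnvironmentFile=`, which the service manager reads itself while starting the unit, the `owner = ...;` line can be dropped so the decrypted file keeps its default (presumably root-only) ownership. Separately, the forced `ExecStart` script exports whatever `grep ... | cut -d' ' -f2-` returns, so a registration file that is missing or not yet generated yields empty `as_token`/`hs_token` values and the bridge is launched anyway; a check after the two exports that exits non-zero when either variable is empty would make this fail closed. A comment above `settingsFile` such as `# brittle: path is recovered from the preStart text generated by the upstream module` would also tell the next maintainer why the regex is there.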
diff --git a/secrets/nuc/mautrix-telegram/env.age b/secrets/nuc/mautrix-telegram/env.age new file mode 100644 index 0000000000000000000000000000000000000000..212d341f74efef586866d0d43e6c5b345e0cae94 GIT binary patch literal 516 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH4Nr3P2vi8N2==WA zE;iJ5PP9z+2?%rYDN8h{@<}uIPV;b!Do#xDGcMImO))eIcjWSLFY?rON(^>1D-0=1 zj7+ZzH#RZODlB*Nv`9=&FE2Ls^-eD{@GkW#bw#($C?qH)B3;2N+oLETDag;aGA%7A z(<89bAjvh-JTt3OKh(siGOHljJI5p0vmiJp+m|c3%Fr?@INPbbC^B(U|<@4)|Gwy4AdlFSOcU5IW$>QttcTCxPdFzY5 z%FBff20h)6nU#Jn=zT2R#?89q_ve+plAH^!o4s4kaNBXsLv7ul5{Vs5Znw^8_Dc&) z4fT#zn{=vuTAN(RS^#zdZltmq`BjV8oU=?_sZ04%dq4WORDW6L&u`LXvNGsL`Q4VF3Rz B(0>2` literal 0 HcmV?d00001 diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index eb3fbba..429861a 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -64,7 +64,7 @@ # fancy tools just - (himalaya.override { buildFeatures = [ "pgp-commands" ]; }) + himalaya # strace but with colors (strace.overrideAttrs (_: { patches = [