nixos/matrix-appservice-irc: media proxying support

Adds required options for serving authenticated media and the key generation logic.
2024-09-04 20:35:02 +02:00 · 2024-09-04 20:35:02 +02:00 · d3df411913
commit d3df411913
parent e80cd707c4
2 changed files with 46 additions and 6 deletions
--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@ -137,6 +137,37 @@ in {
                  type = submodule { freeformType = jsonType; };
                  description = "IRC servers to connect to";
                };
+
+                mediaProxy = {
+                  signingKeyPath = lib.mkOption {
+                    type = path;
+                    default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
+                    description = ''
+                      Path to the signing key file for authenticated media.
+                    '';
+                  };
+                  ttlSeconds = lib.mkOption {
+                    type = ints.positive;
+                    default = 3600;
+                    description = ''
+                      Lifetime in seconds, that generated URLs stay valid.
+                    '';
+                  };
+                  bindPort = lib.mkOption {
+                    type = port;
+                    default = 11111;
+                    description = ''
+                      Port that the media proxy binds to.
+                    '';
+                  };
+                  publicUrl = lib.mkOption {
+                    type = str;
+                    example = "https://matrix.example.com/media";
+                    description = ''
+                      URL under which the media proxy is publicly acccessible.
+                    '';
+                  };
+                };
              };
            };
          };
@ -144,6 +175,7 @@ in {
      };
    };
  };
+
  config = lib.mkIf cfg.enable {
    systemd.services.matrix-appservice-irc = {
      description = "Matrix-IRC bridge";
@ -181,6 +213,9 @@ in {
          sed -i "s/^hs_token:.*$/$hs_token/g" ${registrationFile}
          sed -i "s/^as_token:.*$/$as_token/g" ${registrationFile}
        fi
+        if ! [ -f "${cfg.settings.ircService.mediaProxy.signingKeyPath}"]; then
+          ${lib.getExe pkgs.nodejs} ${pkg}/lib/generate-signing-key.js > "${cfg.settings.ircService.mediaProxy.signingKeyPath}"
+        fi
        # Allow synapse access to the registration
        if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then
          chgrp matrix-synapse ${registrationFile}
--- a/nixos/tests/matrix/appservice-irc.nix
+++ b/nixos/tests/matrix/appservice-irc.nix
@ -75,13 +75,16 @@ import ../make-test-python.nix ({ pkgs, ... }:
            homeserver.url = homeserverUrl;
            homeserver.domain = "homeserver";

-            ircService.servers."ircd" = {
-              name = "IRCd";
-              port = 6667;
-              dynamicChannels = {
-                enabled = true;
-                aliasTemplate = "#irc_$CHANNEL";
+            ircService = {
+              servers."ircd" = {
+                name = "IRCd";
+                port = 6667;
+                dynamicChannels = {
+                  enabled = true;
+                  aliasTemplate = "#irc_$CHANNEL";
+                };
              };
+              mediaProxy.publicUrl = "http://localhost:11111/media";
            };
          };
        };
@ -203,6 +206,8 @@ import ../make-test-python.nix ({ pkgs, ... }:
      with subtest("start the appservice"):
          appservice.wait_for_unit("matrix-appservice-irc.service")
          appservice.wait_for_open_port(8009)
+          appservice.wait_for_file("/var/lib/matrix-appservice-irc/media-signingkey.jwk")
+          appservice.wait_for_open_port(11111)

      with subtest("copy the registration file"):
          appservice.copy_from_vm("/var/lib/matrix-appservice-irc/registration.yml")