From d59e96181b8d89d1b887e5daf3edb454f2a161ca Mon Sep 17 00:00:00 2001 From: magic_rb Date: Sat, 18 Nov 2023 16:00:30 +0100 Subject: [PATCH] Add Mautrix Slack bridge Signed-off-by: magic_rb --- flake.nix | 2 + .../matrix/mautrix-slack/default.nix | 43 +++ .../matrix/mautrix-slack/mautrix-slack.yaml | 288 ++++++++++++++++++ .../containers/matrix/synapse/postgresql.nix | 5 + overlays/mautrix-slack.nix | 39 +++ terranix/containers/matrix/default.nix | 33 ++ .../matrix/matrix-mautrix-slack.hcl | 118 +++++++ terranix/containers/matrix/matrix-synapse.hcl | 26 ++ 8 files changed, 554 insertions(+) create mode 100644 nixng/containers/matrix/mautrix-slack/default.nix create mode 100644 nixng/containers/matrix/mautrix-slack/mautrix-slack.yaml create mode 100644 overlays/mautrix-slack.nix create mode 100644 terranix/containers/matrix/matrix-mautrix-slack.hcl diff --git a/flake.nix b/flake.nix index 635ca62..c0a8eb9 100644 --- a/flake.nix +++ b/flake.nix @@ -67,6 +67,7 @@ nixng/containers/ingress-toothpick nixng/containers/matrix/mautrix-signal nixng/containers/matrix/mautrix-discord + nixng/containers/matrix/mautrix-slack nixng/containers/matrix/mautrix-facebook nixng/containers/matrix/heisenbridge nixng/containers/matrix/synapse @@ -90,6 +91,7 @@ overlays/emacs-master-nativecomp overlays/zfs-relmount overlays/mautrix-discord.nix + overlays/mautrix-slack.nix overlays/getmail6 overlays/maildrop overlays/courier-unicode.nix diff --git a/nixng/containers/matrix/mautrix-slack/default.nix b/nixng/containers/matrix/mautrix-slack/default.nix new file mode 100644 index 0000000..154cc35 --- /dev/null +++ b/nixng/containers/matrix/mautrix-slack/default.nix @@ -0,0 +1,43 @@ +{ inputs, config, ... }: +{ + flake.nixngConfigurations.mautrixSlack = inputs.nixng.nglib.makeSystem { + system = "x86_64-linux"; + name = "mautrix-slack"; + inherit (inputs) nixpkgs; + config = + { pkgs, lib, ... }: + { + dumb-init = { + enable = true; + type.services = { }; + }; + + init.services.mautrix-slack = { + enabled = true; + shutdownOnExit = true; + script = + let + inherit (lib) + getExe' + makeBinPath; + mautrix-slack = (pkgs.appendOverlays [ config.flake.overlays.mautrix-slack ]).mautrix-slack; + in + pkgs.writeShellScript "mautrix-slack" + '' + DATA_DIR="/var/lib/mautrix-slack" + CONFIG_FILE="$DATA_DIR/config.yaml" + REGISTRATION_FILE="/var/lib/registrations/mautrix-slack.yaml" + + ${getExe' pkgs.envsubst "envsubst"} < ${./mautrix-slack.yaml} > "$CONFIG_FILE" + chmod 755 "$CONFIG_FILE" + + export PATH="$PATH:${makeBinPath [ pkgs.lottieconverter ]};" + + [ -e "$REGISTRATION_FILE" ] || \ + ${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g + ${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n + ''; + }; + }; + }; +} diff --git a/nixng/containers/matrix/mautrix-slack/mautrix-slack.yaml b/nixng/containers/matrix/mautrix-slack/mautrix-slack.yaml new file mode 100644 index 0000000..45fb2e0 --- /dev/null +++ b/nixng/containers/matrix/mautrix-slack/mautrix-slack.yaml @@ -0,0 +1,288 @@ +# Homeserver details. +homeserver: + # The address that this appservice can use to connect to the homeserver. + address: https://matrix.redalder.org + # Publicly accessible base URL for media, used for avatars in relay mode. + # If not set, the connection address above will be used. + public_address: null + # The domain of the homeserver (also known as server_name, used for MXIDs, etc). + domain: matrix.redalder.org + + # What software is the homeserver running? + # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. + software: standard + # The URL to push real-time bridge status to. + # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes. + # The bridge will use the appservice as_token to authorize requests. + status_endpoint: null + # Endpoint for reporting per-message status. + message_send_checkpoint_endpoint: null + # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246? + async_media: false + +# Application service host/registration related details. +# Changing these values requires regeneration of the registration. +appservice: + # The address that the homeserver can use to connect to this appservice. + address: http://localhost:29335 + + # The hostname and port where this appservice should listen. + hostname: 0.0.0.0 + port: 29335 + + # Database config. + database: + # The database type. "sqlite3-fk-wal" and "postgres" are supported. + type: postgres + # The database URI. + # SQLite: A raw file path is supported, but `file:?_txlock=immediate` is recommended. + # https://github.com/mattn/go-sqlite3#connection-string + # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable + # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql + uri: postgres://mautrix-slack:${MAUTRIX_SLACK_APPSERVICE_DATABASE_PASSWORD}@127.0.0.1/mautrix-slack?sslmode=disable + # Maximum number of connections. Mostly relevant for Postgres. + max_open_conns: 10 + max_idle_conns: 2 + # Maximum connection idle time and lifetime before they're closed. Disabled if null. + # Parsed with https://pkg.go.dev/time#ParseDuration + max_conn_idle_time: null + max_conn_lifetime: null + + # The unique ID of this appservice. + id: muslack + # Appservice bot details. + bot: + # Username of the appservice bot. + username: muslackbot + # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty + # to leave display name/avatar as-is. + displayname: Mautrix Slack bridge bot + avatar: mxc://maunium.net/pVtzLmChZejGxLqmXtQjFxem + + # Whether or not to receive ephemeral events via appservice transactions. + # Requires MSC2409 support (i.e. Synapse 1.22+). + ephemeral_events: true + + # Should incoming events be handled asynchronously? + # This may be necessary for large public instances with lots of messages going through. + # However, messages will not be guaranteed to be bridged in the same order they were sent in. + async_transactions: false + + # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify. + as_token: "${MAUTRIX_SLACK_APPSERVICE_AS_TOKEN}" + hs_token: "${MAUTRIX_SLACK_APPSERVICE_HS_TOKEN}" + +bridge: + # Localpart template of MXIDs for Slack users. + # {{.}} is replaced with the internal ID of the Slack user. + username_template: slack_{{.}} + # Displayname template for Slack users. + # TODO: document variables + displayname_template: '{{.RealName}} (S)' + bot_displayname_template: '{{.Name}} (bot)' + channel_name_template: '#{{.Name}}' + + portal_message_buffer: 128 + + # Should the bridge send a read receipt from the bridge bot when a message has been sent to Slack? + delivery_receipts: true + # Whether the bridge should send the message status as a custom com.beeper.message_send_status event. + message_status_events: false + # Whether the bridge should send error notices via m.notice events when a message fails to bridge. + message_error_notices: true + # Should incoming custom emoji reactions be bridged as mxc:// URIs? + # If set to false, custom emoji reactions will be bridged as the shortcode instead, and the image won't be available. + custom_emoji_reactions: true + + # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices. + sync_with_custom_puppets: false + # Should the bridge update the m.direct account data event when double puppeting is enabled. + # Note that updating the m.direct event is not atomic (except with mautrix-asmux) + # and is therefore prone to race conditions. + sync_direct_chat_list: false + # Whether or not created rooms should have federation enabled. + # If false, created portal rooms will never be federated. + federate_rooms: true + # Whether to explicitly set the avatar and room name for private chat portal rooms. + # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. + # If set to `always`, all DM rooms will have explicit names and avatars set. + # If set to `never`, DM rooms will never have names and avatars set. + private_chat_portal_meta: default + + # Servers to always allow double puppeting from + double_puppet_server_map: + example.com: https://example.com + # Allow using double puppeting from any server with a valid client .well-known file. + double_puppet_allow_discovery: false + # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth + # + # If set, double puppeting will be enabled automatically for local users + # instead of users having to find an access token and run `login-matrix` + # manually. + login_shared_secret_map: + example.com: foobar + + message_handling_timeout: + # Send an error message after this timeout, but keep waiting for the response until the deadline. + # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay. + # If the message is older than this when it reaches the bridge, the message won't be handled at all. + error_after: 10s + # Drop messages after this timeout. They may still go through if the message got sent to the servers. + # This is counted from the time the bridge starts handling the message. + deadline: 60s + + # The prefix for commands. Only required in non-management rooms. + command_prefix: '!slack' + # Messages sent upon joining a management room. + # Markdown is supported. The defaults are listed below. + management_room_text: + # Sent when joining a room. + welcome: "Hello, I'm a Slack bridge bot." + # Sent when joining a management room and the user is already logged in. + welcome_connected: "Use `help` for help." + # Sent when joining a management room and the user is not logged in. + welcome_unconnected: "Use `help` for help, or `login-token` or `login-password` to log in." + # Optional extra text sent when joining a management room. + additional_help: "" + + backfill: + # Allow backfilling at all? Requires MSC2716 support on homeserver. + enable: true + + # Maximum number of conversations to fetch from Slack when syncing team from Slack. + # Must be 0-999 + conversations_count: 200 + + # If a backfilled chat is older than this number of hours, mark it as read even if it's unread on Slack. + # Set to -1 to let any chat be unread. + unread_hours_threshold: 720 + + # Number of messages to immediately backfill when creating a portal. + immediate_messages: 10 + + # Settings for incremental backfill of history. + incremental: + # Maximum number of messages to backfill per batch. + messages_per_batch: 100 + # The number of seconds to wait after backfilling the batch of messages. + post_batch_delay: 20 + # The maximum number of messages to backfill per portal, split by the chat type. + # If set to -1, all messages in the chat will eventually be backfilled. + max_messages: + # Channels + channel: -1 + # Group direct messages + group_dm: -1 + # 1:1 direct messages + dm: -1 + + # End-to-bridge encryption support options. + # + # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info. + encryption: + # Allow encryption, work in group chat rooms with e2ee enabled + allow: false + # Default to encryption, force-enable encryption in all portals the bridge creates + # This will cause the bridge bot to be in private chats for the encryption to work properly. + default: false + # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data. + appservice: false + # Require encryption, drop any unencrypted messages. + require: false + # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. + # You must use a client that supports requesting keys from other users to use this feature. + allow_key_sharing: false + # Options for deleting megolm sessions from the bridge. + delete_keys: + # Beeper-specific: delete outbound sessions when hungryserv confirms + # that the user has uploaded the key to key backup. + delete_outbound_on_ack: false + # Don't store outbound sessions in the inbound table. + dont_store_outbound: false + # Ratchet megolm sessions forward after decrypting messages. + ratchet_on_decrypt: false + # Delete fully used keys (index >= max_messages) after decrypting messages. + delete_fully_used_on_decrypt: false + # Delete previous megolm sessions from same device when receiving a new one. + delete_prev_on_new_session: false + # Delete megolm sessions received from a device when the device is deleted. + delete_on_device_delete: false + # Periodically delete megolm sessions when 2x max_age has passed since receiving the session. + periodically_delete_expired: false + # Delete inbound megolm sessions that don't have the received_at field used for + # automatic ratcheting and expired session deletion. This is meant as a migration + # to delete old keys prior to the bridge update. + delete_outdated_inbound: false + # What level of device verification should be required from users? + # + # Valid levels: + # unverified - Send keys to all device in the room. + # cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys. + # cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes). + # cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot. + # Note that creating user signatures from the bridge bot is not currently possible. + # verified - Require manual per-device verification + # (currently only possible by modifying the `trust` column in the `crypto_device` database table). + verification_levels: + # Minimum level for which the bridge should send keys to when bridging messages from WhatsApp to Matrix. + receive: unverified + # Minimum level that the bridge should accept for incoming Matrix messages. + send: unverified + # Minimum level that the bridge should require for accepting key requests. + share: cross-signed-tofu + # Options for Megolm room key rotation. These options allow you to + # configure the m.room.encryption event content. See: + # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for + # more information about that event. + rotation: + # Enable custom Megolm room key rotation settings. Note that these + # settings will only apply to rooms created after this option is + # set. + enable_custom: false + # The maximum number of milliseconds a session should be used + # before changing it. The Matrix spec recommends 604800000 (a week) + # as the default. + milliseconds: 604800000 + # The maximum number of messages that should be sent with a given a + # session before changing it. The Matrix spec recommends 100 as the + # default. + messages: 100 + + # Disable rotating keys when a user's devices change? + # You should not enable this option unless you understand all the implications. + disable_device_change_key_rotation: false + + # Settings for provisioning API + provisioning: + # Prefix for the provisioning API paths. + prefix: /_matrix/provision + # Shared secret for authentication. If set to "generate", a random secret will be generated, + # or if set to "disable", the provisioning API will be disabled. + shared_secret: generate + + # Permissions for using the bridge. + # Permitted values: + # relay - Talk through the relaybot (if enabled), no access otherwise + # user - Access to use the bridge to chat with a Discord account. + # admin - User level and some additional administration tools + # Permitted keys: + # * - All Matrix users + # domain - All users on that homeserver + # mxid - Specific user + permissions: + "*": relay + "matrix.redalder.org": user + "@magic_rb:matrix.redalder.org": admin + +# Logging config. See https://github.com/tulir/zeroconfig for details. +logging: + min_level: debug + writers: + - type: stdout + format: pretty-colored + - type: file + format: json + filename: ./logs/mautrix-discord.log + max_size: 100 + max_backups: 10 + compress: true diff --git a/nixng/containers/matrix/synapse/postgresql.nix b/nixng/containers/matrix/synapse/postgresql.nix index baccdf7..6633c9d 100644 --- a/nixng/containers/matrix/synapse/postgresql.nix +++ b/nixng/containers/matrix/synapse/postgresql.nix @@ -47,6 +47,7 @@ makeSystem { "mautrix-signal" = { ENCODING = "UTF8"; TEMPLATE = "template0"; }; "mautrix-whatsapp" = { ENCODING = "UTF8"; TEMPLATE = "template0"; }; "mautrix-discord" = { ENCODING = "UTF8"; TEMPLATE = "template0"; }; + "mautrix-slack" = { ENCODING = "UTF8"; TEMPLATE = "template0"; }; }; ensureExtensions = {}; ensureUsers = [ @@ -70,6 +71,10 @@ makeSystem { name = "mautrix-discord"; ensurePermissions."DATABASE \"mautrix-discord\"" = "ALL PRIVILEGES"; } + { + name = "mautrix-slack"; + ensurePermissions."DATABASE \"mautrix-slack\"" = "ALL PRIVILEGES"; + } ]; }; }; diff --git a/overlays/mautrix-slack.nix b/overlays/mautrix-slack.nix new file mode 100644 index 0000000..e6a952d --- /dev/null +++ b/overlays/mautrix-slack.nix @@ -0,0 +1,39 @@ +# SPDX-FileCopyrightText: 2022 Richard Brežák +# +# SPDX-License-Identifier: LGPL-3.0-or-later +{ inputs, ... }: +{ + flake.overlays.mautrix-slack = + final: prev: + let + inherit (prev.lib) + singleton; + in + { + mautrix-slack = + prev.buildGoModule rec { + pname = "mautrix-slack"; + version = "0.6.3"; + + src = prev.fetchFromGitHub { + owner = "mautrix"; + repo = "slack"; + rev = "4530ff397d08d93b673cd71da4c2a75d969ca0df"; + hash = "sha256-zq5Qzdw6MhBJDMmi2SWHTEyOghpfLiQOEf0e2Fn+ww8="; + }; + + buildInputs = singleton prev.olm; + + vendorSha256 = "sha256-Adfz6mHYa22OqEZZHrvst31XdZFo7LuxQI20whq3Zes="; + + doCheck = false; + + meta = with prev.lib; { + homepage = "https://github.com/tulir/mautrix-slack"; + description = "Matrix <-> Slack hybrid puppeting/relaybot bridge"; + license = licenses.agpl3Plus; + maintainers = with maintainers; [ ]; + }; + }; + }; +} diff --git a/terranix/containers/matrix/default.nix b/terranix/containers/matrix/default.nix index 2177e9d..373f0b4 100644 --- a/terranix/containers/matrix/default.nix +++ b/terranix/containers/matrix/default.nix @@ -37,6 +37,14 @@ in mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ]; }; + resource."nomad_volume"."matrix-mautrix-slack" = nfsVolume { + volume_name = "matrix-mautrix-slack"; + access_mode = "single-node-writer"; + server = "blowhole.hosts.in.redalder.org"; + share = "/mnt/kyle/infrastructure/matrix/mautrix-slack"; + mount_flags = [ "hard" "vers=4.2" "rsize=16384" "wsize=16384" "async" ]; + }; + resource."nomad_volume"."matrix-mautrix-facebook" = nfsVolume { volume_name = "matrix-mautrix-facebook"; access_mode = "single-node-writer"; @@ -93,6 +101,18 @@ in ''; }; + resource."vault_policy"."matrix-mautrix-slack-policy" = { + name = "matrix-mautrix-slack-policy"; + policy = '' + path "kv/data/cluster/matrix/mautrix-slack/main" { + capabilities = ["read"] + } + path "kv/data/cluster/matrix/mautrix-slack/postgresql" { + capabilities = ["read"] + } + ''; + }; + resource."vault_policy"."matrix-mautrix-facebook-policy" = { name = "matrix-mautrix-facebook-policy"; policy = '' @@ -132,6 +152,10 @@ in path "kv/data/cluster/matrix/mautrix-discord/postgresql" { capabilities = ["read"] } + + path "kv/data/cluster/matrix/mautrix-slack/postgresql" { + capabilities = ["read"] + } ''; }; @@ -161,6 +185,15 @@ in }; }; + resource."nomad_job"."matrix-mautrix-slack" = nomadJob { + jobspec = ./matrix-mautrix-slack.hcl; + vars = { + flake_ref = "${vars.flake_host}?ref=${vars.flake_ref}&rev=${vars.flake_rev}"; + flake_sha = vars.flake_sha; + store_path = builtins.unsafeDiscardStringContext config'.flake.nixngConfigurations.mautrixSlack.config.system.build.toplevel; + }; + }; + resource."nomad_job"."matrix-mautrix-facebook" = nomadJob { jobspec = ./matrix-mautrix-facebook.hcl; vars = { diff --git a/terranix/containers/matrix/matrix-mautrix-slack.hcl b/terranix/containers/matrix/matrix-mautrix-slack.hcl new file mode 100644 index 0000000..741d6cd --- /dev/null +++ b/terranix/containers/matrix/matrix-mautrix-slack.hcl @@ -0,0 +1,118 @@ +variable "flake_ref" { + type = string +} + +variable "flake_sha" { + type = string +} + +variable "store_path" { + type = string +} + +job "matrix-mautrix-slack" { + datacenters = [ "homelab-1" ] + type = "service" + + group "mautrix-slack" { + count = 1 + + volume "matrix-mautrix-slack" { + type = "csi" + source = "matrix-mautrix-slack" + read_only = false + + attachment_mode = "file-system" + access_mode = "single-node-writer" + } + + volume "matrix-registrations" { + type = "csi" + source = "matrix-registrations" + read_only = false + + attachment_mode = "file-system" + access_mode = "multi-node-multi-writer" + } + + restart { + attempts = 5 + delay = "5s" + } + + network { + mode = "bridge" + } + + service { + name = "matrix-mautrix-slack" + port = "29335" + + # check { + # type = "http" + # address_mode = "alloc" + # path = "/public" + # port = "29319" + # interval = "2s" + # timeout = "2s" + # } + + connect { + sidecar_service { + proxy { + upstreams { + destination_name = "matrix-postgresql" + local_bind_port = 5432 + } + } + } + } + } + + task "mautrix-slack" { + driver = "docker" + + volume_mount { + volume = "matrix-mautrix-slack" + destination = "/var/lib/mautrix-slack" + read_only = false + } + + volume_mount { + volume = "matrix-registrations" + destination = "/var/lib/registrations" + read_only = false + } + + config { + nix_flake_ref = "${var.flake_ref}#nixngConfigurations.mautrixSlack.config.system.build.toplevel" + nix_flake_sha = var.flake_sha + nix_flake_store_path = var.store_path + entrypoint = [ "init" ] + } + + vault { + policies = ["matrix-mautrix-slack-policy"] + } + + template { + data = <