From cea96f49fa71e9eaced1fe59fe8c9ab5392c2f6d Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 27 Mar 2024 23:52:39 +0100
Subject: help i wrote a matrix bot

not sure if this is a good idea or not, but i always liked how the IRC #voc-wok channel of the c3voc works, and I don't run my own IRC (nor do i want to have my monitoring on infra that is not my own), so I built a similar thing with matrix.
---
 .sops.yaml | 8 +++++++-
 chaski/configuration.nix | 3 +++
 chaski/services/conduit.nix | 24 ++++++++++++++++++++++++
 flake.lock | 23 ++++++++++++++++++++---
 flake.nix | 5 ++++-
 pkgs/overlay.nix | 9 +++++++++
 secrets/chaski.yaml | 31 +++++++++++++++++++++++++++++++
 7 files changed, 98 insertions(+), 5 deletions(-)
 create mode 100644 secrets/chaski.yaml
diff --git a/.sops.yaml b/.sops.yaml
index c3f890a..ec05e3f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,9 +2,15 @@ keys:
 - &ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
 # server's ssh pubkeys as age keys
 - &flora age1d8hulw7weg6gwxv0cmz969w04d2jkphdx93tm9xs0mqr0ut0t4ls4g4vah
+ - &chaski age14cf8h02c8r2c7nag5fezyhp56za9c4p0t8n39qy452t8hsqwlvgs9y7r8v
 creation_rules:
- - path_regex: secrets/[^/]+\.yaml$
+ - path_regex: secrets/flora\.yaml$
 key_groups:
 - age:
 - *ilex
 - *flora
+ - path_regex: secrets/chaski\.yaml$
+ key_groups:
+ - age:
+ - *ilex
+ - *chaski
diff --git a/chaski/configuration.nix b/chaski/configuration.nix
index 875e412..d2b1233 100644
--- a/chaski/configuration.nix
+++ b/chaski/configuration.nix
@@ -15,6 +15,9 @@
 ./services/conduit.nix
 ];
+ sops.defaultSopsFile = ../secrets/chaski.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 environment.noXlibs = true;
 services.nginx.enable = true;
diff --git a/chaski/services/conduit.nix b/chaski/services/conduit.nix
index 022863c..30d6a0b 100644
--- a/chaski/services/conduit.nix
+++ b/chaski/services/conduit.nix
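Review bot: Narrowing the first creation rule from `secrets/[^/]+\.yaml$` to `secrets/flora\.yaml$` means a future `secrets/<host>.yaml` matches no rule at all, and sops then refuses to encrypt it until a rule is added, rather than falling back to a shared recipient set. That is the safe direction (no host's secret is silently encrypted to another host's key), but nothing in the file says it is intentional. A comment above `creation_rules:` would carry that: `# one rule per host: each secrets/<host>.yaml is encrypted to &ilex plus that host's own key only, so a new host needs a new rule here`.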
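Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes the host's SSH key the only thing that can decrypt `../secrets/chaski.yaml` on this machine, so the `&chaski` recipient in `.sops.yaml` must be the age key derived from exactly this file, and rotating or regenerating the host key (a reinstall does this) breaks activation until the secrets are re-keyed. The copied sops-nix comment only restates what the option does; replace it with the consequence that matters here: `# &chaski in .sops.yaml is this key run through ssh-to-age; rotating/reinstalling the host key means re-keying secrets/chaski.yaml first`. It is also worth noting next to the option that whoever can read the host key (disk images, backups) can decrypt the secrets file, since that is the trust boundary this choice draws.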
@@ -1,5 +1,14 @@
 { config, lib, pkgs, ... }:
+let
+ botConfig = pkgs.writeText "ntfy-matrix-bot.toml" ''
+ matrix_homeserver = "https://conduit.stuebinm.eu"
+ matrix_username = "testbot"
+ matrix_rooms = [ "#test:conduit.stuebinm.eu" ]
+ ntfy_server = "https://ping.stuebinm.eu"
+ ntfy_topics = [ "monit" ]
+ '';
+in
 {
 services.matrix-conduit = {
 enable = true;
@@ -11,7 +20,22 @@
 port = 6167;
 allow_registration = false;
 };
+ };
+
+ sops.secrets."ntfy-matrix-bot/env" = {};
+ systemd.services.ntfy-matrix-bot = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${lib.getExe pkgs.ntfy-matrix-bot} -c ${botConfig}";
+ Type = "simple";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ DynamicUser = true;
+ BindPaths = botConfig;
+ EnvironmentFile = "/run/secrets/ntfy-matrix-bot/env";
+ };
+ environment.RUST_LOG = "ntfy_matrix_bot=info";
 };
 services.nginx.virtualHosts."conduit.stuebinm.eu" = {
diff --git a/flake.lock b/flake.lock
index 5a82db9..c04d1d0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -252,6 +252,22 @@
 "type": "github"
 }
 },
+ "ntfy-matrix-bot": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1711577402,
+ "narHash": "sha256-O8xtbOhrXiJhteEOcYYXqXuA/edkebg0GERBcZ3mH/w=",
+ "ref": "refs/heads/main",
+ "rev": "bade89a506c380a7d4cab4fdd765e28686c14776",
+ "revCount": 1,
+ "type": "git",
+ "url": "https://stuebinm.eu/git/ntfy-matrix-bot"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://stuebinm.eu/git/ntfy-matrix-bot"
+ }
+ },
 "playground": {
 "flake": false,
 "locked": {
@@ -281,6 +297,7 @@
 "nixpkgs": "nixpkgs",
 "nixpkgs-review": "nixpkgs-review",
 "nixpkgs-unstable": "nixpkgs-unstable",
+ "ntfy-matrix-bot": "ntfy-matrix-bot",
 "playground": "playground",
 "rust-overlay": "rust-overlay",
 "showrt": "showrt",
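Review bot: `botConfig` is produced with `pkgs.writeText`, so the TOML lands in `/nix/store`, which is world-readable; that is fine for the values present (homeserver, username, rooms, ntfy server and topics), but nothing marks the file as a place where a token or password must never be added. A comment above the binding would make the split explicit: `# plain config only: this file is world-readable in /nix/store; anything secret goes into the sops-managed EnvironmentFile of the service below`. The `let … in` wraps the whole module, so the binding is visible to the service definition further down in the same file.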
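Review bot: `systemd.services.ntfy-matrix-bot` has no ordering against the network or the homeserver it connects to and no `Restart=`, yet `botConfig` points it at `https://conduit.stuebinm.eu`, which this same module serves through nginx and conduit; at boot the bot can come up before those do, fail once, and stay down, because `wantedBy` alone only starts it once. The lines below add `after`/`wants` on `network-online.target`, nginx and the conduit unit (presumably `conduit.service` from nixpkgs' matrix-conduit module — confirm the name), a bounded restart, and `restartUnits` on the secret so a re-encrypted env file actually reaches the running bot. `BindPaths = botConfig;` can go: `DynamicUser = true` implies `ProtectSystem=strict`, under which the store path is already readable, so the bind mount adds nothing. Whether name resolution works without `AF_UNIX` in `RestrictAddressFamilies` (glibc's nscd socket is unix; it presumably falls back to direct DNS) is worth checking once in the journal after a reboot.
```nix
sops.secrets."ntfy-matrix-bot/env".restartUnits = [ "ntfy-matrix-bot.service" ];
systemd.services.ntfy-matrix-bot = {
  wantedBy = [ "multi-user.target" ];
  # the bot reaches conduit through the nginx vhost defined below, so wait for both
  after = [ "network-online.target" "nginx.service" "conduit.service" ];
  wants = [ "network-online.target" ];
  serviceConfig = {
    # … unchanged: ExecStart, Type, RestrictAddressFamilies, DynamicUser, EnvironmentFile …
    # a monitoring relay that dies silently is worse than none; bounded restart, not a tight loop
    Restart = "on-failure";
    RestartSec = "10s";
  };
  # … unchanged: environment.RUST_LOG …
};
```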
@@ -300,11 +317,11 @@
 ]
 },
 "locked": {
- "lastModified": 1711419061,
- "narHash": "sha256-+5M/czgYGqs/jKmi8bvYC+JUYboUKNTfkRiesXopeXQ=",
+ "lastModified": 1711505476,
+ "narHash": "sha256-yK1zue1c8EdpZvEyQWrjawG9Ykzl7eB2xJ/V+2vU5Jo=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "4c11d2f698ff1149f76b69e72852d5d75f492d0c",
+ "rev": "56f48d6e7559b807763ea03191bfaf95549ce610",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 7acdf75..eb4cfcb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,8 @@
 isabelle-utils.flake = false;
 bahnhof-name.url = "git+https://stuebinm.eu/git/bahnhof.name";
 bahnhof-name.flake = false;
+ ntfy-matrix-bot.url = "git+https://stuebinm.eu/git/ntfy-matrix-bot";
+ ntfy-matrix-bot.flake = false;
 gtfsBooks.url = "git+https://stuebinm.eu/git/forks/gtfs-books?ref=main";
 gtfsBooks.flake = false;
@@ -152,7 +154,8 @@
 kijetesantakaluotokieni showrt isabelle-utils isabat travelynx crs-tracker crs-php bahnhof-name matrix-to hikari_unstable heartwood radicle-interface radicle-tui
- inweb nomsring bookwyrm mollysocket git-annex-remote-remarkable2;
+ inweb nomsring bookwyrm mollysocket git-annex-remote-remarkable2
+ ntfy-matrix-bot;
 tests.bookwyrm = nixpkgs.nixosTest ./tests/bookwyrm.nix;
 };
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 0194a2a..9d8b7b8 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -107,6 +107,15 @@ in
 isabelle-rust-utils = self.isabelle-utils;
 };
+ ntfy-matrix-bot = rustPlatform.buildRustPackage rec {
+ pname = "ntfy-matrix-bot";
+ version = "0.10";
+ src = inputs.ntfy-matrix-bot;
+ cargoLock.lockFile = "${src}/Cargo.lock";
+ doCheck = false;
+ meta.mainProgram = "ntfy-matrix-bot";
+ };
+
 bahnhof-name = let haskellPkgs = self.haskellPackages.override (old: {
diff --git a/secrets/chaski.yaml b/secrets/chaski.yaml
new file mode 100644
index 0000000..7f07b2c
--- /dev/null
+++ b/secrets/chaski.yaml
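Review bot: `doCheck = false;` turns the crate's test suite off with no recorded reason, and `version = "0.10";` is a hand-typed value for a source that `flake.lock` records at `revCount` 1, so the next person bumping the input cannot tell what either is meant to track. Give the first its reason, `doCheck = false; # tests need <what they need> — state it`, and derive the second from the crate so it cannot drift: `version = (self.lib.importTOML "${src}/Cargo.toml").package.version;`, which assumes `self` is the final package set (as `self.isabelle-utils` two lines up suggests) and that `Cargo.toml` carries a `package.version`. If the lock file references git dependencies, `cargoLock` will also need `outputHashes`; that cannot be checked from the hunk.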
@@ -0,0 +1,31 @@
+ntfy-matrix-bot:
+ env: ENC[AES256_GCM,data:mk/7fcdfsq+BOB8QK7LzVhYMDmMLw0cB0qq3p2IGWQAJtodqlqQMJukVF0jpoJLB/9GMcCweloVikus9K23/lcUPMZFHCdpMRR94puGROub8RF+v6XvegC741utlsLWGnS+Z/U8atHoI2rptdh4OV9lwELFYMpwDC/2IhxnhIyqWbAKnuWGdJcNVAKF6QxI0gY854xKoxRNXs3BrctoubSbBSyarjQiFgpk=,iv:jip5eTFPyBa199/SZhfezMY+Og8i1rh+2dmfVzBRPpo=,tag:xyLR34PqtJI63M5qnMvemQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eVRBaUxaUFREd3AvK3hE
+ YmcxUFRlK0F0aW0wMlFsWEtSSHdxUm1rK0Y4CkNyYVI4TnBXL0hOUDJYbThXYks5
+ WkVKMThqdWxRdzBURXp2aHUxZko3RzgKLS0tIHRVclNFNkRWZThBZklhRklrSmZP
+ TUE5N2IyNnFXb0ZTQ2U1NTYzSXZtVkEKM4fyZCpQtaFj2xmHJXJJlsQ48olr5uTV
+ IYs/FkXHIu2MXD4br3M5VQRNoN2htYKlMwEUF2tLdZio73RN3jodPw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age14cf8h02c8r2c7nag5fezyhp56za9c4p0t8n39qy452t8hsqwlvgs9y7r8v
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRGd3Nmhzd0NVM3lmcUxO
+ NG1mMWhMaGNEYURNK0MxUFdvakltT01Obnk0CkI4bDA0UUF0QkJqVGxMeWRXSjg0
+ SDF5cDF1bDUrbVNIcGUydWpVL0kxcjgKLS0tIE5LYTdnTzVlcjFTRXhJM1pNd1Ji
+ aFF6Nkowc3kxckFGNWRqSUxYdXZOd0kKsoRAtnnhIkaPACXgaGzMNW6uAG4pAg4d
+ DdgcTPKdAEv0uAqAmndsll+vWE1C0FaUwe37/jmBfAKrXpN7GwVa4g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-27T22:32:40Z"
+ mac: ENC[AES256_GCM,data:MJTMrHLh9rL7p1Y+e4if51ZYvfYWDV25eJvJ3unZwIAahF5GoOav4rb1hU1hLObZFhtlyjgHe/VGP2D+QsDARJOop0kGiybnfHqz7Vh7KIWhjDwsxaBPkxMUovxrEhxnwHR8+zKqNs+Vcl06ZaJ2F6U0rJRqyxO2CK5aSnuqDtE=,iv:qDsnPrVlnwnmWFJYxgCBCvg1/qgFl1IOC3QEifXaEbs=,tag:/oVJDam2l7pD+g2tIBAakg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
-- 
cgit v1.2.3