From f9746844985f239030b7893aa7c514fd57e98426 Mon Sep 17 00:00:00 2001
From: Jens Nolte <git@queezle.net>
Date: Tue, 16 Nov 2021 23:00:16 +0100
Subject: [PATCH] Replace secretConfigFile with extraConfigFiles

---
 modules/matrix-homeserver/default.nix        | 20 +++++++++++++-------
 modules/matrix-homeserver/heisenbridge.nix   |  5 ++---
 modules/matrix-homeserver/matrix-synapse.nix | 14 ++++----------
 modules/matrix-homeserver/settings.nix       |  4 ++++
 4 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/modules/matrix-homeserver/default.nix b/modules/matrix-homeserver/default.nix
index c9544cc..0b66dcf 100644
--- a/modules/matrix-homeserver/default.nix
+++ b/modules/matrix-homeserver/default.nix
@@ -68,21 +68,25 @@ in {
       default = settingsFormat.generate "synapse-homeserver.yaml" cfg.settings;
       defaultText = ''settingsFormat.generate "synapse-homeserver.yaml" config.queezle.matrix-homeserver.configuration'';
       description = ''
-        Path to the config file. By default generated from queezle.matrix-homeserver.configuration.
+        Path to the config file. By default generated from queezle.matrix-homeserver.settings.
       '';
     };
 
-    secretsConfigFile = mkOption {
-      type = types.path;
-      default = "/etc/secrets/matrix-synapse/secrets.yaml";
+    extraConfigFiles = mkOption {
+      type = types.attrsOf types.path;
+      default = {};
+      example = { secrets = "/path/to/matrix-synapse/secrets.yaml"; };
       description = ''
-        A path to a file containing the 'registration_shared_secret' and other
-        secrets. Should only be readable by root (i.e. not in the Nix store).
+        Extra config files to include, e.g. as a way to include secrets without
+        publishing them to the nix store.
+        This is the recommended way to include the 'registration_shared_secret'
+        and other secrets.
+        Files will be read as root.
       '';
     };
 
     dataDir = mkOption {
-      type = types.str;
+      type = types.path;
       default = "/var/lib/matrix-synapse";
       description = ''
         The directory where matrix-synapse stores its stateful data such as
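Review bot: `defaultText` on the context line just above the changed description still names `config.queezle.matrix-homeserver.configuration`, while the description is updated to `.settings` and the real default reads `cfg.settings`, so the rendered option docs keep showing the stale name; change it to `defaultText = ''settingsFormat.generate "synapse-homeserver.yaml" config.queezle.matrix-homeserver.settings'';`. On `extraConfigFiles`, `types.attrsOf types.path` also accepts Nix path literals, and a literal such as `./secrets.yaml` is copied into the world-readable Nix store when it is interpolated into the unit, which is exactly what the option exists to prevent; I would add to the description `Give absolute paths as strings, never as Nix path literals, which would be copied into the Nix store.`. The attribute names become systemd credential IDs in the `LoadCredential` mapping in matrix-synapse.nix, so it is worth stating that they must be plain file names.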
@@ -112,6 +116,7 @@ in {
       '';
     };
 
+    # .well-known configuration. Can be enabled on the same or on another another host.
     well-known = {
       enable = mkEnableOption ".well-known for queezles matrix homeserver";
 
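Review bot: The added comment reads `on another another host`; `# .well-known configuration. Can be enabled on the same or on another host.` is what is meant. The comment added in the next hunk has the same kind of slip, `un the same host`, which should read `# Heisenbridge IRC bouncer. Has to run on the same host as synapse.`.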
@@ -121,6 +126,7 @@ in {
       };
     };
 
+    # Heisenbridge IRC bouncer. Has to run un the same host as synapse.
     heisenbridge = {
       enable = mkEnableOption "heisenbridge";
 
diff --git a/modules/matrix-homeserver/heisenbridge.nix b/modules/matrix-homeserver/heisenbridge.nix
index e0c9391..0b6e1e6 100644
--- a/modules/matrix-homeserver/heisenbridge.nix
+++ b/modules/matrix-homeserver/heisenbridge.nix
@@ -14,8 +14,8 @@ in {
     systemd.services.heisenbridge-generate = {
       description = "generate heisenbridge config";
       # Appconfig-file needs to exist before synapse is started
-      wantedBy = [ "matrix-synapse.service" ];
       before = [ "matrix-synapse.service" ];
+      wantedBy = [ "matrix-synapse.service" ];
 
       unitConfig = {
         # Only run once
@@ -57,7 +57,6 @@ in {
       serviceConfig = {
         Type = "exec";
         ExecStart =
-            # is a script to load environment variable
           let startScript = pkgs.writeShellScriptBin "heisenbridge" ''
             exec ${cfg.heisenbridge.package}/bin/heisenbridge --config $CREDENTIALS_DIRECTORY/config
           '';
@@ -74,12 +73,12 @@ in {
         Group = "heisenbridge";
 
         ProtectHome = true;
-        PrivateDevices = true;
         ProtectProc = "invisible";
         ProtectKernelTunables = true;
         ProtectControlGroups = true;
         ProtectKernelLogs = true;
         RestrictRealtime = true;
+        PrivateDevices = true;
       };
     };
   };
diff --git a/modules/matrix-homeserver/matrix-synapse.nix b/modules/matrix-homeserver/matrix-synapse.nix
index 369aee2..496d8d1 100644
--- a/modules/matrix-homeserver/matrix-synapse.nix
+++ b/modules/matrix-homeserver/matrix-synapse.nix
@@ -43,21 +43,15 @@ in {
 
       serviceConfig = {
         Type = "notify";
-        # Running as script to access environment variable
-        # Exec is used to preserve main process pid for systemd
-        ExecStart =
-          let startScript = pkgs.writeShellScriptBin "synapse" ''
-            exec ${cfg.package}/bin/homeserver --config-path ${cfg.configFile} --config-path $CREDENTIALS_DIRECTORY/secrets --keys-directory ${cfg.dataDir}
-          '';
-          in "${startScript}/bin/synapse";
+        ExecStart = ''
+          ${cfg.package}/bin/homeserver --config-path ${cfg.configFile} --config-directory ''${CREDENTIALS_DIRECTORY} --keys-directory ${cfg.dataDir}
+        '';
 
         User = "matrix-synapse";
         Group = "matrix-synapse";
         WorkingDirectory = cfg.dataDir;
 
-        LoadCredential = [
-          "secrets:${cfg.secretsConfigFile}"
-        ];
+        LoadCredential = mapAttrsToList (name: path: "${name}:${path}") cfg.extraConfigFiles;
 
         ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
         Restart = "on-failure";
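Review bot: The new `ExecStart` hands the credentials directory to synapse via `--config-directory`, but as far as I recall that flag only tells synapse where generated files such as signing keys live, whereas loading every `*.yaml` in a directory is done by `--config-path`; if so, nothing supplied through `extraConfigFiles` is read as configuration at all, and the previous per-file `--config-path $CREDENTIALS_DIRECTORY/secrets` should become `--config-path ''${CREDENTIALS_DIRECTORY}` (please confirm against `homeserver --help`). Even then only credentials whose names end in `.yaml` would be picked up by the directory scan, so either the attribute keys of `extraConfigFiles` (the option's `example` uses `secrets`) need that suffix, or the unit should emit one `--config-path ''${CREDENTIALS_DIRECTORY}/<name>` per credential from the same `mapAttrsToList` that builds `LoadCredential`. The option defaults to `{}`, which yields an empty `LoadCredential`, and I believe systemd sets `$CREDENTIALS_DIRECTORY` only when credentials are configured, so the unit-level `${CREDENTIALS_DIRECTORY}` expansion would then produce an empty argument; guarding the flag with `lib.optionalString (cfg.extraConfigFiles != {})` avoids that. `mapAttrsToList` is used unqualified, so it has to be brought into scope from `lib` in this file's head, which lies outside the hunk.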
diff --git a/modules/matrix-homeserver/settings.nix b/modules/matrix-homeserver/settings.nix
index 620aa44..2bdf726 100644
--- a/modules/matrix-homeserver/settings.nix
+++ b/modules/matrix-homeserver/settings.nix
@@ -8,6 +8,10 @@ in {
   # Allow to get more events during get and sync operation if requested by client
   filter_timeline_limit = 1000;
 
+  # Should be at least 1.1 to prevent TLS downgrade attacks
+  # But 1.2 should be supported by all homeservers, as well as the usual reverse proxies
+  federation_client_minimum_tls_version = 1.2;
+
   caches = {
     global_factor = 4.0;
   };
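Review bot: `federation_client_minimum_tls_version` is documented by synapse as a string value such as `"1.2"`, and this `settings` set is serialised to YAML, so the bare float `1.2` relies on synapse stringifying the number and on the YAML writer rendering the float exactly as `1.2`; writing `federation_client_minimum_tls_version = "1.2";` matches the documented form and removes both dependencies. The comment could also say what the setting governs rather than only why, e.g. `# Minimum TLS version accepted when this server connects to other homeservers for federation`.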
-- 
GitLab