docs: add workaround to use unix sockets with the nixos module
snaakey authored and girlbossceo committed Nov 20, 2024
1 parent 876c6e9 commit ee3c58f
Showing 1 changed file with 21 additions and 5 deletions.
26 changes: 21 additions & 5 deletions docs/deploying/nixos.md
Expand Up @@ -55,15 +55,31 @@ appropriately to use conduwuit instead of Conduit.
### UNIX sockets

Due to the lack of a conduwuit NixOS module, when using the `services.matrix-conduit` module
it is not possible to use UNIX sockets. This is because the UNIX socket option does not exist
in Conduit, and their module forces listening on `[::1]:6167` by default if unspecified.
a workaround like the one below is necessary to use UNIX sockets. This is because the UNIX
socket option does not exist in Conduit, and the module forcibly sets the `address` and
`port` config options.

```nix
options.services.matrix-conduit.settings = lib.mkOption {
apply = old: old // (
if (old.global ? "unix_socket_path")
then { global = builtins.removeAttrs old.global [ "address" "port" ]; }
else { }
);
};
```

Additionally, the [`matrix-conduit` systemd unit][systemd-unit] in the module does not allow
the `AF_UNIX` socket address family in their systemd unit's `RestrictAddressFamilies=` which
disallows the namespace from accessing or creating UNIX sockets.
disallows the namespace from accessing or creating UNIX sockets and has to be enabled like so:

```nix
systemd.services.conduit.serviceConfig.RestrictAddressFamilies = [ "AF_UNIX" ];
```

There is no known workaround these. A conduwuit NixOS configuration module must be developed and
published by the community.
Even though those workarounds are feasible a conduwuit NixOS configuration module, developed and
published by the community, would be appreciated.

### jemalloc and hardened profile
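Review bot: the `apply` workaround in the first snippet relies on a detail the text should state: it only works because the upstream `services.matrix-conduit.settings` declaration does not itself set `apply`. NixOS option merging (`mergeOptionDecls` in `lib/modules.nix`) throws an "already declared" error when two declarations of the same option both carry `apply`, `default`, `example` or `description`, so the snippet must stay a bare `lib.mkOption { apply = ...; }` and must sit at the top level of a module under `options`, not under `services.matrix-conduit` in `config`; a sentence saying so would save readers a confusing evaluation error. Two smaller points in the same hunk: the new sentence "a workaround like the one below is necessary to use UNIX sockets" starts with a lowercase letter and should read "A workaround like the one below is necessary to use UNIX sockets"; and the prose refers to the "`matrix-conduit` systemd unit" while the second snippet targets `systemd.services.conduit`, so either call the unit `conduit` in the text or note that the module names its unit `conduit` so readers do not try `systemd.services.matrix-conduit`.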

