From ee3c58f78f88464c1ba8b01812c8bd7de7f1b29a Mon Sep 17 00:00:00 2001 From: emily Date: Wed, 20 Nov 2024 16:29:42 +0100 Subject: [PATCH] docs: add workaround to use unix sockets with the nixos module --- docs/deploying/nixos.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/docs/deploying/nixos.md b/docs/deploying/nixos.md index 61fb39163..0372228df 100644 --- a/docs/deploying/nixos.md +++ b/docs/deploying/nixos.md 
@@ -55,15 +55,31 @@ appropriately to use conduwuit instead of Conduit. ### UNIX sockets Due to the lack of a conduwuit NixOS module, when using the `services.matrix-conduit` module -it is not possible to use UNIX sockets. This is because the UNIX socket option does not exist -in Conduit, and their module forces listening on `[::1]:6167` by default if unspecified. +a workaround like the one below is necessary to use UNIX sockets. This is because the UNIX +socket option does not exist in Conduit, and the module forcibly sets the `address` and +`port` config options. + +```nix +options.services.matrix-conduit.settings = lib.mkOption { + apply = old: old // ( + if (old.global ? "unix_socket_path") + then { global = builtins.removeAttrs old.global [ "address" "port" ]; } + else { } + ); +}; + +``` Additionally, the [`matrix-conduit` systemd unit][systemd-unit] in the module does not allow the `AF_UNIX` socket address family in their systemd unit's `RestrictAddressFamilies=` which -disallows the namespace from accessing or creating UNIX sockets. +disallows the namespace from accessing or creating UNIX sockets and has to be enabled like so: + +```nix +systemd.services.conduit.serviceConfig.RestrictAddressFamilies = [ "AF_UNIX" ]; +``` -There is no known workaround these. A conduwuit NixOS configuration module must be developed and -published by the community. +Even though those workarounds are feasible a conduwuit NixOS configuration module, developed and +published by the community, would be appreciated. ### jemalloc and hardened profile
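Review bot: the `apply` function in the first added snippet evaluates `old.global ? "unix_socket_path"` unconditionally, so a configuration whose `settings` has no `global` attribute (the nixpkgs module's defaults are merged in later, at build time) fails with "attribute 'global' missing" instead of passing through; suggest guarding the lookup, e.g. `if ((old.global or { }) ? "unix_socket_path")`, and likewise `builtins.removeAttrs (old.global or { }) [ "address" "port" ]`. Two smaller points in the same hunk: the first ```` ```nix ```` block carries a stray blank `+` line before its closing fence, which renders as trailing whitespace inside the code block, and the prose refers to the "[`matrix-conduit` systemd unit][systemd-unit]" while the second snippet targets `systemd.services.conduit.serviceConfig.RestrictAddressFamilies`, so the two names should be checked against the module and made consistent. Finally, the closing sentence needs a comma after "feasible": "Even though those workarounds are feasible, a conduwuit NixOS configuration module, developed and published by the community, would be appreciated."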