From e80cd707c4b26ef11e5877bee5f5bac87c7babdd Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 4 Sep 2024 19:37:34 +0200
Subject: [PATCH 1/3] matrix-appservice-irc: 2.0.1 -> 3.0.0

https://github.com/matrix-org/matrix-appservice-irc/releases/tag/3.0.0
---
 .../matrix-synapse/matrix-appservice-irc/default.nix        | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix b/pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix
index 993fa909b1a8..86be2ddb41f8 100644
--- a/pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix
+++ b/pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix
@@ -13,19 +13,19 @@
 
 let
   pname = "matrix-appservice-irc";
-  version = "2.0.1";
+  version = "3.0.0";
 
   src = fetchFromGitHub {
     owner = "matrix-org";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-ue3fOkrEBRI/NRE+uKFR+NaqP8QvzVVeX3LUh4aZYJA=";
+    hash = "sha256-ZT8ugev+Tgu47KLuVVo5sFfiGtWLDc6JW5NZvsQ1mA8=";
   };
 
   yarnOfflineCache = fetchYarnDeps {
     name = "${pname}-${version}-offline-cache";
     yarnLock = "${src}/yarn.lock";
-    hash = "sha256-hapEbdjvvzeZHfrpYRW9W3vXkQVNyGZ0qydO34+mQqQ=";
+    hash = "sha256-13OUcxZOlW1pp4uB1aRmqlzKf6rTgyP/nMnLmksXV3w=";
   };
 
 in

From d3df4119133bb6a79d80077213b9a61d42b40bcc Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 4 Sep 2024 20:35:02 +0200
Subject: [PATCH 2/3] nixos/matrix-appservice-irc: media proxying support

Adds required options for serving authenticated media and the key
generation logic.
---
 .../services/matrix/appservice-irc.nix        | 35 +++++++++++++++++++
 nixos/tests/matrix/appservice-irc.nix         | 17 +++++----
 2 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix
index 55a04059abe4..df12998ab156 100644
--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@@ -137,6 +137,37 @@ in {
                   type = submodule { freeformType = jsonType; };
                   description = "IRC servers to connect to";
                 };
+
+                mediaProxy = {
+                  signingKeyPath = lib.mkOption {
+                    type = path;
+                    default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
+                    description = ''
+                      Path to the signing key file for authenticated media.
+                    '';
+                  };
+                  ttlSeconds = lib.mkOption {
+                    type = ints.positive;
+                    default = 3600;
+                    description = ''
+                      Lifetime in seconds, that generated URLs stay valid.
+                    '';
+                  };
+                  bindPort = lib.mkOption {
+                    type = port;
+                    default = 11111;
+                    description = ''
+                      Port that the media proxy binds to.
+                    '';
+                  };
+                  publicUrl = lib.mkOption {
+                    type = str;
+                    example = "https://matrix.example.com/media";
+                    description = ''
+                      URL under which the media proxy is publicly acccessible.
+                    '';
+                  };
+                };
               };
             };
           };
@@ -144,6 +175,7 @@ in {
       };
     };
   };
+
   config = lib.mkIf cfg.enable {
     systemd.services.matrix-appservice-irc = {
       description = "Matrix-IRC bridge";
@@ -181,6 +213,9 @@ in {
           sed -i "s/^hs_token:.*$/$hs_token/g" ${registrationFile}
           sed -i "s/^as_token:.*$/$as_token/g" ${registrationFile}
         fi
+        if ! [ -f "${cfg.settings.ircService.mediaProxy.signingKeyPath}"]; then
+          ${lib.getExe pkgs.nodejs} ${pkg}/lib/generate-signing-key.js > "${cfg.settings.ircService.mediaProxy.signingKeyPath}"
+        fi
         # Allow synapse access to the registration
         if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then
           chgrp matrix-synapse ${registrationFile}
diff --git a/nixos/tests/matrix/appservice-irc.nix b/nixos/tests/matrix/appservice-irc.nix
index 78c53024ca6c..23e0a00436d3 100644
--- a/nixos/tests/matrix/appservice-irc.nix
+++ b/nixos/tests/matrix/appservice-irc.nix
@@ -75,13 +75,16 @@ import ../make-test-python.nix ({ pkgs, ... }:
             homeserver.url = homeserverUrl;
             homeserver.domain = "homeserver";
 
-            ircService.servers."ircd" = {
-              name = "IRCd";
-              port = 6667;
-              dynamicChannels = {
-                enabled = true;
-                aliasTemplate = "#irc_$CHANNEL";
+            ircService = {
+              servers."ircd" = {
+                name = "IRCd";
+                port = 6667;
+                dynamicChannels = {
+                  enabled = true;
+                  aliasTemplate = "#irc_$CHANNEL";
+                };
               };
+              mediaProxy.publicUrl = "http://localhost:11111/media";
             };
           };
         };
@@ -203,6 +206,8 @@ import ../make-test-python.nix ({ pkgs, ... }:
       with subtest("start the appservice"):
           appservice.wait_for_unit("matrix-appservice-irc.service")
           appservice.wait_for_open_port(8009)
+          appservice.wait_for_file("/var/lib/matrix-appservice-irc/media-signingkey.jwk")
+          appservice.wait_for_open_port(11111)
 
       with subtest("copy the registration file"):
           appservice.copy_from_vm("/var/lib/matrix-appservice-irc/registration.yml")

From de396087e9e7e0aff63229788ea00a2f7a96c20c Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 4 Sep 2024 20:35:52 +0200
Subject: [PATCH 3/3] nixos/tests/matrix-appservice-irc: modernize

---
 nixos/tests/all-tests.nix             | 2 +-
 nixos/tests/matrix/appservice-irc.nix | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 76c70e2c3fc8..f8e0eb190bf5 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -570,7 +570,7 @@ in {
   mate-wayland = handleTest ./mate-wayland.nix {};
   matter-server = handleTest ./matter-server.nix {};
   matomo = handleTest ./matomo.nix {};
-  matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {};
+  matrix-appservice-irc = runTest ./matrix/appservice-irc.nix;
   matrix-conduit = handleTest ./matrix/conduit.nix {};
   matrix-synapse = handleTest ./matrix/synapse.nix {};
   matrix-synapse-workers = handleTest ./matrix/synapse-workers.nix {};
diff --git a/nixos/tests/matrix/appservice-irc.nix b/nixos/tests/matrix/appservice-irc.nix
index 23e0a00436d3..2c556ec37fc5 100644
--- a/nixos/tests/matrix/appservice-irc.nix
+++ b/nixos/tests/matrix/appservice-irc.nix
@@ -1,4 +1,4 @@
-import ../make-test-python.nix ({ pkgs, ... }:
+{ pkgs, ... }:
   let
     homeserverUrl = "http://homeserver:8008";
   in
@@ -9,7 +9,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
     };
 
     nodes = {
-      homeserver = { pkgs, ... }: {
+      homeserver = {
         # We'll switch to this once the config is copied into place
         specialisation.running.configuration = {
           services.matrix-synapse = {
@@ -46,7 +46,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
         };
       };
 
-      ircd = { pkgs, ... }: {
+      ircd = {
         services.ngircd = {
           enable = true;
           config = ''
@@ -227,4 +227,4 @@ import ../make-test-python.nix ({ pkgs, ... }:
       with subtest("ensure messages can be exchanged"):
           client.succeed("do_test ${homeserverUrl} >&2")
     '';
-  })
+  }