.forgejo/workflows/release-image.yml

@@ -10,7 +10,7 @@ on:
       - ".gitlab-ci.yml"
       - ".gitignore"
       - "renovate.json"
-      - "pkg/**"
+      - "debian/**"
       - "docker/**"
       - "docs/**"
   # Allows you to run this workflow manually from the Actions tab

arch/conduwuit.service

@@ -0,0 +1,84 @@
+[Unit]
+
+Description=Continuwuity - Matrix homeserver
+Wants=network-online.target
+After=network-online.target
+Documentation=https://continuwuity.org/
+RequiresMountsFor=/var/lib/private/conduwuit
+Alias=matrix-conduwuit.service
+
+[Service]
+DynamicUser=yes
+Type=notify-reload
+ReloadSignal=SIGUSR1
+
+TTYPath=/dev/tty25
+DeviceAllow=char-tty
+StandardInput=tty-force
+StandardOutput=tty
+StandardError=journal+console
+
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=true"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
+Environment="CONTINUWUITY_DATABASE_PATH=/var/lib/conduwuit"
+
+TTYReset=yes
+# uncomment to allow buffer to be cleared every restart
+TTYVTDisallocate=no
+
+TTYColumns=120
+TTYRows=40
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+#ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @resources
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
+SystemCallErrorNumber=EPERM
+StateDirectory=conduwuit
+
+RuntimeDirectory=conduwuit
+RuntimeDirectoryMode=0750
+
+Environment=CONTINUWUITY_CONFIG=%d/config.toml
+LoadCredential=config.toml:/etc/conduwuit/conduwuit.toml
+BindPaths=/var/lib/private/conduwuit:/var/lib/matrix-conduit
+BindPaths=/var/lib/private/conduwuit:/var/lib/private/matrix-conduit
+
+ExecStart=/usr/bin/conduwuit
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=4m
+TimeoutStartSec=4m
+
+StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target

conduwuit-example.toml

@@ -79,9 +79,9 @@
 # This is the only directory where continuwuity will save its data,
 # including media. Note: this was previously "/var/lib/matrix-conduit".
 #
-# YOU NEED TO EDIT THIS, UNLESS you are running continuwuity as a
+# YOU NEED TO EDIT THIS, UNLESS you are running continuwuity as a `systemd` service.
-# `systemd` service. The service file sets it to `/var/lib/conduwuit`
+# The service file sets it to `/var/lib/conduwuit` using an environment variable
-# using an environment variable and also grants write access.
+# and also grants write access.
 #
 # example: "/var/lib/conduwuit"
 #

debian/conduwuit.service

@@ -0,0 +1,71 @@
+[Unit]
+
+Description=Continuwuity - Matrix homeserver
+Wants=network-online.target
+After=network-online.target
+Documentation=https://continuwuity.org/
+Alias=matrix-conduwuit.service
+
+[Service]
+DynamicUser=yes
+User=conduwuit
+Group=conduwuit
+Type=notify
+
+Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
+
+Environment="CONTINUWUITY_LOG_TO_JOURNALD=true"
+Environment="CONTINUWUITY_JOURNALD_IDENTIFIER=%N"
+Environment="CONTINUWUITY_DATABASE_PATH=/var/lib/conduwuit"
+
+ExecStart=/usr/sbin/conduwuit
+
+ReadWritePaths=/var/lib/conduwuit /etc/conduwuit
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+#ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @resources
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
+SystemCallErrorNumber=EPERM
+#StateDirectory=conduwuit
+
+RuntimeDirectory=conduwuit
+RuntimeDirectoryMode=0750
+
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=2m
+TimeoutStartSec=2m
+
+StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target

debian/postinst

@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+# TODO: implement debconf support that is maintainable without duplicating the config
+#. /usr/share/debconf/confmodule
+
+CONDUWUIT_DATABASE_PATH=/var/lib/conduwuit
+CONDUWUIT_CONFIG_PATH=/etc/conduwuit
+
+case "$1" in
+  configure)
+    # Create the `conduwuit` user if it does not exist yet.
+    if ! getent passwd conduwuit > /dev/null ; then
+      echo 'Adding system user for the conduwuit Matrix homeserver' 1>&2
+      adduser --system --group --quiet \
+        --home "$CONDUWUIT_DATABASE_PATH" \
+        --disabled-login \
+        --shell "/usr/sbin/nologin" \
+        conduwuit
+    fi
+
+    # Create the database path if it does not exist yet and fix up ownership
+    # and permissions for the config.
+    mkdir -v -p "$CONDUWUIT_DATABASE_PATH"
+
+    # symlink the previous location for compatibility if it does not exist yet.
+    if ! test -L "/var/lib/matrix-conduit" ; then
+        ln -s -v "$CONDUWUIT_DATABASE_PATH" "/var/lib/matrix-conduit"
+    fi
+
+    chown -v conduwuit:conduwuit -R "$CONDUWUIT_DATABASE_PATH"
+    chown -v conduwuit:conduwuit -R "$CONDUWUIT_CONFIG_PATH"
+
+    chmod -v 740 "$CONDUWUIT_DATABASE_PATH"
+
+    echo ''
+    echo 'Make sure you edit the example config at /etc/conduwuit/conduwuit.toml before starting!'
+    echo 'To start the server, run: systemctl start conduwuit.service'
+    echo ''
+
+    ;;
+esac
+
+#DEBHELPER#

debian/postrm

@@ -20,18 +20,24 @@ case $1 in
 
     if [ -d "$CONDUWUIT_CONFIG_PATH" ]; then
       if test -L "$CONDUWUIT_CONFIG_PATH"; then
-        echo "Deleting continuwuity configuration files"
+        echo "Deleting conduwuit configuration files"
         rm -v -r "$CONDUWUIT_CONFIG_PATH"
       fi
     fi
 
     if [ -d "$CONDUWUIT_DATABASE_PATH" ]; then
       if test -L "$CONDUWUIT_DATABASE_PATH"; then
-        echo "Deleting continuwuity database directory"
+        echo "Deleting conduwuit database directory"
         rm -r "$CONDUWUIT_DATABASE_PATH"
       fi
     fi
 
+    if [ -d "$CONDUWUIT_DATABASE_PATH_SYMLINK" ]; then
+      if test -L "$CONDUWUIT_DATABASE_SYMLINK"; then
+        echo "Removing matrix-conduit symlink"
+        rm -r "$CONDUWUIT_DATABASE_PATH_SYMLINK"
+      fi
+    fi
     ;;
 esac
 

docs/configuration/examples.md

@@ -9,11 +9,24 @@
 
 </details>
 
-## systemd unit file
+## Debian systemd unit file
 
 <details>
-<summary>systemd unit file</summary>
+<summary>Debian systemd unit file</summary>
 
 ```
-{{#include ../../pkg/conduwuit.service}}
+{{#include ../../debian/conduwuit.service}}
 ```
+
+</details>
+
+## Arch Linux systemd unit file
+
+<details>
+<summary>Arch Linux systemd unit file</summary>
+
+```
+{{#include ../../arch/conduwuit.service}}
+```
+
+</details>

docs/deploying/debian.md

@@ -1 +1 @@
-{{#include ../../pkg/debian/README.md}}
+{{#include ../../debian/README.md}}

fedora/conduwuit.service

@@ -9,8 +9,7 @@ Alias=matrix-conduwuit.service
 DynamicUser=yes
 User=conduwuit
 Group=conduwuit
-Type=notify-reload
+Type=notify
-ReloadSignal=SIGUSR1
 
 Environment="CONTINUWUITY_CONFIG=/etc/conduwuit/conduwuit.toml"
 
@@ -60,8 +59,8 @@ RuntimeDirectoryMode=0750
 Restart=on-failure
 RestartSec=5
 
-TimeoutStopSec=4m
+TimeoutStopSec=2m
-TimeoutStartSec=4m
+TimeoutStartSec=2m
 
 StartLimitInterval=1m
 StartLimitBurst=5

fedora/continuwuity.spec.rpkg

@@ -51,7 +51,7 @@ find .cargo/registry/ -executable -name "*.rs" -exec chmod -x {} +
 
 %install
 install -Dpm0755 target/rpm/conduwuit -t %{buildroot}%{_bindir}
-install -Dpm0644 pkg/conduwuit.service -t %{buildroot}%{_unitdir}
+install -Dpm0644 fedora/conduwuit.service -t %{buildroot}%{_unitdir}
 install -Dpm0644 conduwuit-example.toml %{buildroot}%{_sysconfdir}/conduwuit/conduwuit.toml
 
 %files

flake.nix

@@ -48,7 +48,7 @@
           pkgs.lib.makeScope pkgs.newScope (self: {
             inherit pkgs inputs;
             craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain);
-            main = self.callPackage ./pkg/nix/pkgs/main { };
+            main = self.callPackage ./nix/pkgs/main { };
             liburing = pkgs.liburing.overrideAttrs {
               # Tests weren't building
               outputs = [

pkg/debian/postinst

@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-# TODO: implement debconf support that is maintainable without duplicating the config
-#. /usr/share/debconf/confmodule
-
-CONDUWUIT_DATABASE_PATH=/var/lib/conduwuit
-CONDUWUIT_CONFIG_PATH=/etc/conduwuit
-
-case "$1" in
-  configure)
-    echo ''
-    echo 'Make sure you edit the example config at /etc/conduwuit/conduwuit.toml before starting!'
-    echo 'To start the server, run: systemctl start conduwuit.service'
-    echo ''
-
-    ;;
-esac
-
-#DEBHELPER#

src/core/config/mod.rs

@@ -126,9 +126,9 @@ pub struct Config {
 	/// This is the only directory where continuwuity will save its data,
 	/// including media. Note: this was previously "/var/lib/matrix-conduit".
 	///
-	/// YOU NEED TO EDIT THIS, UNLESS you are running continuwuity as a
+	/// YOU NEED TO EDIT THIS, UNLESS you are running continuwuity as a `systemd` service.
-	/// `systemd` service. The service file sets it to `/var/lib/conduwuit`
+	/// The service file sets it to `/var/lib/conduwuit` using an environment variable
-	/// using an environment variable and also grants write access.
+	/// and also grants write access.
 	///
 	/// example: "/var/lib/conduwuit"
 	pub database_path: PathBuf,

src/main/Cargo.toml

@@ -32,12 +32,12 @@ a cool hard fork of Conduit, a Matrix homeserver written in Rust"""
 section = "net"
 priority = "optional"
 conf-files = ["/etc/conduwuit/conduwuit.toml"]
-maintainer-scripts = "../../pkg/debian/"
+maintainer-scripts = "../../debian/"
-systemd-units = { unit-name = "conduwuit", start = false, unit-scripts = "../../pkg/" }
+systemd-units = { unit-name = "conduwuit", start = false }
 assets = [
-	["../../pkg/debian/README.md", "usr/share/doc/conduwuit/README.Debian", "644"],
+	["../../debian/README.md", "usr/share/doc/conduwuit/README.Debian", "644"],
 	["../../README.md", "usr/share/doc/conduwuit/", "644"],
-	["../../target/release/conduwuit", "usr/bin/conduwuit", "755"],
+	["../../target/release/conduwuit", "usr/sbin/conduwuit", "755"],
 	["../../conduwuit-example.toml", "etc/conduwuit/conduwuit.toml", "640"],
 ]