nix/nixos/services/signal.nix

{config, ...}: let
  inherit (config) sops;
  inherit (sops) templates placeholder;

  toAppRegistration = {
    port,
    id,
    as_token,
    hs_token,
    sender_localpart,
    rate_limited ? false,
    ...
  } @ conf:
    builtins.toJSON ({
        namespaces = {
          users = [
            {
              exclusive = true;
              regex = "^@${id}_.*:tristans.cloud$";
            }
            {
              exclusive = true;
              regex = "^@${id}bot:tristans.cloud$";
            }
          ];
        };
        url = "http://localhost:${toString port}";
      }
      // conf);
  port = 29328;
in {
  sops.secrets = {
    "mautrix-signal/as_token" = {};
    "mautrix-signal/hs_token" = {};
  };
  sops.templates = {
    "mautrix-signal/appservice.yaml" = {
      owner = "matrix-synapse";
      content = toAppRegistration {
        id = "signal";
        port = port;
        as_token = placeholder."mautrix-signal/as_token";
        hs_token = placeholder."mautrix-signal/hs_token";
        sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
        "de.sorunome.msc2409.push_ephemeral" = true;
      };
    };
  };

  # mautrix-signal server currently in ansible/podman

  services.matrix-synapse.settings.app_service_config_files = [
    templates."mautrix-signal/appservice.yaml".path
  ];
}