Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#60506 - [matrix-appservice-irc] add a systemd service file

Attached to Project: Community Packages
Opened by Damjan Georgievski (damjan) - Saturday, 20 October 2018, 15:47 GMT
Last edited by David Runge (dvzrv) - Tuesday, 17 March 2020, 17:25 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To David Runge (dvzrv)
Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

it would be nice of the package would come out of the box with a .service file. This is the current one I use:

[Unit]
After=network.target
Description=Matrix IRC gateway appservice

[Service]
Type=simple
DynamicUser=yes
Restart=always
ExecStart=/usr/bin/matrix-appservice-irc -c /etc/synapse/appservice-irc-config.yaml -f /etc/synapse/appservice-irc-registration.yaml -p 9009
LogsDirectory=matrix-irc
StateDirectory=matrix-irc
IPAccounting=on

[Install]
WantedBy=synapse.service
This task depends upon

Closed by  David Runge (dvzrv)
Tuesday, 17 March 2020, 17:25 GMT
Reason for closing:  Implemented
Additional comments about closing:  Added service file in 0.16.0-1
Comment by Bruno Pagani (ArchangeGabriel) - Sunday, 23 December 2018, 19:32 GMT
Well, each user would have to override it anyway, because `-c /etc/synapse/appservice-irc-config.yaml -f /etc/synapse/appservice-irc-registration.yaml -p 9009` is user specific (I actually have different values for the three of them). Your `WantedBy` also is not necessarily the same for everyone (you can run both on different machines, VMs, etc.

That being said, we could still provide a default with a list of hardening bits enabled.
Comment by Bruno Pagani (ArchangeGabriel) - Sunday, 29 September 2019, 14:15 GMT
My service file (before decommissioning, I don’t run one anymore):
```
[Unit]
Description=Matrix IRC Bridge
After=network.target synapse.service

[Service]
Type=simple
User=synapse
Group=synapse
ExecStart=/usr/bin/matrix-appservice-irc -c /etc/synapse/irc.config.yaml -f /etc/synapse/irc.registration.yaml -p 9999
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Hardening would be required. ExecStart is likely to be overridden by user as stated above.
Comment by bobpaul (bobpaul) - Sunday, 16 February 2020, 04:07 GMT
Couldn't this be handled much like the webapps packages are handled (ex: nextcloud, riot, phpmyadmin, etc)? Right now installing this package as an arch package is rather weird; it's not entirely clear what benefit the package provides vs just installing from the git repo. The webapps all have symlinks to their config files an expected location in `/etc`, a sample config, and then I configure a webserver to host them.
Comment by bobpaul (bobpaul) - Sunday, 16 February 2020, 20:54 GMT
Looking at this more closely, I'm not sure most users should need to customize the ExecStart. There's `bindPort` in the config.yaml, so no reason to put the port in the systemd unit. A single appservice can handle multiple IRC servers, so running multiple appservices might not be something that needs to be supported BUT if we want to support that (ie, for someone running appservices for multiple synapse servers), it should be done via systemd template services.
Ex:

[Unit]
Description=Matrix IRC Bridge
After=network.target synapse.service

[Service]
Type=simple
User=synapse
Group=synapse
WorkingDirectory=/usr/lib/node_modules/matrix-appservice-irc/
ExecStart=/usr/bin/matrix-appservice-irc -c /etc/synapse/matrix-appservice-irc/config-%i.yaml \
-f /etc/synapse/matrix-appservice-irc/registration-%i.yaml
Restart=on-failure

[Install]
WantedBy=multi-user.target

Comment by David Runge (dvzrv) - Saturday, 07 March 2020, 22:36 GMT
@damjan: Thanks for bringing up this issue.

@bobpaul and @damjan: I've just pushed matrix-appservice-irc 0.16.0 to [community-testing]. Please give it a spin.
Note: I've removed a lot of clutter from the package (and I hope I didn't accidentally break anything). I currently sadly have no setup to test this with, so it would be very awesome, if you could report back on any issues you might have!
Make sure to backup any configuration files/services files you are currently using before running the service!

matrix-appservice-irc is now run as its own user/group. The configuration files are installed 0640 to /etc/matrix-appservice-irc/ and I've added many hardening options to the service file.
Please report back on any problems, that you run into with the service or the package itself!

Last, but not least: I have not added synapse.service to After=, as there is the use-case of running the bridge on a host, that is not running synapse. If you require it, you can of course add it in an override.
Comment by Damjan Georgievski (damjan) - Monday, 09 March 2020, 14:10 GMT
> Last, but not least: I have not added synapse.service to After=, as there is the use-case of running the bridge on a host, that is not running synapse.

I don't mind that, although After=synapse.service only has any effect if both services *are* enqueued to start on the same host. Otherwise it's a noop (in other words, After/Before only specifies ordering, not dependencies).

I'll test the package soon.
Comment by David Runge (dvzrv) - Tuesday, 10 March 2020, 17:54 GMT
> I don't mind that, although After=synapse.service only has any effect if both services *are* enqueued to start on the same host. Otherwise it's a noop (in other words, After/Before only specifies ordering, not dependencies).

Oh, you are right! Didn't think clearly. Definitely worth adding back...


Thanks for the feedback!
Comment by Damjan Georgievski (damjan) - Tuesday, 10 March 2020, 21:24 GMT
seems it can't import bluebird
Comment by David Runge (dvzrv) - Wednesday, 11 March 2020, 14:39 GMT
@damjan: Thanks! Seems I was too overly eager to remove unneeded things. Turns out package.json files are required ;-)

I've pushed a new version to [community-testing] (also with small changes to the service). Please try again!
Comment by Damjan Georgievski (damjan) - Thursday, 12 March 2020, 20:14 GMT
seems to work nice now.

btw, why did you add CapabilityBoundingSet=CAP_NET_BIND_SERVICE ?
That doesn't add a capability (if you had that in mind) - and since it's a non-root user it doesn't have any capabilities. you maybe wanted to use AmbientCapabilities=
Comment by David Runge (dvzrv) - Thursday, 12 March 2020, 21:46 GMT
@damjan: Glad to hear! I'm not entirely sure. I think I was under the assumption, that the service might need a to be able to assign a port, but just now realized, that this is only valid for ports < 1024, which this service should never use.
It can be removed altogether.

Thanks again for all the great feedback!

Loading...