cluster/services/matrix: use cluster secrets

cluster/services/matrix/bridges/discord.nix

@@ -1,19 +1,11 @@
-{ config, depot, ... }:
+{ cluster, depot, ... }:
 let
   inherit (depot.lib.meta) domain;
 in
 {
-  age.secrets = {
-    matrix-appservice-discord-token = {
-      file = ../../../../secrets/matrix-appservice-discord-token.age;
-      owner = "root";
-      group = "root";
-      mode = "0400";
-    };
-  };
   services.matrix-appservice-discord = {
     enable = true;
-    environmentFile = config.age.secrets.matrix-appservice-discord-token.path;
+    environmentFile = cluster.config.services.matrix.secrets.discordAppServiceToken.path;
     settings = {
       bridge = {
         inherit domain;

cluster/services/matrix/coturn.nix

@@ -1,13 +1,5 @@
-{ config, depot, ... }:
+{ cluster, depot, ... }:
 {
-  age.secrets = {
-    coturn-static-auth = {
-      file = ../../../secrets/coturn-static-auth.age;
-      owner = "turnserver";
-      group = "root";
-      mode = "0400";
-    };
-  };
   services.coturn = {
     enable = true;
     no-cli = true;
@@ -22,7 +14,7 @@
     lt-cred-mech = true;
     use-auth-secret = true;
 
-    static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
+    static-auth-secret-file = cluster.config.services.matrix.secrets.coturnStaticAuth.path;
     # TODO: acme
     cert = "/etc/coturn/certs/fullchain.pem";
     pkey = "/etc/coturn/certs/privkey.pem";

cluster/services/matrix/default.nix

@@ -17,6 +17,23 @@
         ./web-client.nix
       ];
     };
+    secrets = let
+      inherit (config.services.matrix) nodes;
+      default = {
+        nodes = nodes.homeserver;
+        owner = "matrix-synapse";
+      };
+    in {
+      ldapConfig = default;
+      dbConfig = default;
+      turnConfig = default;
+      keysConfig = default;
+      coturnStaticAuth = {
+        nodes = nodes.homeserver;
+        owner = "turnserver";
+      };
+      discordAppServiceToken.nodes = nodes.homeserver;
+    };
   };
 
   monitoring.blackbox.targets.matrix = {

cluster/services/matrix/homeserver.nix

@@ -1,6 +1,7 @@
 { cluster, config, lib, pkgs, depot, ... }:
 let
   inherit (depot.lib.meta) domain;
+  inherit (cluster.config.services.matrix) secrets;
 
   patroni = cluster.config.links.patroni-pg-access;
 
@@ -51,36 +52,10 @@ let
   clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
   logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
   dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
-  dbPasswordFile = config.age.secrets.synapse-db.path;
+  dbPasswordFile = secrets.dbConfig.path;
   dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
   cfg = config.services.matrix-synapse;
 in {
-  age.secrets = {
-    synapse-ldap = {
-      file = ../../../secrets/synapse-ldap.age;
-      owner = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0400";
-    };
-    synapse-db = {
-      file = ../../../secrets/synapse-db.age;
-      owner = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0400";
-    };
-    synapse-turn = {
-      file = ../../../secrets/synapse-turn.age;
-      owner = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0400";
-    };
-    synapse-keys = {
-      file = ../../../secrets/synapse-keys.age;
-      owner = "matrix-synapse";
-      group = "matrix-synapse";
-      mode = "0400";
-    };
-  };
   services.matrix-synapse = {
     enable = true;
     plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
@@ -114,10 +89,10 @@ in {
       in map makeTurnServer combinations;
     };
 
-    extraConfigFiles = (map (x: config.age.secrets.${x}.path) [
-      "synapse-ldap"
-      "synapse-turn"
-      "synapse-keys"
+    extraConfigFiles = (map (x: secrets."${x}Config".path) [
+      "ldap"
+      "turn"
+      "keys"
     ]) ++ [ dbConfigOut ];
   };