Cluster secrets #100

Merged
max merged 17 commits from pr-cluster-secrets into master 2024-07-08 22:23:11 +03:00
10 changed files with 27 additions and 51 deletions
Showing only changes of commit f8f6e27e6f - Show all commits


@ -1,19 +1,11 @@
{ config, depot, ... }:
{ cluster, depot, ... }:
let
inherit (depot.lib.meta) domain;
in
{
age.secrets = {
matrix-appservice-discord-token = {
file = ../../../../secrets/matrix-appservice-discord-token.age;
owner = "root";
group = "root";
mode = "0400";
};
};
services.matrix-appservice-discord = {
enable = true;
environmentFile = config.age.secrets.matrix-appservice-discord-token.path;
environmentFile = cluster.config.services.matrix.secrets.discordAppServiceToken.path;
settings = {
bridge = {
inherit domain;
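Review bot: The new `environmentFile` on line 28 points at a cluster-managed secret, but the `mode = "0400"` (and `group = "root"`) that the removed `age.secrets` entry enforced is not re-stated anywhere in this commit — the declarations added in the matrix module (`default`, `coturnStaticAuth`, `discordAppServiceToken`) set only `nodes` and `owner`, so the file mode falls back to whatever the cluster secrets module defaults to. If that default is wider than owner-only, this token and the coturn/synapse secrets consumed in the later hunks become readable more broadly than before; I would add `mode = "0400";` to `default` and to the two standalone entries, or document the module default next to them. The same point applies to the coturn `static-auth-secret-file` and the synapse `dbPasswordFile`/`extraConfigFiles` hunks below. Separately, `config` is dropped from the module arguments on line 12; if anything below this hunk still references `config`, the module will no longer evaluate, so a quick check of the rest of the file is worthwhile.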


@ -1,13 +1,5 @@
{ config, depot, ... }:
{ cluster, depot, ... }:
{
age.secrets = {
coturn-static-auth = {
file = ../../../secrets/coturn-static-auth.age;
owner = "turnserver";
group = "root";
mode = "0400";
};
};
services.coturn = {
enable = true;
no-cli = true;
@ -22,7 +14,7 @@
lt-cred-mech = true;
use-auth-secret = true;
static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
static-auth-secret-file = cluster.config.services.matrix.secrets.coturnStaticAuth.path;
# TODO: acme
cert = "/etc/coturn/certs/fullchain.pem";
pkey = "/etc/coturn/certs/privkey.pem";


@ -17,6 +17,23 @@
./web-client.nix
];
};
secrets = let
inherit (config.services.matrix) nodes;
default = {
nodes = nodes.homeserver;
owner = "matrix-synapse";
};
in {
ldapConfig = default;
dbConfig = default;
turnConfig = default;
keysConfig = default;
coturnStaticAuth = {
nodes = nodes.homeserver;
owner = "turnserver";
};
discordAppServiceToken.nodes = nodes.homeserver;
};
};
monitoring.blackbox.targets.matrix = {
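Review bot: `discordAppServiceToken` on line 80 declares only `nodes`, so its owner comes from the cluster secrets module's default, whereas the declaration it replaces pinned `owner = "root"`. That file is consumed as an `environmentFile`, which (if the NixOS module behaves as I recall) is opened by the service manager rather than by the bridge's own user, so stating the intent explicitly avoids depending on a default defined elsewhere: `discordAppServiceToken = { nodes = nodes.homeserver; owner = "root"; };`. The `default` attrset would also benefit from a one-line why-comment such as `# synapse reads these files itself via extraConfigFiles, hence owner matrix-synapse`, and `coturnStaticAuth` likewise (`# coturn opens static-auth-secret-file as turnserver`). The enclosing `secrets`/module body starts and continues outside this hunk.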


@ -1,6 +1,7 @@
{ cluster, config, lib, pkgs, depot, ... }:
let
inherit (depot.lib.meta) domain;
inherit (cluster.config.services.matrix) secrets;
patroni = cluster.config.links.patroni-pg-access;
@ -51,36 +52,10 @@ let
clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
dbPasswordFile = config.age.secrets.synapse-db.path;
dbPasswordFile = secrets.dbConfig.path;
dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
cfg = config.services.matrix-synapse;
in {
age.secrets = {
synapse-ldap = {
file = ../../../secrets/synapse-ldap.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
synapse-db = {
file = ../../../secrets/synapse-db.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
synapse-turn = {
file = ../../../secrets/synapse-turn.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
synapse-keys = {
file = ../../../secrets/synapse-keys.age;
owner = "matrix-synapse";
group = "matrix-synapse";
mode = "0400";
};
};
services.matrix-synapse = {
enable = true;
plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
@ -114,10 +89,10 @@ in {
in map makeTurnServer combinations;
};
extraConfigFiles = (map (x: config.age.secrets.${x}.path) [
"synapse-ldap"
"synapse-turn"
"synapse-keys"
extraConfigFiles = (map (x: secrets."${x}Config".path) [
"ldap"
"turn"
"keys"
]) ++ [ dbConfigOut ];
};