Cluster secrets #100
10 changed files with 27 additions and 51 deletions
|
@ -1,19 +1,11 @@
|
|||
{ config, depot, ... }:
|
||||
{ cluster, depot, ... }:
|
||||
let
|
||||
inherit (depot.lib.meta) domain;
|
||||
in
|
||||
{
|
||||
age.secrets = {
|
||||
matrix-appservice-discord-token = {
|
||||
file = ../../../../secrets/matrix-appservice-discord-token.age;
|
||||
owner = "root";
|
||||
group = "root";
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
services.matrix-appservice-discord = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets.matrix-appservice-discord-token.path;
|
||||
environmentFile = cluster.config.services.matrix.secrets.discordAppServiceToken.path;
|
||||
settings = {
|
||||
bridge = {
|
||||
inherit domain;
|
||||
|
|
|
@ -1,13 +1,5 @@
|
|||
{ config, depot, ... }:
|
||||
{ cluster, depot, ... }:
|
||||
{
|
||||
age.secrets = {
|
||||
coturn-static-auth = {
|
||||
file = ../../../secrets/coturn-static-auth.age;
|
||||
owner = "turnserver";
|
||||
group = "root";
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
no-cli = true;
|
||||
|
@ -22,7 +14,7 @@
|
|||
lt-cred-mech = true;
|
||||
use-auth-secret = true;
|
||||
|
||||
static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
|
||||
static-auth-secret-file = cluster.config.services.matrix.secrets.coturnStaticAuth.path;
|
||||
# TODO: acme
|
||||
cert = "/etc/coturn/certs/fullchain.pem";
|
||||
pkey = "/etc/coturn/certs/privkey.pem";
|
||||
|
|
|
@ -17,6 +17,23 @@
|
|||
./web-client.nix
|
||||
];
|
||||
};
|
||||
secrets = let
|
||||
inherit (config.services.matrix) nodes;
|
||||
default = {
|
||||
nodes = nodes.homeserver;
|
||||
owner = "matrix-synapse";
|
||||
};
|
||||
in {
|
||||
ldapConfig = default;
|
||||
dbConfig = default;
|
||||
turnConfig = default;
|
||||
keysConfig = default;
|
||||
coturnStaticAuth = {
|
||||
nodes = nodes.homeserver;
|
||||
owner = "turnserver";
|
||||
};
|
||||
discordAppServiceToken.nodes = nodes.homeserver;
|
||||
};
|
||||
};
|
||||
|
||||
monitoring.blackbox.targets.matrix = {
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ cluster, config, lib, pkgs, depot, ... }:
|
||||
let
|
||||
inherit (depot.lib.meta) domain;
|
||||
inherit (cluster.config.services.matrix) secrets;
|
||||
|
||||
patroni = cluster.config.links.patroni-pg-access;
|
||||
|
||||
|
@ -51,36 +52,10 @@ let
|
|||
clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
|
||||
logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
|
||||
dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
|
||||
dbPasswordFile = config.age.secrets.synapse-db.path;
|
||||
dbPasswordFile = secrets.dbConfig.path;
|
||||
dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
|
||||
cfg = config.services.matrix-synapse;
|
||||
in {
|
||||
age.secrets = {
|
||||
synapse-ldap = {
|
||||
file = ../../../secrets/synapse-ldap.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0400";
|
||||
};
|
||||
synapse-db = {
|
||||
file = ../../../secrets/synapse-db.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0400";
|
||||
};
|
||||
synapse-turn = {
|
||||
file = ../../../secrets/synapse-turn.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0400";
|
||||
};
|
||||
synapse-keys = {
|
||||
file = ../../../secrets/synapse-keys.age;
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
services.matrix-synapse = {
|
||||
enable = true;
|
||||
plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
|
||||
|
@ -114,10 +89,10 @@ in {
|
|||
in map makeTurnServer combinations;
|
||||
};
|
||||
|
||||
extraConfigFiles = (map (x: config.age.secrets.${x}.path) [
|
||||
"synapse-ldap"
|
||||
"synapse-turn"
|
||||
"synapse-keys"
|
||||
extraConfigFiles = (map (x: secrets."${x}Config".path) [
|
||||
"ldap"
|
||||
"turn"
|
||||
"keys"
|
||||
]) ++ [ dbConfigOut ];
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue