Cluster secrets #100
10 changed files with 27 additions and 51 deletions
@ -1,19 +1,11 @@
|
||||||
{ config, depot, ... }:
|
{ cluster, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.lib.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
age.secrets = {
|
|
||||||
matrix-appservice-discord-token = {
|
|
||||||
file = ../../../../secrets/matrix-appservice-discord-token.age;
|
|
||||||
owner = "root";
|
|
||||||
group = "root";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.matrix-appservice-discord = {
|
services.matrix-appservice-discord = {
|
||||||
enable = true;
|
enable = true;
|
||||||
environmentFile = config.age.secrets.matrix-appservice-discord-token.path;
|
environmentFile = cluster.config.services.matrix.secrets.discordAppServiceToken.path;
|
||||||
settings = {
|
settings = {
|
||||||
bridge = {
|
bridge = {
|
||||||
inherit domain;
|
inherit domain;
|
||||||
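Review bot: The token file's ownership and mode are no longer stated anywhere in this PR: the removed `age.secrets` entry pinned `owner = "root"`, `group = "root"` and `mode = "0400"`, while the replacement `cluster.config.services.matrix.secrets.discordAppServiceToken.path` on the `environmentFile` line resolves to a definition (in the `-17,6 +17,23` hunk) that sets only `nodes`. Unless the cluster `secrets` option defaults to root/0400, which nothing in this diff shows, the file can end up with a wider group or mode than it had before. Making it explicit at the definition, `discordAppServiceToken = { nodes = nodes.homeserver; owner = "root"; };`, or adding a comment there that records the defaults, would keep the previous guarantee visible. The same applies to `coturnStaticAuth` in the coturn hunk (`-1,13 +1,5`), which keeps `owner = "turnserver"` but drops the explicit group and mode. Whether the `secrets` option exposes `group` or `mode` attributes at all is not visible here.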
@ -1,13 +1,5 @@
|
||||||
{ config, depot, ... }:
|
{ cluster, depot, ... }:
|
||||||
{
|
{
|
||||||
age.secrets = {
|
|
||||||
coturn-static-auth = {
|
|
||||||
file = ../../../secrets/coturn-static-auth.age;
|
|
||||||
owner = "turnserver";
|
|
||||||
group = "root";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.coturn = {
|
services.coturn = {
|
||||||
enable = true;
|
enable = true;
|
||||||
no-cli = true;
|
no-cli = true;
|
@ -22,7 +14,7 @@
|
||||||
lt-cred-mech = true;
|
lt-cred-mech = true;
|
||||||
use-auth-secret = true;
|
use-auth-secret = true;
|
||||||
|
|
||||||
static-auth-secret-file = config.age.secrets.coturn-static-auth.path;
|
static-auth-secret-file = cluster.config.services.matrix.secrets.coturnStaticAuth.path;
|
||||||
# TODO: acme
|
# TODO: acme
|
||||||
cert = "/etc/coturn/certs/fullchain.pem";
|
cert = "/etc/coturn/certs/fullchain.pem";
|
||||||
pkey = "/etc/coturn/certs/privkey.pem";
|
pkey = "/etc/coturn/certs/privkey.pem";
|
||||||
@ -17,6 +17,23 @@
|
||||||
./web-client.nix
|
./web-client.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
secrets = let
|
||||||
|
inherit (config.services.matrix) nodes;
|
||||||
|
default = {
|
||||||
|
nodes = nodes.homeserver;
|
||||||
|
owner = "matrix-synapse";
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
ldapConfig = default;
|
||||||
|
dbConfig = default;
|
||||||
|
turnConfig = default;
|
||||||
|
keysConfig = default;
|
||||||
|
coturnStaticAuth = {
|
||||||
|
nodes = nodes.homeserver;
|
||||||
|
owner = "turnserver";
|
||||||
|
};
|
||||||
|
discordAppServiceToken.nodes = nodes.homeserver;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring.blackbox.targets.matrix = {
|
monitoring.blackbox.targets.matrix = {
|
||||||
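Review bot: `coturnStaticAuth` and `discordAppServiceToken` are pinned to `nodes.homeserver`, so the coturn and Discord-bridge secrets are provisioned only on the Synapse homeserver node set; if either service is later placed on a different node set, the consumer's `.path` will reference a file that is not deployed there, and nothing in this block records that assumption. A short comment above `coturnStaticAuth` would make it explicit, e.g. `# coturn and the Discord bridge are co-located with Synapse; their secrets follow the homeserver node set`. It is also worth a one-line comment on `default` saying that it is the template for the four Synapse-owned secrets, since the name alone does not say so. The enclosing `services.matrix` module continues outside the hunk.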
@ -1,6 +1,7 @@
|
||||||
{ cluster, config, lib, pkgs, depot, ... }:
|
{ cluster, config, lib, pkgs, depot, ... }:
|
||||||
let
|
let
|
||||||
inherit (depot.lib.meta) domain;
|
inherit (depot.lib.meta) domain;
|
||||||
|
inherit (cluster.config.services.matrix) secrets;
|
||||||
|
|
||||||
patroni = cluster.config.links.patroni-pg-access;
|
patroni = cluster.config.links.patroni-pg-access;
|
||||||
|
|
||||||
@ -51,36 +52,10 @@ let
|
||||||
clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
|
clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
|
||||||
logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
|
logConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON logConfig);
|
||||||
dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
|
dbConfigJSON = pkgs.writeText "matrix-log-config.json" (builtins.toJSON dbConfig);
|
||||||
dbPasswordFile = config.age.secrets.synapse-db.path;
|
dbPasswordFile = secrets.dbConfig.path;
|
||||||
dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
|
dbConfigOut = "${cfg.dataDir}/synapse-db-config-generated.yml";
|
||||||
cfg = config.services.matrix-synapse;
|
cfg = config.services.matrix-synapse;
|
||||||
in {
|
in {
|
||||||
age.secrets = {
|
|
||||||
synapse-ldap = {
|
|
||||||
file = ../../../secrets/synapse-ldap.age;
|
|
||||||
owner = "matrix-synapse";
|
|
||||||
group = "matrix-synapse";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
synapse-db = {
|
|
||||||
file = ../../../secrets/synapse-db.age;
|
|
||||||
owner = "matrix-synapse";
|
|
||||||
group = "matrix-synapse";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
synapse-turn = {
|
|
||||||
file = ../../../secrets/synapse-turn.age;
|
|
||||||
owner = "matrix-synapse";
|
|
||||||
group = "matrix-synapse";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
synapse-keys = {
|
|
||||||
file = ../../../secrets/synapse-keys.age;
|
|
||||||
owner = "matrix-synapse";
|
|
||||||
group = "matrix-synapse";
|
|
||||||
mode = "0400";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.matrix-synapse = {
|
services.matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
|
plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];
|
||||||
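Review bot: `dbPasswordFile = secrets.dbConfig.path;` consumes a secret named `dbConfig` as a password file, and it is the only one of the four `*Config` secrets that is not passed through `extraConfigFiles` (see the `-114,10 +89,10` hunk); the name reads like a Synapse config fragment, which a later maintainer could reasonably try to add to that list. If the secret really holds only the database password, a comment next to the binding would prevent that, e.g. `# dbConfig is the DB password file (consumed via dbConfigOut), not a config fragment for extraConfigFiles`. While in this `let` block, the unchanged `dbConfigJSON = pkgs.writeText "matrix-log-config.json" …` reuses the log config's store filename, presumably a copy-paste; `"matrix-db-config.json"` would be the expected name. The `let` block and the `services.matrix-synapse` attrset both extend beyond the hunk.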
@ -114,10 +89,10 @@ in {
|
||||||
in map makeTurnServer combinations;
|
in map makeTurnServer combinations;
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfigFiles = (map (x: config.age.secrets.${x}.path) [
|
extraConfigFiles = (map (x: secrets."${x}Config".path) [
|
||||||
"synapse-ldap"
|
"ldap"
|
||||||
"synapse-turn"
|
"turn"
|
||||||
"synapse-keys"
|
"keys"
|
||||||
]) ++ [ dbConfigOut ];
|
]) ++ [ dbConfigOut ];
|
||||||
};
|
};
|
||||||
|
|
||||||
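Review bot: `extraConfigFiles` builds the secret attribute names by string interpolation, `secrets."${x}Config".path`, so the link between the short names `"ldap"`/`"turn"`/`"keys"` and the actual options `ldapConfig`/`turnConfig`/`keysConfig` only appears after mentally concatenating, and a missing secret surfaces as an attribute-missing error pointing at the lambda rather than at the offending name. With only three entries, naming them directly reads better and is grep-able: `extraConfigFiles = [ secrets.ldapConfig.path secrets.turnConfig.path secrets.keysConfig.path dbConfigOut ];`. The `services.matrix-synapse` attrset starts outside the hunk.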