colin
/
nix-files
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

servo: matrix-appservice-discord: hide keys in sops, and enable.

This commit is contained in:
colin 2022-10-05 22:38:20 -07:00
parent ca239ca3e6
commit a3db626a00
3 changed files with 43 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@ -19,7 +19,7 @@ creation_rules:
- *host_lappy
- *host_servo
- *host_moby
- path_regex: secrets/servo.yaml$
- path_regex: secrets/servo*
key_groups:
- age:
- *user_desko_colin

18
machines/servo/services/matrix/default.nix
View File

@ -82,7 +82,7 @@
# Discord bridging
# docs: https://github.com/matrix-org/matrix-appservice-discord
services.matrix-appservice-discord.enable = false;
services.matrix-appservice-discord.enable = true;
services.matrix-appservice-discord.settings = {
bridge = {
homeserverUrl = "http://127.0.0.1:8008";
@ -94,8 +94,9 @@
};
# these are marked as required in the yaml schema
auth = {
clientId = "FILLME";
botToken = "FILLME";
# apparently not needed if you provide them as env vars (below).
# clientId = "FILLME";
# botToken = "FILLME";
usePrivilegedIntents = false;
};
logging = {
@ -103,8 +104,12 @@
console = "verbose";
};
};
# fix up to not use /var/lib/private, but just /var/lib
# contains what's ordinarily put into auth.clientId, auth.botToken
# i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
systemd.services.matrix-appservice-discord.serviceConfig = {
# fix up to not use /var/lib/private, but just /var/lib
DynamicUser = lib.mkForce false;
User = "matrix-appservice-discord";
Group = "matrix-appservice-discord";
@ -208,4 +213,9 @@
sopsFile = ../../../../secrets/servo.yaml;
owner = config.users.users.matrix-synapse.name;
};
sops.secrets.matrix_appservice_discord_env = {
sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
owner = config.users.users.matrix-appservice-discord.name;
format = "binary";
};
}

28
secrets/servo/matrix_appservice_discord_env.bin Normal file
View File

@ -0,0 +1,28 @@
{
"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-10-06T05:07:20Z",
"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}