diff --git a/.sops.yaml b/.sops.yaml
index 66e5f8d5..9ae1053e 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -19,7 +19,7 @@ creation_rules:
 - *host_lappy
 - *host_servo
 - *host_moby
- - path_regex: secrets/servo.yaml$
+ - path_regex: secrets/servo*
 key_groups:
 - age:
 - *user_desko_colin
diff --git a/machines/servo/services/matrix/default.nix b/machines/servo/services/matrix/default.nix
index 837806a6..3f786f16 100644
--- a/machines/servo/services/matrix/default.nix
+++ b/machines/servo/services/matrix/default.nix
@@ -82,7 +82,7 @@
 # Discord bridging
 # docs: https://github.com/matrix-org/matrix-appservice-discord
- services.matrix-appservice-discord.enable = false;
+ services.matrix-appservice-discord.enable = true;
 services.matrix-appservice-discord.settings = {
 bridge = {
 homeserverUrl = "http://127.0.0.1:8008";
@@ -94,8 +94,9 @@
 };
 # these are marked as required in the yaml schema
 auth = {
- clientId = "FILLME";
- botToken = "FILLME";
+ # apparently not needed if you provide them as env vars (below).
+ # clientId = "FILLME";
+ # botToken = "FILLME";
 usePrivilegedIntents = false;
 };
 logging = {
@@ -103,8 +104,12 @@
 console = "verbose";
 };
 };
- # fix up to not use /var/lib/private, but just /var/lib
+ # contains what's ordinarily put into auth.clientId, auth.botToken
+ # i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
+ services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
+ systemd.services.matrix-appservice-discord.serviceConfig = {
+ # fix up to not use /var/lib/private, but just /var/lib
 DynamicUser = lib.mkForce false;
 User = "matrix-appservice-discord";
 Group = "matrix-appservice-discord";
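Review bot: `path_regex` is a regular expression, not a shell glob, so `secrets/servo*` means "secrets/serv" followed by zero or more "o" and, as far as I can tell from sops' matching (unanchored), it matches any path containing `secrets/serv` — wider than the two files this commit needs, `secrets/servo.yaml` and the new `secrets/servo/matrix_appservice_discord_env.bin`. Since the first matching creation rule decides which recipients a file is encrypted to, an over-broad pattern can quietly route a future secret to this rule's key group instead of the intended one. Suggest `- path_regex: secrets/servo(\.yaml|/.*)$` so the directory and the legacy file are matched explicitly. The `key_groups` list for this rule continues outside the hunk.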
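Review bot: In the `@@ -94,8 +94,9 @@` hunk the surviving context line `# these are marked as required in the yaml schema` now sits directly above two commented-out keys, and together with the new `# apparently not needed if you provide them as env vars (below).` the block reads as contradictory. Suggest replacing both with one comment above `auth = {`, e.g. `# clientId/botToken are required by the schema but are supplied through environmentFile (APPSERVICE_DISCORD_AUTH_* vars) instead of here.`, and dropping the dead `# clientId = "FILLME";` / `# botToken = "FILLME";` lines rather than keeping placeholder values in comments. The `settings` attrset starts and ends outside this hunk.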
@@ -208,4 +213,9 @@
 sopsFile = ../../../../secrets/servo.yaml;
 owner = config.users.users.matrix-synapse.name;
 };
+ sops.secrets.matrix_appservice_discord_env = {
+ sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
+ owner = config.users.users.matrix-appservice-discord.name;
+ format = "binary";
+ };
 }
diff --git a/secrets/servo/matrix_appservice_discord_env.bin b/secrets/servo/matrix_appservice_discord_env.bin
new file mode 100644
index 00000000..dc52c8c5
--- /dev/null
+++ b/secrets/servo/matrix_appservice_discord_env.bin
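Review bot: The new secret sets `owner` to the service user but no `mode`, so the decrypted file's permissions fall back to whatever sops-nix defaults to for this option — worth pinning explicitly, e.g. `mode = "0400";`. If `services.matrix-appservice-discord.environmentFile` ends up as a systemd `EnvironmentFile=` (read by systemd as root before the unit switches to `User`), the file does not need to be owned by the service user at all; leaving it root-owned and `0400` would keep the bot token out of reach of the service process itself, which is the least-privilege arrangement — I cannot confirm from this diff how the module consumes the option, so please check before dropping the `owner` line. `format = "binary"` is the right choice here since the plaintext is a KEY=VALUE env file rather than YAML/JSON.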
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2022-10-06T05:07:20Z",
+ "mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file