servo: matrix-appservice-discord: hide keys in sops, and enable.
This commit is contained in:
parent
ca239ca3e6
commit
a3db626a00
|
@ -19,7 +19,7 @@ creation_rules:
|
||||||
- *host_lappy
|
- *host_lappy
|
||||||
- *host_servo
|
- *host_servo
|
||||||
- *host_moby
|
- *host_moby
|
||||||
- path_regex: secrets/servo.yaml$
|
- path_regex: secrets/servo*
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *user_desko_colin
|
- *user_desko_colin
|
||||||
|
|
|
@ -82,7 +82,7 @@
|
||||||
|
|
||||||
# Discord bridging
|
# Discord bridging
|
||||||
# docs: https://github.com/matrix-org/matrix-appservice-discord
|
# docs: https://github.com/matrix-org/matrix-appservice-discord
|
||||||
services.matrix-appservice-discord.enable = false;
|
services.matrix-appservice-discord.enable = true;
|
||||||
services.matrix-appservice-discord.settings = {
|
services.matrix-appservice-discord.settings = {
|
||||||
bridge = {
|
bridge = {
|
||||||
homeserverUrl = "http://127.0.0.1:8008";
|
homeserverUrl = "http://127.0.0.1:8008";
|
||||||
|
@ -94,8 +94,9 @@
|
||||||
};
|
};
|
||||||
# these are marked as required in the yaml schema
|
# these are marked as required in the yaml schema
|
||||||
auth = {
|
auth = {
|
||||||
clientId = "FILLME";
|
# apparently not needed if you provide them as env vars (below).
|
||||||
botToken = "FILLME";
|
# clientId = "FILLME";
|
||||||
|
# botToken = "FILLME";
|
||||||
usePrivilegedIntents = false;
|
usePrivilegedIntents = false;
|
||||||
};
|
};
|
||||||
logging = {
|
logging = {
|
||||||
|
@ -103,8 +104,12 @@
|
||||||
console = "verbose";
|
console = "verbose";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# fix up to not use /var/lib/private, but just /var/lib
|
# contains what's ordinarily put into auth.clientId, auth.botToken
|
||||||
|
# i.e. `APPSERVICE_DISCORD_AUTH_CLIENT_I_D=...` and `APPSERVICE_DISCORD_AUTH_BOT_TOKEN=...`
|
||||||
|
services.matrix-appservice-discord.environmentFile = config.sops.secrets.matrix_appservice_discord_env.path;
|
||||||
|
|
||||||
systemd.services.matrix-appservice-discord.serviceConfig = {
|
systemd.services.matrix-appservice-discord.serviceConfig = {
|
||||||
|
# fix up to not use /var/lib/private, but just /var/lib
|
||||||
DynamicUser = lib.mkForce false;
|
DynamicUser = lib.mkForce false;
|
||||||
User = "matrix-appservice-discord";
|
User = "matrix-appservice-discord";
|
||||||
Group = "matrix-appservice-discord";
|
Group = "matrix-appservice-discord";
|
||||||
|
@ -208,4 +213,9 @@
|
||||||
sopsFile = ../../../../secrets/servo.yaml;
|
sopsFile = ../../../../secrets/servo.yaml;
|
||||||
owner = config.users.users.matrix-synapse.name;
|
owner = config.users.users.matrix-synapse.name;
|
||||||
};
|
};
|
||||||
|
sops.secrets.matrix_appservice_discord_env = {
|
||||||
|
sopsFile = ../../../../secrets/servo/matrix_appservice_discord_env.bin;
|
||||||
|
owner = config.users.users.matrix-appservice-discord.name;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:7j1l4XJ8cp8MVuSmOedOZwGDWV11hmwFyLW43ixUBaZLWbUZ6Z4P4Gt+o7bj8gc/X8aiPV8sxAR/jY28Sc5DIaAnkKnXjesPVlG0c3oRAsXemKGX8fANkoNX5iEPbWAkFiJdLS6Fgdv2g4z6DQ4odvZQKrMchx8MPYq8icBvvbhKiGs5xo+MGrMBVRCZOERM2FJSy/q9zLv6hU5SfnnYDTMt,iv:poHHiCs0YOCv74dQ2kyXogdgTUqmKRgGq2r7lcxe4bQ=,tag:rz1/FLC5Q8S13TTWNKcYyQ==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"kms": null,
|
||||||
|
"gcp_kms": null,
|
||||||
|
"azure_kv": null,
|
||||||
|
"hc_vault": null,
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2TjVWenJkYVdjeExzYjVj\nUVdFeUdMRUtwOWJNYUx6dFRWRXdEUWJhdkVFClM1UnhtWndYbE91RCtVRnl4TGp4\nZHNJNUliOWhqcUorZVBEQWR0eXZaMVEKLS0tIDdsVFJ2bmdNeVk5b3FJVDQ3T1BG\nU0taQlA1QVEvYVJweDQ5L2YwTmo2ek0K+nbzpIpjAhRgJ5Lw+mx/doGMjw0aMNkZ\n5sAnPJo88Sa/TW3qBN48xFBMLWMp/SKs2JTaMu0xW0u2SkQX38TLlw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUFBSYVJZUmRBcGJXclNP\nRDRUZnRKMmYwdFhQcE1oWUhrZGxNTk5YOFIwCldUMW92NGl0VVBsS0JtYjJOTW9E\nK2ZZdm9GK3FOMitUdEU3QStsR2svQWMKLS0tIE9SWXAzVndsdGY3Uzh2eHpBRjdO\nTVc4cWNDUWRuSWRmZC8rK1ZFS2l4WEkKQR9mApDjb0k14W3jK+CEz3Dez6wSBpg+\nZ7uUfSbPXFxRxvNEascRn/+EHPcd/A7MZjViDUyWVcP6fSMPsQvxhw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkWHlteTRDcHRneW9hbzlh\nMHBjZ2RHeDBIbDM2QXVxK09mcERVSUliVWw0Ckg1dGFkUUxPQW1HcDFXcEEyejFD\nWW5qUkNwRkdIdjRiTFJNd0Q5NWpLUUEKLS0tIG1wTnk1aEhudm9VZjZRVGRWWnR0\nVHlFbUJHaitadDVOSG1FMTBqeHJGV0kKAjuuw3j4dx3QfNcjyl8XCP9Q6oOkLZBN\nsW7uCqbVgBCG+uIggwefLWAy8g6PYlLj0aumgLPYVsXShbQYi32m/g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2022-10-06T05:07:20Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:9WR8xfs5XIkWxDlJVX1EiSJBLBgWMR99PJJXCK9RcbuChK7QvjWjEflwq419qeNbMWdHLkUwSQrBsoHomaiGWFOPZ0C8bqcqDl0zzXMk7nBxM4UgTjRLmML2tdI2bCS0DC0AtytThYPvkW+JHgKB6bOAEw/bVWVP4YJQKWEf6FY=,iv:nG+J7jCdqZHp6x6Vlvye7BbK7YSl0Y9cjTWbW/BZLxo=,tag:OWqXktZE52Q3j7D2KG+vHw==,type:str]",
|
||||||
|
"pgp": null,
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.7.3"
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue