matrix-synapse: auto-register the ntfy-sh push gateway at launch

2023-10-24 14:47:59 +00:00 · 2023-10-24 14:47:59 +00:00 · ec4b974f3d
commit ec4b974f3d
parent 84ad85a81e
2 changed files with 70 additions and 19 deletions
--- a/hosts/by-name/servo/services/matrix/default.nix
+++ b/hosts/by-name/servo/services/matrix/default.nix
@ -70,25 +70,23 @@
    config.sops.secrets."matrix_synapse_secrets.yaml".path
  ];

-  # services.matrix-synapse.extraConfigFiles = [builtins.toFile "matrix-synapse-extra-config" ''
-  #   admin_contact: "admin.matrix@uninsane.org"
-  #   registrations_require_3pid:
-  #     - email
-  #   email:
-  #     smtp_host: "mx.uninsane.org"
-  #     smtp_port: 587
-  #     smtp_user: "matrix-synapse"
-  #     smtp_pass: "${secrets.matrix-synapse.smtp_pass}"
-  #     require_transport_security: true
-  #     enable_tls: true
-  #     notif_from: "%(app)s <notify.matrix@uninsane.org>"
-  #     app_name: "Uninsane Matrix"
-  #     enable_notifs: true
-  #     validation_token_lifetime: 96h
-  #     invite_client_location: "https://web.matrix.uninsane.org"
-  #     subjects:
-  #       email_validation: "[%(server_name)s] Validate your email"
-  # ''];
+  systemd.services.matrix-synapse.postStart = ''
+    ACCESS_TOKEN=$(${pkgs.coreutils}/bin/cat ${config.sops.secrets.matrix_access_token.path})
+    TOPIC=$(${pkgs.coreutils}/bin/cat ${config.sops.secrets.ntfy-sh-topic.path})
+
+    echo "ensuring ntfy push gateway"
+    ${pkgs.curl}/bin/curl \
+      --header "Authorization: Bearer $ACCESS_TOKEN" \
+      --data "{ \"app_display_name\": \"ntfy-adapter\", \"app_id\": \"ntfy.uninsane.org\", \"data\": { \"url\": \"https://ntfy.uninsane.org/_matrix/push/v1/notify\", \"format\": \"event_id_only\" }, \"device_display_name\": \"ntfy-adapter\", \"kind\": \"http\", \"lang\": \"en-US\", \"profile_tag\": \"\", \"pushkey\": \"$TOPIC\" }" \
+      localhost:8008/_matrix/client/v3/pushers/set
+
+    echo "registered push gateways:"
+    ${pkgs.curl}/bin/curl \
+      --header "Authorization: Bearer $ACCESS_TOKEN" \
+      localhost:8008/_matrix/client/v3/pushers \
+      | ${pkgs.jq}/bin/jq .
+  '';
+

  # new users may be registered on the CLI:
  #   register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
@ -159,4 +157,9 @@
  sops.secrets."matrix_synapse_secrets.yaml" = {
    owner = config.users.users.matrix-synapse.name;
  };
+  sops.secrets."matrix_access_token" = {
+    owner = config.users.users.matrix-synapse.name;
+  };
+  # provide access to ntfy-sh-topic secret
+  users.users.matrix-synapse.extraGroups = [ "ntfy-sh" ];
 }
--- a/secrets/servo/matrix_access_token.bin
+++ b/secrets/servo/matrix_access_token.bin
@ -0,0 +1,48 @@
+{
+	"data": "ENC[AES256_GCM,data:y7G41ExHy/O7VIgPxzf0EhzykhPjJ0HMdqpG9CYPDJegFqlxsi+7og==,iv:9Je9UfvL+Pz+QgbbaBMT9ANIJBfnticogwsmOXBJ5dw=,tag:ZCZxjr81jfCxChlzj9fprA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL3lPenI0VEtnZHFSZ3or\nTVZ4VUhhQW55RExVd1lGYk54TDBUZHZRRlNZCnl5ekdqV0RwV1B2dmFZeE90UHhZ\nNHA2amgwME1zbTFoYnFkRVJTNU9BOE0KLS0tIHdDNDVaRklpWGpSZkYyQWJNaHVJ\nN2dwZGdOZTdxSHRWUndJSjJscHhuVzgKqSrFY6Yqo0fGnVc/bP2djCh7NpIA9wsW\nFUTgTBPqylTkqaSjShT//Zjn7YqPHWcK4qLCosEO7TuyPL15Z9/3vA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VzVhNklLUDVEUnBuNWdV\neWtwM1U5Q1ZPVjB5M294dWtqd29NeTZyc0JzCkphYkRZM2wxOVJRL09ua24xcGpI\nVDArNXFVYURRSjgrTUx2T3ZtZUg4VWMKLS0tIHlZc0JHeGVxN3J3SXdoNnlJSmZh\nTkZ2QkF3YVp5anBZV0xySkthMysvVmcKSGP1A7g59HTNG1KJI2VOM7SYSMZRcWLH\nTPJtEWSDx0D8GDnV3aeSiXre+q6jrdi71xpCFnjSXK+EIHIYf8dujw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWHRaR0p6aUtQdWcwQjUw\nc2xtSlZzZkFYeWp6MzBkOW53R25HM2xMUVNjCktOUHU1T1dKN25SU1k4bWpYSU1T\nUHZUaUdjTUg2eEFXbjNmREM3SlNKL3cKLS0tIGtqV1ovaXVXWUxBZmhHL0E5eW5s\nLzhaS2VncS9Za3ltRmYrcWhBMzBUV1EKvoFL3WIw0qif1FwyKoej+WTU7ubpQEHp\nU/upcmVYe6F/+hJufcK4WhPoa/EJri5QlgguaQ4Qvc8Hd+53PC4GFg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDaDJQL3pzTDJxcDZnaldR\nenN4cmVlWWN0azl4cDlWTjluWWxkVGlua25RCmpVVG9uQ2pabE0zTmNGdlJBSW04\nN1JJVFN3TktOeVVUR2orMnNvOFh0QVUKLS0tIHFtbUdjZmFHRlY5TmFmZjNaMmNn\nS1ltZEw0VU1rWVNKdmJUbkdJRXZiZFUKSnBVhrk+SmDnHk9pQNdJhNMEomYXKTDQ\nPnILCOdYVk2wF6u5kxf6FLKYjsepSP/4NywAMt0NjK1u4IXJymG7eQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSUxCMkIzNXA1YXplS1pk\nZ214ek5IZURWU3RlRlFyTklvY1RsQTE2UFY0CmQrOVRjY1JnMzhPSjFlTzFQWUs3\nVlVhc2FySTZiUnR1UkRWNjlyVEZqaU0KLS0tIGwzdVcyakNtWVdGS0JVZlJsa2dF\nMjU1ME5PWXA4clY3QUlWeWRmMUdoVVUKqAX82ZhbNj8C6cNV4HozMDRfCKSJUGSt\n4Q4vPbf3aPiFmAFasRJ1xrvn4iODKV1WLwxzGaps5+AKrnfiueENbQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdTRhbkY3MHl2MGdmUXlP\ndEZVZFVwUVRDWmk2OVFnSVI5OS94WmkvaFQ0CnJKTEFZVnkxek4wMjZ1OHNzVFNv\nM1ovVHNUYWI1dUVWNzMvRUhJU2pjRDgKLS0tIHM2aVlVU2tKanAwaVlqd1h2TGhL\nRHMwdXFCcitWaGVNdXp1R2RIY2g5ZVUKDw+qzXBdSIdpcNn15IEx+v4BNwIzVzmH\nIzOlnRckPakrQ/SmSTeFyPgXwV04LGQq8cdvGhBjLV8Aep0aFX7jWA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZEZJZXZ0c3I5Rko3NWg4\nWkdYZldkU0lFTWIwWSsrNzdBNjk4RmpTRkNZClJER2M2TjVXaVFNakFZK2Fvc2Vr\nSTVnSnF0YWFtcVB2R0M3VnNaWjNBY0EKLS0tIDlvMEhQZnowWlhDT2ExWkRGejFT\nNHZSd0xWQXpTL3k5Ulo1S1I0YldCalkKIT8qgIrd27Gq1X7Ur4YX3hYHf9QqDYwR\nXUl/91Bvi1p9V6hlV8/tOywkR0LqD0eU6aMBnBWygCS8OcphEaGbSA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzR2J5Z2dKMWtadWdXM2pa\naXFkVnZyNlMrcGp0NlpxRWxuT2NEVCtmQkhBCkkxaHFkZXVKWGMrS081Q1lrN2M5\nN0lWUzhhQzNGcWpXTHFHUVNXZ0I3VTAKLS0tIFpyNGF3QjFHanI5ZFd0TUh1dUpM\ndGNPSmp3MzgyT0ZPR1VHTlUwTEliWVEKWvPXylu5CZL3FZ5JRaH7SY9T2u48sQNQ\nQTTH5P4/ck4NhQsTKr0Jc4qOouxRFzbbYaSLRjXtJdfU7ozc4cb6Pw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-10-24T14:08:41Z",
+		"mac": "ENC[AES256_GCM,data:pmDk9/mPC9Qyz2rI689qrFrhFC5ozk3YMfdJKBzsFbajHDEhoI4uOUcycxKbENaubjT7VM2OZJXJI8t7oeYAnAVZN+hyIq0auFp/Au4DZY0Mjpka76IsIcQI4kCIneX1eKCfSbSa7LZTpWxEjrmGbmdysH4J83tX60yEa8zPLf4=,iv:1vLiCRDaI9GdojGyrwzGM5BwJ5MuKKDJAtdA21kYGKk=,tag:HAdlCB9RCsb6/xQVmKQWag==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}