bicep/matrix: use sops templates for appservice registrations

2024-10-14 15:46:58 +02:00
parent 5aed665cc8
commit 47ed79986c
3 changed files with 87 additions and 16 deletions
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -6,15 +6,42 @@ in
 {
  users.groups.keys-matrix-registrations = { };

-  sops.secrets."matrix/registrations/mx-puppet-discord" = {
+  sops.secrets."matrix/discord/as_token" = {
    sopsFile = ../../../../secrets/bicep/matrix.yaml;
-    key = "registrations/mx-puppet-discord";
+    key = "discord/as_token";
+  };
+  sops.secrets."matrix/discord/hs_token" = {
+    sopsFile = ../../../../secrets/bicep/matrix.yaml;
+    key = "discord/hs_token";
+  };
+
+  sops.templates."discord-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
+    content = ''
+      as_token: "${config.sops.placeholder."matrix/discord/as_token"}"
+      hs_token: "${config.sops.placeholder."matrix/discord/hs_token"}"
+      id: discord-puppet
+      namespaces:
+        users:
+          - exclusive: true
+            regex: '@_discordpuppet_.*'
+        rooms: []
+        aliases:
+          - exclusive: true
+            regex: '#_discordpuppet_.*'
+      protocols: []
+      rate_limited: false
+      sender_localpart: _discordpuppet_bot
+      url: 'http://localhost:8434'
+      de.sorunome.msc2409.push_ephemeral: true
+    '';
  };

  systemd.services.mx-puppet-discord = {
-    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+    serviceConfig.SupplementaryGroups = [
+      config.users.groups.keys-matrix-registrations.name
+    ];
  };


@@ -29,11 +56,16 @@ in
    relay.whitelist = [ ".*" ];
    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
  };
-  services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+  services.mx-puppet-discord.serviceDependencies = [
+    "matrix-synapse.target"
+    "nginx.service"
+  ];


  services.matrix-synapse-next.settings = {
-    app_service_config_files = [ config.sops.secrets."matrix/registrations/mx-puppet-discord".path ];
+    app_service_config_files = [
+      config.sops.templates."discord-registration.yaml".path
+    ];
    use_appservice_legacy_authorization = true;
  };

--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -10,21 +10,52 @@ in
    ./module.nix
  ];

-  sops.secrets."matrix/registrations/matrix-hookshot" = {
+  sops.secrets."matrix/hookshot/as_token" = {
    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
-    key = "registrations/matrix-hookshot";
+    key = "hookshot/as_token";
+  };
+  sops.secrets."matrix/hookshot/hs_token" = {
+    sopsFile = ../../../../../secrets/bicep/matrix.yaml;
+    key = "hookshot/hs_token";
+  };
+
+  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
+    content = ''
+      id: matrix-hookshot
+      as_token: "${config.sops.placeholder."matrix/hookshot/as_token"}"
+      hs_token: "${config.sops.placeholder."matrix/hookshot/hs_token"}"
+      namespaces:
+        rooms: []
+        users:
+          - regex: "@_webhooks_.*:pvv.ntnu.no"
+            exclusive: true
+          - regex: "@bot_feeds:pvv.ntnu.no"
+            exclusive: true
+        aliases: []
+
+      sender_localpart: hookshot
+      url: "http://${cfg.settings.bridge.bindAddress}:${toString cfg.settings.bridge.port}"
+      rate_limited: false
+
+      # If enabling encryption
+      de.sorunome.msc2409.push_ephemeral: true
+      push_ephemeral: true
+      org.matrix.msc3202: true
+    '';
  };

  systemd.services.matrix-hookshot = {
-    serviceConfig.SupplementaryGroups = [ config.users.groups.keys-matrix-registrations.name ];
+    serviceConfig.SupplementaryGroups = [
+      config.users.groups.keys-matrix-registrations.name
+    ];
  };

  services.matrix-hookshot = {
    enable = true;
    package = unstablePkgs.matrix-hookshot;
-    registrationFile = config.sops.secrets."matrix/registrations/matrix-hookshot".path;
+    registrationFile = config.sops.templates."hookshot-registration.yaml".path;
    settings = {
      bridge = {
        bindAddress = "127.0.0.1";
@@ -88,10 +119,15 @@ in
    };
  };

-  services.matrix-hookshot.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ];
+  services.matrix-hookshot.serviceDependencies = [
+    "matrix-synapse.target"
+    "nginx.service"
+  ];

  services.matrix-synapse-next.settings = {
-    app_service_config_files = [ config.sops.secrets."matrix/registrations/matrix-hookshot".path ];
+    app_service_config_files = [
+      config.sops.templates."hookshot-registration.yaml".path
+    ];
  };

  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {