From ee73a964bee70fb750090dd41f22206f6441c400 Mon Sep 17 00:00:00 2001
From: Daniel Olsen
Date: Sun, 7 May 2023 10:14:09 +0200
Subject: [PATCH] move matrix to bicep
---
 .sops.yaml | 9 +++
 hosts/bicep/configuration.nix | 8 ++-
 .../services/matrix/coturn.nix | 6 +-
 .../services/matrix/default.nix | 0
 .../services/matrix/discord.nix | 2 +
 .../services/matrix/element.nix | 0
 .../services/matrix/mjolnir.nix | 2 +
 .../services/matrix/synapse-admin.nix | 0
 .../services/matrix/synapse.nix | 6 ++
 .../services/nginx/default.nix | 0
 secrets/bicep/matrix.yaml | 69 +++++++++++++++++++
 11 files changed, 98 insertions(+), 4 deletions(-)
 rename hosts/{jokum => bicep}/services/matrix/coturn.nix (94%)
 rename hosts/{jokum => bicep}/services/matrix/default.nix (100%)
 rename hosts/{jokum => bicep}/services/matrix/discord.nix (91%)
 rename hosts/{jokum => bicep}/services/matrix/element.nix (100%)
 rename hosts/{jokum => bicep}/services/matrix/mjolnir.nix (94%)
 rename hosts/{jokum => bicep}/services/matrix/synapse-admin.nix (100%)
 rename hosts/{jokum => bicep}/services/matrix/synapse.nix (95%)
 rename hosts/{jokum => bicep}/services/nginx/default.nix (100%)
 create mode 100644 secrets/bicep/matrix.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 184c3af..2791263 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -49,3 +49,12 @@ creation_rules:
 - *user_felixalb
 pgp:
 - *user_oysteikt
+
+ - path_regex: secrets/bicep/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *host_bicep
+ - *user_danio
+ - *user_felixalb
+ pgp:
+ - *user_oysteikt
diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix
index a43f256..950f80e 100644
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -4,9 +4,11 @@
 ./hardware-configuration.nix
 ../../base.nix
+ ./services/nginx
 ./services/postgres.nix
- ./services/jokum.nix
+
+ ./services/matrix
 ];
 sops.defaultSopsFile = ../../secrets/bicep/bicep.yaml;
@@ -22,10 +24,10 @@
 systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
 matchConfig.Name = "enp6s0f0";
- address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
+ ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
 };
 systemd.network.wait-online = {
- ignoredInterfaces = [ "enp6s0f1" ];
 anyInterface = true;
 };
diff --git a/hosts/jokum/services/matrix/coturn.nix b/hosts/bicep/services/matrix/coturn.nix
similarity index 94%
rename from hosts/jokum/services/matrix/coturn.nix
rename to hosts/bicep/services/matrix/coturn.nix
index b0f3925..a8d2c94 100644
--- a/hosts/jokum/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -2,10 +2,14 @@
 {
 sops.secrets."matrix/synapse/turnconfig" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "synapse/turnconfig";
 owner = config.users.users.matrix-synapse.name;
 group = config.users.users.matrix-synapse.group;
 };
 sops.secrets."matrix/coturn/static-auth-secret" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "coturn/static-auth-secret";
 owner = config.users.users.turnserver.name;
 group = config.users.users.turnserver.group;
 };
@@ -114,7 +118,7 @@
 };
 networking.firewall = {
- interfaces.ens18 = let
+ interfaces.enp6s0f0 = let
 range = with config.services.coturn; [
 { from = min-port;
 to = max-port;
diff --git a/hosts/jokum/services/matrix/default.nix b/hosts/bicep/services/matrix/default.nix
similarity index 100%
rename from hosts/jokum/services/matrix/default.nix
rename to hosts/bicep/services/matrix/default.nix
diff --git a/hosts/jokum/services/matrix/discord.nix b/hosts/bicep/services/matrix/discord.nix
similarity index 91%
rename from hosts/jokum/services/matrix/discord.nix
rename to hosts/bicep/services/matrix/discord.nix
index c9bc054..d55273e 100644
--- a/hosts/jokum/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
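Review bot: The firewall rule moved to `interfaces.enp6s0f0` opens coturn's relay port range on the whole interface, and the configuration.nix hunk in this same commit adds the TURN address as a second address on that interface, so the range is reachable on the host's primary address as well as on the TURN address. Unless coturn is already pinned to the TURN address through `services.coturn.listening-ips` somewhere outside this hunk, confirm that this exposure is intended, or bind the listener to `values.services.turn.ipv4` and `values.services.turn.ipv6` so only that address answers. The `range` let-binding and the rest of the firewall attribute set continue past the end of the hunk.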
@@ -7,6 +7,8 @@ in
 users.groups.keys-matrix-registrations = { };
 sops.secrets."matrix/registrations/mx-puppet-discord" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "registrations/mx-puppet-discord";
 owner = config.users.users.matrix-synapse.name;
 group = config.users.groups.keys-matrix-registrations.name;
 };
diff --git a/hosts/jokum/services/matrix/element.nix b/hosts/bicep/services/matrix/element.nix
similarity index 100%
rename from hosts/jokum/services/matrix/element.nix
rename to hosts/bicep/services/matrix/element.nix
diff --git a/hosts/jokum/services/matrix/mjolnir.nix b/hosts/bicep/services/matrix/mjolnir.nix
similarity index 94%
rename from hosts/jokum/services/matrix/mjolnir.nix
rename to hosts/bicep/services/matrix/mjolnir.nix
index 307b8cb..21dd04d 100644
--- a/hosts/jokum/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -2,6 +2,8 @@
 {
 sops.secrets."matrix/mjolnir/access_token" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "mjolnir/access_token";
 owner = config.users.users.mjolnir.name;
 group = config.users.users.mjolnir.group;
 };
diff --git a/hosts/jokum/services/matrix/synapse-admin.nix b/hosts/bicep/services/matrix/synapse-admin.nix
similarity index 100%
rename from hosts/jokum/services/matrix/synapse-admin.nix
rename to hosts/bicep/services/matrix/synapse-admin.nix
diff --git a/hosts/jokum/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix
similarity index 95%
rename from hosts/jokum/services/matrix/synapse.nix
rename to hosts/bicep/services/matrix/synapse.nix
index db1a6f9..7858b8f 100644
--- a/hosts/jokum/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -9,16 +9,22 @@ let
 listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
 in {
 sops.secrets."matrix/synapse/dbconfig" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "synapse/dbconfig";
 owner = config.users.users.matrix-synapse.name;
 group = config.users.users.matrix-synapse.group;
 };
 sops.secrets."matrix/synapse/signing_key" = {
+ key = "synapse/signing_key";
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
 owner = config.users.users.matrix-synapse.name;
 group = config.users.users.matrix-synapse.group;
 };
 sops.secrets."matrix/synapse/user_registration" = {
+ sopsFile = ../../../../secrets/bicep/matrix.yaml;
+ key = "synapse/signing_key";
 owner = config.users.users.matrix-synapse.name;
 group = config.users.users.matrix-synapse.group;
 };
diff --git a/hosts/jokum/services/nginx/default.nix b/hosts/bicep/services/nginx/default.nix
similarity index 100%
rename from hosts/jokum/services/nginx/default.nix
rename to hosts/bicep/services/nginx/default.nix
diff --git a/secrets/bicep/matrix.yaml b/secrets/bicep/matrix.yaml
new file mode 100644
index 0000000..489ef50
--- /dev/null
+++ b/secrets/bicep/matrix.yaml
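Review bot: The `key` added under `sops.secrets."matrix/synapse/user_registration"` is `"synapse/signing_key"`, so that secret would be provisioned with the homeserver signing key instead of the `synapse/user_registration` entry that the new secrets/bicep/matrix.yaml carries; it should read `key = "synapse/user_registration";`. As written the registration shared secret is never deployed, and a second copy of the signing key is written to the user_registration secret path, which widens where that key material lives on disk. Separately, the `signing_key` block lists `key` before `sopsFile` while the other two blocks in this hunk (and the ones in coturn.nix, discord.nix and mjolnir.nix) put `sopsFile` first; aligning the order makes the copy-paste mistake above easier to spot. The enclosing attribute set opened by `in {` continues past the end of the hunk.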
@@ -0,0 +1,69 @@ +synapse: + dbconfig: ENC[AES256_GCM,data:QQefrFxpxTXlldA+a5xPm1Mx2E7oRzo4DAOGVYP8IR0zFCsqoAGqeXOPrdT9MczTn4Ur537e9RG2OQMRc8JQASRQLHG6RdNPyREiZmJDs24OyXEF+WerHJtRytF9wugt22AdZtGyk9S/RDqoXDe4CS93EtP7SqAcYWJoDE1Xic7G3g==,iv:q1Is8O5k8PZGmJC3EsftmJMNordGLxJiMg+GsnfzxTY=,tag:sbsj9T0jEr+kZJjej5S0jA==,type:str] + turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str] + user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str] + signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str] +coturn: + static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str] +mjolnir: + access_token: ENC[AES256_GCM,data:ERFqZjK7MRD0xWt91FNCIxP1YC6Qj54QgnckHlCTtcQVLWaM1h2h9lHS+K8=,iv:1d7vmFkXAPcsmumzlmOT31amdrKLWtL5sJiS8G9g+LE=,tag:2l0vWzJ6P12ofuBdf5CCWw==,type:str] +registrations: + mx-puppet-discord: ENC[AES256_GCM,data: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,iv:3vvkGvldS8Raibg6tzlV8VY1O9NCLxSuNX/lwi1QgiA=,tag:D/noIsE3xlOiYM6Pk+cc8Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZ1dKNy93WmNTVkNzOE50 + SGQ3d1NvcXlMeW9LQ3JCT05aQk5qSTNIUVR3CmlDeE1wTUUzQVZrREdEeDZSeW15 + dEsyd0w5OUpabEZHNm54UDlmaU41V00KLS0tIGJZTXhVdUJJS0VIdGdnV21DUlhL + MjNrRytKUXBXZWhPN2dpUk4wYUJyemsK5sspkZA7AOkVtq4e8p7QhtG2yLZE2TG0 + qOhodWBMqi9VWnwg6HTKtQK6hfZ17McB93J4wtciCFGB7Pa8d79TFw== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZ1l6SDdpdXl2cFNubjBn + eTU0UCtGTWhFYWIybk0yaGswKyt2clJQekhZCkVkbXdrM1QwaGZ4TXFpOTE1eEJJ + dUZKampwMjFzQXJqUUx0RTVwQzFoVnMKLS0tIEErNjhFZzhrVTJucXgwSVp2RlFi + QllFM3MxbXBBbFNTQkNKWHhyQ09EVGcKJIJ3DB8YmhlL+6sNhp38PojDBcDItsR1 + SKyJC3nTJjwtPD/8P0LivCTn9Gi0Yjd5HVIXq/76RF4aB85HLZLgSg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwY2VLT3Ara1dXTk5EVXBi + b1l6ekd2cEp0TzgrclVNMmR6bXBtZ2Z5V3k0CjRkd0JIUzBCd2NvWDJDU0FyRzR6 + MHJUSis3RHlBSm1raFRSaUY2NHpmWlkKLS0tIEk3VDhLSnU5YjRzNWFtb1ZMcy9o + cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef + sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-06T21:32:35Z" + mac: ENC[AES256_GCM,data:W0I9iLVAyWkqWw1m49cAO4eiv71hv0MMgqp/ZoPB/ImI/PijCJh3d3cSxM4HgDqhN7tPqwqegsR7pxbVNHch+VReLoOKOiXWCAmKNhZ2A5uO+RFnrmyCZ5HSbKmex4unzcX9hvkWl1X53dqiOUXu1tdbOt9M0tLxV2kfjPmqqs0=,iv:r9AHHkBZfk67w/MBpMDLjxrmo8JVpkm8Ko8MB/MHqW8=,tag:KuzAAHUbYGOtUu7sZqyXOw==,type:str] + pgp: + - created_at: "2023-05-06T21:31:39Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA0av/duuklWYARAAmj8qTRTeTXx9PNtqOFwCGmLlKGhj860JPE3BUR2n3QOE + h9fdVJa9yqK7Lshyuf2t1HbgG+Ah4p4BaO5gYGsMLV9ybZpyNFuCgSZ3DZ4zSfxM + GSqelcHJF5qbV5gwoJvtyVFV3qtKD9FpOJwh9MfEVe98VkoISCQsPl3CHDH4ot0l + zKa56vOReHRmaCid2LNsN0nHlh1KPpwn7HdgaKyiPFexMFe4L/Q56UrlZx9XyPOb + AJ91ayfI6jWH8Hj0xxyqx0shdA74nJ/Y6ZB3JxLXnGuPvAlC3XJRQUImqYsa7p11 + 4Hus4hRAGEJGpmpxhazInHkWOT5ECtzxMd5LlUSq0AGYlEWJL+jtnrvy86HqpYRj + jpMfwsuwY7dJ0Tll05+goWqn0zB0yZjax71Ynky/ie5Iv8FKaUHHh2HWAzqjUaKg + 6Yp3hzmMdP61fAm7ka4mxQLXQ0lrUbVnOk+pkaTrVrhcQial3W3lIgIhyo0EVi2V + Z7yEFkec7XZieMklhkL7tq9SJlWJYG1T+bavD7JSWjOXu+NlSP1hLKytM7xjp5jH + 
qZMEsjOaUEPvIO8Kd1f8MpLLe/+EhtmQJJMN8lwA8t/N+aOVYsW1GCspwX5mI+Ob + ZCIPkmeBz+UhJvqFD9QwWB44VWH7429VCg9hL+iWR2UfIUQHQhRFWD3604QBppzS + XgHEqjgLremZkvBsTAZsaLrTFlm7KwgjZsAkA5k+RZR5SH7xCXoSUSMnM8pWTway + 24M8mPHKyshggzR5B50YME5BY1qVKtOMEmTjwN5gpn4CQDcsQ7A3eafZg7uGd64= + =4DU6 + -----END PGP MESSAGE----- + fp: F7D37890228A907440E1FD4846B9228E814A2AAC + unencrypted_suffix: _unencrypted + version: 3.7.3