From edf81976ac82e0667d47b450376e8f37706f3219 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 29 Nov 2024 00:17:35 +0100
Subject: [PATCH] tsuki/osuchan: use sops template for secrets
---
 hosts/tsuki/services/osuchan.nix | 20 +++++++++++++++++---
 secrets/tsuki.yaml | 9 ++++++---
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/hosts/tsuki/services/osuchan.nix b/hosts/tsuki/services/osuchan.nix
index 4975c14..7cbabf7 100644
--- a/hosts/tsuki/services/osuchan.nix
+++ b/hosts/tsuki/services/osuchan.nix
@@ -1,12 +1,26 @@
 { config, ... }:
 {
- sops.secrets."osuchan/envfile" = {
- restartUnits = [ "osuchan.service" ];
+ sops = {
+ secrets = {
+ "osuchan/env/channel_access_token" = { };
+ "osuchan/env/channel_id" = { };
+ "osuchan/env/channel_secret" = { };
+ };
+ templates."osuchan.env" = {
+ restartUnits = [ "osuchan.service" ];
+ content = let
+ inherit (config.sops) placeholder;
+ in ''
+ CHANNEL_ACCESS_TOKEN=${placeholder."osuchan/env/channel_access_token"}
+ CHANNEL_ID=${placeholder."osuchan/env/channel_id"}
+ CHANNEL_SECRET=${placeholder."osuchan/env/channel_secret"}
+ '';
+ };
 };
 services.osuchan = {
 enable = true;
 port = 9283;
- secretFile = config.sops.secrets."osuchan/envfile".path;
+ secretFile = config.sops.templates."osuchan.env".path;
 };
 }
diff --git a/secrets/tsuki.yaml b/secrets/tsuki.yaml
index 6d890a8..5ae0bee 100644
--- a/secrets/tsuki.yaml
+++ b/secrets/tsuki.yaml
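Review bot: The three placeholders in `templates."osuchan.env".content` are interpolated unquoted, so the rendered file is a well-formed env file only while each secret is a single line without whitespace, `#` or quote characters; a value containing a newline would add a line of its own. How `services.osuchan.secretFile` is parsed is not visible in this hunk (presumably a systemd `EnvironmentFile=`), so I would state the assumption next to the template, e.g. `# values must be single-line tokens; placeholders are substituted at activation, so plaintext never enters the Nix store`. The template also sets no owner or mode, so it keeps the sops-nix defaults, which is worth confirming against the account that reads `secretFile`.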
@@ -37,7 +37,10 @@ matrix_synapse:
 registration_secret: ENC[AES256_GCM,data:Sc5piAESWk9HUe3ZOQ+7ZB9aCZwjTdFrfYkU+XFuXGUZ3xCkCt7QDPmDQBIs+lYOLV9Y165cObKDgMNHBaMkRQ5wXVBrd0l9js70h9LC3IGuK+BOa5tZa4u0zku4zStRuN7xCeGNeAWFOPCQ4a5rQMqbDz6iwWkMQvlHqwzBYtP7PuTuAocwkjlo+3AOnw92DjY4xODPgHR7w4rNSvoSZIUjlAIk3yyHNLV68UiTPoJ5lUqGleLznCpqjLhpxAycfEbWUXCNx8Z5oJ+czptWzhb/hhjH/SgeMvflk8KFwJAYBXxA+YgM+unlWS500OGsgYIbhPyvSzSrs1JkDQBVXA==,iv:/Q4gTEe6WU7XID2ayCFq6xmF6J5UrQw4OjmpU4dhZSA=,tag:kLTdqoanqUAlVrRcKZRxcw==,type:str]
 turn_shared_secret: ENC[AES256_GCM,data:ay8VETIPaaRHmmy+DFaqsOD8svfxcrJtaf9QEB8QxqE=,iv:VzHs5zHADvl/7cl9FgwFfgQbdv9/ujPFz9rojgHsyo4=,tag:atRZGV1dj7pa1e5TycLFKg==,type:str]
 osuchan:
- envfile: ENC[AES256_GCM,data:pMt7n2nEBH4sEW9RZxyyvpnScHsSbSKgMKihwplGcj37TugGb5F30iJatiBhAoeptRSSYgrMjRBLoyWAdxzFiBvKZmkNdka4afy1Cl/LT2hZ+jjkjLBCFv6A8Z0HoWZlvzjuYpybqO9dNdWbQYKDJr0xcVAnaNkv0ThtpZV0CqVfcdJvzx9NyzJzHfIu0p+2BEwzVzr7pt5XwwGcRNru6/x/90d5W6btU4jW33oSBErcuNwdFjmVSgJdHfCxaKgYoIMTYrwepHJ5M7tmA/uJp4JmxCQvgvK78Rp0ooEIyd2aN+r8HAXGnFaskdjELaxBRM76PhTqgaiHfmuiTqesnYSPYJyCIb/r,iv:lRjpv0MziFmWvJgwAFdoP+QtRXEEwgZWLR6krvaV8VE=,tag:prYGTXnhFRecc10ND3Gg3Q==,type:str]
+ env:
+ channel_access_token: ENC[AES256_GCM,data:DjE+92zPa7nOR1T2ggXSU9CWM6ruZCKQsVzj04mwacNyZcGBn7ydNnit2yaTaAWemAaFZkHCmJChvEXUtVXX02W3xjP3kuFNSod4x8KIEeAwP10SAfyaXlrYLTrhf0fhNqQDsSO9OxYaP1X/k9JFiakb3E3ZAqdhznaNfEfbRjABligAyxAFU8lm1V2bhe6BX91dZ+rwuLSpI72NLAhgkXD8AtVTdb66kEGRyw==,iv:BtVka/U9NVoSTrvSTt+4I9XGsARTkkj5DEtV8v12zy4=,tag:CrOf4CW0QNaRRh+IcxE4Gg==,type:str]
+ channel_id: ENC[AES256_GCM,data:qS4no9fC2EI+Bw==,iv:+2Q0ceJBZ7Il4bwtyx0+n69bLV1P7RtZxhWTaUrricM=,tag:+q9plSfQ9I6Xe+nvuG9yQg==,type:str]
+ channel_secret: ENC[AES256_GCM,data:p6N7AOyNs/LsmSd5J4WfyWszg4sjv60ZL/3k1IdeGZg=,iv:pSp+3gR76u1GbgROSZXcflRWSO1wYV0M4d11nEIG/k0=,tag:RO+3kpZ1ZmYU5PKaC96CFQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -53,8 +56,8 @@ sops:
 MThmQ1Iza0F6Q0Y4N1JpT2V5a0FrTGMKIzpNe4dyCLuyKjjXjadZepRYvULr3j3i
 7SSwFgVvESj0aVwcGMW1swkhdb2evZgcghhrJpiK8kKIPrWEuFiCcw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-28T14:01:15Z"
- mac: ENC[AES256_GCM,data:x5EUjXx2SeNWkxeMDiYtWCz938dPZv5zlxTjGf4ewWnJ6FJP6GAuY+aKucK9L21AlbQ39osTPRbH/fTLBP/hmZM5yvarFmelfhFZzXyRj1t4USy8Ms+VwwelWcG0WClbMGVT/SUCvyK5IoUL6J4ZYC1aqAPr3q8MR/y/wYW5QPU=,iv:bF24zQk0+G/EtBoIvlxKZz6v/Ud1URguExOJg2Nf5O0=,tag:0VAzdDyB8MgQhUDjz7S1jQ==,type:str]
+ lastmodified: "2024-11-28T23:15:15Z"
+ mac: ENC[AES256_GCM,data:fG5F0YWkCEc8HdJHx+EVeIMB8u/Lab9mV1Kp3+n1iCWmia9CmlAyrQipexVcgObMJ5GUX2c3sMcMqJiv83HsExtiPz8Ut5oAXltSdJWzUWS0e0+NbokEIGUha/+eMeCvu7phjmuzmEgiXHe/OwWz1wJh+J6eI1SGz2TsKy3/5Nk=,iv:xx2DycXq8hUUiXXC1e5fMcqsHJOtB1uiK8+gO9E/mVs=,tag:tZrxW3TrWq79MZZFvUoaDg==,type:str]
 pgp:
 - created_at: "2024-06-25T17:16:27Z"
 enc: |-