From 87b0880423e4306e156af709a63ab1b565970204 Mon Sep 17 00:00:00 2001
From: Silas Schöffel
Date: Sat, 25 Jan 2025 22:12:04 +0100
Subject: feat(matrix): make secrets configurable
---
 hosts/by-name/server3/configuration.nix | 1 +
 hosts/by-name/server3/secrets/matrix/passwd.age | 15 +++++++++++++++
 modules/by-name/ma/matrix/module.nix | 6 +++++-
 modules/by-name/ma/matrix/passwd.age | 15 ---------------
 secrets.nix | 3 +--
 5 files changed, 22 insertions(+), 18 deletions(-)
 create mode 100644 hosts/by-name/server3/secrets/matrix/passwd.age
 delete mode 100644 modules/by-name/ma/matrix/passwd.age
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 2afc79f..ec6a39f 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -23,6 +23,7 @@
 enable = true;
 fqdn = "matrix.vhack.eu";
 url = "vhack.eu";
+ sharedSecretFile = ./secrets/matrix/passwd.age;
 };
 miniflux = {
 enable = true;
diff --git a/hosts/by-name/server3/secrets/matrix/passwd.age b/hosts/by-name/server3/secrets/matrix/passwd.age
new file mode 100644
index 0000000..6386ed6
--- /dev/null
+++ b/hosts/by-name/server3/secrets/matrix/passwd.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF
+bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC
+aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q
+Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk
+ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
+YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5
+cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg
+LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy
+dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3
+RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv
+OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A
+sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK
+4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria
+-----END AGE ENCRYPTED FILE-----
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
index a73fd13..4b730da 100644
--- a/modules/by-name/ma/matrix/module.nix
+++ b/modules/by-name/ma/matrix/module.nix
@@ -24,10 +24,14 @@ in {
 type = lib.types.str;
 description = "The url the matrix-server should be known under.";
 };
+ sharedSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "The age encrypted shared secret file for synapse, passed to agenix";
+ };
 };
 config = lib.mkIf cfg.enable {
 age.secrets.matrix-synapse_registration_shared_secret = {
- file = ./passwd.age;
+ file = cfg.sharedSecretFile;
 mode = "700";
 owner = "matrix-synapse";
 group = "matrix-synapse";
diff --git a/modules/by-name/ma/matrix/passwd.age b/modules/by-name/ma/matrix/passwd.age
deleted file mode 100644
index 6386ed6..0000000
--- a/modules/by-name/ma/matrix/passwd.age
+++ /dev/null
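Review bot: The new `sharedSecretFile` option is declared as `lib.types.path` with no default, so enabling the module without setting it now fails evaluation, and a path literal assigned to it is copied into the world-readable Nix store — both facts belong in the description so callers only ever point it at the age-encrypted file, e.g. `description = "Age-encrypted file holding the synapse registration shared secret, handed to agenix. Required when the module is enabled; the path is copied to the Nix store, so never point it at a decrypted file.";`. The secret it feeds is still declared with `mode = "700";` on the context line below, which grants execute on a file synapse only reads; `mode = "0400";` (agenix's default) is the least-privilege choice, though that line predates this commit. Both the options set and the `config = lib.mkIf cfg.enable {` attribute set begin or end outside this hunk.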
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFcxajBUb2s4dDVKeVZF
-bFE1NUNwS2p0NjhZd2Y0MWNNbFFDcE1VSTJ3Cmdsdmh1MFJ2bWcxVWZlVm1idGdC
-aXU3bnlmVkpydXpMYnh2djNURjd6L0UKLT4gWDI1NTE5IHRidGtkVGZDV0Npck9q
-Y1pRYjVUVWVYMkZxcCtyTGRkQWRGQXB1dEhVR3cKQzNwQndqZTBHTVBnbUg5bWNk
-ZFpOSG1UZzZXQ2kxQjRXUS80Tmx0ZURiMAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
-YmNaeGV2WTJqZFFSTXhDS1hScDZrV1ZWU1FyYWRtSGNoR3NGUjZ0WmpqSQptRnR5
-cDI4VDFXL2t3VzdnSGF5VzBIbzhzU1NuQmNuUXhReHNVNGd4bnFJCi0+ICJ9OUlg
-LWdyZWFzZQpDYks4Y2dUeEowTHh6cnJsNmpXRGpDYWU1RkRwbC9nYjB2RmtMZjhy
-dTBhVEU1ak04U0VYUkh0WUJsK3h5cXBRCmZ4ekRRczFDZWptWkJQbXZ6NDU0dUh3
-RTlkVkxxQ00xeHNmMkZSS0JIZGpmOU5UYSt1bWdRNlZWbC9ZdQotLS0gbG9RR0Iv
-OTBleHBTS1ZVYjZSODEranR5cGxsTkh1elZwQi9Gd21VbUxkRQoJ+dUdl1CVle6A
-sLVikThgDKKpMekZeLhx97gC6Vxfxd9oJiw1SS7xOjMZz6xcOCG1l1NidrNHmhnK
-4xQMcvHU+5Ogw3YUnPcL1sGjYWkvgUcwie+WEKZFXkCaJwz91ria
------END AGE ENCRYPTED FILE-----
diff --git a/secrets.nix b/secrets.nix
index 10608f4..819e9c3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -17,8 +17,6 @@ let
 server3HostKey
 ];
 in {
- "./modules/by-name/ma/matrix/passwd.age".publicKeys = server3;
-
 "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2;
 "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2;
 "./hosts/by-name/server2/secrets/etesync/secret_file.age".publicKeys = server2;
@@ -26,6 +24,7 @@ in {
 "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3;
 "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3;
 "./hosts/by-name/server3/secrets/mastodon/mail.age".publicKeys = server3;
+ "./hosts/by-name/server3/secrets/matrix/passwd.age".publicKeys = server3;
 "./hosts/by-name/server3/secrets/miniflux/secrets/admin.age".publicKeys = server3;
 "./hosts/by-name/server3/secrets/peertube/general.age".publicKeys = server3;
 "./hosts/by-name/server3/secrets/peertube/smtp.age".publicKeys = server3;
--
cgit 1.4.1