diff --git a/hosts/best/matrix/default.nix b/hosts/best/matrix/default.nix
index 89a88d2..9fced80 100644
--- a/hosts/best/matrix/default.nix
+++ b/hosts/best/matrix/default.nix
@@ -1,3 +1,6 @@
+# TODO: FIXME: We are not handling backups properly.
+# The `e2e_one_time_keys_json` table should not be backed up.
+
 { self, config, lib, ... }: let
 inherit (config.networking) domain;
 inherit (lib) const enabled genAttrs merge;
@@ -29,8 +32,12 @@ in {
 (self + /modules/postgresql.nix)
 ];
+ secrets.matrixKey = {
+ file = ./key.age;
+ owner = "matrix-synapse";
+ };
 secrets.matrixSecret = {
- file = ./password.secret.age;
+ file = ./secret.age;
 owner = "matrix-synapse";
 };
@@ -75,10 +82,10 @@ in {
 # Trusting Matrix.org.
 suppress_key_server_warning = true;
- };
- # Sets registration_shared_secret.
- extraConfigFiles = [ config.secrets.matrixSecret.path ];
+ signing_key_path = config.secrets.matrixKey.path;
+ registration_shared_secret_path = config.secrets.matrixSecret.path;
+ };
 settings.listeners = [{
 inherit port;
diff --git a/hosts/best/matrix/key.age b/hosts/best/matrix/key.age
new file mode 100644
index 0000000..f461b83
Binary files /dev/null and b/hosts/best/matrix/key.age differ
diff --git a/hosts/best/matrix/password.secret.age b/hosts/best/matrix/password.secret.age
deleted file mode 100644
index 780510c..0000000
Binary files a/hosts/best/matrix/password.secret.age and /dev/null differ
diff --git a/hosts/best/matrix/secret.age b/hosts/best/matrix/secret.age
new file mode 100644
index 0000000..980a138
--- /dev/null
+++ b/hosts/best/matrix/secret.age
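Review bot: The FIXME added at the top of the file names the `e2e_one_time_keys_json` table but neither says why it must stay out of the backup nor where the backup is configured, so a later reader cannot judge its urgency or find the place to fix it. The reason is security-relevant: that table holds one-time keys that are meant to be claimed exactly once, and restoring a dump that still contains them can hand already-claimed keys out a second time. The dump itself is presumably defined in `modules/postgresql.nix`, which this file imports in the second hunk, so the comment should point there: `# TODO: exclude e2e_one_time_keys_json from the postgresql backup (see modules/postgresql.nix); restoring it would re-issue one-time keys that were already claimed.` The `let` block opened on the context line continues beyond the hunk.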
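Review bot: In the third hunk, `registration_shared_secret_path` makes Synapse read the bare secret value from the file, whereas the removed `extraConfigFiles` entry (per the removed comment `# Sets registration_shared_secret.`) fed it a YAML fragment, so the newly added `secret.age` must decrypt to the raw value and not to a `registration_shared_secret: ...` line; the encrypted blob in this commit cannot show which format it has, so this is worth confirming before the first deploy. A comment on the new line would keep a future edit from reverting the format: `# Bare secret value (not a YAML fragment): read directly by Synapse.` The same hunk also points `signing_key_path` at an agenix-provisioned, matrix-synapse-owned file; if the NixOS module's start-up key generation expects to write that path, a missing or unreadable file would now fail the service rather than be regenerated, which is inferred since the module is not visible here. The `settings.listeners` attribute and the enclosing `in {` set continue past the hunk.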
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 8y3T6w sUQRJW9xDK6GmZLtl4MK48DZIh2t8a/KWPkzrMK34mY +gVmL1Bn+kcT6ReAO2oxYSpGL5URQnqEOqDUxWgpHsrM +-> ssh-ed25519 CzqbPQ GticSm2nWNiADVwuxH+aeJeQVlAWz9hy9VsTMkCw/yg +KaQ2pnVAblIftzqBOvcxHhXcBOivax0em2EOLXFH2Q8 +--- ukxPhzbewA/HQQlDqlavsGQ9uDXp55M0ZFMcDJT4TWc +Σð „6½ÄþZKxÔ>Åñ­' ‹z¡ ¾„ãk$ˆ›J$ïBX3:KÞ¶cš¡å]©·¨ °Z±×vOjõ·½çÓ¨>Îé¨7’à{R=t¯a*e)ú/Û_Í{"úmœ \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 4e0ab44..e013ff2 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -9,26 +9,27 @@ in {
 "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;
- "hosts/best/grafana/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/grafana/password.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/secrets.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/token.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/secrets.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/token.age".publicKeys = [ best ] ++ admins;
- "hosts/best/matrix/password.secret.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/matrix/key.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/matrix/secret.age".publicKeys = [ best ] ++ admins;
- "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
- "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
 # disk
 "hosts/disk/id.age".publicKeys = [ disk ] ++ admins;
 "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;
 # nine
- "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
- "hosts/nine/password.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/password.age".publicKeys = [ nine ] ++ admins;
 "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;