From ca994395ba9816586fc86dc6f036960a9f362de0 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 10 Aug 2022 11:42:58 +0200
Subject: [PATCH] matrix: move secrets to extra YAML files
---
 matrix.nix | 21 +++---
 secrets/default.nix | 115 ++++++++++++++++---------------
 secrets/matrix/registration.yaml | 2 +
 secrets/matrix/turn.sec | 2 +
 secrets/matrix/turn.yaml | 2 +
 5 files changed, 77 insertions(+), 65 deletions(-)
 create mode 100644 secrets/matrix/registration.yaml
 create mode 100644 secrets/matrix/turn.sec
 create mode 100644 secrets/matrix/turn.yaml
diff --git a/matrix.nix b/matrix.nix
index 9384653..dc3d212 100644
--- a/matrix.nix
+++ b/matrix.nix
@@ -127,13 +127,16 @@ in
 event_cache_size = "2K";
 max_upload_size = "1000M";
 turn_user_lifetime = "1d";
-
- # Needed to restrict access to the TURN
- # server to only our matrix users.
- turn_shared_secret = config.secrets.matrix.turn;
- # Needed by the register_new_matrix_user script
- registration_shared_secret = config.secrets.matrix.registration;
 };
+ services.matrix-synapse.extraConfigFiles =
+ [
+ # Needed to restrict access to the TURN
+ # server to only our matrix users.
+ config.secrets.matrix.turn.conf
+
+ # Needed by the register_new_matrix_user script
+ config.secrets.matrix.registration
+ ];
 ### Database
@@ -157,9 +160,9 @@ in
 # Only allow users vouched for
 # by the Matrix server.
- lt-cred-mech = true;
- use-auth-secret = true;
- static-auth-secret = config.secrets.matrix.turn;
+ lt-cred-mech = true;
+ use-auth-secret = true;
+ static-auth-secret-file = config.secrets.matrix.turn.secret;
 # Use maxwell certificate for TLS
 realm = config.var.hostname;
diff --git a/secrets/default.nix b/secrets/default.nix
index 29007b8..c4ab13d 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
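Review bot: The entries added to `services.matrix-synapse.extraConfigFiles` keep the secrets out of the world-readable Nix store only if `config.secrets.matrix.turn.conf` and `config.secrets.matrix.registration` evaluate to plain strings naming runtime paths. If they are Nix path values or derivation outputs, the decrypted YAML would likely still be copied into `/nix/store`; the same applies to `static-auth-secret-file` in the coturn hunk of this file. `secrets/default.nix` is encrypted in this patch, so this cannot be confirmed from the diff. I would add a comment above the list such as `# Must be runtime paths outside /nix/store, readable only by the matrix-synapse user.` The attribute names are also uneven (`turn.conf` and `turn.secret` next to a bare `registration`); `registration.conf` would read more consistently.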
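Review bot: The TURN shared secret is now kept in two separately encrypted files, presumably `secrets/matrix/turn.sec` for coturn's `static-auth-secret-file` and `secrets/matrix/turn.yaml` for Synapse, and nothing on the new `static-auth-secret-file` line ties the two together. If one is rotated without the other, Synapse would keep handing out credentials that coturn rejects, and nothing at evaluation time would flag it. A comment on that line would help, e.g. `# Must hold the same value as turn_shared_secret in secrets/matrix/turn.yaml; rotate both together.` The file also has to be readable by whichever user the coturn unit reads it as at start-up, and by no one else.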
@@ -1,56 +1,59 @@ -U2FsdGVkX1+tNQ2MrBDObxfvhpH7naoPAoH7vyfycbutpD/9CBa8+4WwGQShIYNR -51lwkWPQLdrNkY9+sDOgCEuHTmTmbw0lTWk80D7oHaCrPZUURdl4xNoQcCE3NEYH -zbYUpgTstVn4XqnyMepUQ3wwMwUvMaqdJA1lBjUKlv1QaMi9en6Qcxy/RQtZC4R8 -mdFLWpVfu8+lb9c4Yl/K/Zmuf7qSYmyXZEdeG/kufcdBCBk/Ctd5wMk7AmyW19tg -FDJAlMV07GMmybtwjRzAUkuDhnWz7TJqAlhrn6+hAu21RZAaZgNcWnVBLM4qpQ9x -cMmW5+SPh6qMSq4TiucXQR9U0V9cbahPKSyYTx8y0THtVGaNcsm/t3woysvaO3r7 -YRnv3wKDeVb4O2oFvm1q4QutMViMYygIOhs7zgP0+BlvrnQm/Gljod79WQMH8EP5 -sIr1W7JSNcRNfpADl3ZroNJnrGtnVRFmrjkGXCI9lbNZannpDiDcLUy7QQ5RpGSo -4Y88TFRcP0WnL8rB+SNzafj2rHIiKaQo/RDPzhIafP+Vy9JrPUBbznl4UgyRip86 -rq6UEPKITP2EOVOC86FoYR+tpj/4tNJgjzQ5v7wkcV0NyBpv4sljAqApM8mJwQ3W -N0yPCck4L1L5qa8ru2FB5AOryPmhYWyzXJhziM+XWccQa1k4+VyKH/+ItlMkMxnb -sEHn8R2YhoBAiD2Cn9m1qF/xNHsk0Xe7jDMP/JYeO/uJx0FPwXKoHENnO795uSez -+1UI4tpPHQlj2FMxSyDOI70d2Q+TL7H9pal6j3p+NijX1ve2glst/O14O24fUa0L -pKkXb5wZsN0NBgskrOg+6181JAKtuGbF+bAXqP0MqGzwEcfADFeSgIOArRDBEWkF -QeeqUCCTdXj2Xk33oN7tJur2g6ovpgywHWNa12rRiiPUxdelzeI0I+JE1knKPFti -f4wKVFJArbuOzKd1tHvL4eXAUO5OHS6/yqK2mQHUx36HldWTnGjqsZ5cRMcbue0c -hF2+saCkbEGOSrH3PBWC2+bNoczPzAHHXM62525Z5wTecHGCYZSPn37XNj9+hpV8 -Qr9WEExfuMnmzeWD9VjZ+IyA4kD2Kb8sS2ri/N72UHL6L64rPFhe/5CVHbsjJybu -rg/puzYY2gTmvz4HYSG9ixjM6SZ09a1l2ciWqjRaOTndFbIQpnY+5/c3U+nF6O6D -Y01oPmToW+FE6PMdjQXfwH59EHFmtM9P/DbWJTbinYUGlJSo6Z4CnVV+1Lou3wwb -i2MpMPV2r8zcWxoJip/kEz61TqCjjkhVfY8wHt0tx2ng2TvG3RA7JZdpBbGLN8bx -ZR3pnKLTJddXcRuwE45kz/9wXRfWit7HKryvC3S4Ju2NcvA/ikMpdlb3ZuZ5F62g -a5NJMotgbfSyEggqS4KA4nUVU2cG7EZCTiyQKX/nB1q3qpob2WCYif6fLusOF9ze -CYhdZycvK/EuQ1vrx8euJNpZQ9ESQbt6R+HD9dWMPj+1ffxYx6Q+D2YWqG/UPqiQ -qCSuDLSvAWmcSsyk00uobR+clRQe8qUuGGw4Ic/WG2S62LKhPNl2EJv0vVP7Gb9A -du0rKbobyxDGyKfXnHJz49uUiGUiFlnPGcBuu2s0TC7a+sc7/0fsSHZQGe4PBbj+ -pu9w1LJe0dAJmaJjsuJub421zcwdw0PzS1W5/TsqrHuWqU5jMVptMTV3jJ/ajwAa -LoxZg+el1BGKcNnRSn/o7qVTqaY+k7QuzJ+fqjRq7nMEAvhbvynVYBoqK4WODTvG -8PPm3gb9KppdeSy3l/jtmWMgsXIsBgFtJixnYWrbEPHmt7eKzg1tBEk1udTj9wTJ -VI3pok4xsjsFy88AdmFnEDJeVoe+0mOiSa+gNZ5jlZDSMheiNsxlqhy0WQ1CCRCg 
-8ktI6Uy6oSaRG6PDXr50peRjxJmZKJ3lhaCNGnSMksDnpkjxxiwIf5YsQPYv8rBP -sXztgwjhQ4SP/l8Palvmusu6XbC0yag3hPnb6SQ1rV6JhbJwMRRyqJfa1A1nIILK -N8NKIA86AhUkSj6XxmH/AE5rI4XP60VHiwzXDdNeFWvHJ/UFSmAxJL5OMNRkcrK3 -u9LMrbt/tRALgliwUbXjX5q5p2ag7SWIkGT1tIJ1ZSpNugE+WvBhLqGQmJd1JnD9 -imTY0vzF68bZPX88Xf/119L9KmU627iqYkbgWkiSnMqH4VypxP6Yj+Mm86fOSSZ2 -I/tcG0QOlJ5QMx0PDXJ6bfY16BnJh0FjqrtV4MMEkcYGEJsGVYyi7uILMEfnMhZF -vHfz8A6TuW904al6zxMkQTzkDCMeviDXsHkyUb+a6qXiHMmpvBaOjNuHU+svKTDy -CYP7AGtlB4fwyBhfWnO3nvpKwZMbuCW9SzHH0J51BuxDWcd9Dm90TnptReLu0AJt -n8m5lfI040oMYkp1du8mAVglAQ/9Ymm3mxj26ZA4f8o+iR9ZC0fH4X3ClpI60gUh -FkhQAn3j/30h5xQQJheV/yPKycJhx1JEfEmFTdAvD9ZIFqftP2mWZH3iK2igNLmF -ABHqOfp/IJ26u4jv535vVfMjML4MCfw0388+7PB9+MHrQ3pX4EMA6VHRcZjWmN45 -li2+HMFbddC49BLeDG1kbT5IE+nu4+oCGeepU366gL9u37GiSQQ8VCYx5GtmKwa+ -5lu5h/HRrVR82JNm03BvLEI5b86QF7aJw/n/5rT0OLMWcEUsZeghd9p3FSWR+YZA -Gv5w/NidK9dScIfb2VP9d+5qjrLGEXkx3FOp9VFKOaM+WYdm/zyvMZhx3X6ome2m -yK4zpOUQNyzfd5HCMAVEpKysu6EZelY5bDtdUMgFVON6gbkQf2frmFPkT3Q3wxTV -bjfGfvEmO14PEHbSzSzLThjZs94HHMD8V1VNZBnfhoMENXRSph1a3ZZkty5fAWal -sX8bNH1+beRNdsXBhumi1V1UbzQ6xS+by7nR3cDLv8ikC6H5A/n6ZpZ8prmPBV6z -2HBwbCcbb5CMdnlaUi4oqDOJEl+QBNp6Z73oj2pzl5rQEUhi3uq2oPAhZRtNtjzE -GFBzyTg1R6PgdTS9Edm4YmJPCyTsgnYPYjODEckWADkzZnlLSTHl7irQFxjbaEKq -MH6iLBzx5N/j8TxCxBqGlKhIxoLaMteSA3LPoiKE22S4SFLEZFz3L01TEtLh4+t0 -7sk8Fu+zIVB/wZYPH/Q8COUOvfNwR6XyAI3/Vfb2otyNg3OygLNxq8p1UAKoxWSm -MS+LbWaxF7sFZmeoF8PmOMYHKEfwjiQzY7RugIFJK8FBbhmfrrQz6ITaEBNPPpL5 -tQzYzp2jVtWASOItZlsmtJiAurCahTyn+3fVK6H79UtWaA4h3r6whx8V8ig9o+Lw -TJMWiUs+QhoWkoHzibCLxzNW7Ni8UzJSkOu6m/5TcqZMhnTJVwRDxb500NumZVkE -S/aIPfuTNrFDAnCC7GC8vkVQ/ZtCkZEw1srFySa8oZInTpnl2+D3Gfn4dwujCVNL -glJyBMH0x5FlXZ/mhFMAfXZWOHgj +U2FsdGVkX191uk0AhtEdICnhkSv/so8qXU0ks2TsF9Hu6c9V7Urd0N5f2XtmJJSx +dTVFxbpLY4AS/j5hFF+L/9YtCuvE9clJfpvNy1H32t4PPGLCiivqeLcb17BMsBro +yD/n5kgPnJMbdtZnvp4xboomk0xdJcJ3PdgEY95pr2U14gHeLrTVvXtEsUvjmg3U +0Z1e0/oj8r5piKSHJ7gMcKDUl60QkQSMqAzewAFNqW0BQzqev8dJaA8wAidxmYCY 
+zEDIi+yt8RmGiIPP3hUS2hCH6UT1rCwcPJDPpHfPcKsYds5zxUdD3htrtBvndzhj +WFmMe25q3pfTWNSZg7pqNa+V0a1wLhVaA63SwWnuwxOs2VFik5vKEzmnDpmXv8SM +Fs4LV+8l2UrmWvY83JD4sFKK2oDkeH8apuqKhjDmgFfDkNzAwxbzoqePccNPnlec +7UbMpUOdwTGKN6Ps0aQabmbG/kXmLKJHUGGO+dwDICrCb5/HM+1+7/1rboceZCxL +qrAfIDB2CIiGJrk6DxYboLbZIwECVc7htZHsOy9uhtuhAPwF5MYb/z81j351rqV4 +JvV126EFdVfFDDxfTGdbXxly3a+0TF72grxat+1fLpc3X+uDzlHWnD1kLNNGuK60 +YvbvJNPtJlDIVt1e4aDtJVN1NlFbEZpvt4dPteYdseqtR2IQPZ8pw44VUVAk5mq+ +tAuwvnTGi45DL9EAP62OyFMVpotXxhDm/tZU6Ym/9NvyVaFQ9XpBzdfrGRYPM7Nn +wp3TLms+JeX5f/PcaCJka0DY/wAMXPOt3/0GeqZkgJkTsyYV8olCLvxxaQMZfoiV +0hXEYD4FVU7mZ9cpEwcPtvQ5yYdbIqY73VzoSRzdq6BXpP1AtglC/kqq73xnxZ2a +Yy2ZqLFdwrWgV0Elq5u2kjSAhOMEuVQLqsSb/ukxtRTFcpt/PpTYCaNIU8XkZayt +s7/KK6KBqb5RWjo5awRy6q8fn91zwzjLZE5HuEsm14HHOzEW17aAidf9Ul4/6nPD +A69oOZYMocDzrywi8DpOqv/s7Ow1i6yPztCitH3ZxBP0e1qZFPqq0GN3c4Sbn9uS +haqZWzAn7/tybV9oMKcjkgEP7eUIrAMyG7MyUY0DdI/zUj8xLU3TTPOfXNl7PL8S +iwfTMqG39d/m1xqRjDYzJfQ+BFkEOWENor4OKYaGXTXL1OVSRWwSISpUuXcFxygm +FTgQwnNE9u2il2Jy6kAHH6aUQsvlQ6tp7XZncWDLYUXLRV0CZZGVG/CCnhsIYVmq +SZMFU0oFKpuB1KgVtjXvKQWF4CBBWxE1dIk2oXpfQIGyt7kD7JaK9M952gOWYUkr +olOwdqT24MkW9hU7jifqQhmauFeSo0u0/YBYaLcfiexlUrCQ7DUsGIxs6ETQI3tk +F6gYayT4bGoujLK+1hSIkVAH66WZQxXHJgu/ggDuuI8M/1VK1K+rbUBSOXhI8C76 +mePHxGYsotOoErO4UOxu8OJLIccelzNZ90TjdJWyigoyjB4Tn5o+VKXTMGXcJVgA +bmtrOxmMJbFaxs2kT7RX0vP+jFtSE6GEzvKyxLmYlH8yD/aI3rXY8ImfDYz7kPBt +7Zfd/36UAGNbNb4C8kri9LIChSk7oPhIy0c/569MVodWjDTJ5NLYDDOwMjcoVDvu +CLK3EB3wZ5Hl8IkHp3v3NWn+JdjyO/wdrCig7zdVY/GC7qgT7s+EGLkIVUVII4F3 +l4WbAqMT2DKnWp0XLSg0RDnnB73j3p97depfYPy9/KcqUSjNPl4jCchb/117/4MZ +5baMkYmL8q1BXB3QfjIUNGMcfPTgWh/pnzhIRmh9WdYi4M8iNd6OHt5ScBj4rOdu +Rlxe1Pg2lbXNF+4e3i7gNWKOnONfviNcJ8oWIRe5bX0zfB1cHu1UaRzS+iD4oekT +evbq7DkisBICTzCG9miF/33WXFYGaANhuSPy6W83MAdd4R17gBKhk1hOL7vhHUeu +p+hFzEewmgWF5sePr9iMam8j49lej168b5zxOT0+Hkm1GRdFljiN1751Ld0IVV78 +Sy0HHJp0zKuje/ivlYf1xb3YB48uELdOq2kaq9OAYVzHXX076ZP0cAxt2SAVp1vn +/ETw1ElG0G8z/nZOuISXlSLEbbaKTCW2b0a25TVZtFTfhGoKoweDyge8JKOI9zj2 
+j5YsLV7MGp56vc21kWEI3/LIZnve0slvsO6SA5j+N5R/oL+g8YuS626J4aJ7dpqr +pNByU+83bqEApLC9hG7veYOnZ22JIRo2JNoaqZTCr5MtFHMVYnb+J2+bG/RKTuGD +JwWiXxSGMMcqgnmm/xswijXefDQ2YRBsXmhhVZrS3Dl/4RHoEH39pLRkmH1ABf9W +6CH+2SKnteryBXXwlRzOlqqFzmQ3WPq9xmxGumygWtKp4yNV4kuKV7qO/1Jk897R +tQrOakxPdjwyFL2cYl5zBi40LKoEPe6L8YUG9qAvhKVul19vV+T+/R/sz7cBCudP +JbuyxJlC46gf6W1WzAj1ql2HJzot/Tcc0PtZ9lrbZYp7YgBYVwfHK2JnIerGLuAP +6GhRc8DmNZa2eHryWj8Sc89CJnVKQ3qWvsqiYfPDjrobvaQekW2PGNaqJ40lv/s4 +E0RL7U7JFBMyDDcx+hmtWqqoTC7wyXLnrimGMwisbVWMYq/hDiUokYvyiDEK+BTf +VNDjI2u6YtiWId9+sIfY3VlOpTzk5HuG6pfmgi1C4XLoAppFbjZED9cV+tIshML2 +vMJRED4c0cvFbAbxbbpvs6i6FrsDQmAiOXmeV4ffu/P5Vk+pPY+70NZmFQZnKlGc +i9+xRK575uATh0mClB7A6jPi2SQVsntXaW5uDhsWY+h0pec3i6lsUWyak9dz3biv +CVYi2TS/qSPnOXAgukcnFdBHld+28RslzIq4zhahMVfRDL87jfFSNNd78GuzOG9E +nC266G8knEGFFqJ0FAwFkJakoPGxaWU/50wAbQLM/K7QrM3VQ4is+vbO8xv3BklR +NohBBt6Maeok86e0mL8os5SQ79TC7XRPgcBjIwHKFlirgnI9mEZhQzH0QEx5K8l6 +RHuKvs1r+gnQ5yIy9mWYtjWHX6CoURSDbZ4WY3nkKO/7lkIyy68kom+c9wSj5+ce +G4ygySMUOcYrFxYcqpeJjhYOiBs1TVXyC8jzqLmiUZyUBgSE2L4T07jeX+xaiCtM +l0W7q0UQch5a70cDdfEtYDlInZM05aBELC60q2opBAvuNws28JhAoU7oFmBXFL6G +H7acBc6OESva96/Sdxb85Ftib7BOBaTiKhhvbmPRXUnwJv5DQjwe6zwgF6Mr3ar5 +D+QMGTg4kyQS2IXQ2fDJG1vxHmcecuBP+vU3w1XDv+NJUe4O+Ij81YdEuW2mMCPK +UWyQeIdGnnv/RkA72otFuC5GRL/M6N5jIoB6LxeNZFghZfG+vVDgwcKBJidXK9Wh +11pr8HTHPvjAwhz3JTzNbFJIBIYpJTIe7qIenqy5mN9l+auyywsO9jrKJ6gAK9uK +MsFett/LgyJInZcbzIC/Z7hpqLGJ6LKFp8AeKjYTOHmicWctKNi87T6T63sTtd8g +CDkCkLy3XABG5KCHt1WZH09kHVlyG4x8duDmGrgnXBEHhGbzAxmksE4p5nTUv7VM +NvYPKk+Af1HU8U8agMag+7Ku4k6OEeEDktQMh2GuDXDCXvhcDe+gVVMxx1LTeVzD +JPKdqLMj1yxMEjd0uA== diff --git a/secrets/matrix/registration.yaml b/secrets/matrix/registration.yaml new file mode 100644 index 0000000..44bb350 --- /dev/null +++ b/secrets/matrix/registration.yaml @@ -0,0 +1,2 @@ +U2FsdGVkX1+llDB5VqCr1IypfnYvO/G6YP0LZIcGXf5rJXiD7yFgmfag9uqoLpUS +OdevSmwuZRxQf7OMJC//qWZBnKt6RQgtebhWYgecmbJpXkI= 
diff --git a/secrets/matrix/turn.sec b/secrets/matrix/turn.sec new file mode 100644 index 0000000..3e0cfa9 --- /dev/null +++ b/secrets/matrix/turn.sec @@ -0,0 +1,2 @@ +U2FsdGVkX1/LQEXVW9522X9Wk7X9Rjn4vTSUguvsQH7S3hXHFZp440yYE0bWElPm +Bn+iWLLaZNQ= diff --git a/secrets/matrix/turn.yaml b/secrets/matrix/turn.yaml new file mode 100644 index 0000000..a0c5545 --- /dev/null +++ b/secrets/matrix/turn.yaml @@ -0,0 +1,2 @@ +U2FsdGVkX1/+v3zwfqsp7i87S5sGEoBaJoWzXDh8hUGn9gRs7KUGFgfE66GwOwjG +1ZfgMEiT3NA8mzboyEA/V+4aX5sl8ATnRVvkojoF