🔒️ registration shared secret for matrix

hosts/plato/configuration.nix

@@ -13,6 +13,7 @@ in {
     ../../modules/gitea
     ../../modules/home-assistant
     ../../modules/matrix
+    ../../modules/sops
   ];
 
   # Use the systemd-boot EFI boot loader.

modules/matrix/default.nix

@@ -22,7 +22,6 @@
       enable_registration = false;
       database_type = "psycopg2";
       database_args = { database = "matrix"; };
-
       listeners = [{
         port = 8008;
         type = "http";
@@ -33,6 +32,9 @@
           names = [ "client" "federation" ];
         }];
       }];
+      extraConfigFiles = [
+        config.sops.secrets.matrix_registration_secret.path
+      ];
 
       account_threepid_delegates = {
         email = "https://vector.im";
@@ -40,4 +42,8 @@
       };
     };
   };
+
+  sops.secrets.matrix_registration_secret = { 
+    owner = "matrix-synapse";
+  };
 }

modules/sops/default.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+let
+  sources = import ../../nix/sources.nix;
+in
+{
+  imports = [ "${sources.sops-nix}/modules/sops" ];
+  sops.defaultSopsFile = ../../secrets/secrets.yaml;
+}

secrets/secrets.yaml

@@ -1,4 +1,4 @@
-testing: ENC[AES256_GCM,data:L7u7KRH74FPLtYi/,iv:yloHuSqAbxz95L3Bpye8VRJFR87dVGMkArTBj5GFVtA=,tag:pKbC5EsdBM4zqrUwzb0abA==,type:str]
+matrix_registration_secret: ENC[AES256_GCM,data:QPLarOeOr5Il2Q8I5RB8VWHwM/H0f7McV7du50WPe9HGRVYla2jbWNtWTTrDGQndso7YimQl8qNA4w9AYPpbcwX36JYGhWkWZFcEg3XAeNHcSJ1Z5BgCTOPvdn4=,iv:lYXyERKhmX2sww56gyZR2JVSvpVv+Y4yWqnRufZsN98=,tag:hTg4T/nzjKwfGV/kHjKTdg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +23,8 @@ sops:
             QXJkUkFMS1ZCcXl1ZCsvUmdqeVVvc0EK9xP+VkSN61gLwMwwlOFCpLsfL6Jzk7CB
             5LfW5lsyWCMqnw00W52h177kHZdf/nLmnoLDz2jZ7hPXiDpS7G9MrA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2021-11-12T04:16:10Z"
+    lastmodified: "2021-11-14T19:03:58Z"
-    mac: ENC[AES256_GCM,data:o4Pbvl/ry70zqKZnQ95I0zff/8Vzz1g+5i5PrrClmAlrq4OKiXKhmAyriMSknYzcBA4JnHqjfyHWzB7VpIPCAfiT5jmSjQgMaixVkFvtjDKNtuVXP9ECSY1sb3EeKBnlkR4Ev9aodkoJGxeaiTChadadkG09M6pjSwwyn6r1yNM=,iv:6GjWlgSHRDqwqeAI2J8IgGFo7/cTwKLcxz2h8tj+iYY=,tag:T3W+cvDk0t3G/c/mkcqoyw==,type:str]
+    mac: ENC[AES256_GCM,data:H+rHU+hAt/zGbIq5unUVKnYnHJgRfekGADokELgPdUppmIS1aIOSk+Y+sJG6v3xPeLeys+gD1KkAH0nbPpuU5R3b2JSTGxQmSe37gWSKksZ8yNmqN3vI74nUfoI6IJlPfUfe7RhPLpEihfKJOIs5k47jyjYXH1VKoi6/v5UpL3M=,iv:vnkHmekuvRI1LAgzGxAfbM5eMDBajLOB8PP74LDbGyE=,tag:+GrWMOYQ0+MVqiSraQxoqA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.1