diff --git a/secrets/mcp.yaml b/secrets/mcp.yaml
index ad6d12d..0c24c96 100644
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -15,8 +15,11 @@ traefik:
 oauth2-client-secret: ENC[AES256_GCM,data:gV9/yBCqWPcNG/m7S0PRE3TduKzqRD1ii3RGGjNprQM=,iv:jmwBYWhPQJMZWHZine6Eb+7fdW44QOvkK52LQ6ISK4s=,tag:yNWRJ1IdPcxn6e0DXQe7Cw==,type:str]
 oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 deploy-key:
- terakoda.com: ENC[AES256_GCM,data:STOAUPihw2KfndKm/XV5evihrTy/TQrbtVh7EpEyVE6Z1FsJd3UljcjhTmp/Z3nSpq4LCiezmaxISTnQDIP/NzPfou309SLl2QvD7deFhurMsYbeWJw62RP0ClBfteBaVxeqlH/pksoE1cJaZFxv/KxXYYoxzCUzeXC31GQv6Mft+/FnA1rsVp2n0Ay73hMVjMY0ml2csybLOuuKyxEq3nImhLFvtr4jJhVmxnN2L+bs0a+GohjC98HwITJD2OsrJwSpW4cv2v1GqeJCr2om5SgplwvjkiHJrg/WLO8N6BuVDOy0yx9Vbf1cAwkzPd3gBeKd5po+baJwRFAXpB03KvG/w6Yz/4ewo4X78IhwtLvTl876e/i/7K17ILvc5JJrKe9lmEuNUaItRPWYypEHrkge/PXSAvPIqRnAEi3jfOfVXWygZPerS3hs7bBE/Lem1U7/MUcK+pfXnZDgbWVsRuFhZhxasFGa7cG+gBUZsHWbyXi2e/koFUqUTR0HU0q0zF1xw/8jthPPGoIJ/0tP,iv:99AI3rnNjt9XqXJHnQ3DAEFm90h465ymjNWEpsWvRnM=,tag:96dnIojTXXONozgYDFwcBA==,type:str]
- dm.terakoda.com: ENC[AES256_GCM,data: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,iv:ysnpaSDWG+YuqV2QOt3W6CfU8C5cThd1MzDwqzadCbQ=,tag:X9fjM4LhZe2XwG0OxnyoSA==,type:str]
+ mcp: ENC[AES256_GCM,data:eQcX8xdz5qZ6nU8ISOvZo+ZtP4Z/ePd+/ZZReX1BKvTUqGQPPFxConbLMwFzvzpD6xAUbA1MLkcR/bT98QbNx6LJYlhbofuDUg2DI79RB0fcrAcj/wUV0YPhmgofUdYYDaimH5A2PSvtmKfB3CtKKuA5HNeLymoXeLEpFzbckkGhzPee/CHiUmxayogp6za6btsDJsiT8hdHbrzyD2S6fhMJrzX+PlRzT32M/6eaFuFWE8EUO1gbkRlNfKPXw/EM2GXWJfR4qXfN2YKIKigqrtlAAoxnrUbp5EBrn/hGHS2ZYZXeRUFr3avFjcI0bLX423PWRHAylfQCPxgYVEtbcRv11CAFmq4rfFl0ZdvnAKbTLNmWcrQNijBATZPaAdQzgKPDHs8pwPUFR9Tcg8pZNbzw0mK9kPolniAOL2PBKUHv6LP/uEkB1E6Pxc7yms0kGpeJyo7hrFVOiVAckCey+SI9dpbJMSB3md070I1xk6Ik7PywrWh2QDeUtOU1U28UkYgnJ/9MJelWsNlUX9SR,iv:oCNeanaV/7UZ3dhmq4ZmJUZ5hb61AnHpHCfskM2Jsm8=,tag:F2uJKN5beM/rfiBMSyUP7w==,type:str]
+matrix:
+ syncv3:
+ db-password: 
ENC[AES256_GCM,data:N/IO0k/2BZpmaDTbKZmSgZNzmdk=,iv:p0jGjJ9mTCh5FPM/Oe1vxusYvlyg14UeggE5ynpDVL8=,tag:tZbddwxJf6wSH6L1QRUQVg==,type:str]
+ secret: ENC[AES256_GCM,data:KZjYxjUxGgkY1I5jGF7XMEhkHK+khDaQzxugoKxpLsROmVs722tFfbUAxhp71llam55gy9+eUWGxIPlmvOySlw==,iv:OoThGcT08Z11kpnAMQ7w59wj5JheNFGEk1jfFENsmy0=,tag:8EeKT7dh2/a52Amf6LsL1w==,type:str]
 sops:
 age:
 - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -37,7 +40,7 @@ sops:
 by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
 vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-15T03:39:30Z"
- mac: ENC[AES256_GCM,data:NM96EJZf1MauW3RPd9G3GiI3sA4K05VnfS9yakBaToecTMrWpAPZ278faqvU8VocRb4GvMVHvTONGJ2G8d3GHboq+E3MGMopZBkbbDTTuc5KSaL4yOJz9iHrC6BOwWbovFOBKFt708Qq1Y9Gep0feGfy9zYiIqd0Ltnc5X2QXXY=,iv:1qlIilZ4PmnYNXV5G8xifCL1ym4rJgfgjMADnN/cOEw=,tag:onA5AW9VdL5n1aUiHVHN9A==,type:str]
+ lastmodified: "2025-06-24T21:12:13Z"
+ mac: ENC[AES256_GCM,data:S3tI++pml5/g8JSOImfmfrpmY3KQWN5bccM9HilGSEN24RU5ZhUBWs4mjuhPQQfFvrq+OSOqQZbdChHuIPf00szwIVJ3tXivcavcofVtNU81mqpKB6CatEQdy1zzErZf2wPeJk6RCZY+6tumyf/sE+e3ruZnZvttNYGF1xk75H4=,iv:8EoDYkCTUCMKTRX8nNVuoSrzQ7mCQ0DFMJ7ayU+ysfA=,tag:SIhs57wJJqNxVAlKp1tiZQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2
diff --git a/system/hosts/mcp/containers/synapse.nix b/system/hosts/mcp/containers/synapse.nix
index 3677492..a0644b0 100644
--- a/system/hosts/mcp/containers/synapse.nix
+++ b/system/hosts/mcp/containers/synapse.nix
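Review bot: The new `matrix/syncv3/db-password` and `matrix/syncv3/secret` entries in this hunk replace credentials that the same commit removes from `synapse.nix` in plaintext (`TZKr3RNmVx` as the `syncv3` Postgres role password and the 64-hex `SYNCV3_SECRET`), and those values stay recoverable from git history regardless of how they are stored from now on. Unless the encrypted values are freshly generated — with the `syncv3` role's password changed in Postgres and sliding-sync brought up with a new `SYNCV3_SECRET` — the move to sops is cosmetic; the ciphertext cannot show which it is, so it is worth stating "credentials rotated" (or not) in the commit message. The hunk also drops the `terakoda.com` and `dm.terakoda.com` entries under `deploy-key` and adds `mcp`; if those keys are registered on a remote, deleting them from this file does not revoke them there, and that change looks unrelated to the sliding-sync secrets and would be clearer as its own commit.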
@@ -1,9 +1,29 @@
 { config, ... }:
-let inherit (import ./lib.nix config) hostRule havenisms;
+let
+ inherit (import ./lib.nix config) hostRule havenisms;
 syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
 wellKnownRule = "PathPrefix(`/.well-known`)";
 in
 {
+
+ sops.secrets = {
+ "matrix/syncv3/db-password" = {
+ restartUnits = [ "podman-matrix-sliding-sync.service" ];
+ };
+ "matrix/syncv3/secret" = {
+ restartUnits = [ "podman-matrix-sliding-sync.service" ];
+ };
+ };
+
+ sops.templates."matrix-sliding-sync.env".content = ''
+ SYNCV3_SERVER=http://synapse:8008
+ SYNCV3_DB=postgres://syncv3:${
+ config.sops.placeholder."matrix/syncv3/db-password"
+ }@db:5432/syncv3?sslmode=disable
+ SYNCV3_SECRET=${config.sops.placeholder."matrix/syncv3/secret"}
+ SYNCV3_BINDADDR=:8009
+ '';
+
 virtualisation.oci-containers.containers = {
 synapse = {
 image = "docker.io/matrixdotorg/synapse:latest";
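Review bot: The `SYNCV3_DB` line of the new template splices `config.sops.placeholder."matrix/syncv3/db-password"` unescaped into the userinfo part of a `postgres://` URL, so a password containing `@`, `/`, `:`, `?`, `#` or `%` would be parsed as host or query (or rejected by the URL parser) and the container would fail to start; the value it replaces was a short alphanumeric string, and a freshly generated secret may well not be. Either record the constraint where the secret is declared, `# must stay URL-safe: interpolated unescaped into SYNCV3_DB`, or switch to the libpq key/value form, `SYNCV3_DB=user=syncv3 password=${config.sops.placeholder."matrix/syncv3/db-password"} host=db port=5432 dbname=syncv3 sslmode=disable`, if sliding-sync's driver accepts it (not verified here). `sslmode=disable` is carried over from the old inline value and is presumably acceptable on the podman network, but a one-line comment saying so would stop it being copied to a networked database later.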
@@ -23,30 +43,31 @@ in
 "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
 ];
 };
- matrix_sliding_sync = {
+
+ matrix-sliding-sync = {
 image = "ghcr.io/matrix-org/sliding-sync:latest";
- dependsOn = ["db"];
+ dependsOn = [
+ "db"
+ "synapse"
+ ];
 ports = [ "8009:8009" ];
- environment = {
- SYNCV3_SERVER = "http://synapse:8008";
- # TODO: Store password securely
- SYNCV3_DB = "postgres://syncv3:TZKr3RNmVx@db:5432/syncv3?sslmode=disable";
- # TODO: Store secret securely
- SYNCV3_SECRET = "4917590296b90910ec31ba355af6c7731409fd5f284d24912b852c3f928fa162";
- SYNCV3_BINDADDR = ":8009";
- };
+ environmentFiles = [
+ config.sops.templates."matrix-sliding-sync.env".path
+ ];
 extraOptions = [
 "-l=traefik.enable=true"
 "-l=traefik.http.routers.syncv3.rule=${hostRule "chat" havenisms} && ${syncRule}"
 "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009"
 ];
 };
+ # This server helps to serve the .well-known files that are required by clients to find the sync server.
- matrix_well_known = {
+ matrix-well-known = {
 image = "nginx";
 ports = [ "80" ];
+ dependsOn = [ "synapse" ];
 volumes = [ "/tank/config/synapse/static-files:/usr/share/nginx/html:ro" ];