[matrix] Moves secrets into sops

2025-06-24 14:29:08 -07:00
parent 286701ba83
commit 514746686f
2 changed files with 40 additions and 16 deletions
--- a/system/hosts/mcp/containers/synapse.nix
+++ b/system/hosts/mcp/containers/synapse.nix
@@ -1,9 +1,29 @@
 { config, ... }:
-let inherit (import ./lib.nix config) hostRule havenisms;
+let
+  inherit (import ./lib.nix config) hostRule havenisms;
  syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
  wellKnownRule = "PathPrefix(`/.well-known`)";
 in
 {
+
+  sops.secrets = {
+    "matrix/syncv3/db-password" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+    "matrix/syncv3/secret" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+  };
+
+  sops.templates."matrix-sliding-sync.env".content = ''
+    SYNCV3_SERVER=http://synapse:8008
+    SYNCV3_DB=postgres://syncv3:${
+      config.sops.placeholder."matrix/syncv3/db-password"
+    }@db:5432/syncv3?sslmode=disable
+    SYNCV3_SECRET=${config.sops.placeholder."matrix/syncv3/secret"}
+    SYNCV3_BINDADDR=:8009
+  '';
+
  virtualisation.oci-containers.containers = {
    synapse = {
      image = "docker.io/matrixdotorg/synapse:latest";
@@ -23,30 +43,31 @@ in
        "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
      ];
    };
-    matrix_sliding_sync = {
+
+    matrix-sliding-sync = {
      image = "ghcr.io/matrix-org/sliding-sync:latest";
-      dependsOn = ["db"];
+      dependsOn = [
+        "db"
+        "synapse"
+      ];
      ports = [
        "8009:8009"
      ];
-      environment = {
-        SYNCV3_SERVER = "http://synapse:8008";
-        # TODO: Store password securely
-        SYNCV3_DB = "postgres://syncv3:TZKr3RNmVx@db:5432/syncv3?sslmode=disable";
-        # TODO: Store secret securely
-        SYNCV3_SECRET = "4917590296b90910ec31ba355af6c7731409fd5f284d24912b852c3f928fa162";
-        SYNCV3_BINDADDR = ":8009";
-      };
+      environmentFiles = [
+        config.sops.templates."matrix-sliding-sync.env".path
+      ];
      extraOptions = [
        "-l=traefik.enable=true"
        "-l=traefik.http.routers.syncv3.rule=${hostRule "chat" havenisms} && ${syncRule}"
        "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009"
      ];
    };
+
    # This server helps to serve the .well-known files that are required by clients to find the sync server.
-    matrix_well_known = {
+    matrix-well-known = {
      image = "nginx";
      ports = [ "80" ];
+      dependsOn = [ "synapse" ];
      volumes = [
        "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
      ];