[matrix] Moves secrets into sops

secrets/mcp.yaml

@@ -15,8 +15,11 @@ traefik:
     oauth2-client-secret: ENC[AES256_GCM,data:gV9/yBCqWPcNG/m7S0PRE3TduKzqRD1ii3RGGjNprQM=,iv:jmwBYWhPQJMZWHZine6Eb+7fdW44QOvkK52LQ6ISK4s=,tag:yNWRJ1IdPcxn6e0DXQe7Cw==,type:str]
     oauth2-plugin-secret: ENC[AES256_GCM,data:sArqwKHAdW35o5kD7DGfXSYCXFUXqvKQdoVnXutsNLw=,iv:qWf597QS3BqkVQkeAb99HbpDB0kUhdD+qKdpUPZEB0o=,tag:vXnb93npaklItWkMZ+/M9Q==,type:str]
 deploy-key:
-    terakoda.com: ENC[AES256_GCM,data:STOAUPihw2KfndKm/XV5evihrTy/TQrbtVh7EpEyVE6Z1FsJd3UljcjhTmp/Z3nSpq4LCiezmaxISTnQDIP/NzPfou309SLl2QvD7deFhurMsYbeWJw62RP0ClBfteBaVxeqlH/pksoE1cJaZFxv/KxXYYoxzCUzeXC31GQv6Mft+/FnA1rsVp2n0Ay73hMVjMY0ml2csybLOuuKyxEq3nImhLFvtr4jJhVmxnN2L+bs0a+GohjC98HwITJD2OsrJwSpW4cv2v1GqeJCr2om5SgplwvjkiHJrg/WLO8N6BuVDOy0yx9Vbf1cAwkzPd3gBeKd5po+baJwRFAXpB03KvG/w6Yz/4ewo4X78IhwtLvTl876e/i/7K17ILvc5JJrKe9lmEuNUaItRPWYypEHrkge/PXSAvPIqRnAEi3jfOfVXWygZPerS3hs7bBE/Lem1U7/MUcK+pfXnZDgbWVsRuFhZhxasFGa7cG+gBUZsHWbyXi2e/koFUqUTR0HU0q0zF1xw/8jthPPGoIJ/0tP,iv:99AI3rnNjt9XqXJHnQ3DAEFm90h465ymjNWEpsWvRnM=,tag:96dnIojTXXONozgYDFwcBA==,type:str]
-    dm.terakoda.com: ENC[AES256_GCM,data:WvRoASLJZF3IqFTJvZbn/+l9Jm16+K2kf7MefMpElmIZhpROaWxyPO5DyJaCqGsUZOaf9+ulOhhy+harmyE2VtKYAA6XDkMh1aBFMuBxwYYY4D6UW182RhSfqTYCFD8KulgSpBYFHhbhmc8U9Yfp1248ex35abwX5+Ck0jD7v57TsWv37o7KzECyPkx3hzMbDeUe3ivqq/t5VUzrwws4Ds6eI3ytk/FX4VsjdoBDkHoDMyaloI6ErpEQX48KIP+ljYaOte4rTIXiX4ftbW3NVZtf7EVUJ8qa0sWhfSfYhSk+C1SMw+2jeYnG2pDBW7g46wj3uyq5l6+Wg3o1per/3YCdaiQ86taShpLVzbTdpLer7TwCZwxGlLgPO+75d2i2hKLBQdj/YpRAOAiz4sBYpHFc2cR20E8NnIWNxPg1CPrTnfsiOQ+qhbvvmjHShz3sRmT4I0QXP8Yr2fm6bkDQj6dWdyf2UmiNOqhVeqvABxlZIAM/Yhb+83eOQWY77G+loXxeo3e5vLBHeXvdYRkk,iv:ysnpaSDWG+YuqV2QOt3W6CfU8C5cThd1MzDwqzadCbQ=,tag:X9fjM4LhZe2XwG0OxnyoSA==,type:str]
+    mcp: ENC[AES256_GCM,data:eQcX8xdz5qZ6nU8ISOvZo+ZtP4Z/ePd+/ZZReX1BKvTUqGQPPFxConbLMwFzvzpD6xAUbA1MLkcR/bT98QbNx6LJYlhbofuDUg2DI79RB0fcrAcj/wUV0YPhmgofUdYYDaimH5A2PSvtmKfB3CtKKuA5HNeLymoXeLEpFzbckkGhzPee/CHiUmxayogp6za6btsDJsiT8hdHbrzyD2S6fhMJrzX+PlRzT32M/6eaFuFWE8EUO1gbkRlNfKPXw/EM2GXWJfR4qXfN2YKIKigqrtlAAoxnrUbp5EBrn/hGHS2ZYZXeRUFr3avFjcI0bLX423PWRHAylfQCPxgYVEtbcRv11CAFmq4rfFl0ZdvnAKbTLNmWcrQNijBATZPaAdQzgKPDHs8pwPUFR9Tcg8pZNbzw0mK9kPolniAOL2PBKUHv6LP/uEkB1E6Pxc7yms0kGpeJyo7hrFVOiVAckCey+SI9dpbJMSB3md070I1xk6Ik7PywrWh2QDeUtOU1U28UkYgnJ/9MJelWsNlUX9SR,iv:oCNeanaV/7UZ3dhmq4ZmJUZ5hb61AnHpHCfskM2Jsm8=,tag:F2uJKN5beM/rfiBMSyUP7w==,type:str]
+matrix:
+    syncv3:
+        db-password: ENC[AES256_GCM,data:N/IO0k/2BZpmaDTbKZmSgZNzmdk=,iv:p0jGjJ9mTCh5FPM/Oe1vxusYvlyg14UeggE5ynpDVL8=,tag:tZbddwxJf6wSH6L1QRUQVg==,type:str]
+        secret: ENC[AES256_GCM,data:KZjYxjUxGgkY1I5jGF7XMEhkHK+khDaQzxugoKxpLsROmVs722tFfbUAxhp71llam55gy9+eUWGxIPlmvOySlw==,iv:OoThGcT08Z11kpnAMQ7w59wj5JheNFGEk1jfFENsmy0=,tag:8EeKT7dh2/a52Amf6LsL1w==,type:str]
 sops:
     age:
         - recipient: age1yvdzvuvu5wqztcx6ll2xk6x547uuyqy735tjjdd7zftkz53jsf9qf5ahue
@@ -37,7 +40,7 @@ sops:
             by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
             vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-15T03:39:30Z"
-    mac: ENC[AES256_GCM,data:NM96EJZf1MauW3RPd9G3GiI3sA4K05VnfS9yakBaToecTMrWpAPZ278faqvU8VocRb4GvMVHvTONGJ2G8d3GHboq+E3MGMopZBkbbDTTuc5KSaL4yOJz9iHrC6BOwWbovFOBKFt708Qq1Y9Gep0feGfy9zYiIqd0Ltnc5X2QXXY=,iv:1qlIilZ4PmnYNXV5G8xifCL1ym4rJgfgjMADnN/cOEw=,tag:onA5AW9VdL5n1aUiHVHN9A==,type:str]
+    lastmodified: "2025-06-24T21:12:13Z"
+    mac: ENC[AES256_GCM,data:S3tI++pml5/g8JSOImfmfrpmY3KQWN5bccM9HilGSEN24RU5ZhUBWs4mjuhPQQfFvrq+OSOqQZbdChHuIPf00szwIVJ3tXivcavcofVtNU81mqpKB6CatEQdy1zzErZf2wPeJk6RCZY+6tumyf/sE+e3ruZnZvttNYGF1xk75H4=,iv:8EoDYkCTUCMKTRX8nNVuoSrzQ7mCQ0DFMJ7ayU+ysfA=,tag:SIhs57wJJqNxVAlKp1tiZQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

system/hosts/mcp/containers/public-homepage.nix

@@ -40,6 +40,12 @@ in
       host = terakoda;
       dir = "dist";
     }
-    // mkStaticSite { host = havenisms; }
-    // mkStaticSite { host = blazestar; };
+    // mkStaticSite {
+      host = blazestar;
+      dir = "dist";
+    }
+    // mkStaticSite {
+      host = havenisms;
+      dir = "public";
+    };
 }

system/hosts/mcp/containers/synapse.nix

@@ -1,9 +1,29 @@
 { config, ... }:
-let inherit (import ./lib.nix config) hostRule havenisms;
+let
+  inherit (import ./lib.nix config) hostRule havenisms;
   syncRule = "(PathPrefix(`/client/`) || PathPrefix(`/_matrix/client/unstable/org.matrix.msc3575/sync`))";
   wellKnownRule = "PathPrefix(`/.well-known`)";
 in
 {
+
+  sops.secrets = {
+    "matrix/syncv3/db-password" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+    "matrix/syncv3/secret" = {
+      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+    };
+  };
+
+  sops.templates."matrix-sliding-sync.env".content = ''
+    SYNCV3_SERVER=http://synapse:8008
+    SYNCV3_DB=postgres://syncv3:${
+      config.sops.placeholder."matrix/syncv3/db-password"
+    }@db:5432/syncv3?sslmode=disable
+    SYNCV3_SECRET=${config.sops.placeholder."matrix/syncv3/secret"}
+    SYNCV3_BINDADDR=:8009
+  '';
+
   virtualisation.oci-containers.containers = {
     synapse = {
       image = "docker.io/matrixdotorg/synapse:latest";
@@ -23,30 +43,31 @@ in
         "-l=traefik.http.services.synapse.loadbalancer.server.port=8008"
       ];
     };
-    matrix_sliding_sync = {
+
+    matrix-sliding-sync = {
       image = "ghcr.io/matrix-org/sliding-sync:latest";
-      dependsOn = ["db"];
+      dependsOn = [
+        "db"
+        "synapse"
+      ];
       ports = [
         "8009:8009"
       ];
-      environment = {
-        SYNCV3_SERVER = "http://synapse:8008";
-        # TODO: Store password securely
-        SYNCV3_DB = "postgres://syncv3:TZKr3RNmVx@db:5432/syncv3?sslmode=disable";
-        # TODO: Store secret securely
-        SYNCV3_SECRET = "4917590296b90910ec31ba355af6c7731409fd5f284d24912b852c3f928fa162";
-        SYNCV3_BINDADDR = ":8009";
-      };
+      environmentFiles = [
+        config.sops.templates."matrix-sliding-sync.env".path
+      ];
       extraOptions = [
         "-l=traefik.enable=true"
         "-l=traefik.http.routers.syncv3.rule=${hostRule "chat" havenisms} && ${syncRule}"
         "-l=traefik.http.services.syncv3.loadbalancer.server.port=8009"
       ];
     };
+
     # This server helps to serve the .well-known files that are required by clients to find the sync server.
-    matrix_well_known = {
+    matrix-well-known = {
       image = "nginx";
       ports = [ "80" ];
+      dependsOn = [ "synapse" ];
       volumes = [
         "/tank/config/synapse/static-files:/usr/share/nginx/html:ro"
       ];

system/hosts/mcp/static-site-hooks.nix

@@ -19,7 +19,7 @@ let
         pwd
 
         export GIT_SSH_COMMAND='ssh -v -o "UserKnownHostsFile ${gitKnownHosts}" -i "${
-          config.sops.secrets."deploy-key/terakoda.com".path
+          config.sops.secrets."deploy-key/mcp".path
         }"'
 
         # Disable astro telemetry otherwise it will try to write to `~/.config/astro/config.json`
@@ -39,11 +39,7 @@ let
 in
 {
   sops.secrets = {
-    "deploy-key/terakoda.com" = {
-      restartUnits = [ "webhook.service" ];
-      owner = config.users.users.webhook.name;
-    };
-    "deploy-key/dm.terakoda.com" = {
+    "deploy-key/mcp" = {
       restartUnits = [ "webhook.service" ];
       owner = config.users.users.webhook.name;
     };
@@ -104,6 +100,15 @@ in
           trigger-rule-mismatch-http-response-code = 400;
           inherit trigger-rule;
         };
+        "deploy-blazestar-net" = {
+          id = "deploy-blazestar-net";
+          http-methods = [ "POST" ];
+          command-working-directory = "/tank/web/blazestar.net";
+          include-command-output-in-response-on-error = true;
+          execute-command = "${testHook}/bin/build-npm-app";
+          trigger-rule-mismatch-http-response-code = 400;
+          inherit trigger-rule;
+        };
       };
     };
 }