From ad039a84d4b40f8ae54ba34afee16557f645d037 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Sun, 25 May 2025 11:34:55 +0200
Subject: [PATCH] Added matrix registration password

---
 secrets/default.nix | 1 +
 secrets/matrix-registration.age | 11 +++++++++++
 secrets/secrets.nix | 1 +
 system/server/matrix.nix | 20 ++++++++++----------
 4 files changed, 23 insertions(+), 10 deletions(-)
 create mode 100644 secrets/matrix-registration.age

diff --git a/secrets/default.nix b/secrets/default.nix
index 396c462..352d01c 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -13,5 +13,6 @@
 };
 password.file = ./password.age;
 matrix-priv.file = ./matrix-priv.age;
+ matrix-registration.file = ./matrix-registration.age;
 };
}
diff --git a/secrets/matrix-registration.age b/secrets/matrix-registration.age
new file mode 100644
index 0000000..4ab6638
--- /dev/null
+++ b/secrets/matrix-registration.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 WCPLrA XGZXUAx6d4swnmjGCMKtUnTmyyjUlHJwWweJLACKXHw
+O7tDm8+1DJlEg2dmjiwZmBoirEK71I2GMA5JbkF3c14
+-> ssh-ed25519 7/ziYw qWvGzM3dxCa31M4qp3VUHfYuoALGYC0nBCbYRlU/XBA
+o+4UqGeenrH+dkWglWIY95aInDq/zybiJZzv3Qhoevk
+-> ssh-ed25519 GQzYWA UbICRYTkeCqHM6Qzl50xBSlCgEl1BvMCSqAjusjfowQ
+raXFAddeBL4AhViLzGxviy6kd9F6U4QlMI2SABuEQ08
+-> ssh-ed25519 MfR7VA tIIPAbmPo1e9SH5gWhQQn5fqEgDlLDmZUBVkWVsvAVY
+D03pcUpy06ptfRRG1PfaqMQLuxEGQN/AGdmjVFop8Ko
+--- UQs52nFPmuzoQ8C++6tSE5ib+YQ1ap57ZrrzDeTxSL4
+¯Ì zí ¹\0äãŒ9¹u´T¡$ö±/˜?“3€ ½~Ô!iL]¢£å§{SXgÀ;7â½8аnRâÖšØa2¸ÐÈ0W!@? ´E\¤ùZ[
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0cee580..44b1b68 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,4 +11,5 @@ in {
 "password.age".publicKeys = systems;
 "dcbot.age".publicKeys = systems;
 "matrix-priv.age".publicKeys = systems;
+ "matrix-registration.age".publicKeys = systems;
 }
diff --git a/system/server/matrix.nix b/system/server/matrix.nix
index 620cf18..3189d2a 100644
--- a/system/server/matrix.nix
+++ b/system/server/matrix.nix
@@ -15,13 +15,20 @@ in {
 dendrite = {
 enable = true;
 httpPort = 9003;
+ loadCredential = [
+ # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
+ "matrix-server-key:${config.age.secrets.matrix-priv.path}"
+ ];
+ environmentFile = config.age.secrets.matrix-registration.path; # Contains: `REGISTRATION_SHARED_SECRET=verysecretpassword`
+ # openRegistration = true;
+
 settings = {
 global = {
+ inherit database;
 server_name = "matrix.jsw.tf";
 private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; #nix shell nixpkgs#dendrite; generate-keys --private-key matrix_key.pem
 };
-
- global.database = database;
+ client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
 app_service_api.database = database;
 federation_api.database = database;
 key_server.database = database;
@@ -52,13 +59,6 @@ in {
 reverse_proxy /_matrix/* localhost:9003
 '';
 };
-
- systemd.services.dendrite = {
- serviceConfig.LoadCredential = [
- # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
- "matrix-server-key:${config.age.secrets.matrix-priv.path}"
- ];
- after = ["postgresql.service"];
- };
+ systemd.services.dendrite.after = ["postgresql.service"];
 };
}
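Review bot: `client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"` in the first hunk is a plain string at the Nix level and only becomes the real secret if the dendrite module expands variables from `environmentFile` into the rendered config at service start, so add a comment on that line such as `# placeholder; the NixOS dendrite module expands it from environmentFile at start-up — never inline the value here` to keep a later reader from "fixing" it into a literal in the world-readable store. The commented-out `# openRegistration = true;` just above the shared-secret setup is ambiguous — either drop it or say why it is kept, since turning it on would let anyone register while the shared secret is evidently meant to be the only registration path. The key-generation instruction now appears twice within a few lines (the `nix-shell -p dendrite ...` comment on `loadCredential` and the `#nix shell nixpkgs#dendrite; ...` comment on `private_key`) with different output paths; keep one. Separately, the secrets.nix hunk encrypts the new secret to the whole `systems` key set like the other secrets; if that set holds hosts other than the matrix server, each of them can decrypt the registration secret, so scoping it to this host would be tighter.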