refactor(nixos): bfs: some secrets
@@ -10,6 +10,7 @@
|
||||
...
|
||||
}: let
|
||||
xrayPort = 10086;
|
||||
matrixDomain = "accord.tube";
|
||||
in {
|
||||
# TODO:
|
||||
# white list
|
||||
@@ -28,6 +29,8 @@ in {
|
||||
|
||||
currentServer = {
|
||||
matrix = {
|
||||
secretsFile = config.sops.secrets."matrix/secrets".path;
|
||||
turnSecretFile = config.sops.secrets."matrix/turn-secret".path;
|
||||
postgresql = {
|
||||
port = 5432;
|
||||
initialEnvFile = config.sops.secrets."init-postgresql".path;
|
||||
@@ -87,8 +90,14 @@ in {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
defaultSopsFile = ../../../sus/bfs.xray.yaml;
|
||||
|
||||
secrets."config" = {};
|
||||
secrets."init-postgresql" = {};
|
||||
secrets."config" = {};
|
||||
secrets."init-postgresql" = {};
|
||||
secrets."matrix/secrets" = {};
|
||||
secrets."matrix/turn-secret" = {
|
||||
owner = "turnserver";
|
||||
group = "turnserver";
|
||||
mode = "0400";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
|
||||
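Review bot: `secrets."matrix/secrets" = {};` is declared with sops-nix defaults (root-owned, mode 0400), while the turn secret directly below sets `owner`/`group`/`mode`; if the synapse service runs under its own user, as the NixOS module normally does (typically `matrix-synapse`), the file handed to `extraConfigFiles` in a later hunk would be unreadable at service start. Consider mirroring the turn entry, e.g. `secrets."matrix/secrets" = { owner = "matrix-synapse"; mode = "0400"; };`, after confirming the actual service user. Both new keys (`matrix/secrets`, `matrix/turn-secret`) also have to exist under those paths in the existing `defaultSopsFile`, which this commit does not show. The enclosing `sops` attribute set appears to start before this hunk.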
@@ -2,33 +2,43 @@
|
||||
cfg = config.currentServer.matrix;
|
||||
in {
|
||||
options = {
|
||||
currentServer.matrix = {
|
||||
postgresql = {
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 5432;
|
||||
description = ''
|
||||
postgres port
|
||||
'';
|
||||
};
|
||||
initialEnvFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
path to env file with postgresql initial secrets
|
||||
|
||||
content:
|
||||
POSTGRESQL_PASSWORD=
|
||||
'';
|
||||
};
|
||||
};
|
||||
matrixDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
domain to matrix
|
||||
'';
|
||||
};
|
||||
currentServer.matrix = {
|
||||
secretsFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
path to env file with matrix secrets
|
||||
|
||||
content:
|
||||
registration_shared_secret:
|
||||
macroon_secret_key
|
||||
form_secret
|
||||
'';
|
||||
};
|
||||
postgresql = {
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 5432;
|
||||
description = ''
|
||||
postgres port
|
||||
'';
|
||||
};
|
||||
initialEnvFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
path to env file with postgresql initial secrets
|
||||
|
||||
content:
|
||||
POSTGRESQL_PASSWORD=
|
||||
'';
|
||||
};
|
||||
};
|
||||
matrixDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
domain to matrix
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
config = {
|
||||
services.matrix-synapse = {
|
||||
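Review bot: The new `secretsFile` option's description calls the file an `env file` and lists `macroon_secret_key`, but the file is consumed through synapse's `extraConfigFiles` (a YAML config fragment, per the next hunk) and the key synapse expects — as the removed line in that hunk shows — is `macaroon_secret_key`. Suggest `path to a YAML config fragment with matrix secrets` and listing the keys uniformly as `registration_shared_secret:`, `macaroon_secret_key:`, `form_secret:` so the option text matches the format the operator must actually produce. The `let` binding of `cfg` and the enclosing module function begin before this hunk.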
@@ -59,9 +69,9 @@ in {
|
||||
enable_registration = true;
|
||||
enable_registration_without_verification = true;
|
||||
|
||||
registration_shared_secret = "secret1";
|
||||
macaroon_secret_key = "secret2";
|
||||
form_secret = "secret3";
|
||||
extraConfigFiles = [
|
||||
cfg.secretsFile
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
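Review bot: Indentation is not visible on this page, so it is worth checking that `extraConfigFiles = [ cfg.secretsFile ];` sits at the `services.matrix-synapse` level rather than inside `settings` alongside the `enable_registration` keys it replaces; inside `settings` it would be emitted into homeserver.yaml as an unknown key instead of being loaded as an extra config file, and the secrets would silently not apply. The removed literals `"secret1"`–`"secret3"` remain in git history; if they were ever used on a live deployment rather than as placeholders, generate fresh values for the sops file rather than reusing them. The `services.matrix-synapse` attribute set starts before this hunk.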
@@ -2,12 +2,24 @@
|
||||
cfg = config.currentServer.matrix;
|
||||
shared_secret = "secret";
|
||||
in {
|
||||
options = {
|
||||
currentServer.matrix = {
|
||||
turnSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
path to env file with matrix secrets
|
||||
|
||||
just raw secret
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
config = {
|
||||
services.coturn = rec {
|
||||
enable = true;
|
||||
realm = cfg.matrixDomain;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret = shared_secret;
|
||||
static-auth-secret-file = cfg.turnSecretFile;
|
||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
listening-ips = ["188.137.254.58"];
|
||||
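Review bot: `static-auth-secret-file = cfg.turnSecretFile;` moves coturn's secret to a file, but the synapse side that must hold the same value, `turn_shared_secret`, is removed together with `shared_secret` in the last hunk and gets no replacement anywhere in this commit, and the `secretsFile` option's documented contents do not list it — unless it is supplied elsewhere, synapse will stop issuing usable TURN credentials. Either add `turn_shared_secret:` (same value as the turn secret) to the sops-managed synapse config fragment and mention it in the `secretsFile` description, or document where it now comes from. Separately, the `turnSecretFile` description reads `path to env file with matrix secrets` although the file is the raw coturn secret; `path to a file containing the raw static-auth-secret shared with synapse` would be accurate. The `let` block and enclosing module function begin before this hunk.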
@@ -35,7 +47,6 @@ in {
|
||||
"turn:${cfg.matrixDomain}:3478?transport=udp"
|
||||
"turn:${cfg.matrixDomain}:3478?transport=tcp"
|
||||
];
|
||||
turn_shared_secret = shared_secret;
|
||||
};
|
||||
};
|
||||
}
|
||||