From a8dd82d05f225bb5c1b3cf446a4e0af681a4b4ab Mon Sep 17 00:00:00 2001
From: yukkop
Date: Wed, 27 May 2026 12:41:51 +0000
Subject: [PATCH] feat: `matrix-cluster`: shared users
---
 nixos/module/generic/matrix-cluster-users.nix | 48 +++++++++++++++++++
 .../bfs.poland.xray/bfs.poland.xray.nix | 1 +
 nixos/system/hectic-lab/hectic-lab.nix | 32 +------------
 sus/hectic-lab.yaml | 20 +-------
 sus/matrix-cluster.yaml | 17 ++++++-
 5 files changed, 67 insertions(+), 51 deletions(-)
 create mode 100644 nixos/module/generic/matrix-cluster-users.nix
diff --git a/nixos/module/generic/matrix-cluster-users.nix b/nixos/module/generic/matrix-cluster-users.nix
new file mode 100644
index 0000000..0e3201f
--- /dev/null
+++ b/nixos/module/generic/matrix-cluster-users.nix
@@ -0,0 +1,48 @@
+{
+ inputs,
+ flake,
+ self,
+}: {
+ config,
+ ...
+}: {
+ hectic.generic.matrix-cluster.users = {
+ yukkop = {
+ passwordFile = config.sops.secrets."matrix/users/yukkop/password".path;
+ admin = true;
+ };
+ liquiz = {
+ passwordFile = config.sops.secrets."matrix/users/liquiz/password".path;
+ };
+ vismajor = {
+ passwordFile = config.sops.secrets."matrix/users/vismajor/password".path;
+ };
+ lvgkcfjl = {
+ passwordFile = config.sops.secrets."matrix/users/lvgkcfjl/password".path;
+ };
+ };
+
+ sops.secrets."matrix/users/yukkop/password" = {
+ key = "matrix/users/yukkop/password";
+ owner = "matrix-synapse";
+ sopsFile = "${flake}/sus/matrix-cluster.yaml";
+ };
+
+ sops.secrets."matrix/users/liquiz/password" = {
+ key = "matrix/users/liquiz/password";
+ owner = "matrix-synapse";
+ sopsFile = "${flake}/sus/matrix-cluster.yaml";
+ };
+
+ sops.secrets."matrix/users/vismajor/password" = {
+ key = "matrix/users/vismajor/password";
+ owner = "matrix-synapse";
+ sopsFile = "${flake}/sus/matrix-cluster.yaml";
+ };
+
+ sops.secrets."matrix/users/lvgkcfjl/password" = {
+ key = "matrix/users/lvgkcfjl/password";
+ owner = "matrix-synapse";
+ sopsFile = "${flake}/sus/matrix-cluster.yaml";
+ };
+}
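Review bot: The four `sops.secrets."matrix/users/…/password"` blocks repeat the account list of `hectic.generic.matrix-cluster.users` by hand, and the secrets file in this same patch already differs from both: `sus/matrix-cluster.yaml` gains `snuff` and `MrAlex0O` entries that nothing in this module declares. Deriving the user set and the secret declarations from one attribute set would keep an account from being added or removed in only one place, and would leave a single list to audit when checking which credentials a host receives. The sketch below uses only `builtins`, so the module arguments stay as they are. None of the entries sets `mode`, unlike the neighbouring secret in hectic-lab.nix that pins `mode = "0400"`; if the sops-nix default is being relied on, a short comment saying so would help.

```nix
# … unchanged: outer { inputs, flake, self } and module { config, ... } argument sets …
}: let
  # One entry per shared account; extra attributes (e.g. admin) pass through.
  users = {
    yukkop = {admin = true;};
    liquiz = {};
    vismajor = {};
    lvgkcfjl = {};
  };
  secretName = name: "matrix/users/${name}/password";
in {
  hectic.generic.matrix-cluster.users =
    builtins.mapAttrs (name: extra:
      extra // {passwordFile = config.sops.secrets.${secretName name}.path;})
    users;

  sops.secrets = builtins.listToAttrs (map (name: {
      name = secretName name;
      value = {
        key = secretName name;
        owner = "matrix-synapse";
        sopsFile = "${flake}/sus/matrix-cluster.yaml";
      };
    })
    (builtins.attrNames users));
}
```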
diff --git a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix index 10e1f6b..c0e3dc4 100644 --- a/nixos/system/bfs.poland.xray/bfs.poland.xray.nix +++ b/nixos/system/bfs.poland.xray/bfs.poland.xray.nix @@ -22,6 +22,7 @@ in { imports = [ self.nixosModules.xray-system self.nixosModules.matrix-cluster + self.nixosModules.matrix-cluster-users ]; hectic.generic.xray-system = { diff --git a/nixos/system/hectic-lab/hectic-lab.nix b/nixos/system/hectic-lab/hectic-lab.nix index c6c125a..0742270 100644 --- a/nixos/system/hectic-lab/hectic-lab.nix +++ b/nixos/system/hectic-lab/hectic-lab.nix @@ -25,6 +25,7 @@ in { self.nixosModules.hectic self.nixosModules.matrix-cluster inputs.sops-nix.nixosModules.sops + self.nixosModules.matrix-cluster-users self.nixosModules."shadowsocks-rust" # NOTE(nrv): impl self.nixosModules."shadowsocks" # NOTE(nrv): usage/instance @@ -69,21 +70,6 @@ in { secretsFile = config.sops.secrets."matrix/secrets".path; turnSecretFile = config.sops.secrets."matrix/turn-secret".path; publicIp = "128.140.75.58"; - users = { - yukkop = { - passwordFile = config.sops.secrets."matrix/users/yukkop/password".path; - admin = true; - }; - liquiz = { - passwordFile = config.sops.secrets."matrix/users/liquiz/password".path; - }; - vismajor = { - passwordFile = config.sops.secrets."matrix/users/vismajor/password".path; - }; - lvgkcfjl = { - passwordFile = config.sops.secrets."matrix/users/lvgkcfjl/password".path; - }; - }; objectStorage.s3 = { bucket = "matrix-hectic-lab"; regionName = "hel1"; 
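Review bot: Adding `self.nixosModules.matrix-cluster-users` to the `imports` list of bfs.poland.xray.nix places every shared account's password secret, including the `admin = true` one for `yukkop`, on this host as well as on hectic-lab, so a compromise of either machine exposes the same credentials. If that is the intent, a comment on the import line would record it, e.g. `# shares Matrix account secrets (incl. admin) with hectic-lab`. This `imports` list also contains no sops-nix module, whereas hectic-lab.nix lists `inputs.sops-nix.nixosModules.sops` explicitly; since the new module sets `sops.secrets.*`, confirm that this host gets the sops options from elsewhere (possibly through `matrix-cluster`, which is not visible here).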
@@ -193,22 +179,6 @@ in {
 mode = "0400";
 sopsFile = "${flake}/sus/matrix-cluster.yaml";
 };
- sops.secrets."matrix/users/yukkop/password" = {
- key = "matrix/users/yukkop/password";
- owner = "matrix-synapse";
- };
- sops.secrets."matrix/users/liquiz/password" = {
- key = "matrix/users/liquiz/password";
- owner = "matrix-synapse";
- };
- sops.secrets."matrix/users/vismajor/password" = {
- key = "matrix/users/vismajor/password";
- owner = "matrix-synapse";
- };
- sops.secrets."matrix/users/lvgkcfjl/password" = {
- key = "matrix/users/lvgkcfjl/password";
- owner = "matrix-synapse";
- };
 sops.secrets."matrix/object-storage/credentials" = {
 key = "matrix/object-storage/credentials";
 owner = "matrix-synapse";
diff --git a/sus/hectic-lab.yaml b/sus/hectic-lab.yaml
index a022cc4..6834a72 100644
--- a/sus/hectic-lab.yaml
+++ b/sus/hectic-lab.yaml
@@ -14,22 +14,6 @@ mailserver: lvgkcfjl: hashedPassword: ENC[AES256_GCM,data:Nm1ijH8DU+HdeN5fOjAsf1Y0jEubiIbBq6NMJsxeMqFNBt6dU1IN9e99Y/7X6xh55JN2e8H1cUohgT7lWTywTOAtjAbOz5SHHQ==,iv:PVormkYkIIV39rjoODcZFtNBUWbO/yeiJWhwusGTnrE=,tag:96Xab0zoZtGkiIigq8Weyg==,type:str] init-postgresql: ENC[AES256_GCM,data:Iw8M2P1QoqPVaEdM8Zo0qlHrYgop0iknDY4NtgDo,iv:RWj9AFnh4/KWCm3UH4RoCdM2lzsXGY7A7qko8xCxjp8=,tag:l8acSq8+NBXB4L1rVzG6kw==,type:str] -matrix: - object-storage: - credentials: ENC[AES256_GCM,data:n2sDhGMR8y0in9pdn4zNEQBC5dqk+4JwbuJgEeQxyjn8bL9GebFBaqeE+frvPAGXj/DgpU6lFlFPgaGTWaMZAEEVpXyFeOdODpgW049q83ug5e4j/mbZgFM36XoItw==,iv:MW9H0zASdrY7SX1XM/jfoBihBYX0Fmlew4f71AvvV6Y=,tag:cAiOKUtOeTnczudps8YgQw==,type:str] - secrets: ENC[AES256_GCM,data:ivXp2YSiMI4hgL6122Ex+fGW0lsZvGD6XmiRvNgFgvzLH5yDv9uLsYcGCTYfQSL3X5VyIMGvsdRF+4pbIjBZMuQKrjvXv74E7aFBLQ2Qk98N3IIrznUFR3KXbHR6xXy5ILd7Bmw5JI/ZHULbmITahXUBt2kEJvfh4eAtqShNA4vsJrabHX9A8Q+2Ddp16w0cWftV5++WXzlNpvIc2Py6BwvfroNAjpSaO+ILYDOIL7XjPvF83fTt64pxZ9nsi3hCzcDtBgGkqc8=,iv:wvt9V2uYQUwivSwEIYZwcHjXr5WwMw19lgFDIa1CcVw=,tag:/22UZvp7+1hLbt+kV+wokQ==,type:str] - users: - yukkop: - password: ENC[AES256_GCM,data:2JUc8U87HVrJIDc9j2InZKgTRQBP,iv:0tuM7TFENbiVi7aM0nTgvRJrK0vGLewsmWJz2MUi62g=,tag:RL61PCXzQFLObBwXthpk5Q==,type:str] - liquiz: - password: ENC[AES256_GCM,data:6y3eFrfAZ88=,iv:yEIr1Oq4x3jnWcymHwrLDioKqapzaiOfNPvkgiNIOiw=,tag:CJ3gWTRpQtEEaMkYUOb8Mg==,type:str] - lvgkcfjl: - password: ENC[AES256_GCM,data:heZSXKj9MCQcY7wH,iv:PdIo3PhXTiGt8JiwafxQA7ysjJ3MJ0hrgCMO+sCs4Oo=,tag:iQYP6r44F3J+xEkam7Zjiw==,type:str] - vismajor: - password: ENC[AES256_GCM,data:drD8JaqQ5tg=,iv:LnDMbaPRTxOBtqN7ZbWXd6FcSWJQ808Vv7Zxugozn8g=,tag:t6w4TPkYphF+wSbAKzHUIw==,type:str] - snuff: - password: ENC[AES256_GCM,data:DG+35VxkuCfmz4UxF70YI+E+TJTD,iv:1pdXLohOKVsmGrwLdg0p9wncCUnaJYQIPdGtJaG1Wsc=,tag:2Aa8zjSMiDfYW3Kh7/5Jrg==,type:str] - turn-secret: 
ENC[AES256_GCM,data:2RerKgYNFXEVM/YVmXt2l+t3BqduS+FlmjBWTA==,iv:6odb0HB9mntsceNaJtU2kwEVAiF0O88u47eDPLZVJbs=,tag:BJXAvK8abcnCLi96Kra5zA==,type:str] wg-bfs: private-key: ENC[AES256_GCM,data:/J02asiesrQcsO7Xbq66HQIQeSPmFEMkM2q/z+9Y42K8SYEQP0OYQz+8fXI=,iv:PdGhPWgGxhe0a7C6CaVM/ePKABT+y8HRFOAPzNwQk+c=,tag:9AI30JFh6uyaXXVjMBJ1zg==,type:str] ss-bfs: @@ -91,7 +75,7 @@ sops: Yk43ZmlTc09aNFV1VjdjN2RWQlFWTDQKcYSvA2lHP8GS0lkYY19Tm8RXmFHQX5Ck qV2Fn22Fic4M5FVKDEMfaO6WmeXgki9a8dGeO9LlC+Phf16SOq7eLw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-25T20:54:48Z" - mac: ENC[AES256_GCM,data:fb6JjwTKbXayFOmLF/QaKiYHK1gnYK7E6y7OGARzfpwh9nV28n/aydgQiJ1+aS+88QgRbXbHdGH8GGeqKzApA1TczomYnm/BRA+gUsLIKGDbsamArtY8BqTC9ZEwVXK/izcwURWbTabJYA9FsK+ggYskwNOJmrukh5mhtKVmeUo=,iv:INodLtYp54Bm4YdGhJbrqaXMb90CyAG/8aHs3iIFXzY=,tag:jKMl0a9ZdmIh/ayvEvLNsw==,type:str] + lastmodified: "2026-05-27T12:36:35Z" + mac: ENC[AES256_GCM,data:dqVqDqMRJFVhT78mO8q+X+Mf4TUqxY4ApOdkMAF9bvyvPAPW7kxbKEvn9H5LBDev9CNxfNF9siqaa7aEdATM6ylhrcWPdzPN04LorojdMNRQy/WFQ0rB1Lz1RrIvwltQD5K8RSPFCWWtF8rhqVTGdFafwCWpdmuKTx0HEPNXsPY=,iv:cWHx326j4aycz17N+q2NNqq0VwfeupmOiPdAtZRz7ws=,tag:LOKuvivMogAGQoVlSTu/vg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/sus/matrix-cluster.yaml b/sus/matrix-cluster.yaml index a93160d..9c6309e 100644 --- a/sus/matrix-cluster.yaml +++ b/sus/matrix-cluster.yaml 
@@ -7,6 +7,19 @@ matrix: turn-secret: ENC[AES256_GCM,data:9nSIeoGrCTGNoOoZ6VeqQXTqcAL24QfPfrN86A==,iv:RQmHtbjonlTNl/Bl5TcokIGHzFp7uNDvTZVqgsgDaIE=,tag:m3It9uTAox9uOqZvgh5ygQ==,type:str] porkbun-api-key: ENC[AES256_GCM,data:OrzR0Haf1cjA18XHmMjpDeigF5AnqXencUUpaM+t0G7JoMvA41bPGy5Risp0TTraHAovzECX39Gx6n5qXlOToFZQmJ8=,iv:v9B62LDTwhV7UyhvYCUjbFRXLdyQW4v36boksh670B8=,tag:X77/yeRdWEMbBFQQvw0++Q==,type:str] porkbun-secret-api-key: ENC[AES256_GCM,data:LC4TZZBAhwyRbKLbMwc7pI5oSrfDg2RWkAUjpFyLDgp+zFhWv4+3R1Gfs5S+aqkuLP5l29H6dhSxN1A5rBBL1aLLr6A=,iv:67VAYUZJanK+X/DvEWcjANcEWuho1Gfu5wn4k8dFqdE=,tag:9VTAo1/ITcCJ3gPgQNVtcQ==,type:str] + users: + yukkop: + password: ENC[AES256_GCM,data:bVz5EUSp70NOTAwYEW8Smx2EI+zV,iv:bgnX7sI7Lx2rRHDfe5k/xOIZgHmY9V4fpV5AlL6+C9A=,tag:mqZe5n7DakXmuRu6iEG91w==,type:str] + liquiz: + password: ENC[AES256_GCM,data:nLWVQ3g3Ghc=,iv:cuHF19mO2Xp/Iqh6Mm6Atuc+XgVj1adwY3/o9pPXF0o=,tag:WImTMZUABQaq3ZXseBQHxA==,type:str] + lvgkcfjl: + password: ENC[AES256_GCM,data:E27NQ5wnmpxpJlo0,iv:19O8cYj2Z4ILzuJWjBlqrTBPNFLhSxwpSawH3vQc1Tw=,tag:WqiMlxn3Sas55BTUknk0nA==,type:str] + vismajor: + password: ENC[AES256_GCM,data:AOAxZgY6mmw=,iv:RCEqeI/jL1n9oGREFR3zUTcQRQuupqMsoTVxBWaMvf0=,tag:tYv4X1iXkol3I2Qr0oaY5g==,type:str] + snuff: + password: ENC[AES256_GCM,data:gM2BV4xD2lZ860c7VSYRlcgFIwyD,iv:pMb0dzCfYcsrx4ReeI4/4jsCoUj+BKucP9eOFag+vWI=,tag:dPVvXIWOqPi0yAxjmaPE8g==,type:str] + MrAlex0O: + password: ENC[AES256_GCM,data:aq6wYy1OxXPmHVdE926Q79pARzwaKX1ieE0=,iv:vNV0Gm2DlgLuZpEDm1q4+iltNJOtRechdaXUNfDrfpc=,tag:bECr7NWnOEv7DgZ7OIQMcg==,type:str] sops: age: - recipient: age1x04u7ftjgx8de2gq596e7frauze764cmn7jjwqnx8szthvfft5qq0tezx6 
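Review bot: The `users:` passwords added under `matrix:` look like the values removed from sus/hectic-lab.yaml carried over unchanged (each ciphertext has the same length as its removed counterpart), so they are moved rather than rotated. They become readable by every recipient of this file, while the old copies stay decryptable from history by the recipients of the other file; if the two recipient sets differ, rotating the passwords as part of the move would close that gap. sops does not pad values, so the length of each password is visible in the committed ciphertext, which is a reason to use long generated values for these accounts.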
@@ -72,7 +85,7 @@ sops: cGtrUDRlUUliSVVjU1o4VUVMOE0ySFEKnjBAqifgYnaJ6LPWzDcopqQxUJ0d9vhe F2fIVq8LmO0Nuu7JMhJAvTJgkEyVUAQVTTAtrnhUf2RmILOb72BTKQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-25T07:23:06Z" - mac: ENC[AES256_GCM,data:/zbRiKcGwwUwErqDinNAq6/BZIhGMQEa0M39TEJsTvLn4JPW3T0oKlPiEviARRbdICRYYm2ad6pZm3HUmcjUgvPsMxQW7d8DutaowrRdbTryWZQv5S8zptlsA/gOVJxB7t1Xp4Hq1qPIrbmOuu6mBK/3vsiunN+FitMti775NVk=,iv:ngEXIDROEVssf8PuIsLMctcaqbzNCuMynqYNo449tyI=,tag:Gg3CXvZ5jERiUSxj9ThDmg==,type:str] + lastmodified: "2026-05-27T12:39:42Z" + mac: ENC[AES256_GCM,data:CkFer6IhVGIER25iO/WYMBvmsjtsV0K5c0zT/iZKrkeMBY+k8mHdZe/5eMpvx11Wl1kIL+o1oxUf+/VDw1q+gkXCrDIAhqyAVe6szYVpU04X0sYmSiZvFVtiAGDblOw2SrCIP7XATwBYFsPqBULhpnajMOTnRAUnuWxPLAdRuxM=,iv:VY1AGatQ1TnbypEpw/lx/C3bQbpqRqzYG6NYQMSOYPE=,tag:3Iy/3RHoRegUhlHzrlcrVQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2