matrix-synapse: migrate to vars

2025-01-10 15:18:07 +01:00
parent 4c172fad77
commit 9b885f54af
4 changed files with 32 additions and 16 deletions
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -31,6 +31,8 @@
            clan.matrix-synapse.users.someuser = { };
            clan.core.facts.secretStore = "vm";
            clan.core.vars.settings.secretStore = "vm";
            clan.core.vars.settings.publicStore = "in_repo";
            # because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them.
            boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf";
@@ -41,21 +43,21 @@
                d.mode = "0700";
                z.mode = "0700";
              };
-              "/etc/secrets/synapse-registration_shared_secret" = {
+              "/etc/secrets/matrix-synapse/synapse-registration_shared_secret" = {
                f.argument = "supersecret";
                z = {
                  mode = "0400";
                  user = "root";
                };
              };
-              "/etc/secrets/matrix-password-admin" = {
+              "/etc/secrets/matrix-password-admin/matrix-password-admin" = {
                f.argument = "matrix-password1";
                z = {
                  mode = "0400";
                  user = "root";
                };
              };
-              "/etc/secrets/matrix-password-someuser" = {
+              "/etc/secrets/matrix-password-someuser/matrix-password-someuser" = {
                f.argument = "matrix-password2";
                z = {
                  mode = "0400";
--- a/clanModules/matrix-synapse/default.nix
+++ b/clanModules/matrix-synapse/default.nix
@@ -116,26 +116,28 @@ in
    };
    clan.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ];
-    clan.core.facts.services =
+    clan.core.vars.generators =
      {
        "matrix-synapse" = {
-          secret."synapse-registration_shared_secret" = { };
+          files."synapse-registration_shared_secret" = { };
-          generator.path = with pkgs; [
+          runtimeInputs = with pkgs; [
            coreutils
            pwgen
          ];
-          generator.script = ''
+          migrateFact = "matrix-synapse";
-            echo -n "$(pwgen -s 32 1)" > "$secrets"/synapse-registration_shared_secret
+          script = ''
            echo -n "$(pwgen -s 32 1)" > "$out"/synapse-registration_shared_secret
          '';
        };
      }
      // lib.mapAttrs' (
        name: user:
        lib.nameValuePair "matrix-password-${user.name}" {
-          secret."matrix-password-${user.name}" = { };
+          files."matrix-password-${user.name}" = { };
-          generator.path = with pkgs; [ xkcdpass ];
+          migrateFact = "matrix-password-${user.name}";
-          generator.script = ''
+          runtimeInputs = with pkgs; [ xkcdpass ];
-            xkcdpass -n 4 -d - > "$secrets"/${lib.escapeShellArg "matrix-password-${user.name}"}
+          script = ''
            xkcdpass -n 4 -d - > "$out"/${lib.escapeShellArg "matrix-password-${user.name}"}
          '';
        }
      ) cfg.users;
@@ -152,7 +154,7 @@ in
          + lib.concatMapStringsSep "\n" (user: ''
            # only create user if it doesn't exist
            /run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${
-              config.clan.core.facts.services."matrix-password-${user.name}".secret."matrix-password-${user.name}".path
+              config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path
            } --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"}
          '') (lib.attrValues cfg.users);
      in
@@ -161,7 +163,7 @@ in
        serviceConfig.ExecStartPre = lib.mkBefore [
          "+${pkgs.coreutils}/bin/install -o matrix-synapse -g matrix-synapse ${
            lib.escapeShellArg
-              config.clan.core.facts.services.matrix-synapse.secret."synapse-registration_shared_secret".path
+              config.clan.core.vars.generators.matrix-synapse.files."synapse-registration_shared_secret".path
          } /run/synapse-registration-shared-secret"
        ];
        serviceConfig.ExecStartPost = [
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -16,10 +16,9 @@ in
 {
  imports = [
    ./public/in_repo.nix
    # ./public/vm.nix
    ./secret/password-store.nix
    ./secret/sops
-    # ./secret/vm.nix
+    ./secret/vm.nix
  ];
  options.clan.core.vars = lib.mkOption {
    description = ''
--- a/nixosModules/clanCore/vars/secret/vm.nix
+++ b/nixosModules/clanCore/vars/secret/vm.nix
@@ -0,0 +1,13 @@
 {
  config,
  lib,
  ...
 }:
 {
  config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "vm") {
    fileModule = file: {
      path = "/etc/secrets/${file.config.generatorName}/${file.config.name}";
    };
    secretModule = "clan_cli.vars.secret_modules.vm";
  };
 }