From 9b885f54af8e462bf1db11b9a50e3060d2214bd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 10 Jan 2025 15:18:07 +0100 Subject: [PATCH] matrix-synapse: migrate to vars --- checks/matrix-synapse/default.nix | 8 +++++--- clanModules/matrix-synapse/default.nix | 24 +++++++++++++----------- nixosModules/clanCore/vars/default.nix | 3 +-- nixosModules/clanCore/vars/secret/vm.nix | 13 +++++++++++++ 4 files changed, 32 insertions(+), 16 deletions(-) create mode 100644 nixosModules/clanCore/vars/secret/vm.nix diff --git a/checks/matrix-synapse/default.nix b/checks/matrix-synapse/default.nix index 5a28efe3b..fb8ee4da1 100644 --- a/checks/matrix-synapse/default.nix +++ b/checks/matrix-synapse/default.nix @@ -31,6 +31,8 @@ clan.matrix-synapse.users.someuser = { }; clan.core.facts.secretStore = "vm"; + clan.core.vars.settings.secretStore = "vm"; + clan.core.vars.settings.publicStore = "in_repo"; # because we use systemd-tmpfiles to copy the secrets, we need to a separate systemd-tmpfiles call to provision them. boot.postBootCommands = "${config.systemd.package}/bin/systemd-tmpfiles --create /etc/tmpfiles.d/00-vmsecrets.conf"; @@ -41,21 +43,21 @@ d.mode = "0700"; z.mode = "0700"; }; - "/etc/secrets/synapse-registration_shared_secret" = { + "/etc/secrets/matrix-synapse/synapse-registration_shared_secret" = { f.argument = "supersecret"; z = { mode = "0400"; user = "root"; }; }; - "/etc/secrets/matrix-password-admin" = { + "/etc/secrets/matrix-password-admin/matrix-password-admin" = { f.argument = "matrix-password1"; z = { mode = "0400"; user = "root"; }; }; - "/etc/secrets/matrix-password-someuser" = { + "/etc/secrets/matrix-password-someuser/matrix-password-someuser" = { f.argument = "matrix-password2"; z = { mode = "0400"; diff --git a/clanModules/matrix-synapse/default.nix b/clanModules/matrix-synapse/default.nix index f20f88424..a29b413f6 100644 --- a/clanModules/matrix-synapse/default.nix +++ b/clanModules/matrix-synapse/default.nix 
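Review bot: The three rewritten tmpfiles keys hard-code the `/etc/secrets/<generator>/<file>` layout that the new vm secret store defines elsewhere in this commit, so the check and the module can drift independently. Deriving each key from the module, e.g. `"${config.clan.core.vars.generators.matrix-synapse.files."synapse-registration_shared_secret".path}" = {`, would keep the fixture tied to the real path (assuming `config` is in scope here, as the `boot.postBootCommands` line in the previous hunk suggests). The new per-generator parent directories get no `d` entry of their own in this hunk, so if tmpfiles creates them implicitly they run with whatever mode that gives them rather than the `0700` set on the top-level entry; acceptable for a test, but worth a comment if it is deliberate. The enclosing tmpfiles attribute set starts before and ends after this hunk.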
@@ -116,26 +116,28 @@ in }; clan.postgresql.databases.matrix-synapse.restore.stopOnRestore = [ "matrix-synapse" ]; - clan.core.facts.services = + clan.core.vars.generators = { "matrix-synapse" = { - secret."synapse-registration_shared_secret" = { }; - generator.path = with pkgs; [ + files."synapse-registration_shared_secret" = { }; + runtimeInputs = with pkgs; [ coreutils pwgen ]; - generator.script = '' - echo -n "$(pwgen -s 32 1)" > "$secrets"/synapse-registration_shared_secret + migrateFact = "matrix-synapse"; + script = '' + echo -n "$(pwgen -s 32 1)" > "$out"/synapse-registration_shared_secret ''; }; } // lib.mapAttrs' ( name: user: lib.nameValuePair "matrix-password-${user.name}" { - secret."matrix-password-${user.name}" = { }; - generator.path = with pkgs; [ xkcdpass ]; - generator.script = '' - xkcdpass -n 4 -d - > "$secrets"/${lib.escapeShellArg "matrix-password-${user.name}"} + files."matrix-password-${user.name}" = { }; + migrateFact = "matrix-password-${user.name}"; + runtimeInputs = with pkgs; [ xkcdpass ]; + script = '' + xkcdpass -n 4 -d - > "$out"/${lib.escapeShellArg "matrix-password-${user.name}"} ''; } ) cfg.users; @@ -152,7 +154,7 @@ in + lib.concatMapStringsSep "\n" (user: '' # only create user if it doesn't exist /run/current-system/sw/bin/matrix-synapse-register_new_matrix_user --exists-ok --password-file ${ - config.clan.core.facts.services."matrix-password-${user.name}".secret."matrix-password-${user.name}".path + config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path } --user "${user.name}" ${if user.admin then "--admin" else "--no-admin"} '') (lib.attrValues cfg.users); in 
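Review bot: `migrateFact` sits after `runtimeInputs` in the `matrix-synapse` generator but between `files` and `runtimeInputs` in the per-user generator; keeping the attribute order the same in both (`files`, `migrateFact`, `runtimeInputs`, `script`) makes the two definitions scan as the same shape. The per-user generator name, file name and output path all embed `user.name`; `lib.escapeShellArg` covers the shell redirect but not a name containing `/`, so it is worth confirming that the `users.<name>.name` option type (outside this hunk) rejects path separators, or adding an assertion if it does not. The enclosing `clan.core.vars.generators` definition ends inside the hunk at `) cfg.users;`.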
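Review bot: The new `.path` reference is interpolated straight into the shell string after `--password-file`, while the sibling change in the `ExecStartPre` hunk passes the same kind of path through `lib.escapeShellArg`; with the vm store the path now contains `user.name` twice, so the two call sites should be consistent: `--password-file ${lib.escapeShellArg config.clan.core.vars.generators."matrix-password-${user.name}".files."matrix-password-${user.name}".path}`. The same treatment on the next line, `--user ${lib.escapeShellArg user.name}`, would remove the remaining unescaped interpolation in this script. The `let` binding this string belongs to starts before the hunk.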
@@ -161,7 +163,7 @@ in
 serviceConfig.ExecStartPre = lib.mkBefore [
 "+${pkgs.coreutils}/bin/install -o matrix-synapse -g matrix-synapse ${
 lib.escapeShellArg
- config.clan.core.facts.services.matrix-synapse.secret."synapse-registration_shared_secret".path
+ config.clan.core.vars.generators.matrix-synapse.files."synapse-registration_shared_secret".path
 } /run/synapse-registration-shared-secret"
 ];
 serviceConfig.ExecStartPost = [
diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix
index 92c29d893..1fe121aa6 100644
--- a/nixosModules/clanCore/vars/default.nix
+++ b/nixosModules/clanCore/vars/default.nix
@@ -16,10 +16,9 @@ in
 {
 imports = [
 ./public/in_repo.nix
- # ./public/vm.nix
 ./secret/password-store.nix
 ./secret/sops
- # ./secret/vm.nix
+ ./secret/vm.nix
 ];
 options.clan.core.vars = lib.mkOption {
 description = ''
diff --git a/nixosModules/clanCore/vars/secret/vm.nix b/nixosModules/clanCore/vars/secret/vm.nix
new file mode 100644
index 000000000..fcd6e82b4
--- /dev/null
+++ b/nixosModules/clanCore/vars/secret/vm.nix
@@ -0,0 +1,13 @@
+{
+ config,
+ lib,
+ ...
+}:
+{
+ config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "vm") {
+ fileModule = file: {
+ path = "/etc/secrets/${file.config.generatorName}/${file.config.name}";
+ };
+ secretModule = "clan_cli.vars.secret_modules.vm";
+ };
+}
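Review bot: The `install` invocation this hunk touches sets owner and group but no mode, and GNU install defaults to `rwxr-xr-x`, so the copy of the registration shared secret placed at `/run/synapse-registration-shared-secret` is readable by every local user; `"+${pkgs.coreutils}/bin/install -m 0400 -o matrix-synapse -g matrix-synapse ${` fixes that in one line. This predates the commit, but the statement is being rewritten anyway and the secret is the one that authorises user registration. The `ExecStartPre` list continues past the end of the hunk.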
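Review bot: The new module carries no comment saying what the `vm` secret store is or where it expects files; a header such as `# vm secret store: every vars file is expected at /etc/secrets/<generatorName>/<name>, provisioned inside the VM (see checks/matrix-synapse, which places them with systemd-tmpfiles).` would save the next reader a grep, and `secretModule = "clan_cli.vars.secret_modules.vm"` deserves a one-line note that it names the matching Python backend. `path` is built by plain interpolation of `file.config.generatorName` and `file.config.name`; presumably the vars option types already forbid `/` and `..` in those names, but that is worth confirming, since otherwise a generator could place its file outside `/etc/secrets`. It is also not visible from this file whether `fileModule` applies to non-secret files as well; if it does, public vars land under `/etc/secrets` when this store is selected, which may be intended but merits a comment.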