Switch the matrix hosts secret management from colmena to sops-nix

2024-05-26 02:58:15 +02:00 · 2024-05-26 02:58:15 +02:00 · 154edc1972
commit 154edc1972
parent 361ccac69f
6 changed files with 265 additions and 10 deletions
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@ -44,20 +44,16 @@
    };

    extraConfigFiles = [
-      "/secrets/matrix-registration-shared-secret.secret"
+      "/run/secrets/matrix_registration_shared_secret"
    ];
  };

  systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];

-  deployment.keys = {
-    "matrix-registration-shared-secret.secret" = {
-      keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
-      destDir = "/secrets";
-      user = "matrix-synapse";
-      group = "matrix-synapse";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
+  sops.secrets."matrix_registration_shared_secret" = {
+    mode = "0440";
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+    restartUnits = [ "matrix-synapse.service" ];
  };
 }