authorsefidel <contact@sefidel.net>2023-12-22 19:13:18 +0900
committersefidel <contact@sefidel.net>2023-12-23 00:03:24 +0900
commitf47bf3b5c7c4c03a7f4e2aac7856e6e8a6dc360f (patch)
tree32c88ebbfcc5e3ec8c654408f077ec41c73a373a
parent81e502a651b39e96cc062e9a8a376cc2bd7a4378 (diff)
feat(modules/matrix-bridge): configure double puppeting
-rw-r--r--modules/services/matrix-bridge.nix33
-rw-r--r--systems/cobalt/secrets/secrets.yaml9
2 files changed, 38 insertions, 4 deletions
diff --git a/modules/services/matrix-bridge.nix b/modules/services/matrix-bridge.nix
index 04f51be..2a96e01 100644
--- a/modules/services/matrix-bridge.nix
+++ b/modules/services/matrix-bridge.nix
@@ -18,6 +18,22 @@ in
   };
 
   config = mkIf cfg.enable {
+    sops.secrets.double-puppet-as-token = { };
+    sops.secrets.double-puppet-hs-token = { };
+
+    sops.templates."double-puppet-registration.yaml".content = ''
+      id: doublepuppet
+      url:
+      as_token: ${config.sops.placeholder.double-puppet-as-token}
+      hs_token: ${config.sops.placeholder.double-puppet-hs-token}
+      sender_localpart: 55e126746dad19e50d9c4e646b6f5ac9ba21b346a24b840330cd8d8a1d65ce80
+      rate_limited: false
+      namespaces:
+        users:
+          - regex: '@.*:exotic\.sh'
+            exclusive: false
+    '';
+
     services.mautrix-telegram = {
       enable = true;
 
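Review bot: The user namespace on the `regex:` line hard-codes `exotic\.sh`, while the `login_shared_secret_map` entries added later in this commit key on `${cfg.domain}`; if the two ever differ, the bridges would request double-puppet logins for users this registration does not cover. Deriving the pattern from the option keeps them aligned, e.g. `- regex: '@.*:${lib.escapeRegex cfg.domain}'`. Because this `as_token` lets its holder act as any user matching that namespace, a short comment above the template saying so would help whoever rotates or audits the secret; it could also record that `url:` is presumably left empty on purpose so the homeserver pushes no events to this appservice. The `config` block continues outside the hunk.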
@@ -56,6 +72,10 @@ in
             require = true;
             allow_key_sharing = true;
           };
+          # NOTE: python bridge - managed via env variable
+          # login_shared_secret_map = {
+          #   "${cfg.domain}" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+          # };
           permissions = {
             "@sef:exotic.sh" = "admin";
             "exotic.sh" = "full";
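Review bot: The commented-out `login_shared_secret_map` block here, and the identical one in the next hunk (`@@ -112,6 +132,10 @@`), shows a setting that is not applied, and the NOTE does not say which environment variable actually carries the value. Since that variable holds a token that can log in as local users, naming it and where it is defined is more useful than dead config, e.g. `# double puppeting: this python bridge reads login_shared_secret_map from <ENV_VAR_NAME> (presumably set in the mautrix-envs sops secret)`. The enclosing settings block starts and ends outside the hunk.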
@@ -112,6 +132,10 @@ in
             require = true;
             allow_key_sharing = true;
           };
+          # NOTE: python bridge - managed via env variable
+          # login_shared_secret_map = {
+          #   "${cfg.domain}" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+          # };
           permissions = {
             "@sef:exotic.sh" = "admin";
             "exotic.sh" = "full";
@@ -155,7 +179,9 @@ in
           };
           send_presence_on_typing = true;
           double_puppet_server_map = { };
-          login_shared_secret_map = { };
+          login_shared_secret_map = {
+            "${cfg.domain}" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+          };
           private_chat_portal_meta = true;
           mute_bridging = true;
           pinned_tag = "m.favourite";
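Review bot: `"as_token:$DOUBLE_PUPPET_AS_TOKEN"` is a plain string to Nix, so the token only arrives if the bridge's config generation substitutes environment variables and its environment file defines `DOUBLE_PUPPET_AS_TOKEN`; neither is visible in this hunk. That value has to equal the sops secret `double-puppet-as-token` rendered into the registration, so the token appears to be stored twice (the `mautrix-envs` secret also changes in this commit), and rotating one copy without the other would break double puppeting without an obvious error. A comment such as `# must match sops secret double-puppet-as-token; injected from the bridge environment file` on this entry and on the same addition in `@@ -213,6 +239,9 @@` would record the coupling. Any bridge unit that receives the variable can log in as every user in the registration's namespace, so it should be passed only to the units that need it.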
@@ -213,6 +239,9 @@ in
             require = true;
             allow_key_sharing = true;
           };
+          login_shared_secret_map = {
+            "${cfg.domain}" = "as_token:$DOUBLE_PUPPET_AS_TOKEN";
+          };
           permissions = {
             "@sef:exotic.sh" = "admin";
             "exotic.sh" = "full";
@@ -256,6 +285,7 @@ in
       "mautrix-signal:/var/lib/mautrix-signal/signal-registration.yaml"
       "mautrix-whatsapp:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
       "mautrix-discord:/var/lib/mautrix-discord/discord-registration.yaml"
+      "double-puppet:${config.sops.templates."double-puppet-registration.yaml".path}"
     ];
 
     services.matrix-synapse.settings.app_service_config_files = [
@@ -263,6 +293,7 @@ in
       "/run/credentials/matrix-synapse.service/mautrix-signal"
       "/run/credentials/matrix-synapse.service/mautrix-whatsapp"
       "/run/credentials/matrix-synapse.service/mautrix-discord"
+      "/run/credentials/matrix-synapse.service/double-puppet"
     ];
   };
 }
diff --git a/systems/cobalt/secrets/secrets.yaml b/systems/cobalt/secrets/secrets.yaml
index 2117961..14e0df2 100644
--- a/systems/cobalt/secrets/secrets.yaml
+++ b/systems/cobalt/secrets/secrets.yaml
@@ -7,7 +7,10 @@ matrix-server-key: ENC[AES256_GCM,data:gv1zTWRNqmpB/WtPGwYahm9BnCNNsuzKN5oMTnkv1
 matrix-shared-secret: ENC[AES256_GCM,data:Xv9pOMA/kUJUrYxdXRA7NTrbkFvVsA==,iv:J3rZJGJ1cQPyhBK5lcd04dv2cGbhAvjg9IEQeXU+K/U=,tag:3YD3/MMUsVPnbW3ZUuf11Q==,type:str]
 synapse-extra-config: ENC[AES256_GCM,data:bJh9nMzZvP36Uwe7x03MLEk2N+FKq2V2YAFJT43vhMQ/XkvdN9yAeWhlxPGNEtl2wcMpCLnqbVAtfhJVI4VI5hGnue5HZz4Q51lbVQr2ZwzWuU6I25mY,iv:2qJuuyBlwgSWx5dkxGDbHhTW7ajI68lPgrvjdHmNTZ8=,tag:xRM6XGlitvcf+MrxBQ9GDw==,type:str]
 mjolnir-password: ENC[AES256_GCM,data:dyM2VVxn1PFRXy5dgfvq3EuWyGDhDZvJOd1sTnKE5q0Arv1y,iv:DD80um8QXLybj1w4ZsxPbv3+s2NrQfpPDAEpkztkMFo=,tag:3ZEJ7V+ICh2Ip5gZt06zjA==,type:str]
-mautrix-envs: ENC[AES256_GCM,data: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,iv:wB2tF/YJAiHr8CtqxYlXSxqEpnMzVyGSL3iGFRP5OtU=,tag:Sg4fXeNt8WfpEoTPEOlrTg==,type:str]
+#ENC[AES256_GCM,data:Qp2qzobiQ1q5JQboo9fRG/HUhyqoYEF4EmBd/DFt46Y9i4dCU+kbEHnqGOvb6zdOgAcIo1L/8Z4ZutGiRnvkJFnrbA6r/bf3LJOilLsVbg==,iv:TCj3cjZcLhHNVv6fDwx092D2YHRwIwaRj1Vuw56BYQs=,tag:gMAkM++w92fFwRrMv5AGLA==,type:comment]
+mautrix-envs: ENC[AES256_GCM,data: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,iv:KjkrFePP86nV3wGkaNhJvRnXcB+Jqkj1FncPxVTrOPQ=,tag:SbH6fcbB3x52FEfUs2DowA==,type:str]
+double-puppet-as-token: ENC[AES256_GCM,data:q7zsHsm9JvKfQkLxLZb44cuUse3+JdJKjC1Z8erAVaNZjDNvBzqHZv6hgWLnRvjD5htCOZyDk0cAdg17/wNWsA==,iv:KTUJsLfit9vXuVD8ba2QyCS1v7dRgDfgnrE+1nkHL5c=,tag:keLyl4TS2RQ6li07JCn+7A==,type:str]
+double-puppet-hs-token: ENC[AES256_GCM,data:iHIjy5pcjgVJF39XXj6WCdFslRmkLRnrCs95mjzmzRHCPEgWbmTqlqBuQVGIOkKhcyTZtflpC1D0/NtoBlmtFg==,iv:iDLvhGBABbgGSH9Q/FfgSMcw0srwL1KX6P87zAjn70k=,tag:pmTecoXSMVsRPZ5OhaD5Jg==,type:str]
 dendrite-envs: ENC[AES256_GCM,data:67FnrGQUZWFfHAoUM/idTZlBX7aek3fbPkswB9+3pjLNQuXpIWYoa2vpdGt7zec2n9o9z0V3LdlkookjS95aPpZmKYwPaKkH2L7Jaxw=,iv:c4lEReLizcQeTTiG7cJwd+2sBH+EKBGycKeoDgJ/394=,tag:zBBxIcXn+8Q90BkPidltfQ==,type:str]
 sliding-sync-secret: ENC[AES256_GCM,data:mBgQZ/SVRpvELrqwCzjxJETxDSj5gw+CcIb3rk/vjQ3j8tvjt4Z2GbuE6fwQ1CXhHKRL7kYOLn8ec7rgaMTr6me2pRcI+Sz/40IKUvlE,iv:NQvkJ4gjmOtfOyb8ciOudNHBYOytizNg6K6IhVxhE28=,tag:LNhd6MgUOPBHY9qK/tDBjA==,type:str]
 turn-secret: ENC[AES256_GCM,data:JA5/BlGwH6yIjYsFZGa8Nm8XVbOBKpre+NFybniOtlmbSx89ldKBvuqF2ZoPltJS+vzQ/+wxM/VorhF7M+s4jA==,iv:rK5SFj4VOzgfaP/LIzWTVFyCBmklGMSyd9iWbet2CVc=,tag:QycYCHH72bMMX5UubDHTlg==,type:str]
@@ -42,8 +45,8 @@ sops:
             cUpBZ01CMEFjNnNuWjlYejVKajkwcGMKehqYCZP0zZHDTfJrC/5LYiE/3doa0OiM
             OKXhOuUX8HF8RfkyiOSMpntxuNX2jSvd9sQRYnHkUvgm793+IuQjrg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-21T16:51:47Z"
-    mac: ENC[AES256_GCM,data:ZoSWm8puMrA3rbesfCLbP/cgLwUrgDOoDAv8/s3ACpfOxqjqa4KKX7JxIn28CSouhpR/MAgDisb1I6XdItjYAy9ISBTnrthY3gfx/1GjJVrWXgOaYJVcegLQyiMKUkHerP+mV7S+GwCgeQAVSkRnlqL9220t1zlj8easj3FTybo=,iv:+5aNpcrKSPs6Kkd8K4n6AfH6znupHsZ1r44xwCa1x9c=,tag:PtQW8k/5y2mjpX9obHsW3g==,type:str]
+    lastmodified: "2023-12-22T14:57:57Z"
+    mac: ENC[AES256_GCM,data:l0dP/78qh+urLgW0ga+WOiOalGVXpaJv89PtWwmxAfPfIQ4zPfe3EnfCWqs65VZRD6ZAZXDVgHfrSn6htElAFCGY3Y5zw00+n7fXdAOQ5pahwA4FsJQy8yxS0XlRZ0HpIXpklbbhUp71Tq1m+0KCG+eBZg2MyIfsljlwHVuPiss=,iv:F/NM0f5xXYMOUSmwJ1GuJnIyGKjoqyNF9Rxfo765FTo=,tag:RM4OkjjkyibMfnpG5fxxsg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1