From 63980496c9f980131778054fd3ffd99134d4e0ab Mon Sep 17 00:00:00 2001 From: teutat3s Date: Tue, 17 Dec 2024 17:59:01 -0300 Subject: [PATCH] flake: update to NixOS 24.11 Fix warnings: trace: evaluation warning: The option `services.forgejo.mailerPasswordFile' defined in `/nix/store/13vqhb5askjgi07wqwxawq4bdm7h0wc7-source/flake.nix, via option flake.nixosModules.forgejo' has been renamed to `services.forgejo.secrets.mailer.PASSWD'. trace: evaluation warning: Using `services.nextcloud.config.dbtableprefix` is deprecated. Fresh installations with this option set are not allowed anymore since v20. If you have an existing installation with a custom table prefix, make sure it is set correctly in `config.php` and remove the option from your NixOS config. Fix errors: - The option definition `services.matrix-sliding-sync' in `/nix/store/wgxgv8rjbd2nhf7y28kfzm4n6kz85dnq-source/flake.nix, via option flake.nixosModules.matrix' no longer has any effect; please remove it. The matrix-sliding-sync package has been removed, since matrix-synapse incorporated its functionality - The option `services.keycloak.settings.proxy' has been removed. Set `services.keycloak.settings.proxy-headers` in combination with other hostname options as needed instead. See [Proxy option removed](https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed) for more information. error: The option `services.matrix-appservice-irc.settings.ircService.mediaProxy.publicUrl' was accessed but has no value defined. Try setting the option. --- flake.lock | 54 +++-- flake.nix | 12 +- hosts/nachtigall/configuration.nix | 16 +- hosts/nachtigall/default.nix | 2 - hosts/underground/configuration.nix | 9 + modules/forgejo/default.nix | 3 +- modules/keycloak/default.nix | 3 +- modules/matrix-irc/default.nix | 213 ++++++++++-------- modules/matrix/default.nix | 17 -- modules/nextcloud/default.nix | 3 +- modules/nginx-matrix/default.nix | 7 + overlays/default.nix | 2 - ...service-irc-mediaproxy-signing-key.jwk.age | Bin 0 -> 2700 bytes .../matrix-synapse-sliding-sync-secret.age | 45 ---- secrets/secrets.nix | 4 +- ...service-irc-mediaproxy-signing-key.jwk.age | Bin 0 -> 2700 bytes 16 files changed, 193 insertions(+), 197 deletions(-) create mode 100644 secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age delete mode 100644 secrets/matrix-synapse-sliding-sync-secret.age create mode 100644 secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age diff --git a/flake.lock b/flake.lock index 9f98ebd..9a0b11d 100644 --- a/flake.lock +++ b/flake.lock @@ -257,16 +257,16 @@ ] }, "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", + "lastModified": 1734366194, + "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", + "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "release-24.11", "repo": "home-manager", "type": "github" } @@ -336,20 +336,35 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734202038, - "narHash": "sha256-LwcGIkORU8zfQ/8jAgptgPY8Zf9lGKB0vtNdQyEkaN8=", + "lastModified": 1734323986, + "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bcba2fbf6963bf6bed3a749f9f4cf5bff4adb96d", + "rev": "394571358ce82dff7411395829aa6a3aad45b907", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1733096140, @@ -362,6 +377,21 @@ "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -384,12 +414,8 @@ "inputs": { "blobs": "blobs", "flake-compat": "flake-compat_2", - "nixpkgs": [ - "unstable" - ], - "nixpkgs-24_05": [ - "nixpkgs" - ], + "nixpkgs": "nixpkgs_2", + "nixpkgs-24_05": "nixpkgs-24_05", "utils": "utils_2" }, "locked": { diff --git a/flake.nix b/flake.nix index 611d0e1..e5f1586 100644 --- a/flake.nix +++ b/flake.nix @@ -1,14 +1,14 @@ { inputs = { # Track channels with commits tested and built by hydra - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module"; nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; flake-parts.url = "github:hercules-ci/flake-parts"; @@ -38,8 +38,6 @@ element-stickers.inputs.nixpkgs.follows = "nixpkgs"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; - simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs"; - simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable"; }; outputs = @@ -108,9 +106,9 @@ nvfetcher shellcheck shfmt - inputs.unstable.legacyPackages.${system}.treefmt2 + treefmt2 nixos-generators - inputs.unstable.legacyPackages.${system}.opentofu + opentofu terraform-backend-git terraform-ls jq @@ -132,7 +130,7 @@ system: deployLib: deployLib.deployChecks self.deploy ) inputs.deploy-rs.lib; - formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style; + formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style; deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { nachtigall = { diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 62dc644..11daca5 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -73,22 +73,24 @@ owner = "matrix-synapse"; }; - age.secrets."matrix-synapse-sliding-sync-secret" = { - file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age"; - mode = "400"; - owner = "matrix-synapse"; - }; - age.secrets."matrix-authentication-service-secret-config.yml" = { file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; mode = "400"; owner = "matrix-authentication-service"; }; + # matrix-appservice-irc + age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = { + file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age"; + mode = "400"; + owner = "matrix-appservice-irc"; + }; + pub-solar-os.matrix = { enable = true; + appservice-irc.mediaproxy.signingKeyPath = + config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path; synapse = { - sliding-sync.enable = false; signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; extra-config-files = [ config.age.secrets."matrix-synapse-secret-config.yaml".path diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 100759a..bacc72f 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -10,11 +10,9 @@ ./wireguard.nix ./backups.nix "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix" - "${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix" ]; disabledModules = [ "services/matrix/matrix-authentication-service.nix " - "services/web-apps/mastodon.nix" ]; } diff --git a/hosts/underground/configuration.nix b/hosts/underground/configuration.nix index ff1c809..49efdfe 100644 --- a/hosts/underground/configuration.nix +++ b/hosts/underground/configuration.nix @@ -42,8 +42,17 @@ owner = "matrix-authentication-service"; }; + # matrix-appservice-irc + age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = { + file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age"; + mode = "400"; + owner = "matrix-appservice-irc"; + }; + pub-solar-os.matrix = { enable = true; + appservice-irc.mediaproxy.signingKeyPath = + config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path; synapse = { extra-config-files = [ config.age.secrets."staging-matrix-synapse-secret-config.yaml".path diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index 744d618..0de30ba 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -65,6 +65,7 @@ services.forgejo = { enable = true; + package = pkgs.forgejo; user = "gitea"; group = "gitea"; database = { @@ -75,7 +76,7 @@ }; stateDir = "/var/lib/forgejo"; lfs.enable = true; - mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; + secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; settings = { DEFAULT.APP_NAME = "pub.solar git server"; diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix index 38da6cf..d924717 100644 --- a/modules/keycloak/default.nix +++ b/modules/keycloak/default.nix @@ -50,7 +50,8 @@ hostname = "auth.${config.pub-solar-os.networking.domain}"; http-host = "127.0.0.1"; http-port = 8080; - proxy = "edge"; + proxy-headers = "xforwarded"; + http-enabled = true; }; themes = { "pub.solar" = diff --git a/modules/matrix-irc/default.nix b/modules/matrix-irc/default.nix index 1b4fa82..c026d8c 100644 --- a/modules/matrix-irc/default.nix +++ b/modules/matrix-irc/default.nix @@ -16,111 +16,128 @@ let synapseClientPort = "${toString listenerWithClient.port}"; in { - services.matrix-appservice-irc = { - enable = true; - localpart = "irc_bot"; - port = 8010; - registrationUrl = "http://localhost:8010"; - settings = { - homeserver = { - domain = "${config.pub-solar-os.networking.domain}"; - url = "http://127.0.0.1:${synapseClientPort}"; - media_url = "https://matrix.${config.pub-solar-os.networking.domain}"; - enablePresence = false; + options.pub-solar-os = { + matrix.appservice-irc.mediaproxy = { + signingKeyPath = lib.mkOption { + description = "Path to file containing the IRC appservice mediaproxy signing key"; + type = lib.types.str; + default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk"; }; - ircService = { - ident = { - address = "::"; - enabled = false; - port = 1113; + }; + }; + config = { + services.matrix-appservice-irc = { + enable = true; + localpart = "irc_bot"; + port = 8010; + registrationUrl = "http://localhost:8010"; + settings = { + homeserver = { + domain = "${config.pub-solar-os.networking.domain}"; + url = "http://127.0.0.1:${synapseClientPort}"; + enablePresence = false; }; - logging = { - # set to debug for debugging - level = "warn"; - maxFiles = 5; - toCosole = true; - }; - matrixHandler = { - eventCacheSize = 4096; - }; - metrics = { - enabled = true; - remoteUserAgeBuckets = [ - "1h" - "1d" - "1w" - ]; - }; - provisioning = { - enabled = false; - requestTimeoutSeconds = 300; - }; - servers = - let - commonConfig = { - allowExpiredCerts = false; - botConfig = { - enabled = false; - joinChannelsIfNoUsers = false; - nick = "MatrixBot"; - }; - dynamicChannels = { - createAlias = true; - enabled = true; - federate = true; - joinRule = "public"; - published = true; - }; - ircClients = { - allowNickChanges = true; - concurrentReconnectLimit = 50; - idleTimeout = 10800; - lineLimit = 3; - maxClients = 30; - nickTemplate = "$DISPLAY[m]"; - reconnectIntervalMs = 5000; - }; - matrixClients = { - joinAttempts = -1; - }; - membershipLists = { - enabled = true; - floodDelayMs = 10000; - global = { - ircToMatrix = { - incremental = true; - initial = true; - }; - matrixToIrc = { - incremental = true; - initial = true; + ircService = { + ident = { + address = "::"; + enabled = false; + port = 1113; + }; + logging = { + # set to debug for debugging + level = "warn"; + maxFiles = 5; + toCosole = true; + }; + matrixHandler = { + eventCacheSize = 4096; + }; + mediaProxy = { + signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath; + # keep media for 2 weeks + ttlSeconds = 1209600; + bindPort = 11111; + publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media"; + }; + metrics = { + enabled = true; + remoteUserAgeBuckets = [ + "1h" + "1d" + "1w" + ]; + }; + provisioning = { + enabled = false; + requestTimeoutSeconds = 300; + }; + servers = + let + commonConfig = { + allowExpiredCerts = false; + botConfig = { + enabled = false; + joinChannelsIfNoUsers = false; + nick = "MatrixBot"; + }; + dynamicChannels = { + createAlias = true; + enabled = true; + federate = true; + joinRule = "public"; + published = true; + }; + ircClients = { + allowNickChanges = true; + concurrentReconnectLimit = 50; + idleTimeout = 10800; + lineLimit = 3; + maxClients = 30; + nickTemplate = "$DISPLAY[m]"; + reconnectIntervalMs = 5000; + }; + matrixClients = { + joinAttempts = -1; + }; + membershipLists = { + enabled = true; + floodDelayMs = 10000; + global = { + ircToMatrix = { + incremental = true; + initial = true; + }; + matrixToIrc = { + incremental = true; + initial = true; + }; }; }; + port = 6697; + privateMessages = { + enabled = true; + federate = true; + }; + sasl = false; + sendConnectionMessages = true; + ssl = true; }; - port = 6697; - privateMessages = { - enabled = true; - federate = true; + in + { + "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig { + name = "libera"; + dynamicChannels.groupId = "+libera.chat:localhost"; + dynamicChannels.aliasTemplate = "#_libera_$CHANNEL"; + matrixClients.displayName = "$NICK (LIBERA-IRC)"; + }; + "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig { + name = "scratch"; + matrixClients.displayName = "$NICK (SCRATCH-IRC)"; + dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL"; + dynamicChannels.groupId = "+scratch-network.net:localhost"; }; - sasl = false; - sendConnectionMessages = true; - ssl = true; }; - in - { - "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig { - name = "libera"; - dynamicChannels.groupId = "+libera.chat:localhost"; - dynamicChannels.aliasTemplate = "#_libera_$CHANNEL"; - matrixClients.displayName = "$NICK (LIBERA-IRC)"; - }; - "irc.scratch-network.net" = lib.attrsets.recursiveUpdate commonConfig { - name = "scratch"; - matrixClients.displayName = "$NICK (SCRATCH-IRC)"; - dynamicChannels.aliasTemplate = "#_scratch_$CHANNEL"; - dynamicChannels.groupId = "+scratch-network.net:localhost"; - }; - }; + }; }; }; }; diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 53fbb9a..d1b2fc2 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -32,11 +32,6 @@ in type = lib.types.str; default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; }; - - sliding-sync.enable = lib.mkEnableOption { - description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+"; - default = false; - }; }; matrix-authentication-service = { @@ -339,18 +334,6 @@ in }; }; - services.matrix-sliding-sync = { - enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable; - settings = { - SYNCV3_SERVER = "https://${publicDomain}"; - SYNCV3_BINDADDR = "127.0.0.1:8011"; - # The bind addr for Prometheus metrics, which will be accessible at - # /metrics at this address - SYNCV3_PROM = "127.0.0.1:9100"; - }; - environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path; - }; - pub-solar-os.backups.restic.matrix-synapse = { paths = [ "/var/lib/matrix-synapse" diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix index 662d1ce..9cda818 100644 --- a/modules/nextcloud/default.nix +++ b/modules/nextcloud/default.nix @@ -27,7 +27,7 @@ home = "/var/lib/nextcloud"; enable = true; - package = pkgs.nextcloud29; + package = pkgs.nextcloud30; https = true; secretFile = config.age.secrets."nextcloud-secrets".path; # secret maxUploadSize = "1G"; @@ -45,7 +45,6 @@ dbuser = "nextcloud"; dbtype = "pgsql"; dbname = "nextcloud"; - dbtableprefix = "oc_"; }; settings = { diff --git a/modules/nginx-matrix/default.nix b/modules/nginx-matrix/default.nix index 1d82c10..f6274d8 100644 --- a/modules/nginx-matrix/default.nix +++ b/modules/nginx-matrix/default.nix @@ -120,6 +120,13 @@ in extraConfig = commonHeaders; }; + # For IRC appservice media proxy + "/media" = { + priority = 100; + proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}"; + extraConfig = commonHeaders; + }; + # Forward to the auth service "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { priority = 100; diff --git a/overlays/default.nix b/overlays/default.nix index 33f0e1d..af9faa9 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -16,8 +16,6 @@ element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { inherit (inputs) element-stickers maunium-stickerpicker; }; - mastodon = unstable.mastodon; - matrix-authentication-service = unstable.matrix-authentication-service; } ) ]; diff --git a/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age new file mode 100644 index 0000000000000000000000000000000000000000..f38c861d512a5f58b2aa81d330314c231f79f3c5 GIT binary patch literal 2700 zcmZXW`^zkK9mlf{sDqURmW9=mp@_rd%+o%_yB zM9aWTDJvwgKuqzNR1jI&)lA4s1xG6)tW%VB{2?{Tz|veTupQyCy<2axBFmwaV}JB=Nz2z^f+ zy+NFfXfWBDrIoA7>$X6XvnQ{DkUO9;2sZi=90rpf#s92Lqgiv|_t`_7mlnw(AgB{yql7$fkomQf+? zYlDnqs6>GV@{YiZiKr9A!~=|V74CD1i!eqcIdQz4dGV35hMEUXmIIciO=dIS3l=-q z#Ts|z{&2vqv8E?*$*NmrI|mFzSlsk)JFMYg+R!BBt zw1rUvV9^gZJd7v0Wz`e1mt&I>sg$%4!M=^g3g;KeXfPk!xXi7pkT*<%$jJe04Cksa z&^f@SB_Yxls}c`lOKaz$N1$Oqs=+=)QCt!#Cq7yl+he2LF`)<<870+_xNG7~}EM4NGnkdGpHKW01VkT+v4X zW>i9pW?_q^PYy!7VO_|Ysk$4>i_k}FP3%K?z@`y3wRw9{b<+wVtPLeX<;cr0hz8hM z)mb`L`0<>Ip9^kOFs9Yb zxe03_Il3%Cs}%Jl78001*DfO+4K4d+YQo#LN(z=~QJ<++eXO0Tb2`ABjR!>BXzZb~ z(()kGu0(JdD_8|}&Pd`-uk-y#mT{ve@8+bGI3gcfxsl)I));P3O#vrU2m%AFj@BcVjjFXr5dYC}x~>k>9)=%ON;f}>eyV~vJ57j?3@0Lv zQTlF3sb;RlA)%8ziOz7uWu-iJRz?aGncg#+rJ;4p7+I&v-e?I?rTW^gq_;*jora+> zX9mydyCX10U!Nv)qA*5$k{%lC9XpC%j9L_OQWeD?*%Xd}20y=5{ zTWOnf#k$xU8qJE^3YNA6na@X=oEJRi>U(CU2IcGiJkz1pP?d_{phiudZg=QLY+E|r zS#mF2l@&DC)>BK~Z0u3RhPqsBgGL7whg(!jdpNO$d_^P8oKj<3lQce4R`Zk{@nla~ zH)sw+`k6F1Lt6_A9HkEMrq(=##>dc6AqZhaiB&XI;gBIpWnUSU6anZ#FcWR!Ok$IY6r`OACD&_?>LPd}jb0S3Mjf>LMh$3Qw7m>qs@o-to8S2inS+SvjgxEJo0jiE! zi8iP1^j!{@Z83~{HX9s$BvNbMS9${}l&8Sq;o-q5SSc-6^L<`360e&>vb`gHxHlaw zD1kk4k~j>(9WHNL3OMiN3E&&IeQoxO<8OWLvOhlb(mD6N?eTwtw=QnF@;2eMZ^@US zcQX&a2<(IJy;A@Br*{xn-FXtfxj}Ax(7E6f$fZ9Ct`VH)o`~j`{^k#_Ja(RP>BoNb z!l`?{|0w+3_ipgB@4Wfg@mJt?Jb&Wkd)|5Yz*Qf@e~%n{@tFtiJMnI2cz@r!?1l@) zP5Q29u7Bdzdk;^a`T+I9_U^x2{^=fZJh=LoZwD`Y^rlDN{4?$R&;I@NHTVAfq3xH? zzV_JgkolE&`FCChPt@nM_Nnu~*~6#TtsilJaLegO-}JBasquB!K6%@#mwxd}KYrnp z;{3JWp89(5nWtYq>vK1ye-+kZosXw3m$JH->^n;(jekHjdzT}6W e`uJnE4L|+(>cswu_=?f}FFkwK4bMOPyMF_GT&F$& literal 0 HcmV?d00001 diff --git a/secrets/matrix-synapse-sliding-sync-secret.age b/secrets/matrix-synapse-sliding-sync-secret.age deleted file mode 100644 index 088e91b..0000000 --- a/secrets/matrix-synapse-sliding-sync-secret.age +++ /dev/null @@ -1,45 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ -GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM --> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs -JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo --> ssh-rsa f5THog -w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw -rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI -KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6 -6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I -tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz -9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz -MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ -XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD -YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL -TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN -PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA --> ssh-rsa kFDS0A -KysKtr7wrKKJ8w+Dj7qjJstyXtKIw9weFi9oVwJkMvy2utn+JARs7puh7KC27TXC -slZJrHf4vx+y8qSjRS0W4z8CPl8/auiYOilepT9JoxwGUP7J/nTr5SCofgWcdZm5 -FtgHoCcABjzcF+mrKUofuqrx6oYSDCS0JkV2tClQI6ybXnjRwIIicLmBN9UDHCuU -9ZOesYp5XrJyBoD3Zv51b19xJyOfuWAUQvlNPRH2TpgvisutpESU/o869z5AMn4Z -BfDD/0oR1ALbk/sB3r13Xi6oJZAB2AbggoQRlwvPeWc3MdS+bFNV2o2ue0ov6Fkd -U5C/GnJVlyE0cv9I+YvxtLT6T/Gf/yoUZGfB7xD5QkHpMIEmKxUYqGNBB/NcnFMY -Tal8jMDtZDEk+uk0MahE7GsL6Z3xrkKTevG+Rr3j+beFYie2RJbNwwUyQ1lL3EoA -Rx1AMk+nYlvxVHiciYJNh9nffgAXXwO255IkWvYzmuPBEP1LmqadA4fQPf5Rgj3u -DuOX3hJ+rIyRIoDXOZio3SDf+bb380xCxF+7efJ27Ep0sFviAq5qKeptbyt51Dp8 -tlbeYAylhVbV9Zgd+EozwE7Btlfqt3sbUij/0Iy+BdOYSPLmvx3oKybpipZ0i3fo -KR/bZHlMKF1Ipd5L7zEwh5aTjImuomoyRyZG3NWdv44 --> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR -+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o --> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE -7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc --> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw -U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI --> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw -PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8 --> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs -SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k --> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ -vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8 ---- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw -. -s~Hͯk 2 9 Bz?3TJ`gPior" ws-K6f -0XΌvX&8 g=zrHjh> \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3678d9b..9bf2f9d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -67,12 +67,14 @@ in "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-authentication-service-secret-config.yml.age".publicKeys = undergroundKeys ++ adminKeys; + "staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = + undergroundKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; diff --git a/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age b/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age new file mode 100644 index 0000000000000000000000000000000000000000..8b4a65e029928738665148cc8a1d6238d738159f GIT binary patch literal 2700 zcmZ9NTj(?e8HY^^YA(zJrJ~>;vozPw*`3*$oz>LlxO3Q@nVsX#_EF939Cwa8v$JzZ zLK5=CCuUGoA8J_{c2Shr*+5Vu47EfF!%(Q3NDw6i1N(cSkoPa|^IrVk-(v^f2`}4} zU9pey?3%m`z{3bQal=tng(o~0LXgq)h@Y0wI5@(jdcc&iS{X$$fveCANQ0nlllPVN z2CLx2MfN%sVNE{<7j+IH?B2i)3dud(N zt}jlOIH{zE#NJJK3iVy~Jz81WM?Rvlc>vI>1GVjnNd2qk*_aEO61Sv|xQ$v%2pSOusHm1DL^!T(lU9+%95%RqOt0M(gcnBsV=BuBi|n zYI*8u{Z7UmYT#Gla0b_$ZF^MamP@n*S{^fa9-kCzG^u7xA0dJ`i+LzBq=~5 zlMpNOkv=MQaGZAa03Q^|d^GY1mf8V3(zi^|8`P1e+aV=wEW2j5yqC3Rv-DGc zgM*2ixD2Nno?HwOyzKQk4{CGG0#<4r9h%LO!0Haq+QJMaLuCVbpbL#R@Qpl5B51l3 z6bNKBNu)+!=i;V-Hiwi z+3yL^U=^p44qm5Z^FST}Q9~PeTr?Fmm039m#bnpSGh!_*T2uiesH(Hp&QSWG zR&>z^HA?nX*H~ONL;#hQ!xd73qC{_Lk8IR29Cie*ISOl8p=AbLv)^~s&NHXcO6vBw zIOdwEGpuQ%UI?uN5TgQ>cn+asIJUgx_)KQ1Fuiz4rW|LEmkL-H^Qk>>S-)re?x}10mO5c?6yI=E8j$?*W zhd4lJL%OSzVX69^t>{o13L!nFxRlx*lF09Ni?U!tQ&qV}6PFn3BGnY(Y)F(x`#GpC z0VJ>*iWtCfz1(x*v(i*4yZ!*SlxvLw0KA|`OQS~T;?h}vVvu~Zp= zLy=LrX&26X<8(xgh(SOt=BO|c2BR!qD3ZkNbP9*qxsV!&s2vDYHj7wKTWNJrK?TTp zq{5~KCHaG00o5> z(R^t#6(u?72;I4OzOxyg?r0%0<$mm2?9%5Uu&8TM@%H1OjibpbWBkfz5ONBvyRluV zVI-GQ*R%p*9S~CQ8G@46v^-ZSc~u595UBgv0^Ta*$TB4_ zOPpiFfI%|$OxLRqQnNQ^I2qfK{!WgI=y0Nd5cKGv^zw1_;~C>v@T`jo)4?|CKB?vP zQe|{w!;TepgS(m_ks(1zLUa#iDF6y`{ zmd%w~6~}enCsJp5)ZQ{1AYRs?P97$Li0yLDU~Lfh7n-e)hQdZ$4d=ux?`;B0lahY7 z4c?_itbxM#(aLY%amQ@WIxgd>oc-YM!dD;TH253(d3{w}vLeb{UzOGsGh9{j>pW zK*{nbl_9&(1+>K5q$hUEz-etKbfnSdSiipCQ+csfgUNKetblH&X|)N_+H{?u;0Rt( zqmg1t;-=l;2$si-!$hkpqr=PqIC0{{k>fNPgsKo;@h08DIF=2TA?{MN>oz*6i-^m{ zXuI1g1`T|m_{mkzoc&W4xxu+@|B+8#IDF>H^npiC0>8WP)O|-0`nkhbFMaK*GWweF z`5*uBOD_OF!iVRP%vpC|{@wDyyKcGU{NlFL_;dU(AHM(PPiW;wpSt{mPoQUFr$1|a z;nV{+&z0X-mz`1Zf4cX3YW4AdpK%4Z`R_x;shm0cu%*&zih7F5iCi z`QO^NK2BVJ=PW<-^$Q;O)*0vh?2T_Plq*i3dC_m4{n$Czo_F!?74)KOKXniF{rm1c z>z)@Ly#A&~??}G#_&Jw6eR22UHzbJu&x;QC