Verified Commit 20a3d46f authored by Jan Alexander Steffens (heftig)'s avatar Jan Alexander Steffens (heftig)

matrix: Simplify vault

No need to store secrets for more than one matrix server.
parent 95592165
......@@ -141,7 +141,7 @@
- name: install signing key
copy:
content: '{{ vault_matrix_secrets[matrix_server_name].signing_key }}'
content: '{{ vault_matrix_secrets.signing_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.signing.key
owner: root
group: synapse
......@@ -149,7 +149,7 @@
- name: install ircpass key
copy:
content: '{{ vault_matrix_secrets[matrix_server_name].ircpass_key }}'
content: '{{ vault_matrix_secrets.ircpass_key }}'
dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
owner: root
group: synapse
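Review bot: The two `copy` tasks (lines 10–16 and 18–24) pass secret material through `content:`, and nothing in either hunk suppresses task output, so a run with `-v` or `--diff` can echo the signing key and ircpass key into the console output and any log collector. Add `no_log: true` to both tasks so the rendered secret never appears in task results or diffs. Each task body continues past its hunk, so a restrictive `mode:` may already be set below; if it is not, `mode: '0640'` belongs next to `group: synapse`.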
......
id: {{ vault_matrix_secrets[matrix_server_name].irc_appservice_id }}
hs_token: {{ vault_matrix_secrets[matrix_server_name].irc_hs_token }}
as_token: {{ vault_matrix_secrets[matrix_server_name].irc_as_token }}
id: {{ vault_matrix_secrets.irc_appservice_id }}
hs_token: {{ vault_matrix_secrets.irc_hs_token }}
as_token: {{ vault_matrix_secrets.irc_as_token }}
namespaces:
users:
{% for network in vault_matrix_secrets[matrix_server_name].irc_networks.values() %}
{% for network in vault_matrix_secrets.irc_networks.values() %}
- exclusive: true
regex: '@{{ network.name | regex_escape() }}_.*:{{ matrix_server_name | regex_escape() }}'
group_id: '+{{ network.name }}:{{ matrix_server_name }}'
{% endfor %}
aliases:
{% for network in vault_matrix_secrets[matrix_server_name].irc_networks.values() %}
{% for network in vault_matrix_secrets.irc_networks.values() %}
- exclusive: true
regex: '#{{ network.name | regex_escape() }}_.*:{{ matrix_server_name | regex_escape() }}'
{% endfor %}
rooms:
{% for room in vault_matrix_secrets[matrix_server_name] | json_query("irc_networks.*[].mappings.*[].room") %}
{% for room in vault_matrix_secrets | json_query("irc_networks.*[].mappings.*[].room") %}
- exclusive: false
regex: '{{ room | regex_escape() }}'
{% endfor %}
......@@ -25,3 +25,5 @@ namespaces:
url: 'http://127.0.0.1:8499'
sender_localpart: irc-bridge
rate_limited: false
# vim:set ft=yaml sw=2:
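Review bot: `id:`, `hs_token:` and `as_token:` (lines 29–31) interpolate vault values as plain YAML scalars, so a token that is all digits, contains `: ` or ` #`, or starts with a YAML indicator is retyped or breaks the rendered registration file, while the `regex:` values further down are already quoted. Render them as `hs_token: {{ vault_matrix_secrets.irc_hs_token | to_json }}` (and likewise for `id` and `as_token`) so the output is a correctly escaped string whatever characters the token contains. This predates the commit, but the lines are being rewritten here anyway.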
......@@ -1096,7 +1096,7 @@ turn_uris:
# The shared secret used to compute passwords for the TURN server
#
turn_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
turn_shared_secret: "{{ vault_matrix_secrets.turn_shared_secret }}"
# The Username and password if the TURN server needs them and
# does not use a token
......@@ -1229,7 +1229,7 @@ account_validity:
# If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled.
#
registration_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].registration_shared_secret }}"
registration_shared_secret: "{{ vault_matrix_secrets.registration_shared_secret }}"
# Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash.
......@@ -1444,13 +1444,13 @@ app_service_config_files:
# the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key.
#
macaroon_secret_key: "{{ vault_matrix_secrets[matrix_server_name].macaroon_secret_key }}"
macaroon_secret_key: "{{ vault_matrix_secrets.macaroon_secret_key }}"
# a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent
# forms to work.
#
form_secret: "{{ vault_matrix_secrets[matrix_server_name].form_secret }}"
form_secret: "{{ vault_matrix_secrets.form_secret }}"
## Signing Keys ##
......@@ -2037,7 +2037,7 @@ password_config:
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#
pepper: "{{ vault_matrix_secrets[matrix_server_name].pepper }}"
pepper: "{{ vault_matrix_secrets.pepper }}"
# Define and enforce a password policy. Each parameter is optional.
# This is an implementation of MSC2000.
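Review bot: `turn_shared_secret`, `registration_shared_secret`, `macaroon_secret_key`, `form_secret` and `pepper` (lines 61, 69, 77, 83, 90) are interpolated inside YAML double quotes, where a backslash or `"` in the vault value is processed as an escape or terminates the scalar, so a randomly generated secret containing either renders as a different value than the one stored, or as an unparseable homeserver.yaml. Emitting each as `pepper: {{ vault_matrix_secrets.pepper | to_json }}` with no surrounding quotes yields a properly escaped string for any content. Since the vault layout is being flattened, `pepper` and `macaroon_secret_key` must be carried over byte-for-byte — the comment on line 87 says the pepper must not change after initial setup — which is worth confirming against the collapsed vault diff.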
......
......@@ -43,7 +43,7 @@ homeserver:
# Configuration specific to the IRC service
ircService:
servers:
{% for address, settings in vault_matrix_secrets[matrix_server_name].irc_networks.items() %}
{% for address, settings in vault_matrix_secrets.irc_networks.items() %}
# The address of the server to connect to.
"{{ address }}":
# A human-readable short name. This is used to label IRC status rooms
......
......@@ -6,7 +6,7 @@ max-port=33999
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
static-auth-secret="{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
static-auth-secret="{{ vault_matrix_secrets.turn_shared_secret }}"
# The default realm to be used for the users when no explicit
# origin/realm relationship is found in the database, or if the TURN
......