matrix: Simplify vault

No need to store secrets for more than one matrix server.

matrix: Simplify vault
No need to store secrets for more than one matrix server.
20a3d46f · Jan Alexander Steffens (heftig) · 95592165 · 20a3d46f · 20a3d46f · 20a3d46f
Verified Commit 20a3d46f authored Jan 15, 2021 by Jan Alexander Steffens (heftig)
--- a/group_vars/all/vault_matrix.yml
+++ b/group_vars/all/vault_matrix.yml
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -141,7 +141,7 @@

 - name: install signing key
  copy:
-    content: '{{ vault_matrix_secrets[matrix_server_name].signing_key }}'
+    content: '{{ vault_matrix_secrets.signing_key }}'
    dest: /etc/synapse/{{ matrix_server_name }}.signing.key
    owner: root
    group: synapse
@@ -149,7 +149,7 @@

 - name: install ircpass key
  copy:
-    content: '{{ vault_matrix_secrets[matrix_server_name].ircpass_key }}'
+    content: '{{ vault_matrix_secrets.ircpass_key }}'
    dest: /etc/synapse/{{ matrix_server_name }}.ircpass.key
    owner: root
    group: synapse

--- a/roles/matrix/templates/appservice-registration-irc.yaml.j2
+++ b/roles/matrix/templates/appservice-registration-irc.yaml.j2
-id: {{ vault_matrix_secrets[matrix_server_name].irc_appservice_id }}
-hs_token: {{ vault_matrix_secrets[matrix_server_name].irc_hs_token }}
-as_token: {{ vault_matrix_secrets[matrix_server_name].irc_as_token }}
+id: {{ vault_matrix_secrets.irc_appservice_id }}
+hs_token: {{ vault_matrix_secrets.irc_hs_token }}
+as_token: {{ vault_matrix_secrets.irc_as_token }}
 namespaces:

  users:
-{% for network in vault_matrix_secrets[matrix_server_name].irc_networks.values() %}
+{% for network in vault_matrix_secrets.irc_networks.values() %}
    - exclusive: true
      regex: '@{{ network.name | regex_escape() }}_.*:{{ matrix_server_name | regex_escape() }}'
      group_id: '+{{ network.name }}:{{ matrix_server_name }}'
 {% endfor %}

  aliases:
-{% for network in vault_matrix_secrets[matrix_server_name].irc_networks.values() %}
+{% for network in vault_matrix_secrets.irc_networks.values() %}
    - exclusive: true
      regex: '#{{ network.name | regex_escape() }}_.*:{{ matrix_server_name | regex_escape() }}'
 {% endfor %}

  rooms:
-{% for room in vault_matrix_secrets[matrix_server_name] | json_query("irc_networks.*[].mappings.*[].room") %}
+{% for room in vault_matrix_secrets | json_query("irc_networks.*[].mappings.*[].room") %}
    - exclusive: false
      regex: '{{ room | regex_escape() }}'
 {% endfor %}
@@ -25,3 +25,5 @@ namespaces:
 url: 'http://127.0.0.1:8499'
 sender_localpart: irc-bridge
 rate_limited: false
+
+# vim:set ft=yaml sw=2:
--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -1096,7 +1096,7 @@ turn_uris:

 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
+turn_shared_secret: "{{ vault_matrix_secrets.turn_shared_secret }}"

 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -1229,7 +1229,7 @@ account_validity:
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: "{{ vault_matrix_secrets[matrix_server_name].registration_shared_secret }}"
+registration_shared_secret: "{{ vault_matrix_secrets.registration_shared_secret }}"

 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -1444,13 +1444,13 @@ app_service_config_files:
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: "{{ vault_matrix_secrets[matrix_server_name].macaroon_secret_key }}"
+macaroon_secret_key: "{{ vault_matrix_secrets.macaroon_secret_key }}"

 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
 #
-form_secret: "{{ vault_matrix_secrets[matrix_server_name].form_secret }}"
+form_secret: "{{ vault_matrix_secrets.form_secret }}"

 ## Signing Keys ##

@@ -2037,7 +2037,7 @@ password_config:
   # Uncomment and change to a secret random string for extra security.
   # DO NOT CHANGE THIS AFTER INITIAL SETUP!
   #
-   pepper: "{{ vault_matrix_secrets[matrix_server_name].pepper }}"
+   pepper: "{{ vault_matrix_secrets.pepper }}"

   # Define and enforce a password policy. Each parameter is optional.
   # This is an implementation of MSC2000.

--- a/roles/matrix/templates/irc-bridge.yaml.j2
+++ b/roles/matrix/templates/irc-bridge.yaml.j2
@@ -43,7 +43,7 @@ homeserver:
 # Configuration specific to the IRC service
 ircService:
  servers:
-{% for address, settings in vault_matrix_secrets[matrix_server_name].irc_networks.items() %}
+{% for address, settings in vault_matrix_secrets.irc_networks.items() %}
    # The address of the server to connect to.
    "{{ address }}":
      # A human-readable short name. This is used to label IRC status rooms

--- a/roles/matrix/templates/turnserver.conf.j2
+++ b/roles/matrix/templates/turnserver.conf.j2
@@ -6,7 +6,7 @@ max-port=33999
 use-auth-secret

 # 'Static' authentication secret value (a string) for TURN REST API only.
-static-auth-secret="{{ vault_matrix_secrets[matrix_server_name].turn_shared_secret }}"
+static-auth-secret="{{ vault_matrix_secrets.turn_shared_secret }}"

 # The default realm to be used for the users when no explicit
 # origin/realm relationship is found in the database, or if the TURN