From f3ea03b0ad5a51e7687d9095abaa54aa6f2487da Mon Sep 17 00:00:00 2001 From: Mike Cugini Date: Wed, 17 Mar 2021 16:54:46 -0400 Subject: [PATCH] move secret files to a single json file --- .gitignore | 1 + nixos_configs/matrix.nix | 18 +++++++----------- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/.gitignore b/.gitignore index b5b8ee5..019004f 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ matrix_reg_key slack_client_secret slack-registration.yaml *_psql_password +secrets.json diff --git a/nixos_configs/matrix.nix b/nixos_configs/matrix.nix index b7bbc41..85ee822 100644 --- a/nixos_configs/matrix.nix +++ b/nixos_configs/matrix.nix @@ -6,11 +6,7 @@ let storage-dir = "/srv/matrix-data"; matrix-reg-dir = "${storage-dir}/matrix-registration"; slackbridge-dir = "${storage-dir}/slackbridge"; - remove-newline = string: builtins.replaceStrings [ "\n" ] [ "" ] string; - matrix-reg-key = remove-newline (builtins.readFile ./matrix_reg_key); - matrix-psql-password = remove-newline (builtins.readFile ./matrix_psql_password); - slackbridge-psql-password = remove-newline (builtins.readFile ./slackbridge_psql_password); - slack-client-secret = remove-newline (builtins.readFile ./slack_client_secret); + secrets = builtins.fromJSON (builtins.readFile ./secrets.json); slack-reg-source-yaml = (builtins.readFile ./slack-registration.yaml); slack-reg-dest-yaml = pkgs.writeText "slack-registration.yaml" "${slack-reg-source-yaml}"; fqdn = 
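Review bot: Ignoring `secrets.json` keeps it out of the repository, but with the four per-secret files gone nothing in the tree documents which keys the Nix evaluation now expects, so a fresh checkout fails at eval time with an opaque "attribute missing" error rather than a readable hint. Consider committing a `secrets.json.example` with placeholder values for `matrix.registration_secret`, `matrix.psql_password`, `matrix.slack_bridge.psql_password` and `matrix.slack_bridge.client_secret` next to this entry, and keep the old entries (`matrix_reg_key`, `*_psql_password`, `slack_client_secret`) until every checkout has deleted the files. Note that .gitignore only protects the repository: once `builtins.readFile ./secrets.json` pulls the file into the evaluation its contents still reach `/nix/store`, which is a separate concern raised on the matrix.nix hunks.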
@@ -47,13 +43,13 @@ in { dataDir = "${storage-dir}/db"; initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${matrix-psql-password}'; + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${secrets.matrix.psql_password}'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; CREATE DATABASE slack_bridge; - CREATE USER slackbridge_user WITH PASSWORD '${slackbridge-psql-password}'; + CREATE USER slackbridge_user WITH PASSWORD '${secrets.matrix.slack_bridge.psql_password}'; GRANT ALL PRIVILEGES ON DATABASE slack_bridge to slackbridge_user; ''; }; @@ -139,7 +135,7 @@ in { services.matrix-synapse = { enable = true; server_name = config.networking.domain; - registration_shared_secret = matrix-reg-key; + registration_shared_secret = secrets.matrix.registration_secret; extraConfig = '' allow_public_rooms_over_federation: true auto_join_rooms: @@ -180,7 +176,7 @@ in { server_location: 'https://matrix.waffle.farm:443' base_url: 'waffle.farm' server_name: 'waffle.farm' -shared_secret: '${matrix-reg-key}' +shared_secret: '${secrets.matrix.registration_secret}' riot_instance: 'chat.waffle.farm' db: 'sqlite:///${matrix-reg-dir}/db.sqlite3' host: 'localhost' @@ -238,7 +234,7 @@ username_prefix: "slack_" db: engine: "postgres" - connectionString: "postgresql://slackbridge_user:${slackbridge-psql-password}@localhost/slack_bridge" + connectionString: "postgresql://slackbridge_user:${secrets.matrix.slack_bridge.psql_password}@localhost/slack_bridge" matrix_admin_room: "!tuUJADDNODYliJTxYK:waffle.farm" 
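Review bot: The `CREATE ROLE ... PASSWORD '${secrets.matrix.psql_password}'` and `CREATE USER ... PASSWORD '${secrets.matrix.slack_bridge.psql_password}'` lines splice both database passwords into a `pkgs.writeText` derivation, so they end up in a world-readable `/nix/store` path on the host (and in any binary cache the closure is pushed to). The per-file `readFile` calls this commit replaces had the same problem, so the change does not make it worse, but consolidating into one JSON file is the moment to fix it: keep `secrets.json` out of the Nix expression and set the passwords at runtime, e.g. an `ExecStartPost` running `ALTER ROLE ... PASSWORD` from a root-only file, or a secrets tool that deploys to `/run`. Separately, the old `remove-newline` wrapper at least normalised the value, whereas the JSON value is now interpolated into a single-quoted SQL literal with no escaping at all, so a `'` in a generated password would break the init script or change its meaning. If the inline approach stays, escape with `'${builtins.replaceStrings ["'"] ["''"] secrets.matrix.psql_password}'` and likewise for the slackbridge password.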
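Review bot: `registration_shared_secret = secrets.matrix.registration_secret;` hands the secret to the module-generated homeserver.yaml, which NixOS writes to `/nix/store` and which is therefore readable by every local user and process. The NixOS matrix-synapse module provides `services.matrix-synapse.extraConfigFiles` for this case (if the channel in use has it): point it at a root-owned file outside the store containing `registration_shared_secret: "..."` and drop the option from this expression. The enclosing `services.matrix-synapse` attribute set continues outside the hunk.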
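Review bot: The `connectionString: "postgresql://slackbridge_user:${secrets.matrix.slack_bridge.psql_password}@localhost/slack_bridge"` line embeds the password in a URL without percent-encoding, so a password containing `@`, `/`, `:` or `%` yields a malformed or mis-parsed URL, and the password will appear in any log or error message that prints the connection string. The `shared_secret: '${secrets.matrix.registration_secret}'` line has the parallel problem that a `'` in the JSON value terminates the YAML scalar, and neither value read from `secrets.json` is validated anywhere visible. Both files are presumably rendered into `/nix/store` like the other `pkgs.writeText` outputs in this file, so the secrets are world-readable on the host; the bridge and matrix-registration typically accept an environment file or a separate secrets file outside the store instead. At minimum, add an eval-time guard next to the `secrets = builtins.fromJSON ...` binding, e.g. `assert !(lib.hasInfix "'" secrets.matrix.registration_secret);` if `lib` is in scope, so a bad value fails loudly rather than producing a subtly broken config.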
@@ -253,7 +249,7 @@ inbound_uri_prefix: "https://waffle.farm/slackbridge/" # oauth2: client_id: "4494054004.1702274627236" - client_secret: "${slack-client-secret}" + client_secret: "${secrets.matrix.slack_bridge.client_secret}" #redirect_prefix: "https://waffle.farm/slackbridge/oauth" # Optional. Enable metrics reporting on http://0.0.0.0:bridgePort/metrics which can be scraped by prometheus