From 1f3f719032fd865b185bbf653c4185bf290f6727 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 31 Jan 2024 14:50:08 +0100 Subject: [PATCH] Cleanup --- example/init/vault-database | 2 +- example/matrix.nomad.hcl | 18 ++++++++-------- example/prep.d/10-mv-conf.sh | 19 ----------------- example/prep.d/20-rand-pwd.sh | 25 ++++++++++++++--------- example/vault/policies/matrix-synapse.hcl | 4 ++-- init/vault-database | 5 +---- matrix.nomad.hcl | 5 +++-- prep.d/10-mv-conf.sh | 1 - prep.d/20-rand-pwd.sh | 15 +------------- templates/homeserver.yml.tpl | 4 ++-- variables.yml | 23 ++++++++++++--------- vault/policies/matrix-synapse.hcl | 4 ++-- 12 files changed, 49 insertions(+), 76 deletions(-) delete mode 100755 example/prep.d/10-mv-conf.sh delete mode 100755 prep.d/10-mv-conf.sh diff --git a/example/init/vault-database b/example/init/vault-database index 6c54e15..f256d1f 100755 --- a/example/init/vault-database +++ b/example/init/vault-database @@ -2,7 +2,7 @@ set -euo pipefail -vault write database/roles/matrix-synapse \ +vault write /database/roles/matrix-synapse \ db_name="postgres" \ creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \ GRANT \"matrix-synapse\" TO \"{{name}}\"; \ diff --git a/example/matrix.nomad.hcl b/example/matrix.nomad.hcl index 08c349d..90bf0d3 100644 --- a/example/matrix.nomad.hcl +++ b/example/matrix.nomad.hcl 
@@ -41,15 +41,15 @@ job "matrix" { "traefik.enable=true", "traefik.http.routers.matrix-admin.entrypoints=https", - "traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;", - "traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp", + "traefik.http.middlewares.csp-matrix-admin.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;", + "traefik.http.routers.matrix-admin.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix-admin", "traefik.http.routers.matrix.rule=Host(`matrix.consul`) || (Host(`matrix.consul`) && PathRegexp(`^/(_(synapse|matrix)|\\.well-known/matrix)/.*`))", "traefik.enable=true", "traefik.http.routers.matrix.entrypoints=https", - "traefik.http.middlewares.matrix-csp.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 
'unsafe-inline';worker-src 'self' blob:;", - "traefik.http.routers.matrix.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,matrix-csp", + "traefik.http.middlewares.csp-matrix.headers.contentsecuritypolicy=connect-src 'self' https://scalar.vector.im https://api.maptiler.com;default-src 'self';font-src 'self' data:;frame-src 'self' blob: https://scalar.vector.im/ https://meet.element.io;img-src 'self' data: blob: https://img.youtube.com https://*.ytimg.com;script-src 'self' https://usercontent.riot.im https://scalar.vector.im;style-src 'self' 'unsafe-inline';worker-src 'self' blob:;", + "traefik.http.routers.matrix.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-matrix", ] @@ -136,6 +136,7 @@ job "matrix" { env { SYNAPSE_CONFIG = "/secrets/homeserver.yml" + TMPDIR = "/data/tmp" } @@ -144,7 +145,6 @@ job "matrix" { template { data = <<_EOT LANG=fr_FR.utf8 -TMPDIR=/data/tmp TZ=Europe/Paris _EOT destination = "secrets/.env" @@ -168,9 +168,9 @@ database: args: database: matrix-synapse host: 127.0.0.1 - password: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.password }}{{ end }}' + password: '{{ with secret "/database/matrix" }}{{ .Data.password }}{{ end }}' port: "5432" - user: '{{ with secret "database/creds/matrix-synapse" }}{{ .Data.username }}{{ end }}' + user: '{{ with secret "/database/matrix" }}{{ .Data.username }}{{ end }}' name: psycopg2 default_identity_server: https://matrix.org delete_stale_devices_after: 180d @@ -183,7 +183,7 @@ email: smtp_host: 127.0.0.1 smtp_port: 25 forgotten_room_retention_period: 15d -form_secret: '{{ with secret "kv/service/matrix" }}{{ .Data.data.form_secret }}{{ end }}' +form_secret: '{{- with secret "/kv/service/matrix" }}{{ .Data.data.form_secret }}{{ end }}' listeners: - path: /alloc/tmp/synapse.sock resources: 
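Review bot: The two `contentsecuritypolicy` tags now define `csp-matrix-admin` and `csp-matrix` with byte-identical directive lists, so the same long policy is maintained twice and the admin router and the public router can drift apart silently the next time one of them is edited. If both routers are meant to carry the same policy, one middleware attached to both `middlewares=` lists (or a shared definition next to `security-headers@file`) keeps a single source of truth; if the admin UI is meant to get a tighter policy than `/_matrix`/`/_synapse`, that intent is worth a comment on the tag, because the duplication currently suggests the opposite. The tag list these lines belong to starts outside the hunk.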
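Review bot: The new `password:` and `user:` lines read the secret at `/database/matrix`, but the example policy in this same commit grants read only on `/database/creds/matrix-synapse`, and `example/init/vault-database` creates the role as `matrix-synapse`; `/database/matrix` is neither the `creds/` endpoint of that role nor a path the policy allows, so the template render should fail and the task never gets database credentials. The rendered lines should read `password: '{{ with secret "/database/creds/matrix-synapse" }}{{ .Data.password }}{{ end }}'` and the matching `user:` line; since this file is generated, the fix presumably belongs in the common template that builds the path from the `database.role`/`pgrole` values in variables.yml. The `database:` mapping these lines sit in continues outside the hunk.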
@@ -193,7 +193,7 @@ listeners: - federation type: http log_config: /secrets/logging.conf -macaroon_secret_key: '{{ with secret "kv/service/matrix" }}{{ .Data.data.macaroon_secret_key }}{{ end }}' +macaroon_secret_key: '{{- with secret "/kv/service/matrix" }}{{ .Data.data.macaroon_secret_key }}{{ end }}' max_avatar_size: 4M media_retention: local_media_lifetime: 730d diff --git a/example/prep.d/10-mv-conf.sh b/example/prep.d/10-mv-conf.sh deleted file mode 100755 index ab5c761..0000000 --- a/example/prep.d/10-mv-conf.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh - -set -eu - - - -if [ "matrix" != "matrix" ]; then - for DIR in vault consul nomad; do - if [ -d output/${DIR} ]; then - for FILE in $(find output/${DIR} -name "*matrix*.hcl" -type f); do - NEW_FILE=$(echo "${FILE}" | sed -E "s/matrix/matrix/g") - mv "${FILE}" "${NEW_FILE}" - done - fi - done -fi - - - diff --git a/example/prep.d/20-rand-pwd.sh b/example/prep.d/20-rand-pwd.sh index 6e384d1..54edc77 100755 --- a/example/prep.d/20-rand-pwd.sh +++ b/example/prep.d/20-rand-pwd.sh 
@@ -2,17 +2,22 @@ set -euo pipefail -# Initialize random passwords if needed +# vim: syntax=sh + +export LC_ALL=C +VAULT_KV_PATH=/kv/service/matrix +RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50" +if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then + vault kv put ${VAULT_KV_PATH} \ + macaroon_secret_key="$(sh -c "${RAND_CMD}")" \ + form_secret="$(sh -c "${RAND_CMD}")" \ -if ! vault kv list kv/service 2>/dev/null | grep -q -E '^matrix$'; then - vault kv put kv/service/matrix \ - macaroon_secret_key=$(pwgen -s -n 50 1) \ - form_secret=$(pwgen -s -n 50 1) fi - -for PWD in macaroon_secret_key form_secret; do - if ! vault kv get -field ${PWD} kv/service/matrix >/dev/null 2>&1; then - vault kv patch kv/service/matrix \ - ${PWD}=$(pwgen -s -n 50 1) +for SECRET in macaroon_secret_key form_secret; do + if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then + vault kv patch ${VAULT_KV_PATH} \ + ${SECRET}=$(sh -c "${RAND_CMD}") fi done + + diff --git a/example/vault/policies/matrix-synapse.hcl b/example/vault/policies/matrix-synapse.hcl index e85716a..4590923 100644 --- a/example/vault/policies/matrix-synapse.hcl +++ b/example/vault/policies/matrix-synapse.hcl @@ -1,7 +1,7 @@ -path "kv/data/service/matrix" { +path "/kv/data/service/matrix" { capabilities = ["read"] } -path "database/creds/matrix-synapse" { +path "/database/creds/matrix-synapse" { capabilities = ["read"] } diff --git a/init/vault-database b/init/vault-database index 269c513..aab8357 100755 --- a/init/vault-database +++ b/init/vault-database @@ -2,7 +2,4 @@ set -euo pipefail -[[- template "common/vault.mkpgrole.sh.tpl" - dict "ctx" . - "config" (dict "role" (printf "%s-synapse" .instance) "database" "postgres") -]] +[[ template "common/vault.mkpgrole.sh.tpl" merge .matrix.synapse . ]] diff --git a/matrix.nomad.hcl b/matrix.nomad.hcl index 7b3f114..9c9ad79 100644 --- a/matrix.nomad.hcl +++ b/matrix.nomad.hcl 
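Review bot: The generated secrets on the `vault kv put` and `vault kv patch` lines are passed as command-line arguments, so they are visible in the process list to any local user while the command runs and can be captured by shell tracing; the Vault CLI reads a value from stdin when it is written as `key=-`, which keeps the secret off argv. Separately, the `form_secret="$(sh -c "${RAND_CMD}")" \` line ends with a continuation while `fi` is the next visible line; blank lines cannot be distinguished in this listing, but if no empty line sits between them the continuation makes `fi` an argument of `vault kv put` and leaves the `if` without a terminator, so the trailing backslash should be dropped either way. The `${SECRET}=$(sh -c "${RAND_CMD}")` argument in the patch loop is unquoted; the `tr` alphabet contains no whitespace or glob characters so it works today, but quoting it as `"${SECRET}=$(sh -c "${RAND_CMD}")"` matches the put block above and survives a later change to `RAND_CMD`.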
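Review bot: The policy paths now begin with `/` (`/kv/data/service/matrix`, `/database/creds/matrix-synapse`), which appears to come from `.vault.root` rendering as `/`; Vault's policy parser strips a single leading slash as far as I recall, but this deserves confirmation against the Vault version in use, because a path that does not match fails closed and the job would render no secrets at all. Note also that the rendered example job in this commit reads database credentials from `/database/matrix`, which this policy does not grant and which is not the `creds/` endpoint the role exposes, so policy and template disagree regardless of the slash question.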
@@ -38,7 +38,7 @@ job "[[ .instance ]]" { [[ template "common/traefik_tags" $w ]] ] -[[ template "common/connect" merge $c ]] +[[ template "common/connect" $c ]] } [[ template "common/task.wait_for" $c ]] @@ -58,10 +58,11 @@ job "[[ .instance ]]" { env { SYNAPSE_CONFIG = "/secrets/homeserver.yml" + TMPDIR = "/data/tmp" [[ template "common/proxy_env" $c ]] } -[[ template "common/file_env" $c.env ]] +[[ template "common/file_env" $c ]] template { data =<<_EOT diff --git a/prep.d/10-mv-conf.sh b/prep.d/10-mv-conf.sh deleted file mode 100755 index 4452159..0000000 --- a/prep.d/10-mv-conf.sh +++ /dev/null @@ -1 +0,0 @@ -[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "matrix" .instance) ]] diff --git a/prep.d/20-rand-pwd.sh b/prep.d/20-rand-pwd.sh index beb6f28..4f72248 100755 --- a/prep.d/20-rand-pwd.sh +++ b/prep.d/20-rand-pwd.sh @@ -2,17 +2,4 @@ set -euo pipefail -# Initialize random passwords if needed - -if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then - vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \ - macaroon_secret_key=$(pwgen -s -n 50 1) \ - form_secret=$(pwgen -s -n 50 1) -fi - -for PWD in macaroon_secret_key form_secret; do - if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then - vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \ - ${PWD}=$(pwgen -s -n 50 1) - fi -done +[[ template "common/vault.rand_secrets" merge .matrix.synapse . ]] diff --git a/templates/homeserver.yml.tpl b/templates/homeserver.yml.tpl index b5f5cbb..f73e755 100644 --- a/templates/homeserver.yml.tpl +++ b/templates/homeserver.yml.tpl 
@@ -74,8 +74,8 @@ default_identity_server: https://matrix.org allow_guest_access: [[ .matrix.allow_guests ]] -macaroon_secret_key: '[[ .matrix.synapse.macaroon_secret_key ]]' -form_secret: '[[ .matrix.synapse.form_secret ]]' +macaroon_secret_key: '{{- with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}' +form_secret: '{{- with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}' sso: client_whitelist: diff --git a/variables.yml b/variables.yml index 5b7b56e..b4379aa 100644 --- a/variables.yml +++ b/variables.yml @@ -28,8 +28,7 @@ matrix: image: '[[ .docker.repo ]]matrix-synapse:1.99.0-1' # Additional env var to set in the container - env: - TMPDIR: /data/tmp + env: {} # You can define a custom yaml config which will be merged over the default one. # Eg, to setup OIDC auth @@ -50,10 +49,6 @@ matrix: # email_template: '{{"{{"}} user.email {{"}}"}}' config: {} - # Secrets used by Synapse - macaroon_secret_key: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key }}{{ end }}' - form_secret: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.form_secret }}{{ end }}' - # URL preview settings url_preview: enabled: true 
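Review bot: The new `macaroon_secret_key:` and `form_secret:` lines interpolate the Vault value into a single-quoted YAML scalar, so any stored secret containing `'` produces an unparseable `homeserver.yml`. The example generator in this commit draws from an alphabet without quotes, but a secret rotated by hand or written by another tool is not constrained that way; Nomad's template engine provides `toJSON`, so `macaroon_secret_key: {{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.macaroon_secret_key | toJSON }}{{ end }}` yields a correctly quoted string for any value. The `{{-` trim markers have nothing to trim here because the preceding character is the quote, so they can be plain `{{` for readability.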
@@ -75,18 +70,26 @@ matrix: - username: '*' - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' - # Vault policies vault: + # Vault policies policies: - '[[ .instance ]]-synapse[[ .consul.suffix ]]' + # Random secrets to generate and store in vault KV + rand_secrets: + fields: + - macaroon_secret_key + - form_secret + database: + role: '[[ .instance ]]-synapse' + pgrole: '[[ .instance ]]-synapse' # Postgres database to use postgres: host: 127.0.0.1 port: 5432 database: '[[ .instance ]]-synapse' - user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}' - password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}' + #user: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.username }}{{ end }}' + #password: '{{ with secret "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" }}{{ .Data.password }}{{ end }}' # Wait for the postgres service to be ready before starting wait_for: @@ -132,7 +135,7 @@ matrix: admin: traefik: auto_rule: false - router: '[[ .instance ]]-admin[[ .consul.suffix ]]' + router: admin # Volumes used for data persistance volumes: diff --git a/vault/policies/matrix-synapse.hcl b/vault/policies/matrix-synapse.hcl index b77abb1..bd8ef38 100644 --- a/vault/policies/matrix-synapse.hcl +++ b/vault/policies/matrix-synapse.hcl @@ -1,7 +1,7 @@ -path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" { +path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" { capabilities = ["read"] } -path "[[ .vault.prefix ]]database/creds/[[ .instance ]]-synapse" { +path "[[ .vault.root ]]database/creds/[[ .instance ]]-synapse" { capabilities = ["read"] }
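Review bot: The `user:` and `password:` entries under `postgres:` are left as commented-out lines rather than removed, and they now conflict with what the example job in this commit renders for the same keys (`database/creds/[[ .instance ]]-synapse` here versus `/database/matrix` in example/matrix.nomad.hcl), so a reader gets two different answers about where the credentials come from. Either delete the two lines or replace them with a short comment such as `# user/password are rendered from Vault by the common database template; set them here only to bypass dynamic credentials`, hedged to whatever the common template actually does. The new `database:` mapping sets `role:` and `pgrole:` to the same value with no explanation of how they differ; a one-line comment on each would help the next maintainer.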