seafile: put secret on nuc

flake.lock

@@ -216,11 +216,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714203603,
-        "narHash": "sha256-eT7DENhYy7EPLOqHI9zkIMD9RvMCXcqh6gGqOK5BWYQ=",
+        "lastModified": 1714430505,
+        "narHash": "sha256-SSJQ/KOy8uISnoZgqDoRha7g7PFLSFP/BtMWm0wUz8Q=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c1609d584a6b5e9e6a02010f51bd368cb4782f8e",
+        "rev": "f8e6694edabe4aaa7a85aac47b43ea5d978b116d",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713869268,
-        "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=",
+        "lastModified": 1714273701,
+        "narHash": "sha256-bmoeZ5zMSSO/e8P51yjrzaxA9uzA3SZAEFvih6S3LFo=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c",
+        "rev": "941c4973c824509e0356be455d89613611f76c8a",
         "type": "github"
       },
       "original": {
@@ -332,11 +332,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1714076141,
-        "narHash": "sha256-Drmja/f5MRHZCskS6mvzFqxEaZMeciScCTFxWVLqWEY=",
+        "lastModified": 1714253743,
+        "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7bb2ccd8cdc44c91edba16c48d2c8f331fb3d856",
+        "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
         "type": "github"
       },
       "original": {

flake.nix

@@ -67,6 +67,7 @@
         # thinkpad = self.nixosConfigurations.thinkpad.config.system.build.toplevel;
         jmri = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/jmri { };
         adguardian-term = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/adguardian-term { };
+        matrix-authentication-service = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/matrix-authentication-service { };
         pww = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/pww { };
         gnome-break-timer = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/gnome-break-timer { };
         hashcash-milter = nixpkgs.legacyPackages.x86_64-linux.callPackage ./pkgs/hashcash-milter { };

hosts/nuc/modules/seafile/default.nix

@@ -3,11 +3,6 @@ let
   domain = "seafile.${config.networking.domain}";
 in
 {
-  age.secrets."seafile/oidc-secret" = {
-    file = ../../../../secrets/nuc/seafile/oidc-secret.age;
-    mode = "0440";
-    group = "seafile";
-  };
   services.seafile = {
     enable = true;
     adminEmail = "admin@rfive.de";
@@ -20,7 +15,7 @@ in
       OAUTH_ENABLE_INSECURE_TRANSPORT = True
 
       OAUTH_CLIENT_ID = "seafile"
-      with open('${config.age.secrets."seafile/oidc-secret".path}') as f:
+      with open('/var/lib/seafile/.oidcSecret') as f:
         OAUTH_CLIENT_SECRET = f.readline().rstrip()
       OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
  

pkgs/matrix-authentication-service/default.nix

@@ -0,0 +1,29 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+rustPlatform.buildRustPackage rec {
+  pname = "matrix-authentication-service";
+  version = "0.9.0";
+
+  src = fetchFromGitHub {
+    owner = "matrix-org";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-e5JlkcSJ44iE+pVnGQpGiSNahxUcIFeaPyOjp9E3eD0=";
+  };
+  cargoLock = {
+    lockFile = "${src}/Cargo.lock";
+    outputHashes = {
+      "opa-wasm-0.1.0" = "sha256-f3IIln7BbN7NJiCVMgfoell/plzlqkSm4YYK7mqzKgw=";
+    };
+  };
+
+  meta = with lib;
+    {
+      description = "O.uth2.0 + OpenID Provider for Matrix Homeservers";
+      homepage = "https://github.com/matrix-org/matrix-authentication-service/blob/main/LICENSE";
+      license = with licenses; [ asl20 ];
+      maintainers = with maintainers; [ therealr5 ];
+      mainProgram = "mas-cli";
+    };
+}
+
+

secrets.nix

@@ -22,7 +22,6 @@ in
   "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
-  "secrets/nuc/seafile/oidc-secret.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];