app/matrix/appservice-irc: implement passwordEncryptionKey

This allows people to save their NickServ passwords into bridge's storage. Obviously nobody should trust us tho. Change-Id: I2afe9e5215cd8f7419e9eab8183789df13e21aac
2021-02-13 20:17:33 +01:00 · 2021-02-13 20:17:33 +01:00 · 37fbff768a
parent 3d5bb6f2e9
commit 37fbff768a
2 changed files with 17 additions and 3 deletions
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@ -6,9 +6,18 @@ local kube = import "../../../kube/kube.libsonnet";
        local cfg = bridge.cfg,
        cfg:: {
            metadata: {},
-            config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0],
+            config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
+                ircService+: {
+                    [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
+                },
+            },
            image: error "image must be set",
            storageClassName: error "storageClassName must be set",
+
+            # RSA encryption private key secret name containing "key.pem" key
+            # Create using:
+            #   kubectl -n matrix create secret generic appservice-irc-password-encryption-key --from-file=key.pem=<(openssl genpkey -out - -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
+            passwordEncryptionKeySecret: null,
        },

        config: kube.ConfigMap("appservice-irc-%s" % [name]) {
@ -67,7 +76,9 @@ local kube = import "../../../kube/kube.libsonnet";
                            config: kube.ConfigMapVolume(bridge.config),
                            data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
                            registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
-                        },
+                        } + (if cfg.passwordEncryptionKeySecret != null then {
+                            key: { secret: { secretName: cfg.passwordEncryptionKeySecret } },
+                        } else {}),
                        nodeSelector: cfg.nodeSelector,
                        containers_: {
                            appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
@ -80,7 +91,9 @@ local kube = import "../../../kube/kube.libsonnet";
                                    registration: { mountPath: "/registration", },
                                    config: { mountPath: "/config", },
                                    data: { mountPath: "/data" },
-                                },
+                                } + (if cfg.passwordEncryptionKeySecret != null then {
+                                    key: { mountPath: "/key" },
+                                } else {}),
                            },
                        },
                    },
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@ -53,6 +53,7 @@ matrix {
                        },
                    },
                },
+                passwordEncryptionKeySecret: "appservice-irc-password-encryption-key",
            },
        },
        "telegram-prod": telegram.AppServiceTelegram("prod") {