From 37fbff768a60e21b79717616e3b8dbbd5bad4d07 Mon Sep 17 00:00:00 2001
From: Piotr Dobrowolski
Date: Sat, 13 Feb 2021 20:17:33 +0100
Subject: [PATCH] app/matrix/appservice-irc: implement passwordEncryptionKey

This allows people to save their NickServ passwords into bridge's storage. Obviously nobody should trust us tho.
Change-Id: I2afe9e5215cd8f7419e9eab8183789df13e21aac
---
 app/matrix/lib/appservice-irc.libsonnet | 19 ++++++++++++++++---
 app/matrix/matrix.hackerspace.pl.jsonnet | 1 +
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/matrix/lib/appservice-irc.libsonnet b/app/matrix/lib/appservice-irc.libsonnet
index 76289207..b9e5b84c 100644
--- a/app/matrix/lib/appservice-irc.libsonnet
+++ b/app/matrix/lib/appservice-irc.libsonnet
@@ -6,9 +6,18 @@ local kube = import "../../../kube/kube.libsonnet";
 local cfg = bridge.cfg,
 cfg:: {
 metadata: {},
- config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0],
+ config: std.native("parseYaml")(importstr "appservice/appservice-irc.yaml")[0] {
+ ircService+: {
+ [if cfg.passwordEncryptionKeySecret != null then "passwordEncryptionKeyPath"]: "/key/key.pem"
+ },
+ },
 image: error "image must be set",
 storageClassName: error "storageClassName must be set",
+
+ # RSA encryption private key secret name containing "key.pem" key
+ # Create using:
+ # kubectl -n matrix create secret generic appservice-irc-password-encryption-key --from-file=key.pem=<(openssl genpkey -out - -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048)
+ passwordEncryptionKeySecret: null,
 },
 config: kube.ConfigMap("appservice-irc-%s" % [name]) {
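Review bot: The comment on `passwordEncryptionKeySecret` explains how to create the key but not what depends on it staying stable: the bridge stores NickServ passwords encrypted under this key (per the commit message), so recreating the secret with a freshly generated key presumably leaves every already-saved password undecryptable, and that belongs next to the field. I would extend the comment with `# Rotating or regenerating this key invalidates passwords users have already saved; back the secret up before recreating it.` and `# The secret must carry the key under the name "key.pem", which is what passwordEncryptionKeyPath ("/key/key.pem") points at.` The `kubectl -n matrix create secret generic appservice-irc-password-encryption-key` example also hard-codes a namespace and a secret name that is not per-bridge, unlike the `"appservice-irc-%s" % [name]` resources around it, which may mislead when more than one bridge shares the namespace.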
@@ -67,7 +76,9 @@ local kube = import "../../../kube/kube.libsonnet";
 config: kube.ConfigMapVolume(bridge.config),
 data: kube.PersistentVolumeClaimVolume(bridge.dataVolume),
 registration: { secret: { secretName: "appservice-irc-%s-registration" % [name] } },
- },
+ } + (if cfg.passwordEncryptionKeySecret != null then {
+ key: { secret: { secretName: cfg.passwordEncryptionKeySecret } },
+ } else {}),
 nodeSelector: cfg.nodeSelector,
 containers_: {
 appserviceIrc: kube.Container("appservice-irc-%s" % [name]) {
@@ -80,7 +91,9 @@ local kube = import "../../../kube/kube.libsonnet";
 registration: { mountPath: "/registration", },
 config: { mountPath: "/config", },
 data: { mountPath: "/data" },
- },
+ } + (if cfg.passwordEncryptionKeySecret != null then {
+ key: { mountPath: "/key" },
+ } else {}),
 },
 },
 },
diff --git a/app/matrix/matrix.hackerspace.pl.jsonnet b/app/matrix/matrix.hackerspace.pl.jsonnet
index 8ca94f46..f150f6de 100644
--- a/app/matrix/matrix.hackerspace.pl.jsonnet
+++ b/app/matrix/matrix.hackerspace.pl.jsonnet
@@ -53,6 +53,7 @@ matrix {
 },
 },
 },
+ passwordEncryptionKeySecret: "appservice-irc-password-encryption-key",
 },
 },
 "telegram-prod": telegram.AppServiceTelegram("prod") {
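Review bot: The `key` volume added in the `@@ -67,7 +76,9 @@` hunk sets only `secretName`, so the RSA private key is projected with the Kubernetes default file mode for secret volumes (0644) and is readable by every process in the container, which is more exposure than a key that decrypts stored user passwords needs. I would declare it as `key: { secret: { secretName: cfg.passwordEncryptionKeySecret, defaultMode: 256 } },` (jsonnet has no octal literals, so 256 is 0400) and, in the `@@ -80,7 +91,9 @@` hunk, mount it read-only with `key: { mountPath: "/key", readOnly: true },`, assuming `volumes_`/`volumeMounts_` in kube.libsonnet pass extra fields through as the existing `registration` entry suggests. Whether the tighter mode is sufficient depends on the user the container runs as, which is not visible here; if it runs as root the mode is moot and a `securityContext` would be the real fix. The enclosing `volumes_` and `volumeMounts_` objects start and end outside these hunks.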