Arion: Limit mollysocket to specific UUIDs

2025-03-10 21:26:43 +01:00 · 2025-03-10 21:26:43 +01:00 · 9a9a1f947d
commit 9a9a1f947d
parent bb038e237d
2 changed files with 15 additions and 8 deletions
--- a/hosts/franz/arion/signal/arion-compose.nix
+++ b/hosts/franz/arion/signal/arion-compose.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{
  project.name = "signal";

  networks.dmz = {
@ -37,8 +37,7 @@
      };
      environment = {
        MOLLY_DB = "/data/mollysocket.db";
-        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\",\"*\"]";
-        MOLLY_ALLOWED_UUIDS = "[\"*\"]";
+        MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\"]";
        MOLLY_HOST = "0.0.0.0";
        MOLLY_PORT = 8020;
        RUST_LOG = "info";
--- a/hosts/franz/arion/signal/default.nix
+++ b/hosts/franz/arion/signal/default.nix
@ -1,14 +1,21 @@
-{config, ...}: let
+{ config, ... }:
+let
  vars = import ../../../../vars.nix;
-in {
+in
+{
  virtualisation.arion = {
    projects.signal.settings = {
-      imports = [./arion-compose.nix];
+      imports = [ ./arion-compose.nix ];
    };
  };

-  sops.secrets."signal/vapid_privkey" = {
-    owner = vars.user;
+  sops.secrets = {
+    "signal/vapid_privkey" = {
+      owner = vars.user;
+    };
+    "signal/allowed_uuids" = {
+      owner = vars.user;
+    };
  };

  sops.templates."mollysocket.env" = {
@ -17,6 +24,7 @@ in {
    mode = "0775";
    content = ''
      MOLLY_VAPID_PRIVKEY="${config.sops.placeholder."signal/vapid_privkey"}"
+      MOLLY_ALLOWED_UUIDS="${config.sops.placeholder."signal/allowed_uuids"}"
    '';
  };
 }