matrix: store signing key

2025-07-29 02:57:44 +00:00 · 2025-06-12 04:22:10 +03:00 · 2025-06-12 04:22:10 +03:00 · 8de5fb909b
commit 8de5fb909b
parent 43386cc144
5 changed files with 29 additions and 14 deletions
--- a/hosts/best/matrix/default.nix
+++ b/hosts/best/matrix/default.nix
@ -1,3 +1,6 @@
+# TODO: FIXME: We are not handling backups properly.
+# The `e2e_one_time_keys_json` table should not be backed up.
+
 { self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) const enabled genAttrs merge;
@ -29,8 +32,12 @@ in {
    (self + /modules/postgresql.nix)
  ];

+  secrets.matrixKey = {
+    file  = ./key.age;
+    owner = "matrix-synapse";
+  };
  secrets.matrixSecret = {
-    file  = ./password.secret.age;
+    file  = ./secret.age;
    owner = "matrix-synapse";
  };

@ -75,10 +82,10 @@ in {

      # Trusting Matrix.org.
      suppress_key_server_warning = true;
-    };

-    # Sets registration_shared_secret.
-    extraConfigFiles = [ config.secrets.matrixSecret.path ];
+      signing_key_path                = config.secrets.matrixKey.path;
+      registration_shared_secret_path = config.secrets.matrixSecret.path;
+    };

    settings.listeners = [{
      inherit port;
--- a/hosts/best/matrix/key.age
+++ b/hosts/best/matrix/key.age
--- a/hosts/best/matrix/password.secret.age
+++ b/hosts/best/matrix/password.secret.age
--- a/hosts/best/matrix/secret.age
+++ b/hosts/best/matrix/secret.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w sUQRJW9xDK6GmZLtl4MK48DZIh2t8a/KWPkzrMK34mY
+gVmL1Bn+kcT6ReAO2oxYSpGL5URQnqEOqDUxWgpHsrM
+-> ssh-ed25519 CzqbPQ GticSm2nWNiADVwuxH+aeJeQVlAWz9hy9VsTMkCw/yg
+KaQ2pnVAblIftzqBOvcxHhXcBOivax0em2EOLXFH2Q8
+--- ukxPhzbewA/HQQlDqlavsGQ9uDXp55M0ZFMcDJT4TWc
+Î£ð
„6½ÄþZKxÔ>Åñ'
Â‹z¡¾„ãk$ˆ›J$ïBX3:KÞ¶cš¡å]©·¨°Z±×vOjõÎ‡½çÓ¨>Îé¨7’à{R=t¯a*e)ú/Û_Í{"úmœ
--- a/secrets.nix
+++ b/secrets.nix
@ -9,26 +9,27 @@ in {

  "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;

-  "hosts/best/grafana/password.age".publicKeys        = [ best ] ++ admins;
+  "hosts/best/grafana/password.age".publicKeys = [ best ] ++ admins;

-  "hosts/best/hercules/caches.age".publicKeys       = [ best ] ++ admins;
-  "hosts/best/hercules/credentials.age".publicKeys  = [ best ] ++ admins;
-  "hosts/best/hercules/secrets.age".publicKeys      = [ best ] ++ admins;
-  "hosts/best/hercules/token.age".publicKeys        = [ best ] ++ admins;
+  "hosts/best/hercules/caches.age".publicKeys      = [ best ] ++ admins;
+  "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
+  "hosts/best/hercules/secrets.age".publicKeys     = [ best ] ++ admins;
+  "hosts/best/hercules/token.age".publicKeys       = [ best ] ++ admins;

-  "hosts/best/matrix/password.secret.age".publicKeys  = [ best ] ++ admins;
+  "hosts/best/matrix/key.age".publicKeys    = [ best ] ++ admins;
+  "hosts/best/matrix/secret.age".publicKeys = [ best ] ++ admins;

-  "hosts/best/nextcloud/password.age".publicKeys      = [ best ] ++ admins;
+  "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;

-  "hosts/best/plausible/key.age".publicKeys      = [ best ] ++ admins;
+  "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;

  # disk
  "hosts/disk/id.age".publicKeys              = [ disk ] ++ admins;
  "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;

  # nine
-  "hosts/nine/id.age".publicKeys                         = [ nine ] ++ admins;
-  "hosts/nine/password.age".publicKeys             = [ nine ] ++ admins;
+  "hosts/nine/id.age".publicKeys       = [ nine ] ++ admins;
+  "hosts/nine/password.age".publicKeys = [ nine ] ++ admins;

  "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;