From 8de5fb909b89f57ca1e19bf15d14ecf6306bba8c Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Thu, 12 Jun 2025 04:22:10 +0300
Subject: [PATCH] matrix: store signing key
---
 hosts/best/matrix/default.nix | 15 +++++++++++----
 hosts/best/matrix/key.age | Bin 0 -> 381 bytes
 hosts/best/matrix/password.secret.age | Bin 417 -> 0 bytes
 hosts/best/matrix/secret.age | 7 +++++++
 secrets.nix | 21 +++++++++++----------
 5 files changed, 29 insertions(+), 14 deletions(-)
 create mode 100644 hosts/best/matrix/key.age
 delete mode 100644 hosts/best/matrix/password.secret.age
 create mode 100644 hosts/best/matrix/secret.age
diff --git a/hosts/best/matrix/default.nix b/hosts/best/matrix/default.nix
index 89a88d2..9fced80 100644
--- a/hosts/best/matrix/default.nix
+++ b/hosts/best/matrix/default.nix
@@ -1,3 +1,6 @@
+# TODO: FIXME: We are not handling backups properly.
+# The `e2e_one_time_keys_json` table should not be backed up.
 { self, config, lib, ... }: let
 inherit (config.networking) domain;
 inherit (lib) const enabled genAttrs merge;
@@ -29,8 +32,12 @@ in {
 (self + /modules/postgresql.nix)
 ];
+ secrets.matrixKey = {
+ file = ./key.age;
+ owner = "matrix-synapse";
+ };
 secrets.matrixSecret = {
- file = ./password.secret.age;
+ file = ./secret.age;
 owner = "matrix-synapse";
 };
@@ -75,10 +82,10 @@ in {
 # Trusting Matrix.org.
 suppress_key_server_warning = true;
- };
- # Sets registration_shared_secret.
- extraConfigFiles = [ config.secrets.matrixSecret.path ];
+ signing_key_path = config.secrets.matrixKey.path;
+ registration_shared_secret_path = config.secrets.matrixSecret.path;
+ };
 settings.listeners = [{
 inherit port;
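Review bot: The new header comment says the `e2e_one_time_keys_json` table should not be backed up but not why, and as I understand it the hazard is on restore rather than on backup: a restored snapshot of that table hands out one-time keys that devices have already claimed, so new Olm sessions can be set up against a reused one-time key. I would extend the comment to state the consequence and the operational rule, e.g. `# Restoring a dump that contains e2e_one_time_keys_json re-issues already-claimed one-time keys; exclude it from dumps, or truncate it right after a restore.` Nothing in this hunk shows where backups are configured; if that lives elsewhere in the repo, a pointer to it from this comment would help whoever eventually fixes the TODO.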
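Review bot: `secrets.matrixKey` is, judging by its use as `signing_key_path` later in the patch, Synapse's federation signing key, i.e. the server's identity, yet nothing at the declaration says so or distinguishes it from the registration secret next to it. I would add `# Federation signing key: whoever can decrypt this can sign events as this homeserver.` above the block, since the secrets.nix change in this patch appears to encrypt it to every admin key as well as the host, which is a wider audience than a key of this sensitivity usually gets; whether that is acceptable is a policy call, but it should be a documented one. No `mode` is set, so the file presumably gets the agenix default (owner-read-only), which is what Synapse needs; stating that assumption in the comment would save the next reader a lookup.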
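Review bot: Pointing `signing_key_path` at the agenix-provided file changes which key Synapse signs with unless `key.age` holds exactly the key the server was already using (presumably the one Synapse generated under its data directory before this change); if it is a different key, remote servers that cached the old key will reject signatures from the new one until the old key is published with an expiry. I would either confirm in the commit message that `key.age` is the pre-existing key, or add alongside it `old_signing_keys = { "ed25519:<old id>" = { key = "<old base64 key>"; expired_ts = <unix ms>; }; };` so federation does not silently break. Separately, `registration_shared_secret_path` reads the bare secret, whereas the removed `extraConfigFiles` line implies the old file was a YAML `registration_shared_secret:` snippet, so the new `secret.age` must contain only the value; worth a one-line comment on that option. The enclosing `settings` attribute set and the outer module body both extend beyond this hunk.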
diff --git a/hosts/best/matrix/key.age b/hosts/best/matrix/key.age new file mode 100644 index 0000000000000000000000000000000000000000..f461b83803c52aebb98a800a7ac2a93289910a06 GIT binary patch literal 381 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)s5A~SD_1BhjdIR# z361cGFm_AK^hq>uGR<}~t&B`IcQPyw)=vyGDsnAw^)-qJjO4N?4$LdB$~4y2_AQEx zEG!H*@NqJYFf4O5H_5dONe(J5H!3r%^r`fX@#xF`LV?#LL~$U%Md5GBqlr(4-(RD#*C5*v!RWKO{6Y#4$C%G}FW{D$vlsD#Sfp z-@vWFC`sQx+&n1Tt1`F?OqpaIMU!$~E^2Ot0`WG~g=F4)AexPWCX%GAPXO z$Te~`kI3+@@XO4p45|t%2o3j6Dvm4(tq3slDo3}?xvDTJAW$JOFVa0UFV8TkBDWyI zQ#-l9Ey>iyKTtoyy)2|8C(OskGtj5F*d;5`(16Rk$|NY!-OM1ZxXM4zyC~1m)iAKa zztqtvprX`0wW6}n%%$9=&>}3?GmuMHS689fKS?{Q%&@>x+c3&NzuYmv&pp7|)vq$q zrP3rNqddag#3w-8)jQ0$u$W6^`r7ZIQXxzS4X6IjZ(`?OB3vwTm7_w7Yg(ah*)!i~ zbsw&~-HP42t-9mN^3dS2MCaMQldN2)cC}>83!74uf3$esOgrl diff --git a/hosts/best/matrix/secret.age b/hosts/best/matrix/secret.age new file mode 100644 index 0000000..980a138 --- /dev/null +++ b/hosts/best/matrix/secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 8y3T6w sUQRJW9xDK6GmZLtl4MK48DZIh2t8a/KWPkzrMK34mY +gVmL1Bn+kcT6ReAO2oxYSpGL5URQnqEOqDUxWgpHsrM +-> ssh-ed25519 CzqbPQ GticSm2nWNiADVwuxH+aeJeQVlAWz9hy9VsTMkCw/yg +KaQ2pnVAblIftzqBOvcxHhXcBOivax0em2EOLXFH2Q8 +--- ukxPhzbewA/HQQlDqlavsGQ9uDXp55M0ZFMcDJT4TWc +Σð „6½ÄþZKxÔ>Åñ­' ‹z¡ ¾„ãk$ˆ›J$ïBX3:KÞ¶cš¡å]©·¨ °Z±×vOjõ·½çÓ¨>Îé¨7’à{R=t¯a*e)ú/Û_Í{"úmœ \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 4e0ab44..e013ff2 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -9,26 +9,27 @@ in {
 "hosts/best/garage/environment.age".publicKeys = [ best ] ++ admins;
- "hosts/best/grafana/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/grafana/password.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/secrets.age".publicKeys = [ best ] ++ admins;
- "hosts/best/hercules/token.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/caches.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/credentials.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/secrets.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/hercules/token.age".publicKeys = [ best ] ++ admins;
- "hosts/best/matrix/password.secret.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/matrix/key.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/matrix/secret.age".publicKeys = [ best ] ++ admins;
- "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
- "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
 # disk
 "hosts/disk/id.age".publicKeys = [ disk ] ++ admins;
 "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;
 # nine
- "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
- "hosts/nine/password.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/password.age".publicKeys = [ nine ] ++ admins;
 "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;