From 31e5b1ff2642a56cf3d34ba160c71c2a0808cb55 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Mon, 22 Jun 2026 18:44:30 +0900
Subject: [PATCH] workers: fix `LoadCredential` signing key passthrough

---
 synapse-module/workers.nix | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index 292b6c7..57fcdba 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -372,12 +372,19 @@ in {
     systemd.services = let
       workerList = lib.mapAttrsToList lib.nameValuePair wcfg.instances;
       workerConfig = worker:
-        format.generate "matrix-synapse-worker-${worker.name}-config.yaml"
-        (worker.value.settings // {
-          worker_name = worker.name;
-          worker_listeners =
-            map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
-        });
+        format.generate "matrix-synapse-worker-${worker.name}-config.yaml" (
+          worker.value.settings
+          //
+          {
+            worker_name = worker.name;
+            worker_listeners = map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+          }
+          //
+          # NOTE: the workers cannot pick up creds from `/run/credentials/matrix-synapse.service/*`
+          (lib.optionalAttrs usesCustomSigningKeyPath {
+            signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
+          })
+        );
     in builtins.listToAttrs (lib.flip map workerList (worker: {
       name = "matrix-synapse-worker-${worker.name}";
       value = {