From 90ca1eb7a1b2f4920171db8a4225a9b14a182de7 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 26 Jan 2026 21:12:20 +0900
Subject: [PATCH] {synapse,workers}: pass `signing_key_path` through `LoadCredential`
---
 synapse-module/default.nix | 36 +++++++++++++++++++++++++++++-------
 synapse-module/workers.nix | 9 +++++++--
 2 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/synapse-module/default.nix b/synapse-module/default.nix
index cbc5633..cd73837 100644
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -1,7 +1,8 @@
-{ pkgs, lib, config, ... }:
-let
+{ pkgs, lib, options, config, ... }:
+let
 matrix-lib = (import ../lib.nix { inherit lib; });
+ opt = options.services.matrix-synapse-next;
 cfg = config.services.matrix-synapse-next;
 wcfg = cfg.workers;
@@ -9,11 +10,29 @@ let
 cfgText = "config.services.matrix-synapse-next";
 wcfgText = "config.services.matrix-synapse-next.workers";
- format = pkgs.formats.yaml {};
- matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
- listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
- media_store_path = "/var/lib/matrix-synapse/media_store";
- });
+ usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default;
+
+ format = pkgs.formats.yaml { };
+ matrix-synapse-common-config = lib.pipe cfg.settings [
+ (settings: settings // {
+ listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+ media_store_path = "/var/lib/matrix-synapse/media_store";
+ })
+ (settings: settings // (lib.optionalAttrs usesCustomSigningKeyPath {
+ signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
+ }))
+ (let
+ filterRecursiveNull =
+ o:
+ if lib.isAttrs o then
+ lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
+ else if lib.isList o then
+ map filterRecursiveNull (lib.filter (v: v != null) o)
+ else
+ o;
+ in filterRecursiveNull)
+ (format.generate "matrix-synapse-common-config.yaml")
+ ];
 # TODO: Align better with the upstream module
 wrapped = cfg.package.override {
@@ -512,6 +531,9 @@ in
 (lib.filter (path: path != "/run/matrix-synapse"))
 lib.uniqueStrings
 ];
+ LoadCredential = lib.mkIf usesCustomSigningKeyPath [
+ "signing_key:${cfg.settings.signing_key_path}"
+ ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index f0e5ffb..343a57f 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
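Review bot: The `filterRecursiveNull` stage in the `@@ -9,11 +10,29 @@` hunk now strips every `null` from the whole `cfg.settings` tree, while the removed code only filtered nulls inside `listeners`, so a setting a user deliberately left as `null` no longer reaches the generated YAML. If that is intended it deserves a comment above the stage, for example `# drop nulls everywhere: unset options must not reach the YAML`, and the `lib.filterAttrsRecursive` call on `listeners` in the first stage then becomes redundant. The rewritten `signing_key_path` also hard-codes the unit name `matrix-synapse.service` and the credential id `signing_key`, which must stay in sync with the `LoadCredential` entry added later in this file; a short comment saying so would help the next maintainer.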
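Review bot: In the `@@ -512,6 +531,9 @@` hunk, `"signing_key:${cfg.settings.signing_key_path}"` interpolates the option value directly, so if the option accepts Nix path values and a user assigns a path literal, the key file would be copied into the world-readable Nix store at evaluation time. The option's type is not visible in this hunk, so this is a precaution rather than a confirmed leak; `"signing_key:${toString cfg.settings.signing_key_path}"` keeps the absolute path without importing the file. A comment noting that the source file only needs to be readable by the service manager, not by the Synapse user, would document why the credential indirection exists. The enclosing attribute set starts and ends outside the hunk.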
@@ -4,8 +4,8 @@ throw', format }: -{ pkgs, lib, config, ... }: let - +{ pkgs, lib, options, config, ... }: let + opt = options.services.matrix-synapse-next; cfg = config.services.matrix-synapse-next; wcfg = config.services.matrix-synapse-next.workers; @@ -13,6 +13,8 @@ cfgText = "config.services.matrix-synapse-next"; wcfgText = "config.services.matrix-synapse-next.workers"; + usesCustomSigningKeyPath = cfg.settings.signing_key_path != (opt.settings.type.getSubOptions { }).signing_key_path.default; + inherit (lib) types mkOption mkEnableOption mkIf mkMerge literalExpression; mkWorkerCountOption = workerType: mkOption { @@ -449,6 +451,9 @@ in { (lib.filter (path: path != "/run/matrix-synapse")) lib.uniqueStrings ]; + LoadCredential = lib.mkIf usesCustomSigningKeyPath [ + "signing_key:${cfg.settings.signing_key_path}" + ]; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET"
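Review bot: `usesCustomSigningKeyPath` in the `@@ -13,6 +13,8 @@` hunk repeats the expression from `default.nix` verbatim, so the two copies can drift apart and leave the main service and the workers disagreeing about whether the credential is in use. This file already receives `throw'` and `format` as arguments from its importer (visible in the first hunk), so the value could be passed in the same way. That would also make the `options` argument and the `opt` binding added in the first hunk unnecessary.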
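Review bot: In the `@@ -449,6 +451,9 @@` hunk each worker unit loads `signing_key` into its own credentials directory, but the only path this commit writes into the Synapse configuration is `/run/credentials/matrix-synapse.service/signing_key` in `default.nix`, which belongs to the main unit. systemd credential directories are per-unit, so if the workers read that shared configuration (not visible in this hunk) they would look for the key in a directory that is not theirs, and the credential loaded here would go unused. Either the worker configuration should override the path, e.g. `signing_key_path = "/run/credentials/<worker-unit-name>.service/signing_key";` with the real unit name substituted, or the `LoadCredential` entry should be dropped for workers that never read the key. The same direct interpolation of `cfg.settings.signing_key_path` as in `default.nix` is used here, so `toString` would be the safer form in this entry as well.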