Pass signing_key_path through LoadCredential

synapse-module/default.nix

@@ -13,6 +13,7 @@ let
   matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
     listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
     media_store_path = "/var/lib/matrix-synapse/media_store";
+    signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
   });
 
   # TODO: Align better with the upstream module
@@ -511,6 +512,7 @@ in
             (lib.filter (path: path != "/run/matrix-synapse"))
             lib.uniqueStrings
           ];
+          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
           RemoveIPC = true;
           RestrictAddressFamilies = [
             "AF_INET"

synapse-module/workers.nix

@@ -375,6 +375,7 @@ in {
           worker_name = worker.name;
           worker_listeners =
             map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+          signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
         });
     in builtins.listToAttrs (lib.flip map workerList (worker: {
       name = "matrix-synapse-worker-${worker.name}";
@@ -448,6 +449,7 @@ in {
             (lib.filter (path: path != "/run/matrix-synapse"))
             lib.uniqueStrings
           ];
+          LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
           RemoveIPC = true;
           RestrictAddressFamilies = [
             "AF_INET"