From b6d3f51fa11e4af8a8a46f2c2d8a7ac6826ca73c Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 26 Jan 2026 21:12:20 +0900
Subject: [PATCH] Pass `signing_key_path` through `LoadCredential`
---
 synapse-module/default.nix | 2 ++
 synapse-module/workers.nix | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/synapse-module/default.nix b/synapse-module/default.nix
index 2cc17ae..4f71fb5 100644
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -13,6 +13,7 @@ let
 matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
 listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
 media_store_path = "/var/lib/matrix-synapse/media_store";
+ signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
 });
 # TODO: Align better with the upstream module
@@ -511,6 +512,7 @@ in
 (lib.filter (path: path != "/run/matrix-synapse"))
 lib.uniqueStrings
 ];
+ LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index 23136de..f56f16c 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
@@ -375,6 +375,7 @@ in {
 worker_name = worker.name;
 worker_listeners = map (lib.filterAttrsRecursive (_: v: v != null)) worker.value.settings.worker_listeners;
+ signing_key_path = "/run/credentials/matrix-synapse-worker-${worker.name}.service/signing_key";
 });
 in builtins.listToAttrs (lib.flip map workerList (worker: {
 name = "matrix-synapse-worker-${worker.name}";
@@ -448,6 +449,7 @@ in {
 (lib.filter (path: path != "/run/matrix-synapse"))
 lib.uniqueStrings
 ];
+ LoadCredential = [ "signing_key:${cfg.settings.signing_key_path}" ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
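Review bot: The literal `/run/credentials/matrix-synapse.service/signing_key` repeats the unit name and the credential id that the `LoadCredential` entry at @@ -511 sets separately, so renaming either one leaves Synapse pointing at a path that does not exist; the worker hunk in workers.nix at @@ -375 has the same coupling. A shared binding such as `signingKeyCredential = "signing_key";` used in both places would keep them in step. Because `//` lets the right-hand set win, the user's `settings.signing_key_path` no longer reaches the generated YAML and serves only as the credential source. That deserves a comment on the added line, for example `# Synapse reads the copy systemd places in the credentials directory; the configured path is only the LoadCredential source`. The enclosing `let` block continues outside the hunk.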
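Review bot: Interpolating `cfg.settings.signing_key_path` directly into the `LoadCredential` string would copy the key into the world-readable Nix store if a user sets the option to a path literal (`./homeserver.signing.key`) rather than a string; the option's type is not visible in this hunk, so this may already be prevented. Writing `LoadCredential = [ "signing_key:${toString cfg.settings.signing_key_path}" ];` keeps the value a plain path string in either case. The same line is added to the worker units in workers.nix at @@ -448. The surrounding service configuration starts and ends outside the hunk.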
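Review bot: With `LoadCredential` each worker unit fails to start when the file behind `cfg.settings.signing_key_path` is missing, and the credentials directory is read-only, so Synapse can no longer create a signing key at the configured path on first start; the main unit in default.nix at @@ -511 is affected in the same way. If key generation is not handled elsewhere in the module (nothing in these hunks shows it), the key has to be provisioned before the units start. The option description should say so, for example `The file must exist before the service starts; it is passed to Synapse as a systemd credential and may be readable by root only.`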