{synapse,workers}: pass signing_key_path through LoadCredential

2026-01-26 21:12:20 +09:00
parent 0c97580c8d
commit f4767435a3
2 changed files with 32 additions and 9 deletions
@@ -1,7 +1,8 @@
-{ pkgs, lib, config, ... }:
-let 
+{ pkgs, lib, options, config, ... }:
+let
  matrix-lib = (import ../lib.nix { inherit lib; });

+  opt = config.services.matrix-synapse-next;
  cfg = config.services.matrix-synapse-next;
  wcfg = cfg.workers;

@@ -9,11 +10,27 @@ let
  cfgText = "config.services.matrix-synapse-next";
  wcfgText = "config.services.matrix-synapse-next.workers";

-  format = pkgs.formats.yaml {};
-  matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
-    listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
-    media_store_path = "/var/lib/matrix-synapse/media_store";
-  });
+  format = pkgs.formats.yaml { };
+  matrix-synapse-common-config = lib.pipe cfg.settings [
+    (settings: settings // {
+      listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+      media_store_path = "/var/lib/matrix-synapse/media_store";
+    })
+    (settings: settings // (lib.optionalAttrs (cfg.settings.signing_key_path != opt.settings.signing_key_path) {
+      signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
+    }))
+    (let
+      filterRecursiveNull =
+          o:
+          if lib.isAttrs o then
+            lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
+          else if lib.isList o then
+            map filterRecursiveNull (lib.filter (v: v != null) o)
+          else
+            o;
+    in filterRecursiveNull)
+    (format.generate "matrix-synapse-common-config.yaml")
+  ];

  # TODO: Align better with the upstream module
  wrapped = cfg.package.override { 
@@ -512,6 +529,9 @@ in
            (lib.filter (path: path != "/run/matrix-synapse"))
            lib.uniqueStrings
          ];
+          LoadCredential = lib.mkIf (cfg.settings.signing_key_path != opt.settings.signing_key_path) [
+            "signing_key:${cfg.settings.signing_key_path}"
+          ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
@@ -4,8 +4,8 @@
  throw',
  format
 }:
-{ pkgs, lib, config, ... }: let
-
+{ pkgs, lib, options, config, ... }: let
+  opt = options.services.matrix-synapse-next;
  cfg = config.services.matrix-synapse-next;
  wcfg = config.services.matrix-synapse-next.workers;

@@ -449,6 +449,9 @@ in {
            (lib.filter (path: path != "/run/matrix-synapse"))
            lib.uniqueStrings
          ];
+          LoadCredential = lib.mkIf (cfg.settings.signing_key_path != opt.settings.signing_key_path) [
+            "signing_key:${cfg.settings.signing_key_path}"
+          ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"