From f4767435a3bf01b8736d58c9923eae5ebd0eb338 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Mon, 26 Jan 2026 21:12:20 +0900
Subject: [PATCH] {synapse,workers}: pass `signing_key_path` through `LoadCredential`
---
 synapse-module/default.nix | 34 +++++++++++++++++++++++++++-------
 synapse-module/workers.nix | 7 +++++--
 2 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/synapse-module/default.nix b/synapse-module/default.nix
index cbc5633..73ea3e0 100644
--- a/synapse-module/default.nix
+++ b/synapse-module/default.nix
@@ -1,7 +1,8 @@
-{ pkgs, lib, config, ... }:
-let
+{ pkgs, lib, options, config, ... }:
+let
 matrix-lib = (import ../lib.nix { inherit lib; });
+ opt = config.services.matrix-synapse-next;
 cfg = config.services.matrix-synapse-next;
 wcfg = cfg.workers;
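Review bot: `opt` is bound to `config.services.matrix-synapse-next`, the same attrset that `cfg` names on the next line, so the later `cfg.settings.signing_key_path != opt.settings.signing_key_path` guards in this file compare a value with itself and can never be true — the main unit never gets `LoadCredential` and its generated config keeps the original on-disk key path. workers.nix binds `opt = options.services.matrix-synapse-next;` in the same commit, and `options` is already added to this file's module arguments on the line above, so the fix is `opt = options.services.matrix-synapse-next;`. The `let` block continues past the end of the hunk.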
@@ -9,11 +10,27 @@ let
 cfgText = "config.services.matrix-synapse-next";
 wcfgText = "config.services.matrix-synapse-next.workers";
- format = pkgs.formats.yaml {};
- matrix-synapse-common-config = format.generate "matrix-synapse-common-config.yaml" (cfg.settings // {
- listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
- media_store_path = "/var/lib/matrix-synapse/media_store";
- });
+ format = pkgs.formats.yaml { };
+ matrix-synapse-common-config = lib.pipe cfg.settings [
+ (settings: settings // {
+ listeners = map (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings.listeners;
+ media_store_path = "/var/lib/matrix-synapse/media_store";
+ })
+ (settings: settings // (lib.optionalAttrs (cfg.settings.signing_key_path != opt.settings.signing_key_path) {
+ signing_key_path = "/run/credentials/matrix-synapse.service/signing_key";
+ }))
+ (let
+ filterRecursiveNull =
+ o:
+ if lib.isAttrs o then
+ lib.mapAttrs (_: v: filterRecursiveNull v) (lib.filterAttrs (_: v: v != null) o)
+ else if lib.isList o then
+ map filterRecursiveNull (lib.filter (v: v != null) o)
+ else
+ o;
+ in filterRecursiveNull)
+ (format.generate "matrix-synapse-common-config.yaml")
+ ];
 # TODO: Align better with the upstream module
 wrapped = cfg.package.override {
@@ -512,6 +529,9 @@ in
 (lib.filter (path: path != "/run/matrix-synapse"))
 lib.uniqueStrings
 ];
+ LoadCredential = lib.mkIf (cfg.settings.signing_key_path != opt.settings.signing_key_path) [
+ "signing_key:${cfg.settings.signing_key_path}"
+ ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
diff --git a/synapse-module/workers.nix b/synapse-module/workers.nix
index 08f6dfc..15235fd 100644
--- a/synapse-module/workers.nix
+++ b/synapse-module/workers.nix
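Review bot: The `signing_key_path` override hard-codes `/run/credentials/matrix-synapse.service/signing_key`, i.e. the main unit's credential directory, into a file that is generated once as `matrix-synapse-common-config.yaml` and, going by its name and by workers.nix adding `LoadCredential` for the same key, is presumably read by the worker units as well. systemd places `LoadCredential` files under each unit's own private `/run/credentials/<unit>.service/`, so a worker reading this config would be pointed at a directory it cannot see. If the workers do consume this file, the override belongs in per-unit config carrying each unit's own name; if they do not, say so next to the path, e.g. `# Only the main unit reads this file; its credential dir is /run/credentials/matrix-synapse.service`. Separately, `filterRecursiveNull` now strips nulls from the whole of `cfg.settings` rather than only from `listeners` as before — that looks intentional, but deserves a one-line comment so it is not mistaken for an accident. The enclosing `let` continues outside the hunk.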
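Review bot: The guard `cfg.settings.signing_key_path != opt.settings.signing_key_path` does not test "left at its default" as it appears to intend: in this file `opt` is bound to `config.services.matrix-synapse-next` (first hunk), so both sides are the same value and `LoadCredential` is never emitted. Even with `opt` pointing at `options.services.matrix-synapse-next`, `opt.settings.signing_key_path` would be the option declaration (or an attribute-missing error, depending on how `settings` is declared), not its default value; I cannot see the declaration from here, but something like `opt.settings.signing_key_path.default` or an explicit default-path constant is what the comparison needs. Once it fires, this is the right mechanism — systemd reads the file as root and hands the service a private copy, so the key no longer has to be readable by the service user — and that reasoning is worth recording: `# Let systemd read the key so the on-disk file can stay root-only; skipped when the path is the module default`. The enclosing service attrset continues outside the hunk.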
@@ -4,8 +4,8 @@ throw', format }:
-{ pkgs, lib, config, ... }: let
-
+{ pkgs, lib, options, config, ... }: let
+ opt = options.services.matrix-synapse-next;
 cfg = config.services.matrix-synapse-next;
 wcfg = config.services.matrix-synapse-next.workers;
@@ -449,6 +449,9 @@ in {
 (lib.filter (path: path != "/run/matrix-synapse"))
 lib.uniqueStrings
 ];
+ LoadCredential = lib.mkIf (cfg.settings.signing_key_path != opt.settings.signing_key_path) [
+ "signing_key:${cfg.settings.signing_key_path}"
+ ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
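Review bot: Each worker now loads the key under its own unit, so it lands at `/run/credentials/<worker-unit>.service/signing_key`, but the only `signing_key_path` rewrite in this commit (default.nix) writes the main unit's path `/run/credentials/matrix-synapse.service/signing_key` into the shared common config. If the workers start from that config — their use of the same `format` and the file's "common" name suggest they do — they will load the credential and then fail to open the key at a path inside another unit's private directory. Each worker's own config needs a `signing_key_path` pointing at its own credential directory, or this `LoadCredential` should wait until that exists. The same guard caveat applies as in default.nix: `opt.settings.signing_key_path` is the option declaration rather than its default, so the condition is unlikely to express "changed from default"; a default-value comparison is what is wanted. The enclosing service attrset continues outside the hunk.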