From 4825645bc1c767820f2077c5a7c69e30d6438d51 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Mon, 2 Mar 2026 11:17:28 +0100
Subject: [PATCH] fix: switch back to better secret handling

---
 hosts/fw/modules/web/matrix.nix | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 59e7356..eb4b433 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -21,12 +21,24 @@ let
   masUpstreamId = "01KJPRKN397E5N8D0CA2Z3TJ7Y";
   elementWebClientId = "01KJPVT5D54NRAY7AJY6PZEN0D";
   masPackage = pkgs.matrix-authentication-service;
+
+  synapseMasConfig = pkgs.writeText "synapse-mas-config.yaml" ''
+    matrix_authentication_service:
+      enabled: true
+      endpoint: "http://127.0.0.1:8081"
+      secret_file: ${config.sops.secrets.mas-matrix-secret-synapse.path}
+  '';
 in {
   # Secrets for MAS
   sops.secrets.mas-encryption-key = { owner = "mas"; };
   sops.secrets.mas-matrix-secret = { owner = "mas"; };
   sops.secrets.mas-authelia-client-secret = { owner = "mas"; };
   sops.secrets.mas-rsa-key = { owner = "mas"; };
+  # Synapse also needs the shared secret
+  sops.secrets.mas-matrix-secret-synapse = {
+    owner = "matrix-synapse";
+    key = "mas-matrix-secret";
+  };
   sops.secrets.mautrix-whatsapp-env = { };
   sops.secrets.mautrix-signal-env = { };

@@ -87,16 +99,6 @@ in {
     MATRIX_SECRET=$(cat ${config.sops.secrets.mas-matrix-secret.path})
     CLIENT_SECRET=$(cat ${config.sops.secrets.mas-authelia-client-secret.path})

-    # Write Synapse MAS config fragment with inline secret
-    # (secret_path is not supported in all Synapse versions)
-    cat > /run/mas/synapse-mas-config.yaml < /run/mas/config.yaml <
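Review bot: The new `synapseMasConfig` fragment uses the key `secret_file`, while the comment deleted in the second hunk names `secret_path` as the option Synapse does not support in all versions, so the two hunks disagree on what Synapse expects; if the pinned Synapse accepts only `secret_path` (or only an inline `secret`), the file reference is ignored or rejected and the MAS shared secret never reaches Synapse — check the key against the configuration reference of the deployed Synapse version before merging. Keeping the secret out of this fragment is the right shape, because `pkgs.writeText` places the file in the world-readable Nix store; a one-line comment above it, `# Store-path fragment: must only reference the secret's path, never embed the secret`, would guard that property against future edits. The `sops.secrets.mas-matrix-secret-synapse` entry sets `owner` but relies on sops-nix's default file mode; an explicit `mode = "0400";` would make the read restriction visible in review. Where `synapseMasConfig` is wired into Synapse's configuration is not visible in this hunk (presumably in the truncated second hunk), so that link could not be verified.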