fix: switch back to better secret handling

hosts/fw/modules/web/matrix.nix

@@ -21,12 +21,24 @@ let
   masUpstreamId = "01KJPRKN397E5N8D0CA2Z3TJ7Y";
   elementWebClientId = "01KJPVT5D54NRAY7AJY6PZEN0D";
   masPackage = pkgs.matrix-authentication-service;
+
+  synapseMasConfig = pkgs.writeText "synapse-mas-config.yaml" ''
+    matrix_authentication_service:
+      enabled: true
+      endpoint: "http://127.0.0.1:8081"
+      secret_file: ${config.sops.secrets.mas-matrix-secret-synapse.path}
+  '';
 in {
   # Secrets for MAS
   sops.secrets.mas-encryption-key = { owner = "mas"; };
   sops.secrets.mas-matrix-secret = { owner = "mas"; };
   sops.secrets.mas-authelia-client-secret = { owner = "mas"; };
   sops.secrets.mas-rsa-key = { owner = "mas"; };
+  # Synapse also needs the shared secret
+  sops.secrets.mas-matrix-secret-synapse = {
+    owner = "matrix-synapse";
+    key = "mas-matrix-secret";
+  };
 
   sops.secrets.mautrix-whatsapp-env = { };
   sops.secrets.mautrix-signal-env = { };
@@ -87,16 +99,6 @@ in {
       MATRIX_SECRET=$(cat ${config.sops.secrets.mas-matrix-secret.path})
       CLIENT_SECRET=$(cat ${config.sops.secrets.mas-authelia-client-secret.path})
 
-      # Write Synapse MAS config fragment with inline secret
-      # (secret_path is not supported in all Synapse versions)
-      cat > /run/mas/synapse-mas-config.yaml <<SYNEOF
-      matrix_authentication_service:
-        enabled: true
-        endpoint: "http://127.0.0.1:8081"
-        secret: "$MATRIX_SECRET"
-      SYNEOF
-      chmod 644 /run/mas/synapse-mas-config.yaml
-
       # Write MAS config with secrets interpolated
       cat > /run/mas/config.yaml <<MASEOF
       http:
@@ -174,7 +176,7 @@ in {
   # Synapse homeserver
   services.matrix-synapse = {
     enable = true;
-    extraConfigFiles = [ "/run/mas/synapse-mas-config.yaml" ];
+    extraConfigFiles = [ "${synapseMasConfig}" ];
     settings = {
       server_name = "cloonar.com";
       public_baseurl = baseUrl;