From 0f11cca8ec85e524ddd65b1749c278347e713880 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 21 Jan 2026 11:08:26 +0900
Subject: [PATCH] bicep/matrix: use sops templates to render structured files

---
 hosts/bicep/services/matrix/coturn.nix | 18 ++++++++++--------
 hosts/bicep/services/matrix/synapse.nix | 11 ++++++++---
 secrets/bicep/matrix.yaml | 8 ++++----
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/hosts/bicep/services/matrix/coturn.nix b/hosts/bicep/services/matrix/coturn.nix
index 5adf570..c2f218f 100644
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,13 +1,6 @@
 { config, lib, fp, pkgs, secrets, values, ... }:
 {
-  sops.secrets."matrix/synapse/turnconfig" = {
-    sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/turnconfig";
-    owner = config.users.users.matrix-synapse.name;
-    group = config.users.users.matrix-synapse.group;
-    restartUnits = [ "coturn.service" ];
-  };
   sops.secrets."matrix/coturn/static-auth-secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
     key = "coturn/static-auth-secret";
@@ -16,9 +9,18 @@
     restartUnits = [ "coturn.service" ];
   };
+  sops.templates."matrix-synapse-turnconfig" = {
+    owner = config.users.users.matrix-synapse.name;
+    group = config.users.users.matrix-synapse.group;
+    content = ''
+      turn_shared_secret: ${config.sops.placeholder."matrix/coturn/static-auth-secret"}
+    '';
+    restartUnits = [ "matrix-synapse.target" ];
+  };
   services.matrix-synapse-next = {
     extraConfigFiles = [
-      config.sops.secrets."matrix/synapse/turnconfig".path
+      config.sops.templates."matrix-synapse-turnconfig".path
     ];
     settings = {
diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix
index 07f3ce2..5b29f60 100644
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
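Review bot: The rendered `turn_shared_secret` line in the new `sops.templates."matrix-synapse-turnconfig"` writes the secret as an unquoted YAML scalar, so a value containing ` #`, a `: ` sequence, or a leading `!`, `&`, `*`, `%` or `@` would be silently truncated or mis-parsed when Synapse loads the file instead of being rejected. Quoting it, `turn_shared_secret: "${config.sops.placeholder."matrix/coturn/static-auth-secret"}"`, covers everything except `"` and `\`; alternatively keep the generated secret to a bare-scalar-safe alphabet and record that constraint in a comment next to the template. Restarting `matrix-synapse.target` rather than `coturn.service` on this template matches which unit actually reads the rendered file. The enclosing module attrset starts and ends outside the hunk.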
@@ -15,11 +15,16 @@ in {
     group = config.users.users.matrix-synapse.group;
   };
-  sops.secrets."matrix/synapse/user_registration" = {
+  sops.secrets."matrix/synapse/user_registration/registration_shared_secret" = {
     sopsFile = fp /secrets/bicep/matrix.yaml;
-    key = "synapse/signing_key";
+    key = "synapse/user_registration/registration_shared_secret";
+  };
+  sops.templates."matrix-synapse-user-registration" = {
     owner = config.users.users.matrix-synapse.name;
     group = config.users.users.matrix-synapse.group;
+    content = ''
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
+    '';
   };
   services.matrix-synapse-next = {
@@ -83,7 +88,7 @@ in {
       mau_stats_only = true;
       enable_registration = false;
-      registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration".path;
+      registration_shared_secret_path = config.sops.templates."matrix-synapse-user-registration".path;
       password_config.enabled = true;
diff --git a/secrets/bicep/matrix.yaml b/secrets/bicep/matrix.yaml
index bc9ae18..9a974e4 100644
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
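Review bot: Synapse's `registration_shared_secret_path` expects a plain-text file containing only the secret, not a YAML fragment, so rendering `registration_shared_secret: ${…}` into the file this option points at (hunk `@@ -83,7 +88,7 @@`) makes Synapse take the whole line, key prefix included, as the shared secret; registration still works, but the effective value no longer matches what is stored in sops, so anything that reads the secret from sops to register users will be rejected. Either point the option at the raw secret, `registration_shared_secret_path = config.sops.secrets."matrix/synapse/user_registration/registration_shared_secret".path;`, with `owner`/`group` restored on that `sops.secrets` entry, or keep the template and list its path under `extraConfigFiles`, where a YAML fragment is what Synapse expects. Unlike the coturn template this one sets no `restartUnits`, so a rotated secret would not reach Synapse until the unit is restarted by hand; `restartUnits = [ "matrix-synapse.target" ];` would match the coturn side. Since the removed mapping pointed this option at `synapse/signing_key`, it may be worth confirming that the signing key was never handed to a registration tool or script as the shared secret before this change. The enclosing attrset starts and ends outside the hunk.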
@@ -1,6 +1,6 @@ synapse: - turnconfig: ENC[AES256_GCM,data:mASRjYa4C9WRow4x0XYRrlCE5LMJUYaId+o62r1qhsyJPa2LzrI=,iv:5vYdubvMDjLS6soiWx2DzkEAATb9NFbSS/Jhuuz1yI8=,tag:wOW07CQMDbOiZNervee/pg==,type:str] - user_registration: ENC[AES256_GCM,data:ZDZfEEvyw8pg0WzhrdC8747ed+ZR2ZA8/WypJd/iDkmIy2RmxOeI0sE=,iv:l61mOlvzpCql4fC/eubBSU6px21et2WcpxQ6rFl14iw=,tag:sVDEAa3xipKIi/6isCjWew==,type:str] + user_registration: + registration_shared_secret: ENC[AES256_GCM,data:Ch0JzTJ7OqZQxr+L,iv:6hSTsBwieRg6oy0feBaqJQaY/AvIUyIlcclzlK0GmVE=,tag:Z55kxXppzmU+YP5JkU0jLw==,type:str] signing_key: ENC[AES256_GCM,data:6UpfiRlX9pRM7zhdm7Mc8y8EItLzugWkHSgE0tGpEmudCTa1wc60oNbYfhKDWU81DT/U148pZOoX1A==,iv:UlqCPicPm5eNBz1xBMI3A3Rn4t/GtldNIDdMH5MMnLw=,tag:HHaw6iMjEAv5b9mjHSVpwA==,type:str] coturn: static-auth-secret: ENC[AES256_GCM,data:y5cG/LyrorkDH+8YrgcV7DY=,iv:ca90q2J3+NOy51mUBy4TMKfYMgWL4hxWDdsKIuxRBgU=,tag:hpFCns1lpi07paHyGB7tGQ==,type:str] @@ -86,8 +86,8 @@ sops: Qnh1djQ0ZDFhRmxsU2g0eHJZeFlkcU0Kj5H/dHrOwSgiZIzpv3nOc7AWeNMofJg7 OzSVdRry72qPqYU8YLWjAcoP3ddITZnWr53/yYBVmssW/KeyVyPy9A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-21T01:01:35Z" - mac: ENC[AES256_GCM,data:1f8RYVjnNs9T3DRFY+CouPUsGmfBRWEOASjB04dd89iIYC6sagk5e4JjqPDpOQjMxbAVnEKa2oX+nFSBa8xF14jqNSadl9xwlKwLJnaBhUb3grJ5d+O8Tcq+0xQ+oqIN+Awm6eaJTesiopRu68MhFQeUZwBUO+83W2YeQgFhz34=,iv:NymjPCr6/osod8liluA6Pbq1XT4KiI/qIS6lx9sM4NQ=,tag:Td3mjPaHUFeD3d/hZ3f1og==,type:str] + lastmodified: "2026-01-21T02:03:24Z" + mac: ENC[AES256_GCM,data:yVe+78V7zYgYveLFBghKdAeibg97DRafgsRRCZPYkWu8t2iadtD5UqRK0KS4Zcc55ojHJ11otgadaPHQyl8EIzt7Dwlm7ZOVEmmPAYdaweWfnPRdFhDAxcgj8Ejh03LAdLQK8WwlfTF/09Avub2ZUnN0aPwFCen/qD6dYmcGDNk=,iv:y4YE9AqlVVBBtRGoIdfIcNGE4chChBOR0Euy68xkQBA=,tag:/yopCpkvFaEzr2iXxLd3uw==,type:str] pgp: - created_at: "2026-01-16T06:34:46Z" enc: |-
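Review bot: The new `synapse/user_registration/registration_shared_secret` ciphertext has 16 unpadded base64 characters in its `data:` field, i.e. a 12-byte plaintext, because AES-256-GCM does not pad; the leaf it replaces was 42 bytes. If that is the complete registration shared secret rather than a reference, it is on the short side for a value that gates admin-API user creation (Synapse's own generator produces 50 characters), so it is worth confirming it came from a CSPRNG with comparable length. The old `synapse/turnconfig` leaf is removed here but stays in git history in encrypted form, which is fine as long as the age/pgp recipients on this file are the intended ones.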