hosts/vps1: update mautrix bridges

- Regenerate pickle keys
- Enable double puppeting

hosts/vps1/matrix.nix

@@ -41,8 +41,6 @@ let
       allow = true;
       default = true;
       require = true;
-      pickle_key =
-        if (bridge == "mautrix-whatsapp") then "maunium.net/go/mautrix-whatsapp" else "mautrix.bridge.e2ee";
     };
     provisioning = {
       shared_secret = "disable";
@@ -71,6 +69,24 @@ in
     (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
   ];
 
+  age.secrets = {
+    mautrix-doublepuppet-registration = {
+      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
+      mode = "0440";
+      group = "matrix-synapse";
+    };
+    mautrix-signal-env = {
+      rekeyFile = ./secrets/mautrix-signal-env.age;
+      mode = "0440";
+      group = "mautrix-signal";
+    };
+    mautrix-whatsapp-env = {
+      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
+      mode = "0440";
+      group = "mautrix-whatsapp";
+    };
+  };
+
   networking.firewall.allowedTCPPorts = [
     8448 # Matrix federation
   ];
@@ -177,6 +193,9 @@ in
     enable = true;
     enableRegistrationScript = true;
     settings = {
+      app_service_config_files = [
+        config.age.secrets.mautrix-doublepuppet-registration.path
+      ];
       database.name = (if usePostgresql then "psycopg2" else "sqlite3");
       enable_metrics = false;
       enable_registration = false;
@@ -213,16 +232,25 @@ in
 
   services.mautrix-signal = lib.mkIf bridges.signal {
     enable = true;
-    settings = commonBridgeSettings "mautrix-signal";
+    environmentFile = config.age.secrets.mautrix-signal-env.path;
+    settings = lib.recursiveUpdate {
+      encryption = {
+        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
+      };
+    } (commonBridgeSettings "mautrix-signal");
   };
 
   services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
     enable = true;
+    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
     settings = lib.recursiveUpdate {
       backfill = {
         enabled = true;
         max_initial_messags = 50;
       };
+      encryption = {
+        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
+      };
       network = {
         mute_status_broadcast = true;
         history_sync = {

hosts/vps1/secrets/mautrix-whatsapp-env.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Aun1dGh6g8jvPV3vYn1oUoP+LjhV973flcjtVIqtdvHU
+ZJgOWsP2WeQEFImxZfWgv2p6JJax3Hc3BW7UQ455l5o
+-> ;2e%O0-grease Ct9^D x[W(+5% vo@!Dg~p ?,{
+LvLHWuzvEitBOTvXnva7wk7iSnlW7QO9
+--- EX0W81CgIg/olFdTbVgSOkPo43W81hzOyyUVwC4iNTI
+yY<EFBFBD><EFBFBD><EFBFBD>;<3B>d<EFBFBD><64>6#<23>q%G{<12>]<5D>Q<EFBFBD>mv(L<><4C>
<01><>G_<47>f<EFBFBD>~<16>
+<EFBFBD><EFBFBD>=
+<0B><><EFBFBD>
s<><73><11>S<EFBFBD><53>iU<1B><><EFBFBD>}<7D>2<EFBFBD><32><EFBFBD>V<1C>_<EFBFBD><5F>rH<72>n<>S<EFBFBD>	
<01>$<24>8<EFBFBD> O<>1<EFBFBD>|<7C>9'<27><><11>#<03><>{
+<EFBFBD><EFBFBD><06>lU<6C>7y[<5B>MS<12>FG!<21><>Ĥ<EFBFBD><C4A4>H<>b<><62>]?<3F>BC(<0B>j<EFBFBD><0E><>sX<73>4

secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA /lISmmDOngpCBwSzDxvzEwuYzfF7+HvVx79t63wW30o
+doVKg72Ayle+ZaLY70mxOzQQQ9h1PbrIuqjTRhOQobs
+-> 31A;]V-grease tT@4m2=P
+UElYAFZWQ2JzWKFWanbljMj5JA3n7D0s
+--- 4p3W3tOSNKA0vMKKAIxGWYHjKXssvdalTwawCr0efpo
+<EFBFBD><EFBFBD>U<EFBFBD>n[y<><79><EFBFBD>8'@<40>µ#<23>5(x<>ig><3E>ܱ <20>u{<7B>ݻ<EFBFBD>3<EFBFBD>C\<5C><><08>v<EFBFBD>A<EFBFBD><41>@}<7D><>d<><64><EFBFBD><EFBFBD>KCr
<01>Y{<7B>Y#9q~<7E>E<EFBFBD>
+:<3A><><EFBFBD><EFBFBD><EFBFBD>֓jH+u<>{7_<37>ʁ<EFBFBD><CA81>h<EFBFBD><68>_+4<><34><EFBFBD><EFBFBD>'<27><><EFBFBD>4}<7D>8=<3D><>G<08>d<1C><0B><><EFBFBD><11><>״{<7B><>/l<><6C>t<EFBFBD><74><EFBFBD>?J"<22>\xO<78><4F>:Q<>s<EFBFBD>rG<72><47><EFBFBD>È<EFBFBD><C388><EFBFBD>;Po h)<29>$R<<3C>X@<40>\_?<3F><>C<EFBFBD>Y<EFBFBD>4p<34>2<EFBFBD><02>eR_<52><5F>|1<><31>(:<3A>վ<EFBFBD><1B>

secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
+9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
+-> GEv|{-grease c)B+5+, \v$ piek
+hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
+6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
+--- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
+<1D><><ٲ<06><>}M9Gdh<64><68><EFBFBD><EFBFBD>0[<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̮ȼa<7F>j<EFBFBD>g<1C><><EFBFBD>:J<><4A><14>$:^<5E><><EFBFBD>O<1A>e<EFBFBD><65>@<40><>o<EFBFBD><6F>1
+<1B>r]I><3E>t<EFBFBD>?<3F>X<06>Q<EFBFBD><15>ى<EFBFBD><D989>A<EFBFBD>r)ab	<09><13><><EFBFBD>$8e<38><65><EFBFBD><EFBFBD>f<EFBFBD>ōz<02>7<EFBFBD><10><>lf)<29>|jl<6A>%<0F><>
+v-<2D><>!<21><><EFBFBD>(<28><>.qR<71><52><EFBFBD>*y<><06><><EFBFBD>X<EFBFBD>ٵ