From 7165d6fe24cab73de34d0e4d1267ec3fc517c1a6 Mon Sep 17 00:00:00 2001
From: Jordan Holt <jordan@vimium.com>
Date: Sun, 5 Oct 2025 21:23:28 +0100
Subject: [PATCH] hosts/vps1: update mautrix bridges

- Regenerate pickle keys
- Enable double puppeting
---
 hosts/vps1/matrix.nix                         |  34 ++++++++++++++++--
 .../mautrix-doublepuppet-registration.age     | Bin 0 -> 575 bytes
 hosts/vps1/secrets/mautrix-signal-env.age     | Bin 0 -> 556 bytes
 hosts/vps1/secrets/mautrix-whatsapp-env.age   |  10 ++++++
 ...828b9c64dc5d6762e-mautrix-whatsapp-env.age |   8 +++++
 ...58d4-mautrix-doublepuppet-registration.age |  10 ++++++
 ...566b3ad02189b6d105b-mautrix-signal-env.age | Bin 0 -> 545 bytes
 7 files changed, 59 insertions(+), 3 deletions(-)
 create mode 100644 hosts/vps1/secrets/mautrix-doublepuppet-registration.age
 create mode 100644 hosts/vps1/secrets/mautrix-signal-env.age
 create mode 100644 hosts/vps1/secrets/mautrix-whatsapp-env.age
 create mode 100644 secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age
 create mode 100644 secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
 create mode 100644 secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age

diff --git a/hosts/vps1/matrix.nix b/hosts/vps1/matrix.nix
index 610fc08..c0b970c 100644
--- a/hosts/vps1/matrix.nix
+++ b/hosts/vps1/matrix.nix
@@ -41,8 +41,6 @@ let
       allow = true;
       default = true;
       require = true;
-      pickle_key =
-        if (bridge == "mautrix-whatsapp") then "maunium.net/go/mautrix-whatsapp" else "mautrix.bridge.e2ee";
     };
     provisioning = {
       shared_secret = "disable";
@@ -71,6 +69,24 @@ in
     (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
   ];
 
+  age.secrets = {
+    mautrix-doublepuppet-registration = {
+      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
+      mode = "0440";
+      group = "matrix-synapse";
+    };
+    mautrix-signal-env = {
+      rekeyFile = ./secrets/mautrix-signal-env.age;
+      mode = "0440";
+      group = "mautrix-signal";
+    };
+    mautrix-whatsapp-env = {
+      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
+      mode = "0440";
+      group = "mautrix-whatsapp";
+    };
+  };
+
   networking.firewall.allowedTCPPorts = [
     8448 # Matrix federation
   ];
@@ -177,6 +193,9 @@ in
     enable = true;
     enableRegistrationScript = true;
     settings = {
+      app_service_config_files = [
+        config.age.secrets.mautrix-doublepuppet-registration.path
+      ];
       database.name = (if usePostgresql then "psycopg2" else "sqlite3");
       enable_metrics = false;
       enable_registration = false;
@@ -213,16 +232,25 @@ in
 
   services.mautrix-signal = lib.mkIf bridges.signal {
     enable = true;
-    settings = commonBridgeSettings "mautrix-signal";
+    environmentFile = config.age.secrets.mautrix-signal-env.path;
+    settings = lib.recursiveUpdate {
+      encryption = {
+        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
+      };
+    } (commonBridgeSettings "mautrix-signal");
   };
 
   services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
     enable = true;
+    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
     settings = lib.recursiveUpdate {
       backfill = {
         enabled = true;
         max_initial_messags = 50;
       };
+      encryption = {
+        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
+      };
       network = {
         mute_status_broadcast = true;
         history_sync = {
diff --git a/hosts/vps1/secrets/mautrix-doublepuppet-registration.age b/hosts/vps1/secrets/mautrix-doublepuppet-registration.age
new file mode 100644
index 0000000000000000000000000000000000000000..34fd8eb30b50afde34c0ecb8d57ba784909e1812
GIT binary patch
literal 575
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$NHp{_if~kL%+61#Eb^(+
z4=PUAE=jcTD33}qHct%9DhhJRG%O3VED9~ucPw=G_Xr8&N-5ShDhe`4E^{g^Ffen?
zat%)Nvq*QT@+vMdE-}wDcMkI`FiuNPH;=La*=3LzmZ_Uwl$uza%BAfQ;Nz%WRO;fS
zouwb*mSR{KY@F(3T3F@opPZRqkmhaR$fc{Rs}SHHuI-zZT<K9+7OtNcUKAW|SYWAb
z8EBbgndIc_Utv_4S(ajH?4NI9!4((!?zffMnz+2mM#mlB9^KVXxg#c-ajAHRWE?N|
z)r^;gzILp0lP0~su(Bsuj&JgH-ItH1giXkKlJ!?6@2&8c7`5v^_UO;KDl~2L5gqY>
zQ*HkyPFifEzasFJ`7O5(&lihce}8<frFDy{L;2^KH*b8Hucgw+bkg$dBR{4&^Osu$
zpGmST-N`cf&H;w^GRp<@?_M!(n!+C)dCETZnn`l}ukeIz^Az96>@GNQFOWC&qu~?D
zY#$+$Ym44aR?bfTu<=gMnh&d|O>dlEBQj;Wi^<n#MXiEN$JA;j#7i{3YCX<zU!ukB
zz2^ML{tm8IQ7++cSM~ZLKL(ig?fm(}{@SAq<r4p}>lWXQIqj@ug?PCV6=y%KwzYfO
zS3m1b?M?~Cf2=i!4=lH0d}bLmamCa#o3>WRZptWSnf$%KG<Ky9uh}2Q98*)bxlN}!
bE_)en)4VY|e%q$<TfD|RUtRJq-Q5iU-IViX

literal 0
HcmV?d00001

diff --git a/hosts/vps1/secrets/mautrix-signal-env.age b/hosts/vps1/secrets/mautrix-signal-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..ecbb3c6811a0c45bfe473058df425acaef46da7e
GIT binary patch
literal 556
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$NHp{_if~kLtTMGI$@i%Y
z^*0O%4o^wV2@ZC0(yyut^C~kcEKf0s2usPTh{#M2O)e_r^3KmPay8Ga^bIsmj3}<K
z^a%<MbvJf(%P`8#G7L;hb~p7;@+<T8EH2Ln*_EUklCPUyl$uzast{@w7G|TRkf0Fg
zuA60_rst?ot5eD46K)t3k?(12;qH@cX5^UY;vSq9UQ(3dYf$1Ck>RDCoMM!kV;B}<
z7!u`SnUtGinWt?Sm0_M(Zs;1BZ0Hism6Q?{nXPT$?-!Y89$w(*mzGoJk>nW}9_goT
zT$JILYT}xlRGu4F>K9;P?px&>X;RLmtE;QvV^MCBQV^9=l^N`oofsD7R$-7D7?~gH
z=i(o1;#HLt>Eh;>Vrg0wk?P8If}!>ugLv@EO+E7a6-8fO_4~Cr(58C(t0&i!t8+|Z
zXKl{bJ5aktLG_L{*FUKVj$v2Q)Fw60(YRa}5&g&9s`QA=<{GEzo`wg{M<4hwC-%{j
zw+8nQ^G_Ev{XBWfna)@Iev&)S>~Koo@5g-UleyG3exB=7QgkmI7gxN<y;Y!g!6waa
zHipQ=lhSd?YNrL4_39Y%Ji78$ktxn@+txGk4-aNJ9#<5rx-R$p!2Ja22#Ku>tN#B!
z^luBVns2_@t&=QAy;V<&RaVOt$lumeTfp!1cB0Y)3EtnDM>2$4#9LN=>D#Yg4ghfM
B(}w^6

literal 0
HcmV?d00001

diff --git a/hosts/vps1/secrets/mautrix-whatsapp-env.age b/hosts/vps1/secrets/mautrix-whatsapp-env.age
new file mode 100644
index 0000000..8fd65dc
--- /dev/null
+++ b/hosts/vps1/secrets/mautrix-whatsapp-env.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Aun1dGh6g8jvPV3vYn1oUoP+LjhV973flcjtVIqtdvHU
+ZJgOWsP2WeQEFImxZfWgv2p6JJax3Hc3BW7UQ455l5o
+-> ;2e%O0-grease Ct9^D x[W(+5% vo@!Dg~p ?,{
+LvLHWuzvEitBOTvXnva7wk7iSnlW7QO9
+--- EX0W81CgIg/olFdTbVgSOkPo43W81hzOyyUVwC4iNTI
+yY×ÛÅ;àdþê6#àq%G{Á]šQÞmv(L‚è‡ÓG_Æfæ~×Áò=
+ÞÄös ¥¡S‚òiU¥Ôû}³2¨¤æV·_óþrHÇn×S›	¤$é8‘ Oñ1‘|¼9'ßð#Åì{
+‡€ÍlUÇ7y[îMSÐFG!ëÄ¤—ôH³bþ‰]?àBC(¬j™™ŒsXê4
+ýû?ïIakPÄ9³J¡ü>þ´ŠhŸáÓyê·ßobù6D.T}hz>A¯[³ú«» ÆÈF%å>å®EÌ
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age b/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age
new file mode 100644
index 0000000..c698b5f
--- /dev/null
+++ b/secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA /lISmmDOngpCBwSzDxvzEwuYzfF7+HvVx79t63wW30o
+doVKg72Ayle+ZaLY70mxOzQQQ9h1PbrIuqjTRhOQobs
+-> 31A;]V-grease tT@4m2=P
+UElYAFZWQ2JzWKFWanbljMj5JA3n7D0s
+--- 4p3W3tOSNKA0vMKKAIxGWYHjKXssvdalTwawCr0efpo
+ÇòU¥n[yô¼Â8'@ˆÂµ#Ü5(xÝig>ÔÜ± †u{¯Ý»­3€C\Ž´Ñv„A»À@}îîd¬®Œ’KCr˜Y{©Y#9q~÷Eæ
+:„ÄæáÛÖ“jH+uŒ{7_ÃÊ’´hµ¥_+4ûùöé'ŠÉÒ4}¡8=äÖGüd÷ûÎíŒ×´{òñ/löþtø¼¢?J"«\xO¾³:QásÙrG±šŸÃˆ§Ûò;Po h)û$R<…X@·\_?âC‚YÎ4på2¿ÔeR_†À|1×Ê(:ÅÕ¾Òö
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
new file mode 100644
index 0000000..1c11323
--- /dev/null
+++ b/secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
+9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
+-> GEv|{-grease c)B+5+, \v$ piek
+hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
+6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
+--- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
+ƒþ<Ù²õŒ}M9Gdhœú’³0[ù¹ú¡²¯Ì®È¼ažjÅg–…¨:JÀ»Æ$:^èä€OÓeêø@÷žoé‡1
+¤r]I>†tü?°XãQÙ•Ù‰¡„A¯r)ab	§’”Ü$8e“ˆ½f¥ÅzÍ7ÓÜÁlf)Õ|jl“%öâ
+v-òá!ª‘•(ÕÙ.qR…ÚÙ*yŽÁ¿¿XªÙµÉi€ÎÌi	ä†Æê‘c=½ƒúeÐ„>/ôLsö½—4ò-.ó™èYq¤¸é‰¾âb|ðÖKßFc	(17Ê²™KI~>t4Áw	ípÝÈ¨IquÝši¾£œEÞ\Õ×‘AZ1`Zõ\ê¤¨ÄË²¯Mª©©UmÚß2z¿	ùìxãÒv(A«¢W6oÉ¶ùÇfÕ7Ç)e—™Ó5­ýîêR2/`äó•Ú\å
\ No newline at end of file
diff --git a/secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age b/secrets/rekeyed/vps1/33aa80cdd327d566b3ad02189b6d105b-mautrix-signal-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..8930742fbaf678e8d6bedfbbe4faecc21d11b02e
GIT binary patch
literal 545
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@vrpEaa2gmH}m%>
z%q(;CiZV+!D+nuhO>?gFcGWlcO$s!04hYSQbT08J@bu28DCbJ{HjFHHjB+<lGcOEx
z%@5D?Ff1#p^!BYZ^Y;#OGfz)<adbD$%+7KR4h7k!XqN4kkzpODn_iTfSe&YmqLdZt
zY!#wlV(evHp=_9-5N=rI=v$zWqo!|TW$(mQ7Uh<n>*$|XRA!Xx9q#K@>}^)=U8?V2
z<?WenoZ|19mf~lYl~?6mu3hR|VCw4Q9-5z)@8?$O;^S=MSg9Y(m8fr6WLZ^UT9R(+
zZDg30Y*?A=o?M#DrK_u}kgK1YY8dWYUgBh0>Z|Wj=;fd6<P_xQRvBVh6jtFEnw1om
z;+9t&WRM-o_3ORvE4SFHC5O!QlP`EC=<QZtqx^eLtN54gyE0s~SrfgsFjsfa>hYF-
zZMAh;Y>Vv7l^=CA=ex?CPr75F#yaIc|Al2<MaHjvw=u_?y@}>9n)9g7aJ~5tqkSvQ
z)AG;!YyD-AV9)i=(CNoA4Hvd8?^h&U$PCvs+UF7(9x`if-5%Ayhh8pG)3n>UQ*}xD
zo#>Kp{dcySG0GljG+vi;cuv#a*2iaf&#rSc?cR81;}Y=zF(w6Zud2q}mG#C~y#6kf
qG@51~_~Hc5eXcv=t|vAh^1Wc1(mVelL*do(a>3hQo;n=8=L-PiOw#uN

literal 0
HcmV?d00001