hosts/vps1: update mautrix bridges

- Regenerate pickle keys
- Enable double puppeting

hosts/vps1/matrix.nix

@@ -41,8 +41,6 @@ let
       allow = true;
       default = true;
       require = true;
-      pickle_key =
-        if (bridge == "mautrix-whatsapp") then "maunium.net/go/mautrix-whatsapp" else "mautrix.bridge.e2ee";
     };
     provisioning = {
       shared_secret = "disable";
@@ -71,6 +69,24 @@ in
     (inputs.nixpkgs-unstable + /nixos/modules/services/matrix/mautrix-whatsapp.nix)
   ];
 
+  age.secrets = {
+    mautrix-doublepuppet-registration = {
+      rekeyFile = ./secrets/mautrix-doublepuppet-registration.age;
+      mode = "0440";
+      group = "matrix-synapse";
+    };
+    mautrix-signal-env = {
+      rekeyFile = ./secrets/mautrix-signal-env.age;
+      mode = "0440";
+      group = "mautrix-signal";
+    };
+    mautrix-whatsapp-env = {
+      rekeyFile = ./secrets/mautrix-whatsapp-env.age;
+      mode = "0440";
+      group = "mautrix-whatsapp";
+    };
+  };
+
   networking.firewall.allowedTCPPorts = [
     8448 # Matrix federation
   ];
@@ -177,6 +193,9 @@ in
     enable = true;
     enableRegistrationScript = true;
     settings = {
+      app_service_config_files = [
+        config.age.secrets.mautrix-doublepuppet-registration.path
+      ];
       database.name = (if usePostgresql then "psycopg2" else "sqlite3");
       enable_metrics = false;
       enable_registration = false;
@@ -213,16 +232,25 @@ in
 
   services.mautrix-signal = lib.mkIf bridges.signal {
     enable = true;
-    settings = commonBridgeSettings "mautrix-signal";
+    environmentFile = config.age.secrets.mautrix-signal-env.path;
+    settings = lib.recursiveUpdate {
+      encryption = {
+        pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
+      };
+    } (commonBridgeSettings "mautrix-signal");
   };
 
   services.mautrix-whatsapp = lib.mkIf bridges.whatsapp {
     enable = true;
+    environmentFile = config.age.secrets.mautrix-whatsapp-env.path;
     settings = lib.recursiveUpdate {
       backfill = {
         enabled = true;
         max_initial_messags = 50;
       };
+      encryption = {
+        pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
+      };
       network = {
         mute_status_broadcast = true;
         history_sync = {

hosts/vps1/secrets/mautrix-whatsapp-env.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Aun1dGh6g8jvPV3vYn1oUoP+LjhV973flcjtVIqtdvHU
+ZJgOWsP2WeQEFImxZfWgv2p6JJax3Hc3BW7UQ455l5o
+-> ;2e%O0-grease Ct9^D x[W(+5% vo@!Dg~p ?,{
+LvLHWuzvEitBOTvXnva7wk7iSnlW7QO9
+--- EX0W81CgIg/olFdTbVgSOkPo43W81hzOyyUVwC4iNTI
+yY×ÛÅ;àdþê6#àq%G{Á]šQÞmv(L‚è
‡ÓG_Æfæ~×
+Áò=
+ÞÄö
s ¥¡S‚òiU¥Ôû}³2¨¤æV·_óþrHÇn×S›	
¤$é8‘ Oñ1‘|¼9'ßð<11>#Åì{
+‡€ÍlUÇ7y[îMSÐFG!<21>ëĤ—ôH³bþ‰]?àBC(¬j™™ŒsXê4

secrets/rekeyed/vps1/28a626290761387828b9c64dc5d6762e-mautrix-whatsapp-env.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA /lISmmDOngpCBwSzDxvzEwuYzfF7+HvVx79t63wW30o
+doVKg72Ayle+ZaLY70mxOzQQQ9h1PbrIuqjTRhOQobs
+-> 31A;]V-grease tT@4m2=P
+UElYAFZWQ2JzWKFWanbljMj5JA3n7D0s
+--- 4p3W3tOSNKA0vMKKAIxGWYHjKXssvdalTwawCr0efpo
+ÇòU¥n[yô¼Â8'@ˆµ#Ü5(xÝig>Ôܱ †u{¯Ý»­3€C\Ž´Ñv„A»À@}îîd¬®Œ’KCr
˜Y{©Y#9q~÷Eæ
+:„ÄæáÛÖ“jH+uŒ{7_ÃÊ<C383>’´hµ¥_+4ûùöé'ŠÉÒ4}¡8=äÖGüd<1C>÷ûÎíŒ×´{òñ/löþtø¼¢?J"«\xO¾³:QásÙrG±šŸÃˆ§Ûò;Po h)û$R<…X@·\_?<3F>âC‚YÎ4på2¿ÔeR_†À|1×Ê(:ÅÕ¾Òö

secrets/rekeyed/vps1/297ecb1d48e44e0f309958a6b43f58d4-mautrix-doublepuppet-registration.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA LfDvF0kXFmP4yGPz9A5uov9DbRfMeLniWQhgnYE3ZA0
+9GkGo/twG1cfOHZgRGAmAcfQlrgQ86QvgehbkleKyz0
+-> GEv|{-grease c)B+5+, \v$ piek
+hwIw75OzOhfdScMKrNZ5i+WWh5zcfMryQXdbz81yUkEjWm9P4UVOYee+zz4/PU+t
+6nEKEqvPf6RwBOzAlzx72Yi0l+onxh1CHOWRlfU
+--- dkZlSoaBUqLnMu25ocR0VwgPr190ZOmcMdxQ3KApFS0
+ƒþ<Ù²õŒ}M9Gdhœú’³0[ù¹ú¡²¯Ì®È¼ažjÅg–…¨:JÀ»Æ$:^èä€OÓeêø@÷žoé‡1
+¤r]I>†tü?°XãQٕى¡„A¯r)ab	§’”Ü$8e“ˆ<E2809C>½f¥Å<C2A5>zÍ7ÓÜÁlf)Õ|jl“%öâ
+v-òá!ª‘•(ÕÙ.qR…ÚÙ*yŽÁ¿¿XªÙµ