fix secrets

2026-05-05 12:40:11 -04:00
parent 92d49571b9
commit 3da843c3ff
5 changed files with 13 additions and 5 deletions
--- a/modules/server-age-secrets.nix
+++ b/modules/server-age-secrets.nix
@@ -217,5 +217,15 @@
      owner = "firefly-iii-data-importer";
      group = "caddy";
    };
+
+    # LiveKit + lk-jwt-service shared signing keys (`<keyname>: <secret>` per
+    # nixpkgs services.livekit.keyFile docs). systemd reads via LoadCredential
+    # before dropping privileges, so root-only is correct for both consumers.
+    livekit-keys = {
+      file = ../secrets/server/livekit-keys.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
--- a/secrets/server/livekit-keys.age
+++ b/secrets/server/livekit-keys.age
--- a/secrets/server/livekit_keys
+++ b/secrets/server/livekit_keys
--- a/services/matrix/livekit.nix
+++ b/services/matrix/livekit.nix
@@ -1,14 +1,12 @@
 {
+  config,
  service_configs,
  ...
 }:
-let
-  keyFile = ../../secrets/server/livekit_keys;
-in
 {
  services.livekit = {
    enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
    openFirewall = true;

    settings = {
@@ -34,7 +32,7 @@ in

  services.lk-jwt-service = {
    enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
    livekitUrl = "wss://${service_configs.livekit.domain}";
    port = service_configs.ports.private.lk_jwt.port;
  };