From 3da843c3ffbd93dc9d4f4d272e0793fffdb6af1f Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Tue, 5 May 2026 12:40:11 -0400
Subject: [PATCH] fix secrets

---
 modules/server-age-secrets.nix  |  10 ++++++++++
 secrets/secrets.nix             | Bin 3675 -> 3724 bytes
 secrets/server/livekit-keys.age | Bin 0 -> 295 bytes
 secrets/server/livekit_keys     | Bin 84 -> 0 bytes
 services/matrix/livekit.nix     |   8 +++-----
 5 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 secrets/server/livekit-keys.age
 delete mode 100644 secrets/server/livekit_keys

diff --git a/modules/server-age-secrets.nix b/modules/server-age-secrets.nix
index 0f09962..3cb5c09 100644
--- a/modules/server-age-secrets.nix
+++ b/modules/server-age-secrets.nix
@@ -217,5 +217,15 @@
       owner = "firefly-iii-data-importer";
       group = "caddy";
     };
+
+    # LiveKit + lk-jwt-service shared signing keys (`<keyname>: <secret>` per
+    # nixpkgs services.livekit.keyFile docs). systemd reads via LoadCredential
+    # before dropping privileges, so root-only is correct for both consumers.
+    livekit-keys = {
+      file = ../secrets/server/livekit-keys.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
   };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1b3cfb51245827912ea9b698a79e70b6f38975eb..84d796bf34569375de2498a0847451c569345df8 100644
GIT binary patch
literal 3724
zcmZQ@_Y83kiVO&0c);f?Tr{Oeb;Fmm-A_IFJB`E_zJ0}WMnpU9SflEahA`%PqC)!H
z!VEve8=pF`uafUrjiy8RWv#9Cvwo*C3jYjXj*YtBq~qZ~uYW_uk-c6QOd6`Q9XGa}
zu{?8Vk<)I`btiA0te9+adiR@`Uk>b;#L~)O&LU)Wq5Eb3vLK5^AEYWS>o#q8z_*O8
zA)ft*eE!QhRvJ@}@rhrl|Gpw_>8_rIW)lVS<$V|%x8B@-OYB!~ilv{O^A7H2mu&7S
zTJlV49({e&-Z<4Se;g^n<i6xhhUiNEGZzK*<#-fNbtav7Yj^dfv_|^BgjEu^j6}l?
zZ_Jo4#dCb3@bv<J3(1X^ntUZeCJh_)yMFxV?PryE<|GqsdqO1m_2d0X0(YAk-pzj>
z%&lD?bU>;*;e7D#cY7tywkIu0*!%KWgVF5kiAr95Gprk?DDM|JBrdLbcZz=EBw+zD
z{#~jiUUOtZ_>WE(apGU;nl(lCc*_Q{eaBT)lQwbR{kbh9_<QDpMmfFz5B*H_*4}0m
z4}NT?r*`DcoWi%YuLbN2u12wHJ_wxqmgm2)gDuDRpY!A0eJ@?&6HI<{X63gAp+A8(
z2lRs0>L>RaYPZTceth#^Ax%|6U1M9qRPVbLaaH+KGj)oykJ&hTy)7=bC@%`-{^Rve
zw|II?ORYxGr|dkh?$bh1PcHt|me|m_z2AzVC~OhSqWtX-a$2^CpR&F5zRqMu^2G4!
z<$KMloBe&B7ao|ok86wdO{qfb_<GIX^2#O$TOKd%6~BKyd&;I|&yJ+ej8jv#6xLu^
zdT*vjo!jO2Yo<&z|8%Y2ZuMEUs(>pVx^r$US?_K2+0|T&H{{r2b+M&4%<h~&WTv;N
z_TgN%N~5(kDQX)Iu|JgIZZf)*BD$O>bxPRl;ML{%&mQ_0UvhSPUgp8EbHS(8+&>w1
zvORs2)6n{zh3Q)EkyrC1LT;<XROcAo`qzIeVatm4vf%X3b(2pO9xzxUvdE-y+M3^r
z=Xgwg>_lYp%5)naclhp=PWIE<aP^|9YWxG!_!l>HCb%#>iriJ>bTWkTHRtMunv=VY
zR9@+XFaD=#^7$P5OR*jgi87@^)jZzchtKo9Dz}-p(*K(-d-)^rJDV2UuUQ?F@pV&K
z%g@zEb_pc%WWS#G+1ScA;m_P6s|gD~Fr?=txJF8E$ak|jvG2zEgxASeRx)wV*`KrL
z;<VE3GLIj(%v@X|(0N_^mz!F?p?30?z6nC<nLl*hR+{Ybv-|Y<tGmr6rnNRxZ137G
zV~+dPEAjF3O&>P*tf?Pl*b7w!Ty8T*?wOV*ez;)&<CHZg_C(EnW;1Vbk=*|ato-3i
zeucAh=olt`d;jv}tV{P!wjJOyO;_Kf?sae~tBvB%mvaKy3mz}s{5Il}nyiOR#_Q`(
zg*R;EEdM^&EHq$;z~SC=tve6qW%%A?YgRPdI<xTYjm6hu56;;ac643L6TY+VpRcaj
zF3hL8l~GJ8!>w86uh`3@`~Eh4D2m*F)-v|bq~nh-M?1`#Gix%Vo%y@F^U{w?zmh%n
zcr(}K+5gw?3)t>H*?r?B4SD%Mj;NOKScW^+yEngl)pVNSgqqyja<&MWXwRw9N5aCk
zYA)jYzR~dU#Z5iZ2_IutFDXu)>YBBG|Ky@+Pmg)N`}{>;b<&53DdKCM{gx}(cf0uD
zgk7^v-fQ13^7v#?O=?)C&Y?St&ba5zdD$kh{pp%ag@6RNocxrko+9>;P{%*H!E2o)
zSWjQy@p_+DZ(X4H(zS2hX6O{nQjJ_Q`@i`g?vPyHH>*pvm4j^et+zVT_OEue`Zt!Z
zkL=zgnG5YdcayENZRzn9aW~H`YiFOc;>r34|9T%BeqG?kqI6MSzP#>t=DGsG#BZVV
z!Y}y0k8^Bu(hx~l@_Ejz3WxHmmpAszI@u}Dx+3SN<nk-?<9|2!ce8%kv~K#f!rGI)
z!ABQK<uVH#^V=czmf_XLRW`F9TwCJUw`)&$)ZRU>7W@r!RN~&P_`rOhUP+ov)P{>!
z_uM(Xc&om#a&_CBPesa;qxe=!o0{AfHu-I!=etNXV5!{&6LqtL`IdP<o}W$M-z<23
zzHgTFS@r&7J~Jk)mtYUtUF@?tb<M-(Zw(1$OMb;(nfk4@)ilHI;uSNg-KC*nbIP^}
zbW1zT+V=FyT|dum1N~DyQBf=O-o^Vgb){$|%eFP1U6T3##EWq6Ght2s*MiQ3PKsl>
zy+$o=hw`!O&u(0+e9Q4t^7j<Ab>%s)^z<h+3pp%L+f>)_XV2QCjrW-~C$L;KuXSyR
zSK4Sh?Zx*y;tB2t?sHaZ{mYd+bN|i0#nlRG@$s5FcjX3J>f2`+&o0dCJ;(K9g0xZ4
z(K#`9oIZVBT`FZ<sCT|Z;Hk<k@jVVjA>S-S!`t57uFvOb=6_Yd{W)~CRLT8VgF?fn
zLgs!;p0*q1eKIMZ6&CX^FnPU~xS{c_hKTUxA9S7;DyY?E@+sM0Flvu>X}EZK#n0q>
zo_Qvm!ioD>jM<Z}6|ML*bHdF^)`PQr6*{8%ZM04(PCCE2F`2`C{+HT+ijoCB8dEsR
zpY^!1--->jaB0=nEDZa?`(?AyX2~YoFyEWY=P&=)c_LCQYt{J@9cybpY5AVLKEGKD
zYOQ_t&VTj(iL7N4@2a%whIzkuUqngBh#%V!bSKV)Q}I%HOw4&XR_AwdPxzO9>fc!%
zo*c_zXnbMMgmWiXh!<TFt4z?`e*e_3SCuEi-Tp0O3g##>dQ(&5p0e`9`KQe1*M~>i
z{_B}he16kX)4C0jKaa=Qab7*c*f1wa^tG@eOWl^1AHCh-1+S*<(^C2Qf#<Z4vWuXn
z$-PsL6ZU!4i^+vcGuExEaq1S&`*X`ez3ku7hG`}FiN}pkN9Q%Fv8sC>JD0KZNAM<g
zvmffmUTySb;$1we>GB@8xu1UOth}ajMPq00tp6=9V&`j#@a)asWx*$?F;k9nZqc=w
z)`wPaar(C>w)(k8Vae+Qb8Wj+jx3Ft<swn1e0BN#rO6Aw8wRojPSUOq2zy{1d4|hq
zU!EVstUKr3^{Z!jhuF=ISNS*f_S!{ZRuu*N3}aVF7wT2dO5ek^p`caPZ{>!zU!haX
zH0Gbo^S#g?otD)2{N;hgTbY<M-2N|=4zuSzTW}$l**)`lamTS-h4n5oPc@w0@@Gvm
z^Uvi=L@ZQ-Tz)Rp$XFLKscu(Of90PR*IR!*zTG#p)6i40DPC-OcJt06`}*hW{xo>6
zy~K5~m)9uR;?AU3l0Orc#zrhpW>h~F6Lj;@oFA^7yGpb@Z7zSg5f}S-!{Wb;%cU1j
znk@d$#4nJ4*^(Uv4O_c1oaP@0^qj}P^jmRM;cxElEcI_{2TpCsV!m}^(YiqH9<?c)
zwsuS#?5cJq)~hhSyywI5Yg*rluk1-8sa1CpuI+mAI6G_0g5Ml@0s@~xqcw6(1S66r
zKFoNUP~!Y()du|y94>3Kztrxvda8Tkme$ARA6g!;r^T<k<MQ)j<)Oes!pgA=sxO^l
z=V6)nQzP}tB34yXtDwhwou5_BuvS|W&2#+wiSIErJDvwvmH7PIYh-%lMtuD5l`@gf
zxXvmzt$cG<Co=7UN`bueMUQvMGkUU{1#Nc7tUfStU%bVAb55mu>OFNzFKv=`a>Rr^
zoW-={=GS>Uj`E3Fvu3SrleAL0wMX@6)@(0+hHm4D%LSZmqxU^=x~Q#CRwy=4@J-&4
zw{L{!drUY#LE=NwhJ*UG>-$@mTI_jf-d$r@{6X}|VTO?Dt;a4qyuNvh{Y-K1r`vVy
ztJUTf$1XdvL}TIPi;E1;oVm6}bJfYWn|U-IO}pXU;4ZdH#lYV*HgmE7@3EqX^6LIf
z4{w$*w?+Ejh?(^47t7(Tl@DvrPWI}#e^T(r<O@t+yC%y^i5aa^jrcor;mpemik2L#
zF*2`;lU0vAI`e+S$FdEUJB_YK{#x?>R&=>d*^zgPo30)F)8g8vB^{tzX7J=tvs1H|
z>3yA4yZQ&QUyVfT#bs_uf3V7_@Msd-^vRSl^k8_Rs<?MfY;%mD=I_r7j$Y_=-_|Vl
zMrrxG8F3zRy7SeKzleX8ud}h{)+YbM+FE7v1oWD{f=sF<9i$g}O;FyH%6f2e8=IPk
z<l-0J5__zF%1bJ2t>RXU@QqLPbqLG0I+d_Cp}6hEZX5r!MJyRiTDRWxU!UGOiBsfy
zvQEXU`RWzFOf*{h`)7St`0pd&wtnqB+x4MuqpRN7Gc47As3zmLC{JOh)t~#9YnLo*
z){j%o4E9QvjQ@G%%B9XL%P#0?6se#7uGo^Kvru!3v0<s|@=|+MgWQv`k8k@f4ce;l
zH%N9CW6sNuB@As7lD^!%u=~VkYZ)W8<c+gmGAB(va?U8oe8x4Ab4(e16YFP8y-}ya
zT&DQFB%uCH<7^v`5JStWJZgJpCH>QxGVOan(7Ek58fG=9amd}NO)xKDjy|U|tHo7n
zvsvLjpY6dNCmGCkMx3)u7w@ZfC{1X|+!xUFa7{<q&8}@vESH$KnI|q)kt&w_Tag~I
zV%4KQMQav^d2^(1d|Gl;>{($sqwn-jatay`1hdVHqq&w|j@q^9k?ob}D@yEH0xwTD
zoma~aaaTUFZh7Pm*UIDrf#;rzxaogpbltV4c;`wv^S5)KmT=BiGG21b!~ET2ON*4r
zS^4_RoqlD)zhVzB*>Sk`cqyOM<;5+*=MLmHhkd!(-)B&C`o%hH|B0GeEPLO+RXO$h
zpWJ45dv|U&U1{67e+6o}44GM`b!9W_hPm7;zL6Beb9GtqX7;qx!L`l5g5PaFqR4g4
zzI)q!OU+f)w+}K|R_@z+?eMAUx<3Ea9T)BVOOEGs{bKM=`M!DU*=?S`TTk_*XkEO-
zJNMnWH*vEhuPUURTNLQ@LYX(ERNRi|>zgYs3szhHwR)1vvCjF>?4EL;d-rn{Qyn`V
ztGX;n{FAoy_T6<CZ^d5gnfx`v!+F)(xX-G;iXLT~)ih~k%;Q<SdisI;7dA|0?m5Tx
zD?+8n-2A6n%d@EVV~<WaJqxv|wRaNQB-oZVzueAy<@G1i#96cT*i5xFylk|bIbLmu
ZD3F;U+<Bnxw!w=p%CF4>6%Q{s3;-rn50wA_

literal 3675
zcmZQ@_Y83kiVO&0NbaBYxaEM|yqM2&#hl!q|CUXzn#O%6MAo6$X*&1Ha}O^3p46zC
zTffZF(yHHX_k?K&`pXVZC{RAl`_)5VZ((J$ji=iQpWnYtpE9Z#_3ocBlbs{whnrQn
z^Q!AFdbJDvLo)ByglV2QGwFJ0>8UFVf0*p>%UCFVum0B^e(8ht9<!_jJeP+l+|7!T
z4EbjA_03x;2i5PlITQsepR8RbcFCT74(rV0w^w+luw0qssPI+#!AZA@eN`U+CeF5O
zx$|gp<djbhYya<EBRV}mrfKU-$%MO3ngUa6r*wYVoKbi5zueW={k8uC*Q75_;`Fl3
zKP|C!&a;0nt#8c;*ehl?bCSPtug?pmO1^zF)_#7Hc+DvC&Xeg`4CR+ktAD@ZaQo~1
z<czhiuitY&oSb}fYRlz^OkZvCJ2w0aH;#_mQ1^0{kbC*f(%K1MXT{Dt6sWjaL^542
zc=6Rd9e2j96+gY5o1<5$9nJJo*3aIk^6h)v>FwY4&(l_RS-fk`9i{&}`zM&K)Smrj
z`<!RncADLFWPP@B`AHYyI}-oD>YiJ>;^eb!yr)+9B=oIxSS0_3H_u>ZA(Mw&{e~B3
z!^KK=ul%nusr_om=hWYR$|dh&WFv!5d|29L$a6Jc?kn@<CHEu?x0$O+Up^x6p0}er
z-Fwzk)(0=dCmV^(YWdyI@M}d$qUE{e9P3&8W_Ij2@kai-ef%5?;j>@F1Afmk-M%B|
zX^-`!l4XStpWPJiZZx(_V@;ZTv~~i^$LShxGUgv)j+D@~i%42$UEOE7{jt!#S?kvJ
zy0o9xUVG3`boNWHg)wUxp1#RowO#13oz=Z<O*reOEq->qPO+7a3KJvyvn^DXX5HfR
zW<38w+CQvkh2fGJjx%2$n|b3$@{O|wjl5<pZ#eG1^4^hOxot{8(z{Nd;QH@{6^@gh
z&D~{jhwIsc?eAAt&P=WD`FAC)cl|cyNG>MU|3-5cCC{}s2za;3{E+OcgAp>C>sahV
z4onvBZ`9_wzU#HP{8X;{)^>|dG`AMCEEhN*eAec}HRs=4kFU;j?cQ-baDh@x_=TO)
zR|O64FpG07{#j94+Oqi5@y54v!{irNzB=z>ymZP()+=`+t{&Z-V49RwB_0!^eRd+Z
z`P=1+A9e<39uGF%S~}<Lll8Jm7fwkt%v_gN&Gnq;=82xUUj(DmrwY8c5?0|X?N*-g
z{^Y@?hs&S*T@Y25?XBq`e(a-}SE8$qsNm@o-NUBK_RX_e^}6WeegU7yW+G45etOE+
zAI-h!xXrh04yQ>M7TVA8J9&TO63YdZ#qm!=Z*HlY9qE2Y&F7#%PHyDP9X0MoS~35O
z7iqW`Wd60ZJDcSn)!44LW%ebPtKu`=Bq!T9R@I%GEww^VtG|lDC^g4ZQmcD&Q_9Yt
zPQO$xEpbfQKK({o*_Jr}`U|Dm7uQ@gp15~X&0hW=1wtLh0_VdW_-_5**Z5SSVd+KY
z=wr;czUrmz-JACPZ2R+sEpLC%bNpA-zUqK?*u95G+LvpoS3bQa&(r%-=T*(?Xa6Fe
z-!ebO&K<w`66fz=4NkepKDO3qt0bpQH93D}u2-$R`6Za)5R=`vUFi$0m%s4c#$+k)
z-}vUm?mm`wfj{od{1KCx)Ak)?u<!cl{d1PwIqR8;Qjb&aJr5VSxO>fkS!bQT{ACR-
z44tekIb-J<*LaHuPk*iDZGI#4q}Q6guY&!CfcVxYQq9_j*_Ky5mK58xN%Brzzpeki
z#aAbZPPt`tT)xu$N-bkd-2Q7qAFPgD*YAq_FPnQd+Oh2rYcS{4S!W|Ro2Z%2ijCvA
z-6T`}c5~qCb^L<df*DpVpO-v7bThF3P^M$0N|`|IA9>Ey3az{YhGrKhtyDLD_mQKV
zOI?=NL0o6r#>llhA3r=l?UjNH|I2+|GjCUYkakMA+E)3jh&^L_T{3fB`11dDU#9--
zILA{p#kax4<i|-t?x-HKmv0a3XIr2>`TCyAv)4Wh4q4>Qyufaz)0I6PdN<N^GD6S)
zS-kzA<%2VG&p9ng4T)Z4pe_*;zAu-Z=TS_G<PjB}Ci5?=`lX)#(|FOHa8P~o{0Y~m
zPtC~DH#R<gS+H09{b_OC=;bdwZapnM^dMo+%sJv)^0qOrn^$=$@uuImujXp}mU(AC
z9j>p^luvB^e00*c&n(}3>ZVM7w^MD^^4PYH%4u$bZo>86-O&fDe2WkLHJ<j&?AiJ3
zi+VS23hmULm+<Oh$F`8O?BA3A@T#3o%03}>VdbNicap}}_%x!pSDQIFg^IQ<bK_y!
z@p7fMYrFmzmBLG37fzkWQknBf?&bOruby9bXGzGf`=i{nq%P%R;fAKb{|B!(m&|Ps
z3tZg76D$`ydkwdEvd+I9Z6&fHKlg1Aa8Wr_9%}lwc4OLkwjAE;{}@Ux+}^*+j76m4
z?(~|EeRm(fyXmU*XiGh_PqS+8tohtMas12pWIsDNosMTns%(~=YCHEM!?$lYPOE*H
zbhc~rmd2)=ixUMe{7;prsD6K_b+O%{{eO)u<x(#Gd35E3o73-gZpD%*G8>OtKEHeW
z9(!xw+*1rw?<{z}(__lhb+2xDvv%HQuU6ma^fH6#^%~aMlS>#{&+TVB!TspAVo!p>
zG_8hZsoY||kJiupuxWpB|MYoRmY-&t$yLrNy7=2N$>lpW|FOSVwqWbTT+LfyJWJM#
z8dPpv;<4!R*T2svMu^68@y?lgTwAN4?80^P4dQyg{6DXH*A=>)-RadobH#~!12P0w
z8MmL_w_fwQZnVB@cXVL4{4V=>x8}{WDcZp!bF*+RhemH!;Oekl>N4vXE*^3@ZoXRo
zw8fM#^{m$86<^(!tgF+Pnt8bWYqE*wty?=>&5pJHXP5F--||njWAUmj>^$$>@;2O@
zmd$W$ujQ||&yCNeOn$L@=CY+VXFFQ+($AIr<xLP(l-%|B`TNADCNopltG~@Tx7+ho
ztXa{!ALml<_q1y3*e(>QJ6n3aCiuq9_=(4r7xg}gJlEZ9_WI*)h0e)r`_`tjN-qmb
zk}UpQEH0XxIo&2=$NVQ#gk5A$ZL)dY(3l;~7cWyBWO#=E%+FV6XYAned7iWCR7%#d
zf96YaN<wrmmuvp))xW>f;q-}3g?yF|6z;|>Kdf5*?8Z!aYd*;$i~Nq*)rr&3sr`D_
z{ZGQFyH#Y$#>lsCmNrcI>h^9{;DQhB2U(^sVST=@Ro_-?>XObW4|DC`we+`L<$l<)
z?>t-L;X8S2PMY6{pJ|!-Uzu@#uet0b<ue}h*~0#P$p}!s{p#S?IX@OvCEvQT_s_Ri
zc^!g02c`Z_QW3oU!ZK{y-NXChm)^|}6K6i~-sKM?`{bC^e69usjY~IIEIYwcwRV^F
z{h6v&J9ggwT;;C9cp{F=PkMKunex3ie7Ca%)^xaRY&_3lQF=P{mdnMT7i2?iCUEsR
zr5?P?bT8<3&=##neA9)mPrdc>aMJ3TdGoFazI)Z<wcw~<<3*RSttIQrx-yJ@&AYgG
zm4_t*ugAaBQ|(VS=hq2uvHX_5JmkpBLo1wie>(5a`0j`Lt-I1Qw6y%VYpnJ(IM`fz
z<WkW)wIIi#r^z+%(}NkaG<;UaTV^$9#fQ|~`^n|wVK+Z{*PnB#_gPctRHUDBzF+io
z<;LmNYx2T7{2ktAw-ju=B>J)G`pXj;EgRz3uD%;QF`{kl24)YQmHPUtH=g~}<ZSfr
z`1(tKZi=e+M3ug7>^rn;tM2VZXR>%@=0yMd&3!#k#wsXTa%1w}*~Tl1ZPw*{nE6nI
zW9id%hfb!Qnya07>ewx%ZB<{?t$4ESuS_Zq_t&0w-|XGFjrV0GAC>LvP&M;v_4Mvt
zknI}HXiyT{*l^zLdVxg#tH6?le+55(5$ljRyrc3m+dcJ9mQStx_BdHYUY%iSGc9&j
zGiPgpRCORnfwkBCgsA>V=f_Dqd$U^_CV%*y>>T+kf0f9@riPXUimQ6$rm0-y4VztD
z?;;oTSmdjTqK2d7iHX8)n)cixXP<R<F<xDD{$P*^<EyMAdP;`^S8Y3>GhMN7@w*al
z3+9VI6atLb9_Ziwy!m~EbN!!JH7jSl6b<v5KlPFC3O3!HyLNgwEc$!FebwV&!A*}|
zX4Zahp0CuH%R7@x+Q`D`&C2%;j4MBxEb}_Fl%?wBEB~A%nf5f+E!@JUleSq`UjEMg
z?}+rWc{{$YEu8)}#B7INE33EX=GB)|FG~J?IBjBq$02o=od<sKE}3|1hSK5J%#S2y
zex2C4?`l!xj;)P<EoU_y%zjbE6F4va;LN2pohJ6r)!CcoU0U1Twaw<_{U2I)-)vnT
zaWvTQJWETzlq}1J*^C;E36nE-_)KPO+&q2ncJ}@GZ_~o6A{<YqMC=NA6M40J%e_@6
z1q5E&-`06&C>p0aCvwUPuiO*L={kZrelIyyf4!BN&f@9pH1+$H8*d(eTz>V7Q=<Oa
zPiE$?rbsMau6n=QZl>kjnd+y_j;H?*+<d)2My2>E$HtRUf4s_euh`aU`uoee@SuWX
z;}gtrW`{XX8_3^V^>5yBS;g2mk^OO!h4+^xo@{e?%^g+dU?^``_;A+D2hWfEF?h8o
z>inTgQ*#QGbj5T|GUmqG$ej5jKmX?OQ~Y1ELaWrzC*=IgcvAgJa!R{robK7rmv3s?
zvNb=~HF)ph=a=v`cm0|QC3_#u>clO-n{s(R3iZz0q`tfIQqvKM$?dr+zt*3ST(8A-
zVs=tR%EL=*&Y!UmwhjpmmAWkuR`aM=tnbpi+~xasD=p}0P4D94U}#A`8e03cBsluv
z_Sj9)3qF@N*LW_{zT4jw)yC0v)7K#0@n_Zjq66#aF8=A!?DKN%v9!tW=6L!Y_PTq)
z;`Q9yQMTn*mu$*;(WLUjbDtB3OpW*qi}`Uz5gGR<YpqcZ6MVFT;nn<2Tb%!weSg(x
zlMveR&6MM1S9GAt&v2C!3py*Ta#d#)etRf-YHrbS)Bm5iAI>#jbU5qfo!+@?*K7*D
p96OQAvij?-uNz$tGu2u%9Etp$5c213;GNdId5@nK8%}M>1pw<oKkonl

diff --git a/secrets/server/livekit-keys.age b/secrets/server/livekit-keys.age
new file mode 100644
index 0000000000000000000000000000000000000000..7d52ce56963b882478a2aedf657a801a71e8c47d
GIT binary patch
literal 295
zcmZQ@_Y83kiVO&0@aAgnbay+=#>m^`EY@n5ZF2YAUu{(_Mf2EOJ152oYKVJ!EL*#6
zTGQJVCi)e<4Y3bH)V6-|jy8R|BfjhzgO=lOdpm=q)ps*~X|;cheItAF>bK{WQj4cL
z9SPK(y~$!$|E*b{s_eI<Z#;hX0>^9Z|Fus~s~w!Rw3e4;&f*uhO(vS=pHMigxQQ)4
zW8-%b6<<a5MCQl;Sp3en-R%;a<nFeKXEpB^HD&3b?r)a@R+MdGELT{~xqE7%_y3JE
zZ*{01UHf}d_Lp$x85bo>I?kW@A$je>z6Jce3m#pZ_=aOyx`12s=I}DB`vL-~FK6C;
z;W0t9h&xNO;_vn7WtC1Mm#<fH+I-}l@7>t+qMu`a@Zke5JWjs+_C~ehX5@n-Io?n1
Gvj70k*N>+F

literal 0
HcmV?d00001

diff --git a/secrets/server/livekit_keys b/secrets/server/livekit_keys
deleted file mode 100644
index 0d894e9e1f2bd3044482cee6855dac2d5fb21985..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 84
zcmZQ@_Y83kiVO&0h)bDsVfG@i_IMs%3!zgrHfudMt%&X8?vppO{rKzAszWyMi}D)m
r7X6rcqAJhewVksUXL#A7Py3H?p7UFn`!3kP=uSb#r^(ZQ^9ld})~+T&

diff --git a/services/matrix/livekit.nix b/services/matrix/livekit.nix
index 99a5208..cdbb310 100644
--- a/services/matrix/livekit.nix
+++ b/services/matrix/livekit.nix
@@ -1,14 +1,12 @@
 {
+  config,
   service_configs,
   ...
 }:
-let
-  keyFile = ../../secrets/server/livekit_keys;
-in
 {
   services.livekit = {
     enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
     openFirewall = true;
 
     settings = {
@@ -34,7 +32,7 @@ in
 
   services.lk-jwt-service = {
     enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
     livekitUrl = "wss://${service_configs.livekit.domain}";
     port = service_configs.ports.private.lk_jwt.port;
   };