fix secrets

modules/server-age-secrets.nix

@@ -217,5 +217,15 @@
       owner = "firefly-iii-data-importer";
       group = "caddy";
     };
+
+    # LiveKit + lk-jwt-service shared signing keys (`<keyname>: <secret>` per
+    # nixpkgs services.livekit.keyFile docs). systemd reads via LoadCredential
+    # before dropping privileges, so root-only is correct for both consumers.
+    livekit-keys = {
+      file = ../secrets/server/livekit-keys.age;
+      mode = "0400";
+      owner = "root";
+      group = "root";
+    };
   };
 }

services/matrix/livekit.nix

@@ -1,14 +1,12 @@
 {
+  config,
   service_configs,
   ...
 }:
-let
-  keyFile = ../../secrets/server/livekit_keys;
-in
 {
   services.livekit = {
     enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
     openFirewall = true;
 
     settings = {
@@ -34,7 +32,7 @@ in
 
   services.lk-jwt-service = {
     enable = true;
-    inherit keyFile;
+    keyFile = config.age.secrets.livekit-keys.path;
     livekitUrl = "wss://${service_configs.livekit.domain}";
     port = service_configs.ports.private.lk_jwt.port;
   };