From 366694fb4ea75dad4c98555f2cf333a995f713ed Mon Sep 17 00:00:00 2001
From: Akshay Mankar <itsakshaymankar@gmail.com>
Date: Sat, 28 Oct 2023 18:43:07 +0200
Subject: [PATCH] nachtigall: Configure matrix with telegram integration

---
 hosts/nachtigall/apps/matrix-log-config.yaml  |  40 ++++
 hosts/nachtigall/apps/matrix.nix              | 216 ++++++++++++++++--
 hosts/nachtigall/apps/mautrix-telegram.nix    | 207 ++++++++++++++++-
 secrets/matrix-mautrix-telegram-env-file.age  | Bin 0 -> 2013 bytes
 secrets/matrix-synapse-secret-config.yaml.age | Bin 0 -> 2809 bytes
 secrets/matrix-synapse-signing-key.age        |  28 +++
 secrets/secrets.nix                           |   4 +
 7 files changed, 478 insertions(+), 17 deletions(-)
 create mode 100644 hosts/nachtigall/apps/matrix-log-config.yaml
 create mode 100644 secrets/matrix-mautrix-telegram-env-file.age
 create mode 100644 secrets/matrix-synapse-secret-config.yaml.age
 create mode 100644 secrets/matrix-synapse-signing-key.age

diff --git a/hosts/nachtigall/apps/matrix-log-config.yaml b/hosts/nachtigall/apps/matrix-log-config.yaml
new file mode 100644
index 0000000..555f3aa
--- /dev/null
+++ b/hosts/nachtigall/apps/matrix-log-config.yaml
@@ -0,0 +1,40 @@
+version: 1
+
+formatters:
+  precise:
+    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+filters:
+  context:
+    (): synapse.util.logcontext.LoggingContextFilter
+    request: ""
+
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    filters: [context]
+
+loggers:
+  synapse:
+    level: WARNING
+
+  synapse.storage.SQL:
+    # beware: increasing this to DEBUG will make synapse log sensitive
+    # information such as access tokens.
+    level: WARNING
+
+  synapse.http.matrixfederationclient:
+    level: CRITICAL
+  synapse.federation.sender.per_destination_queue:
+    level: CRITICAL
+  synapse.handlers.device:
+    level: CRITICAL
+  synapse.replication.tcp.handler:
+    level: CRITICAL
+  shared_secret_authenticator:
+    level: INFO
+
+root:
+  level: WARNING
+  handlers: [console]
diff --git a/hosts/nachtigall/apps/matrix.nix b/hosts/nachtigall/apps/matrix.nix
index e903f3e..1c6c405 100644
--- a/hosts/nachtigall/apps/matrix.nix
+++ b/hosts/nachtigall/apps/matrix.nix
@@ -1,31 +1,221 @@
 { config, pkgs, ... }:
-{
-
-  services.caddy = { 
-  };
-
+let
+  publicDomain  = "matrix.test.pub.solar";
+  serverDomain = "test.pub.solar";
+in {
   services.matrix-synapse = {
     settings = {
-      server_name = "pub.solar";
-      public_baseurl = "https://matrix.pub.solar/";
+      server_name = serverDomain;
+      public_baseurl = "https://matrix.test.pub.solar/";
       database = {
         name = "psycopg2";
-        args.host = "/run/postgresql";
-        args.user = "";
-        args.database = "";
+        args = {
+          host = "/run/postgresql";
+          cp_max = 10;
+          cp_min = 5;
+          database = "matrix";
+        };
+        allow_unsafe_locale = false;
+        txn_limit = 0;
       };
 
+      account_threepid_delegates.msisdn = "";
+      alias_creation_rules = [{
+        action = "allow";
+        alias=  "*";
+        room_id = "*" ;
+        user_id = "*";
+      }];
+      allow_guest_access = false;
+      allow_public_rooms_over_federation = false;
+      allow_public_rooms_without_auth = false;
+      auto_join_rooms = [
+        "#community:${serverDomain}"
+        "#general:${serverDomain}"
+      ];
+
+      autocreate_auto_join_rooms = true;
+      caches.global_factor = 0.5;
+
+      default_room_version = "10";
+      disable_msisdn_registration = true;
+      email = {
+        app_name = "Matrix";
+        client_base_url = "https://chat.pub.solar";
+        enable_notifs = true;
+        enable_tls = true;
+        # FUTUREWORK: Maybe we should change this
+        invite_client_location = "https://app.element.io";
+        notif_for_new_users = true;
+        notif_from = "Matrix <no-reply@pub.solar>";
+        require_transport_security = false;
+        smtp_host = "matrix-mailer";
+        smtp_port = 8025;
+      };
+
+      enable_media_repo = true;
+      enable_metrics = true;
+      enable_registration = false;
+      enable_registration_captcha = false;
+      enable_registration_without_verification = false;
+      enable_room_list_search = true;
+      encryption_enabled_by_default_for_room_type = "off";
+      event_cache_size = "100K";
+      federation_rr_transactions_per_room_per_second = 50;
+      forget_rooms_on_leave = true;
+      include_profile_data_on_invite = true;
+      instance_map = {};
+      limit_profile_requests_to_users_who_share_rooms = false;
+
+      log_config = ./matrix-log-config.yaml;
+
+      max_spider_size = "10M";
+      max_upload_size = "50M";
+      media_storage_providers = [];
+
+      password_config = {
+        enabled = false;
+        localdb_enabled = false;
+        pepper = "";
+      };
+
+      presencee.enabled = true;
+      push.include_content = false;
+
+      rc_admin_redaction= {
+        burst_count = 50;
+        per_second = 1;
+      };
+      rc_federation= {
+        concurrent = 3;
+        reject_limit = 50;
+        sleep_delay = 500;
+        sleep_limit = 10;
+        window_size = 1000;
+      };
+      rc_invites= {
+        per_issuer= {
+          burst_count = 10;
+          per_second = 0.3;
+        };
+        per_room= {
+          burst_count = 10;
+          per_second = 0.3;
+        };
+        per_user= {
+          burst_count = 5;
+          per_second = 0.003;
+        };
+      };
+      rc_joins= {
+        local= {
+          burst_count = 10;
+          per_second = 0.1;
+        };
+        remote= {
+          burst_count = 10;
+          per_second = 0.01;
+        };
+      };
+      rc_login= {
+        account= {
+          burst_count = 3;
+          per_second = 0.17;
+        };
+        address= {
+          burst_count = 3;
+          per_second = 0.17;
+        };
+        failed_attempts= {
+          burst_count = 3;
+          per_second = 0.17;
+        };
+      };
+      rc_message= {
+        burst_count = 10;
+        per_second = 0.2;
+      };
+      rc_registration= {
+        burst_count = 3;
+        per_second = 0.17;
+      };
+      redaction_retention_period = "7d";
+      redis.enabled = false;
+      registration_requires_token = false;
+      registrations_require_3pid = ["email"];
+      report_stats = false;
+      require_auth_for_profile_requests = false;
+      room_list_publication_rules = [{
+        action = "allow";
+        alias = "*";
+        room_id = "*";
+        user_id = "*";
+      }];
+
+      # TODO: Agenix
+      signing_key_path = "/data/matrix.pub.solar.signing.key";
+
+      stream_writers = {};
+      trusted_key_servers = [{ server_name = "matrix.org";}];
+      turn_allow_guests = false;
+      turn_uris = [
+        "turn:matrix.pub.solar?transport=udp"
+        "turn:matrix.pub.solar?transport=tcp"
+      ];
+      url_preview_accept_language = [
+        "en-US"
+        "en"
+      ];
+      url_preview_enabled = true;
+      url_preview_ip_range_blacklist = [
+        "127.0.0.0/8"
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "100.64.0.0/10"
+        "192.0.0.0/24"
+        "169.254.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "192.0.2.0/24"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fe80::/10"
+        "fc00::/7"
+        "2001:db8::/32"
+        "ff00::/8"
+        "fec0::/10"
+      ];
+
+      user_directory = {
+        prefer_local_users = false;
+        search_all_users = false;
+      };
+      user_ips_max_age = "28d";
+
       app_service_config_files = [
+        # "/matrix-appservice-irc-registration.yaml"
+        # "/matrix-appservice-slack-registration.yaml"
+        # "/hookshot-registration.yml"
+        # "/matrix-mautrix-signal-registration.yaml"
+        # "/matrix-mautrix-telegram-registration.yaml"
       ];
     };
 
     extraConfigFiles = [
-      # registration_shared_secret 
-      # mailer
+      # The registration file is automatically generated after starting the
+      # appservice for the first time.
+      # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
+      #   /var/lib/matrix-synapse/
+      # chown matrix-synapse:matrix-synapse \
+      #   /var/lib/matrix-synapse/telegram-registration.yaml
+      "/var/lib/matrix-synapse/telegram-registration.yaml"
     ];
 
     plugins = [
-      pkgs.matrix-synapse-plugins.matrix-synapse-shared-secret-auth
+      config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
     ];
   };
 
diff --git a/hosts/nachtigall/apps/mautrix-telegram.nix b/hosts/nachtigall/apps/mautrix-telegram.nix
index ac73eb3..560405e 100644
--- a/hosts/nachtigall/apps/mautrix-telegram.nix
+++ b/hosts/nachtigall/apps/mautrix-telegram.nix
@@ -1,12 +1,211 @@
 { config, pkgs, ... }:
+
+let
+  # TODO: Get this from something in config so its shared among all integrations
+  publicDomain = "matrix.test.pub.solar";
+in
 {
-  servies.mautrix-telegram = {
+  services.mautrix-telegram = {
     enable = true;
-    environmentFile = ""; # Secrets
+    # TODO: agenix
+    environmentFile = "/run/age/some-file";
     settings = {
+      homeserver = {
+        # TODO: Use the port from synapse config
+        address = "http://localhost:8008";
+        domain = publicDomain;
+        verify_ssl = true;
+      };
       appservice = {
-        database = "psql:////run/postgresql";
+        address = "http://matrix-mautrix-telegram:8080";
+        bot_avatar = "mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX";
+        bot_displayname = "Telegram bridge bot";
+        bot_username = "telegrambot";
+        # TODO: See if we can use postgresql
+        database = "sqlite:////var/lib/mautrix-telegram/sqlite.db";
+        hostname = "0.0.0.0";
+        id = "telegram";
+        max_body_size = 1;
+        port = 8080;
+        provisioning =  {
+          enabled = false;
+          prefix = "/_matrix/provision/v1";
+          shared_secret = "generate";
+        };
+        public = {
+          enabled = true;
+          external = "https://${publicDomain}/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
+          prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
+        };
+      };
+      bridge = {
+        alias_template = "telegram_{groupname}";
+        allow_matrix_login = true;
+        # Animated stickers conversion requires additional packages in the
+        # service's path.
+        # If this isn't a fresh installation, clearing the bridge's uploaded
+        # file cache might be necessary (make a database backup first!):
+        # delete from telegram_file where \
+        #   mime_type in ('application/gzip', 'application/octet-stream')
+        animated_sticker = {
+          args = {
+            background = "'020202'"; # only for gif, transparency not supported
+            fps = 30; # only for webm
+            height = 256;
+            width = 256;
+          };
+          target = "gif";
+        };
+        bot_messages_as_notices = true;
+        bridge_notices = {
+          default = false;
+          exceptions = [];
+        };
+        command_prefix = "!tg";
+        delivery_error_reports = true;
+        delivery_receipts = false;
+        displayname_max_length = 100;
+        displayname_preference = [
+          "full name"
+          "username"
+          "phone number"
+        ];
+        displayname_template = "'{displayname} (Telegram)'";
+        emote_format = "'* $mention $formatted_body'";
+        encryption = {
+          allow = false;
+          database = "default";
+          default = false;
+          key_sharing = {
+            allow = false;
+            require_cross_signing = false;
+            require_verification = true;
+          };
+        };
+        federate_rooms = true;
+        filter = {
+          list = [];
+          mode = "blacklist";
+        };
+        image_as_file_size = 10;
+        initial_power_level_overrides = {
+          group = {};
+          user = {};
+        };
+        inline_images = false;
+        max_document_size = 100;
+        max_initial_member_sync = 10;
+        max_telegram_delete = 10;
+        message_formats = {
+          "m.audio" = "'<b>$sender_displayname</b> sent an audio file: $message'";
+          "m.emote" = "'* <b>$sender_displayname</b> $message'";
+          "m.file" = "'<b>$sender_displayname</b> sent a file: $message'";
+          "m.image" = "'<b>$sender_displayname</b> sent an image: $message'";
+          "m.location" = "'<b>$sender_displayname</b> sent a location: $message'";
+          "m.notice" = "'<b>$sender_displayname</b>: $message'";
+          "m.text" = "'<b>$sender_displayname</b>: $message'";
+          "m.video" = "'<b>$sender_displayname</b> sent a video: $message'";
+        };
+        parallel_file_transfer = false;
+        permissions = {
+          pub.solar = "full";
+        };
+        plaintext_highlights = false;
+        private_chat_portal_meta = false;
+        public_portals = true;
+        relaybot = {
+          authless_portals = true;
+          group_chat_invite = [];
+          ignore_own_incoming_events = true;
+          ignore_unbridged_group_chat = true;
+          private_chat = {
+            invite = [];
+            message = "This is a Matrix bridge relaybot and does not support direct chats";
+            state_changes = true;
+          };
+          whitelist = [];
+          whitelist_group_admins = true;
+        };
+        resend_bridge_info = false;
+        skip_deleted_members = true;
+        startup_sync = true;
+        state_event_formats = {
+          join = "<b>$displayname</b> joined the room.";
+          leave = "<b>$displayname</b> left the room.";
+          name_change = "<b>$prev_displayname</b> changed their name to <b>$displayname</b>";
+        };
+        sync_channel_members = false;
+        sync_dialog_limit = 30;
+        sync_direct_chats = false;
+        sync_matrix_state = true;
+        sync_with_custom_puppets = true;
+        telegram_link_preview = true;
+        username_template = "telegram_{userid}";
+
+        permissions = {
+          "pub.solar" = "full";
+        };
+      };
+
+      logging = {
+        formatters= {
+          precise = {
+            format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
+          };
+        };
+        handlers = {
+          console = {
+            class = "logging.StreamHandler";
+            formatter = "precise";
+          };
+        };
+        loggers={
+          aiohttp.level = "WARNING";
+          mau.level = "WARNING";
+          telethon.level = "WARNING";
+        };
+        root = {
+          handlers = [ "console" ];
+          level =  "WARNING";
+        };
+        version = 1;
+      };
+
+      telegram = {
+        connection = {
+          flood_sleep_threshold = 60;
+          request_retries = 5;
+          retries = 5;
+          retry_delay = 1;
+          timeout = 120;
+        };
+        device_info = {
+          app_version = "auto";
+          device_model = "auto";
+          lang_code = "en";
+          system_lang_code = "en";
+          system_version = "auto";
+        };
+        proxy = {
+          address = "127.0.0.1";
+          password = "''";
+          port = 1080;
+          rdns = true;
+          type = "disabled";
+          username = "''";
+        };
+        server = {
+          dc = 2;
+          enabled = false;
+          ip = "149.154.167.40";
+          port = 80;
+        };
       };
     };
+
+    systemd.services.mautrix-telegram.path = with pkgs; [
+      lottieconverter  # for animated stickers conversion, unfree package
+      ffmpeg           # if converting animated stickers to webm (very slow!)
+    ];
   };
-};
+}
diff --git a/secrets/matrix-mautrix-telegram-env-file.age b/secrets/matrix-mautrix-telegram-env-file.age
new file mode 100644
index 0000000000000000000000000000000000000000..2497dfdfc6ae974d903a22130d6cdd9bd4c33752
GIT binary patch
literal 2013
zcmZA0{qxg=0mtzTzMNQ@Zon5DKCH3{jPRvNnkKE|!L&`=q)F2>O`DV<Bz;KJr?g3$
zCs1z6zyrLUOmE_VO^$8%o#N?+J2yCW;^6QBx5;E~=M)%Dz#$HF2Qt|91HbSWyzbuj
z`N(R0tlp~{Uf<I6-a_3_LpBr`TM{(Q=2*Q3M<P%xs3o&4M-Ap+sb^()zYmstM;<1l
z1R$kRkgS(dXr<CI5^6_ch?;M}LI9Mw9!WN>c%#_lgovGp+GN#gNhz!^HMD%ecS#k%
znr@qtuGNN8HJNjQl#Qaz2CS-FCkHkv7@5OJC5lN%u}sQRH`W;Tao2<gt+*4wdZBD6
zqNVh9!PfmwpEa`ys$hh;oFoi}{6G@RJ*O>XxE^v<GfX+yP9=E|53~U-L{YY;a0+6&
zRZF7DNIu<+g}EXdL179sf!-jc_IREXvpNy&mt%!ImT)Dlj(JI<6d;%Z;Po|&b)Z23
z&Q}Yr;HJXaA{)nHfz}|Nq`3j2&@7OQ)0rj=c~)ANTP6lkadW^p0hG&z5W67fbA%GJ
zGPQV3Z`p7Z37HkYDZxrTta0TiBl2LcFMGKPZc!vVFpLVPQ%OG+3bZ7sS_jlvY9Jd<
zF7GF}4k467T%K#jWj8Wx=OhRp7Tj(LPgem7A&L-0<t;bDWJOWci2$D)m>p18I9nx)
zn2I*i5|4C=t`jcFV3qE~k)8(#KG=}01c0=iBvenKX2Ta5ks)9-6ab)}*(y0Dmg{k8
zG75CndbyhA$}E=6mFs!Ylgo<Q>UBk>3(_o}l}cU~0yE)qyb=}6Vm!bCu{6zEJWW*M
zQmVqiNk6Alqe{V3NwNwseXvQ;VbCiv*(6>Fl_Ads3S1(_=rRvS2`A8CavUNlP=*t`
z12kL4hmgX<BFPXfF-8f)8sYT1e$E+`eA_a*U6g?+iXP}{q5?!)-DW_*Js<C=@ebb4
z^+I{0X!{u-&4N7`qeFDvf}3ay$&g&f6oo;dAqim~sEas*G>a%cs3HNQB$r$RuBAA!
zTw&v78^dtju5{>RGVKuw-^qCzrbGsrp%yJuLQ&{IvXa-j9NC~Gx{U?;l+jYHTwm(-
zP!*B8mL=p^*#jz+WOWi*-EXmlZh~l-zHoKNS3fGHc-B;d9AMyVD;zE4X*VI%;*{$_
z(R?0><Tb);4cdZMZn#6%vLGVRhq7kO0UM(0fkHboOr&dB6g5ghJ3`h{Ks1R$rH0Tc
z5Nh>WP0N(fFdk%mA<{>?A-h*B*<fsl)iS0~9`xg4*zcy&vfgFWxP}6C*bE3Ygv;?!
zsanC*eoS?7oUROqmA+$j3YtabK+%o)V#3hl(QCDM$@GeN(8XMSXc%-Jj?q@C-_TgU
zq6liz*YO_7%5g|b=K3Xq<Xd`x0n4`GV<ce~bk!U<c%@!6hlJ7KF~3=l#;BoUd*wV?
zN;Ci06nqXirW$qGtOq#(4%SvLiY*@omwuyVAo}cJ_wIIuTtWv-h;D{MrEpu!cnDi+
z=;=Db6wOrGBceKwvDr3RWt!QjT(Da0y5k}JBySo-Ie{0YFj>n63O%;TLSRZ$iZ!)}
z2>B$|3`z0)|0*S1Fk~0=eJoQ?N{r_Kq7B5dbcu0LqZ}9;8w;iw(6o~VmnQlN%dgrL
z+C?O%m54zDA>`UN$mcP|({nm11@@e{`10K|Biq0Auk&X^Z@gZe_rdPzv#&da&UmmP
zJ^#sz=O+F9;Vo0|TfXni;lJ(rd>eCIhz6Jc=AG}sdp7TwzV4RkbN%o9I)2^6S^1mx
z?o&n%Za!IiZprpDk$J~fB-iik_ZB~XVgAO(!oPfb#<ax&<qqll&yF)c8s}ah4sBv*
zOuJ+C57&J8&kGjr(Et73P2z?{i8uDnIl2s<Rb@Y0vqwF#?cDUIKVLE9=}m7gdTHa?
z1IyIYJGcDONm0iZyryhlet{ZYxqH#!bx$F8esTPtw=^bSIDLb8<7dkJ!)xukPEFb2
zE*d$1^AE5?Baa^WD0~C_$D?<ypEq*PZQK5SX#3>iGaKGHxACMY{3Et@-KEpd5GPKa
zntg@5?S<ppXUu0GdF91@7au&*eqhJ`Rd=oa*)KL%GW<`@-}<MoKlI_6UE0EjR~}ir
z`b)a_q({#Wzx(Lv^_PD)Yk&8iZ!XYp)LtLqYnNYndHe%Ie)fTP)0Hor8J|4!u?1V7
zy#GI&)>kH+d%w6hygT*w>4`hPa$xJLxt|{Yc-4}z(XWoI+;x88Zy$O;-TLkn;_X{!
z!k^B)`H|$~S?ZJP<(JMrf8Xf!(~iY1{c7~+W%x};UOHhv75y>u;qRBe_1>ztM(=%Y
zjWD-xsc~>0y>)a>ZPMtJ_?5q2{Pf-{6Gxt)UaK5fy!8IfA5EPCe(iSr4+oEKxsu{<
Xf8wcEmkl4=FloidQ!kQaaKe89ci7^o

literal 0
HcmV?d00001

diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age
new file mode 100644
index 0000000000000000000000000000000000000000..e9342d1ede9ffa198f69ea726bfe2f88fcb3260e
GIT binary patch
literal 2809
zcmZXU`F{)t1IA088zL$~nitUoi50uEM|M|2yZ6i<vpci*(AFNav%9nR>`hRSx;3ga
zaUWHhG#Yihgt)bWR@5EGt3o2KI$9cv*ZV_%>H8OaKhN{|K97~ai*Ua^oD4?X0sq)Q
zm|(;JTG51DigFd<4i=XS2y)#Lr6*40O0=ew$ev6(gIt_t=a{5!SV^!<8lOuhGul*`
zLN1p&O{CSuvePUaeIi28<1D3HDHkOoo}kntr}!8v;t?j@ac!|E734A5LbHzZPg>Ms
zm%#Ddlt#n!6&r+dIttnq0?Z~yC_rq&?Q$Dp76Gn^K?SH4C?SkXY3u}Suo?BBFQuld
zonfPuQs5NRBrqWYkw;<H2f>I$=Oh&#jqq<;n6l=QGKr2Uq*+i5h+{T8UnCUSOb!Wb
zQmHYM4UiD7h*iN!>Ge{vFh+5rae&fdVYT1GNHAF-Y)Q#Yc2a4j0aiDUv@10dK*2=l
z5w}e*^Sa$^Cqoet>C8aFmjJ{_z@|fkVm&IPLsB>yq>EyqgiaCls7N{uCiDzvDkA0-
zTOhGYtnfz6J_TLC#}U3N>`QRnl+~q=^JQkE!oZ5F#a@<MFW@FvnlN39a@k&*BSu6$
zKnehbc#5YBd9*QEn1IASt%ZSE0ueE;Q`r1o9J8Y~(&*3zEovi9Xasba5mO6LBuv9%
z1~K0%pai5gDbb)otrtfUDghkSIzmP=D)Bi55}efdonDt5l|fOZNzK<YloTMeLy|Zj
zrUe493Y57FZ%k2Hohe)tK=k}12zkP86ybzmjS!S*2qdY9$oW``!lN!w1-PPdv7G5e
z?O{4i;#C_HW`wKdXe7R{n!utwmOz7ZJ!X5NnDVnE3<gieC?;igfyrOYL2U-WfrCOy
zg1gKPDD0$Z)piS?nUu+$Xn+zC<`~=hMqb3Dlw+nK9)iP$q%0UEt?@7&DMn*B7_|7!
zNv4HOAkvsx!=ljx7Lf_naieOBIVSc66=DQu;gS%Xa8X=2h6M;6DF;9uDRhMe5v|Ia
za(J`^NA8jP=%n1ips75JkSyq>yeJ1mV3Z*u8KBY6H^z-gzSty<@er0jNwF=YB7_4B
zwl?nL*<moGC+K0Vi^1X3d~^qd8WLUvqw6s<3aT+d2vUaw0SU@sSVit6BonGRF=mK|
z{O$4I8@0%E8j8q8BLP585q^F+1zGvFpc1ESY&JipRvR&yoq&X>+fPxDTbQ6|QM=TV
zU}!Kv8<f-e?vz9R1}EUSAP9ki45lza*GAlIhk%d$AI%LKi`l|l8`CR$^8q1(8`LnR
zFv9ZUb^$H|xeRAgCz43LPBO_QAQ55+&}=-riNg}cu$0CeWs-iQ2IR%0DUFv$PY4WB
ze+q;N1v45{an%3JCNfe<y)f6J7DX6(hn3Dyf`~4GSg{x!i!ywH0O;kxT8~c`5Gb(_
zDbw3&@i)o5wxos!ST%Ac#PX6NgtSq`7^I?XG9H{%cwA)4kSaEl|D#F#rs0LUA|i}i
zDLfa{63EnmjwWO(Bs`VD%w;E75C@_#m{7u~-{ggnNJ=HKg#o{jlk`f8lZ*%hm-!fP
zdMYZ)4Rhj}sDNV&kqHwk4)S3)KcMjdDtW?#hcG503@6!i7||kX4sGq`J12L`u8tMv
za-#S1GHYMWGy9fw*W{b5OkMYV4Tm%L-<~#c^q@&tN%O8ry-RC*obs$Y<2$<9m{&M|
zVeDu2U(U<(s&-ci&FCj@_sM9yw6dY#y_xI*%HhRRntx|D1Eact`Mc#^WLmoX8Rwn*
zjs5Eb4pbUE|8DMz+M9P(+ZGk1x4-?KUVrM^%7H7xFUf}T<@W=|t7m)Q=8^-C{#{O+
zcB8Guw0~Rp`s@4?LwfIPai5BIEJ$BA#1m<5pJJ;?yLiz4sPFToQ+uf<+}=8=?Cp-J
zgU?NOG;d!w0_s{r?=x?D%>mpib-h!lN+j-8zrS&I*+(r?v6suG{Yb{Dr~USvxmG`Y
zul?l+guZtCp+#_k?}Hna_2b)Se3+Eh1Q+1pXG>(wubO#dzQ{ek#jv+LI|r-Dp#T0y
zwdZ)bFDF_)d+Z2thNZOc*gwh6%E!|%-s)!$BCn729oM66d1XqNO=`Mgt&)xt7b<hA
zx_FxwqklElU1)w<;cLYPR1|J4fX82v+SH|<!up(L|4GwkO5S-|whCKQ+Vpb#L|vDR
zQ{O(!<`3hR)%KtBRCoJ~{n(18No}@O-`tz-afO6ObQ_M{+xY5m<Kp%a*!IeiofE;c
z+476$It|B;Ws#S%j;gB${c<<$)_}F1M(fAxGP^F!vR)Y%jd8Y~+<duj#hSOervK}}
z4s)r9>HT`nXEWz!4ZS=N+I;$()dw?g*EjvBz~ejq2)8G0uKu%eQ-5_;-4?v>k0Xz?
zFFkzx{Hcrs1#3H6m!5t$x~?`IM!T*nZxz-9j?a$lY=BJ5XTJN4u@UKf@<pK$(0k>N
zkL1oaoLS%Ar(vJcGtGGVr^w*B`}O&0OKbam^5RmmVp&bukm48nj=Q9hu{qF_$yK4f
z4&R~g0Ku>W(#b0LVCI<Q;=`u#r9Y;<zq0OvVd1!4>n2UVoIRtyW#5t&gRAFVn6>@b
zqpye64SW3R>ys_%Q&oA{&8L4@Gh<EZhPAV<8dhH)`GoTtBf5?K<O~c>*>UJxLCftb
zqNA{DM4{q+3l<QG;Yi<=(HF?zjeDLjW0!Y)w6t0Ms2xg&>9@As`I6TJuFqIhF@M!4
z{?EeSPE8vU-?@F|U8-&Tn%3DHzuHm%V$o{{x@Qm&obmAS<Z~OwR-@H_wtoxo2d>Mk
zo;TBdWistm>4(=pNBgJECxiEwf7O@Keck3810UYa$$IfHwe#ZYlchN~H#u{-510!b
z-Ii44cbVI{vuo#MS-0(Z1<eo4v(rgMw}lx-XRj;QvOw<rO{<*;>dS^U1MlnKIx*-`
z##~|Erk|b*c$>Ge^v;SEt+kZsb#DPQsOrY=k3CH#6Y`$El_MWCWB@E^@GTs==DQ^;
zLR|Z=-79w$brXF0MEDoJDt~AVpnU+Ir*GMM=ib%4tF?=I?C|d5Pk3Is@5&Ef^c(G5
zSakE&{GUoOZuP{Bnvu8sIois$0X-LAT&q92uUv3Xli6}e|I077tTQD;US-dplT7dR
z{hr^(lr8@?Bh3+Pf0mw`H@V|Tpl7ImFI5cE^!Z@k#9mEz&W^iZzkVx6bG_i?rB9Dg
zJx_hPe^aYrz`^cyod>2=)Zzo_eJZ9tcux8vn|C;3yR(mimB$xs`RYMK-HeP)whZH$
z!A{?3r{?mj=Am`{X07SZEZP5YnzBlTmBXJe>%G_Bu($B(t<*dy?;7OKd(L0XTuke>
zlK$2O#jL8<vh%~K?3r^nG?UXhoG8|F&V|;aRL<&)>v!Mj4657<EFThkCRdNj*wD5r
zUzJ_*(uFM_cB^qh@x-gh@G*BcmhU`KQ^MjsZ~Lg@VDJ3!OGQ>^;nUHWtI<$$PPCzE
p#=|2mLsvm(8!wN4eQ#$yJM;73zWe@%E|YGi5{E{Qs%^Gh{x2H`dSd_p

literal 0
HcmV?d00001

diff --git a/secrets/matrix-synapse-signing-key.age b/secrets/matrix-synapse-signing-key.age
new file mode 100644
index 0000000..51eab61
--- /dev/null
+++ b/secrets/matrix-synapse-signing-key.age
@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg DIYhq76lfISisIR1cF5QRAHpUOcY73wh2AAIveZzQEU
+AaISTQUQHKZPfI3eOmez1LsANCwMiLae6wNDtdGyrk4
+-> ssh-ed25519 uYcDNw aWo4SN3rJXLWjeQFmHWQsWvq6TZysarvk2/ymPNjSW0
+Z8dFM+4R/rCzVsAQtmeO/ANFdeqkcOixgcfp5Pe9FIY
+-> ssh-rsa kFDS0A
+fNc11rAe6fUi7DaxEGbU84nJ99DCwv2oSs0EXUtXYU7kSQnPzEMvBUmDtsjc/yJK
+JrER6X3EZpStvveHs12T2bD8sC7qvpGDM0/yxQaD/g2sebdl/PSdly3PcKZPmFJn
+5a8bdFz6auLoxPtV9Ew83rai7/zSGWomD9MtISmtzofQ6ZUMCTHkyv+JFrSGMlDR
+/wAPP4AthjlysLgVnpbFixcFaZKA1825H7yk+i+TvIHIZ5YNhcTlvyos5BnKTbjI
+JJffhvEz4I3c+v6Nb6tssFs/WcnuylDQZa3YqHT8zaL/pXWKZKwSTMkXMXdN5/V6
+bKwwyuSepbKgcdnYt3qnSRZcGobAD3LISrkyPuh3/6v6mPxX9eriv8A+cCTVFR+H
+tx2EEa0PQpgQX7erCxu8n3marv43e6tF58ULJHoBtEcUs0ov5ereNWJBRL5NcZcZ
+1jAg3tJtWFcplghJ8oS4ePrCj87ibNeHUW50zTmpoCWnSdl5coKzPtFRjjWJNf0U
+mUAqnoCOVSkpy+5tUbCdo3IhxXPwQp70SkBTKqJhLw7AqmqCSEt8IzO7Nmh8Cra7
+CpRvcqLvOjDNKLpc3FZWcJdZyFoQUd+hjqO3GsmYE+0HQm4Prb9bDqRIyUiGa2y8
+8Z/Ae7T/X2hvr/h8by/JI+f67fj9n88LMBIc2+VF17M
+-> ssh-ed25519 YFSOsg 7VxASO8bBrWC66jWnFDr/E4uLrE9Eduk1DrxqKBNeAA
+ADu0wFcdyO2+Jzb8nbcBl9RArUrA11+Olr+5wT1NpxI
+-> ssh-ed25519 iHV63A 5its014WusI08tPQDHHPngzWaMWwbTFXUr3uRSjmgU4
+PjhSqHE9QtLQsOvkTh44TYsf4dlBxlHA+0hbY0P34rI
+-> ssh-ed25519 BVsyTA /0Lg7IgQ+ziQPB8zW/g+b9B5MBUmxl44zHKlPC2qgiM
+/nGP+6j9jDh/I0ZW4+nkhVtIRf7rqv0RG+sPoGXq/84
+-> fd]-grease "J/'r
+1Gqo8aWuDf5XWFLB+OxHs3sNKf/4Kwv8dXBEtn40oL0uk8UZyUkNaLWZ2/GfdO0t
+dT7bm5ihzq/7wJsIoNUgGBDprFAZgcEExno
+--- zpUnJCx+HoeJm0KW3PIwljBvp/94VsyKfDQ2GRSOd+4
+�1�I#��C[���|)܁�:d��d� �3X���'����qA��ok���C�TT3�aB����t�'�k\���c&�a|:R�5
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index db05a92..7405a9b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,8 @@ in {
   "mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
   "mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
   "mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
+
+  "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
 }