nixos/synapse: doc: suggest LoadCredential before nixops/sops

[martinetd]

Description of changes

This is a bit selfish, but that's what I was looking for in the .md when I wanted to quickly add a user without adding the password in the store on a local machine. Happy to reword or try another way of describing it.

---

nixops and similar are great, but require an upfront cost that is no longer necessary now systemd can read root-only files for restricted services through LoadCredential

Suggest the native method first in the service readme for simplicity

---

Note: it'd make more sense to set $CREDENTIALS_DIRECTORY/matrix-shared-secret instead of hardcoding /run/credentials/<service>, but that doesn't pass types.path check. The service name is made explicit when setting LoadCredential anyway, so this constant should be safe to use.

Things done

• Fits CONTRIBUTING.md.

Cc @Ma27 @fadenb @mguentner @Ralith @sumnerevans @NickCao @dali99 (matrix team)

[NickCao]

Tip: you can use /$CREDENTIALS_DIRECTORY/matrix-shared-secret to trick the check.

[Ma27]

Don't we have a section in the NixOS manual that explains how to deal with secrets? (cc @NixOS/documentation-team )

I'm pretty sure that this is by far not the only module where you have an issue like this and I think it's far better to have a central place where (1) the general issue is described (i.e. why that shouldn't be in the Nix store) and (2) how to deal with it (i.e. "deployment" tooling such as sops-nix/agenix) and mechanisms for services (i.e. LoadCredential, SuppplementaryGroups etc.). Then, all modules could just reference this section of the manual and we don't need to duplicate this information everywhere (and risking that it is incomplete - as demonstrated by @martinetd in this case).

If such a section exists, we should just link it here and remove the rest. Otherwise, I'd accept this patch as temporary improvement, but I'd really appreciate it if the docs team could add that to their backlog if possible :)

[jian-lin]

Don't we have a section in the NixOS manual that explains how to deal with secrets?

not yet #142282

[martinetd]

Tip: you can use /$CREDENTIALS_DIRECTORY/matrix-shared-secret to trick the check.

Oh, that's nice I've updated it to that!
I don't suppose you have another trick to hide the systemd service name by accessing it through services.matrix-synapse.something instead of sytemd.services.matrix-synapse ?

If such a section exists, we should just link it here and remove the rest.

Agreed. There was something so I just built on it, but if there's something common it'd be better to share. Looking for 'LoadCredential" in all *.md files only found ths and a mention in nixos/modules/security/acme/default.md so I can confirm there doesn't seem to be anything yet.

[pennae]

Tip: you can use /$CREDENTIALS_DIRECTORY/matrix-shared-secret to trick the check.

you can also inject arbitraty synapse command line arguments by adding spaces to an extraConfigFiles entry. this is a bug, not a feature

[martinetd]

Actually just tested that and the command is escaped, so that doesn't work -- systemd tries to run --config-path "/\$CREDENTIALS_DIRECTORY/secretfile" which.. isn't anywhere to be found.

Reverting the commit

[ju1m]

Actually just tested that and the command is escaped, so that doesn't work -- systemd tries to run --config-path "/\$CREDENTIALS_DIRECTORY/secretfile" which.. isn't anywhere to be found.

In ExecStart= the env vars substitution is done by systemd (not bash), so it has to be written as: /${CREDENTIALS_DIRECTORY}/secretfile.
I've been bitten by this before:

Minor gotcha, $CREDENTIALS_DIRECTORY must indeed actually be used with ${} (as in ${CREDENTIALS_DIRECTORY}/mycred from the doc example) when part of a word, since contrary to bash, a / is not a separator for variable names.

This behavior is mentionned in the systemd.service manual:

Basic environment variable substitution is supported. Use "${FOO}" as part of a word, or as a word of its own, on the command line, in which case it will be erased and replaced by the exact value of the environment variable (if any) including all whitespace it contains, always resulting in exactly a single argument. Use "$FOO" as a separate word on the command line, in which case it will be replaced by the value of the environment variable split at whitespace, resulting in zero or more arguments. For this type of expansion, quotes are respected when splitting into words, and afterwards removed.

[ju1m]

Hmm, by reading the code, I think the path /run/credentials/matrix-synapse.service/matrix-shared-secret should remain hardcoded instead of using ${CREDENTIALS_DIRECTORY}, because it is used in the shell script matrix-synapse-register_new_matrix_user, hence outside of matrix-synapse.service, hence without the right CREDENTIALS_DIRECTORY set.