matrix: use shared secret

.gitignore

@@ -1,2 +1,3 @@
-borg-backup-repo
+/secrets/borg-backup-repo
-miniflux-admin-credentials
+/secrets/miniflux-admin-credentials
+/secrets/matrix-registration-shared-secret

configuration.nix

@@ -88,7 +88,13 @@
       privatePort = 8080;
     };
 
-    matrix.enable = true;
+    matrix = {
+      enable = true;
+      registration_shared_secret =
+        (lib.removeSuffix "\n" (
+          builtins.readFile ./secrets/matrix-registration-shared-secret
+        ));
+    };
 
     monitoring = {
       enable = true;

secrets/matrix-registration-shared-secret.example

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000000000000000000000000000

services/matrix.nix

@@ -21,6 +21,13 @@ let
 in {
   options.my.services.matrix = {
     enable = lib.mkEnableOption "Matrix Synapse";
+
+    registration_shared_secret = lib.mkOption {
+      type = types.str;
+      default = null;
+      example = "deadbeef";
+      description = "Shared secret to register users";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -38,6 +45,8 @@ in {
       server_name = domain;
       public_baseurl = "https://matrix.${domain}";
 
+      registration_shared_secret = cfg.registration_shared_secret;
+
       listeners = [
         # Federation
         {