From 3932fd5c77c264ec6a3285dd52bde93317103e65 Mon Sep 17 00:00:00 2001
From: s-prechtl <stefan@tague.at>
Date: Wed, 10 Dec 2025 15:19:05 +0100
Subject: [PATCH] feat: enable double puppet for signal

---
 hosts/hitsugibune/matrix.nix              |  31 ++++++++++++++++++++++
 secrets/mautrix-signal-puppeting.yaml.age | Bin 0 -> 1310 bytes
 secrets/mautrix-signal.age                | Bin 1037 -> 1102 bytes
 secrets/secrets.nix                       |   1 +
 4 files changed, 32 insertions(+)
 create mode 100644 secrets/mautrix-signal-puppeting.yaml.age

diff --git a/hosts/hitsugibune/matrix.nix b/hosts/hitsugibune/matrix.nix
index 0ebb3e5..14a8b54 100644
--- a/hosts/hitsugibune/matrix.nix
+++ b/hosts/hitsugibune/matrix.nix
@@ -38,6 +38,12 @@ in {
     owner = "mautrix-signal";
     group = "mautrix-signal";
   };
+  age.secrets.mautrix-signal-puppeting = {
+    file = ../../secrets/mautrix-signal-puppeting.yaml.age; # your encrypted YAML
+    owner = "mautrix-signal";
+    group = "mautrix-signal";
+    mode = "0640";
+  };
 
   age.secrets.mautrix-whatsapp = {
     file = ../../secrets/mautrix-whatsapp.age;
@@ -204,6 +210,9 @@ in {
         ];
       }
     ];
+    settings.app_service_config_files = [
+      "/var/lib/mautrix-signal/double-puppeting.yaml"
+    ];
 
     extraConfigFiles = [config.age.secrets.matrix.path];
     settings.turn_uris = ["turn:${turn.realm}:3478?transport=udp" "turn:${turn.realm}:3478?transport=tcp"];
@@ -253,6 +262,9 @@ in {
 
       double_puppet = {
         allow_discovery = false;
+        secrets = {
+          "sprechtl.me" = "as_token:$DOUBLE_PUPPET_SECRET";
+        };
       };
 
       provisioning = {
@@ -261,6 +273,25 @@ in {
     };
   };
 
+  # Ensure directory
+  systemd.tmpfiles.settings."10-mautrix-signal" = {
+    "/var/lib/mautrix-signal".d = {
+      user = "mautrix-signal";
+      group = "mautrix-signal";
+      mode = "0750";
+    };
+  };
+
+  # Insert file for double puppeting
+  systemd.tmpfiles.settings."20-mautrix-signal-puppeting-yaml" = {
+    "/var/lib/mautrix-signal/double-puppeting.yaml".L = {
+      argument = config.age.secrets.mautrix-signal-puppeting.path;
+      user = "mautrix-signal";
+      group = "mautrix-signal";
+      mode = "0640";
+    };
+  };
+
   services.mautrix-whatsapp = {
     enable = true;
     environmentFile = config.age.secrets.mautrix-whatsapp.path;
diff --git a/secrets/mautrix-signal-puppeting.yaml.age b/secrets/mautrix-signal-puppeting.yaml.age
new file mode 100644
index 0000000000000000000000000000000000000000..71877af1dfb54736f801a01e31c7e72041e68875
GIT binary patch
literal 1310
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP5AezMN>@lKEDs3_
z(oPCUb&1gS3du4k^Kthp%+2*mGtYD@a`iNG2~Y9Mi3$x(59BHj_9`#TiZm)NEw?oD
zHT3atjw(+oxA65hcMCKx&x-K(b1QMwPYj6)v4GiDRGg^blkR5h8p!2kQtIUv7E)Q9
zukUXhY><;#?x&qr<`)%KT9|K|n&cJYl~S5rW?*2N?(S@qRg@DM;G1aZZ&qj+o}HNP
zt8K|;oKzC&8kFyqQCx1OZ&2bBW$ad|pXr$ynUZW48c}HMqaBo)XjWhpm=uy6>X&8g
zUJ{;Vky}`9T3q58W>`_cWohObUSJlXpA?cF>FOTjZ5~wS6j-2b7#W<Llw0Ol<x-h!
z5oVE@=bw~Wk(*cP?rP?rU7Y5VQ<7ok;v7}v#O0ssWuER;5@zY|ZlGVOUuhib>*^O6
z;1ld(lJD%{SDq9QT9jW}mTu|dS{@ZroL^C7mYwKi5o%%JVq{>LtId_+l<Q+=>=lq6
z?rR!VVCj+Xl^L9xoMfOK5*i+!S(;Z_<eeOm8CL9NToP3tT9E9LpOqSH>X?`AS?&{6
z8REp1=9W}do}5wT5n@pu5*ZchTjZT=XkL_BYV7S*=8<cV?w(s3;q9OATp1Nv>06jn
zY8X@=Y2c~t>yuhw?qgEUW#MHOVHlVgl<)2s9N?24mg-rNXX+g0Xkl&?8d~XOYUW%L
zP@J1%?(bWiYN~DK;Z{}Y@9byf;^VC!lAE34$5ot?>zor+ROy)Hl#v#YTx{Tx<fU&|
zQBjhZ9$Dm`oa9vQ<Pwn+<z;B$lwskXXHeknm0{uSXOQZcXHltN6voA+tE;PER8nB-
zYUu2e6Po7h=xOGX8WNafmYSkpYU~&65#?{`Qf!%?XAxc&WRc9ZB=%9qrYSxLch8FE
z64ts<yW{kwk`=awK97Aisxw~W32|2HdzO4`=Z#gW-RCb^drVmse@7{-O5k-1lc&s$
zjiu5))(xTeB6h!deOzW<|GOO#F0Pgb=Xt3=J$>8p6-U&gFZ&suF&7{FIsd!redbRK
zwPH^_d3D?}JYH?W9A&ns0(OHv6QpjXZn}E)cEd96i;fFFze+Lscj;(u*QwQVCo{h-
zon*-w-me_I(V{D0<Hvs%KhI3x^rHXmB_ENs3mka$&L6fD)#+-h(|)P4EU0ltZJmH(
z)YkMu{?^&AyjVo0ve#%_sG2q-Z}xj`$)&G6ExT40ZFgq;nY3h~Vn`hG)_J}U*><nA
z%jJI4d26fi^ZTB*Yv+D?V0`M+fiqUhOy{1|tA|G?wVr3(&ZVzf#dh$br1tE9$Z4;Z
zX7-xBF9>Uoo^KVs=O*{|%)H-DF28%dXLPKy3AtOS7pxp~Xhu&}Lip0uc*|5hWxZM9
z`aujHf}Ll1I}^HBmdeE4+<(Ar*DhPXwl95+QERn-R$iZdXTS1CHpxqYj`2cvrbUet
zV-D{;_V+#Cxs6;bJU;Dzv#fNky}VnjwJ9QMl}qED;Jveo*BVc>6`kmQGxvj&<VocP
zox-vU_wAZvVjoqxq=YNY;_f9W4ck?R7dTA29?4oT@znOXlR{CIEIK<%7A)Cq;@a2o
z{<zH3Ubmallb*4D<KpT6$zMKSa{Jvt!GL+}!5hw`ud!R}UY~1Pz;X1{<LUf+Pe!Ju
qJe#oar{esWUuMp_X|8`ZsY|`yC@R+JUUR$9y?Wa7E~|guqU8W|_6Y|7

literal 0
HcmV?d00001

diff --git a/secrets/mautrix-signal.age b/secrets/mautrix-signal.age
index 930c497fb7eb205ab992d5e0cb0342b99fb02e44..20e44bf7e1f1409891c7a544815d2195da7cedb9 100644
GIT binary patch
delta 1073
zcmeC>IL9$Tr#_|FIK|h(yfoJ+E!n)#q_kAKq97<YCC4<)Db&}ptjNW)D!n+f%%nUg
zoy*M0T;DR&!pGd%ue>PBD<VB3ud1Xtxga+qC)nLIH&Nfzw<y~ry&yl&f=ky<p}06h
zx2QN#!6)6#*fo$VD5$7BCAB!p(7V9Yt<*fRz%w!<w>~1utIW?kF)gexxxyzm%+NI>
zJ=`?6)Yvi2-`^~w(%&yRB0nlU(mTLCldCK((<i5>!ZNoY-9Nb?Dcv&1*}SkS%Q!#3
ztim|eJS^2CE7Uy7y)48+KQX_svfQoIxirHw*(kfTGN~-cCyy&D(9FrnJJ;VN-8|hO
zJT<sHt3J=WB0t+A#Mr~PBFZ(pps3QNv>?c=pvcoDB*Va~DkUVv#LY4)D55xAJ13=r
z%cLqNF*`lXC@d-<Ff6FB+&RxJ&otF9C@Ve4IXluhGN{Zf!c#w|pv)*N-8ISE(<0Hk
zQa{Z!JS^NNGu5*sh|3~1%qJoxQ`@UFInzhmtUlZ;(cd%5%-hAxEvVQtBg54=Gr}m*
z%(5aVxx_6euOh3;y}+a_EiWkDuqf2RBP*DzR68Zupu)+o!qLpMDA+AK$Hl88xv*H@
ztvJHMKULq!EhjV5$SW|^Ki%CiSHHq1FVMrXI4Cr-w9vdH#KXdgtGvX=!`LLnAk{EG
zx!$=rJ<BgGCp@CeGa@O)J;x`|+&j`cN54EfH8|BUBs173Dl0vxAk)**%+DjFC@;^b
z%7Cjl!#mu&G%KVsAUh??BdEOG(j(EVC^_6c)u+-tsnpzDJ2NLZEGf^mGTkY}FV|Z;
zz}(a)!n+_d+rTf!pel!pOIKG{At|gfwBEa<A~M;x(jXu_I55L3J;^`cHPSNC$TP#o
zProeG-#yREFEiA@fXiRwevf?3o^7YCbTlHnJd0grv^D=eH~9WZcW&R}P8-9h&5PbC
z@9?O0{uX!Vyg+;6J%x+^B<tGGY%tsZWm(M0tCJ529oaZ>f;)5agqhzw{vPQTc)0F{
z`?mW3ap(3GwYr>MIr&psl<$F{C%zpo(<EJfR=zo+<Tmr{tj>Q?yBAj31v^+WR_Hn`
z`cZ7AwML;aV&lsb?^m5p-}LvO&L+O^?xEK|74)t1%fJ8iF-K0+56PwsnWH%c?ycHY
zavN$43T`o4{g~-~zIKsagTUz>hs7lfqQW)TnqD^jQ=g(O!S1|pdG4z8w-@ZE*PPyS
z>rnIddCJRMd#tn-U1YB<`{(t}p-M=}+p2j&PS5MzlNrC6-cj*4TW@wJs5CsdBl5`h
z_Ro>&jyr_v1G|}yEc{R<uIDxVQ^t9vpO^G5J&63pbwnqP^UAEOm%4`vMQ2<S+xcMi
zhh;Kn3fBl3`o4as74uE#W`%EJT*9nb43o<Z*q+*ax|!;(ulPLjNAS0k!umIwFXph^
Jp1#P94FEF1s>c8T

delta 1007
zcmX@d(aSMGr@pMn*~K_JRllmFB*MGMwaCf9xFE#TJ2x>Przku;!Z$x4I7r(qJxSZy
zk*nO<+|jW(+|n}BDX}8cJ2W84(XqrZ*D1>>v^=CtJ2*Et+cCVVB-h*|kW1H2p}06h
zx2QN#!6)6#*fo$VDJse|xS%p9*UPaqB0N~%!!p@8xIQn$EGr@)CDF{qGBPnNBD1t0
zFfX;z&p9<eHQQV}CC4%<(AC+uNINh>o6FljEhyN(GThkNsUV}muhJsf*D$-hATeCq
zHz+vA-Q6QI(ZDP}+@i|D)gYq4(>1WlJtM`vJiEXz+_^F@--0XBtT-#zBg?}q-!!cv
zL*F+tr9M5!D>*12AT>F)D6`ln+sq|6C(2OYF~Bg=DI_tmz{$WQyr9HXJD@zp#J#wH
z%f-{j+`J^EGRie9D6`n9K)WobD$h|{JIYYsFDtb&G~2>8#UeS>-N-+$!ZXRyHL%3T
zAm87}#V<11sVLkxfXh6j%*4buImt9BEx;$Zs6H{kIUw1j(%8ks+c=;+!__xC(!)gG
zD8<6m!oyA5B+;Ov#KI+{FsjHU-6GX8InszLSHCLH)WpjrD8)4(B-tr7SwADmu(&cb
zyudxv)!(Niz%Mr~+sEI?Ez`)tEy>KYGSMZ!%q_X7LO;njKfNG=t1`IEGsV~-P1~<B
ztUfCv+#;l)$}1?>H94@VFe^9LA|T1q(Ir<u%_$?vOh33XEX*m(Kcy<$IM+C&(9zR4
zGKDLpBs)0MF*4gfA}6UJ*(1j_$H&Fe(#^3Xzu2VE$;TwC#LvAbv#=_}G0D=aBrhY<
zC9%RWAS&3k*sCDRKQxJpOIKG{A=0NbxIWM`r93~_zd%1l+rT|ArPL+Y*xlPLD=)v;
z*Ucl{%Pb?(FxcPAf=l>_)4C&PKfZeVeeLB?J-$NSw7XrUb~lAu*1ub>w0`=8XO^2X
zKXR1lIK7Us-5-A8FWYfZ)$%${tMgLQ?frj0mfb$a&i_#>bKy79iCtF?{W2?hwr<AV
zf35W<CD$jeaNjv;lBdAb`NEGEsNPkq?Ad2&tN!3~)XMeNb)S-F<UUBRzp?k+huOap
zs{>-5ruR(>&+xFfP5qyun9qHDLABiVm*&QedK;UjxfN8cKlbeKdC_7=pC3N2XCx~x
zJ{5D=rsI)D@HOMW+21|lR9EF~+~Kq6-ph|aIX2v43C&<>xVY||x{B3K+0}fTPkb@$
zes0M3(|UuUzgtMI+HHofcII=|y*MTjFX?glkFT}cfy*kZ?q7T^aOLrYA3s}`@r1-)
s^((lhEUM+px!&mB<C$IcY9C%ipMGSf+G)9)%SQW}QbzI8+Lazx02jQ5WdHyG

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6b3cbb5..310ff47 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,6 +13,7 @@ in {
   "homarr.age".publicKeys = [saberofxebec key];
   "matrix.age".publicKeys = [hitsugibune key];
   "mautrix-signal.age".publicKeys = [hitsugibune key];
+  "mautrix-signal-puppeting.yaml.age".publicKeys = [hitsugibune key];
   "mautrix-whatsapp.age".publicKeys = [hitsugibune key];
   "coturn.age".publicKeys = [hitsugibune key];
   "mail-admin.age".publicKeys = [hitsugibune key];