Add `macaroon_secret_key_path` config option (#17983)

Another config option on my quest to a `*_path` variant for every secret. This time it’s `macaroon_secret_key_path`. Reading secrets from files has the security advantage of separating the secrets from the config. It also simplifies secrets management in Kubernetes. Also useful to NixOS users.
author: V02460 <git@kaialexhiller.de> 2024-12-17 01:01:33 +0100
committer: GitHub <noreply@github.com> 2024-12-16 18:01:33 -0600
commit: 57bf44941e52f09dc7ea21acdbe20633b7449f5a (patch)
tree: d27643103f2f20f06f62380ba60c357a4f075598 /docs/usage
parent: Add `last_seen_ts` to query user example (#17976) (diff)
download: synapse-57bf44941e52f09dc7ea21acdbe20633b7449f5a.tar.xz
1 files changed, 16 insertions, 0 deletions
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 7a48d76bbb..98ceb878e2 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3092,6 +3092,22 @@ Example configuration:
 macaroon_secret_key: <PRIVATE STRING>
 ```
 ---
+### `macaroon_secret_key_path`
+
+An alternative to [`macaroon_secret_key`](#macaroon_secret_key):
+allows the secret key to be specified in an external file.
+
+The file should be a plain text file, containing only the secret key.
+Synapse reads the secret key from the given file once at startup.
+
+Example configuration:
+```yaml
+macaroon_secret_key_path: /path/to/secrets/file
+```
+
+_Added in Synapse 1.121.0._
+
+---
 ### `form_secret`
 
 A secret which is used to calculate HMACs for form values, to stop
author	V02460 <git@kaialexhiller.de>	2024-12-17 01:01:33 +0100
committer	GitHub <noreply@github.com>	2024-12-16 18:01:33 -0600
commit	57bf44941e52f09dc7ea21acdbe20633b7449f5a (patch)
tree	d27643103f2f20f06f62380ba60c357a4f075598 /docs/usage
parent	Add `last_seen_ts` to query user example (#17976) (diff)
download	synapse-57bf44941e52f09dc7ea21acdbe20633b7449f5a.tar.xz