YAML: What is the File Format with Matrix Secrets

I would like to store my database passwords outside of the files in my /etc/nixos directory. According to the Appendix B of the 22.05 release notes I can now do so like this:

The secrets in your original config should be migrated into a YAML file that is included via extraConfigFiles

I therefore created /run/keys/matrix-synapse/secrets.yaml and put the following in it:

          database: synapse
          user: some_guy
          password: "SoethingClever"
          host: localhost

I then deleted the services.matrix-synapse.settings.database.args settings from my Synapse config file and added a reference to the yaml file like so:

{config, pkgs, lib, ...}:

  services.matrix-synapse = {

    enable = true;

    settings = {
      server_name = "somethingsomething.wtf";
      listeners = [
          port = 8008;
          bind_addresses = [
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
              names = [ "client" "federation" ];
              compress = false;

    extraConfigFiles = [

I then ran sudo nixos-rebuild switch, but now the synapse service won’t start.

Is the format of the YAML file correct? Am I missing a step?

The file has to be synapse configuration.

And I doubt that regular synapse config does start the nesting the same way as the NixOS option hirarchy.

Also if you want that configuration to live under /run you might need to do some extra setup to persist it there, /run is tempfs and lives in RAM only, it gets destroyed with each reboot.

1 Like

Ahh, ok that is very helpful. It looks like I will need to find a better way to store my secrets.