Fixed a number of security vulns

modules/matrix.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 
 let
-  livekitKeyFile = "/run/livekit.key";
+  livekitKeyFile = "/var/lib/livekit/livekit.key";
   serverName = "atri.dad";
   matrixDomain = "matrix.atri.dad";
   matrixRtcDomain = "matrixrtc.atri.dad";
@@ -116,9 +116,14 @@ in
     ];
     script = ''
       echo "Key missing, generating key"
+      install -d -m 0700 "$(dirname "${livekitKeyFile}")"
+      install -m 0600 /dev/null "${livekitKeyFile}"
       echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}"
     '';
-    serviceConfig.Type = "oneshot";
+    serviceConfig = {
+      Type = "oneshot";
+      UMask = "0177";
+    };
     unitConfig.ConditionPathExists = "!${livekitKeyFile}";
   };