From 48d3f66855fb57379351fb9a458a95cf28522916 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Tue, 11 Apr 2023 18:37:20 +0200
Subject: manage secrets with sops

not sure if i like this yet, but it seems worth trying it out.
---
 flora/services/akkoma.nix | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'flora/services/akkoma.nix')
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 98cfb7b..3eb9173 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -12,6 +12,11 @@ let
   staticDir = "/var/lib/akkoma/static";
 in {
 
+  sops.secrets = {
+    "akkoma/keyBase" = {};
+    "akkoma/signingSalt" = {};
+    "akkoma/jokenDefaultSigner" = {};
+  };
   containers.pleroma = {
     autoStart = true;
 
@@ -22,6 +27,11 @@ in
     hostAddress6 = "fd00::42:30";
     localAddress6 = "fd00::42:31";
 
+    bindMounts."/sops" = {
+      hostPath = "/run/secrets/akkoma";
+      isReadOnly = true;
+    };
+
     config = {pkgs, config, ...}: {
 
       # generating the manual will fail when mixing nixos channels,
@@ -63,10 +73,10 @@ in
     ":pleroma"."Pleroma.Web.Endpoint" = {
       "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
       "http" = { ip = "::"; port = 4000; };
-      secret_key_base._secret = "/secret/secret_key_base";
-      signing_salt._secret = "/secret/signing_salt";
+      secret_key_base._secret = "/sops/keyBase";
+      signing_salt._secret = "/sops/signingSalt";
     };
-    ":joken".":default_signer"._secret = "/secret/joken_default_signer";
+    ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner";
 
     ":pleroma" = {
       ":instance" = {
-- 
cgit v1.2.3
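Review bot: The three `sops.secrets` entries keep sops-nix's defaults (root-owned, mode 0400), and those host permissions are exactly what the container sees through the read-only bind mount added further down, so whether the Akkoma service can open the `_secret` files depends on which uid reads them inside the container, which this hunk does not show. If the NixOS module reads the `_secret` paths as the service user rather than as root, the mount will be present but unreadable, and because the container has its own user database a host-side `owner = "akkoma"` would not line up with it either. The two halves of the mechanism live in different hunks, so a comment on this block would help the next reader, e.g. `# decrypted to /run/secrets/akkoma/*, bind-mounted read-only into the pleroma container as /sops`.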
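Review bot: The bind mount of `/run/secrets/akkoma` is resolved when the container starts, and sops-nix (as far as I recall) publishes each activation's secrets as a new generation under `/run/secrets.d/` and re-points the `/run/secrets` symlink, so a rotated secret only reaches the container after it is restarted, not on `nixos-rebuild switch`. Nothing in this hunk restarts the container when the secret files change, and the rest of the container definition is outside the hunk, so I can't tell whether something else does. A comment on the mount, e.g. `# resolved at container start: restart the container after rotating the sops secrets`, or a `restartTriggers` entry on the container's systemd unit keyed on the secret paths, would close that gap.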
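Review bot: The removed lines pointed at `/secret/secret_key_base`, `/secret/signing_salt` and `/secret/joken_default_signer`, and nothing in the change removes or retires those files, so if they were plaintext copies on the host they remain readable after the switch to sops and should be wiped once the new paths are confirmed to work. Whether the sops values are the same secrets or freshly generated ones is not visible here; if they differ, a new `secret_key_base`/`signing_salt` invalidates existing sessions and a new Joken signer invalidates tokens already issued, which is worth a line in the commit message or a comment such as `# same values as the old /secret/* files; rotating them logs every user out`. The enclosing `":pleroma"` attribute set continues past the end of the hunk.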