From 48d3f66855fb57379351fb9a458a95cf28522916 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 11 Apr 2023 18:37:20 +0200 Subject: manage secrets with sops not sure if i like this yet, but it seems worth trying it out. --- flora/services/akkoma.nix | 16 +++++++++++++--- flora/services/mail.nix | 4 ++-- 2 files changed, 15 insertions(+), 5 deletions(-) (limited to 'flora/services') diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix index 98cfb7b..3eb9173 100644 --- a/flora/services/akkoma.nix +++ b/flora/services/akkoma.nix @@ -12,6 +12,11 @@ let staticDir = "/var/lib/akkoma/static"; in { + sops.secrets = { + "akkoma/keyBase" = {}; + "akkoma/signingSalt" = {}; + "akkoma/jokenDefaultSigner" = {}; + }; containers.pleroma = { autoStart = true; @@ -22,6 +27,11 @@ in hostAddress6 = "fd00::42:30"; localAddress6 = "fd00::42:31"; + bindMounts."/sops" = { + hostPath = "/run/secrets/akkoma"; + isReadOnly = true; + }; + config = {pkgs, config, ...}: { # generating the manual will fail when mixing nixos channels, @@ -63,10 +73,10 @@ in ":pleroma"."Pleroma.Web.Endpoint" = { "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; }; "http" = { ip = "::"; port = 4000; }; - secret_key_base._secret = "/secret/secret_key_base"; - signing_salt._secret = "/secret/signing_salt"; + secret_key_base._secret = "/sops/keyBase"; + signing_salt._secret = "/sops/signingSalt"; }; - ":joken".":default_signer"._secret = "/secret/joken_default_signer"; + ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner"; ":pleroma" = { ":instance" = { diff --git a/flora/services/mail.nix b/flora/services/mail.nix index d41f0e8..e43e56f 100644 --- a/flora/services/mail.nix +++ b/flora/services/mail.nix @@ -3,7 +3,7 @@ { imports = [ inputs.simple-nixos-mailserver.nixosModule ]; - + sops.secrets."mail/hashedPassword" = {}; mailserver = { enable = true; 
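Review bot: The three `sops.secrets` entries rely entirely on sops-nix defaults (root-owned, mode 0400, no `restartUnits`, if I remember the module correctly), but their only consumer is the `pleroma` container, which receives them through a bind mount rather than reading `/run/secrets` directly, so a rotated `keyBase`, `signingSalt` or `jokenDefaultSigner` on the host will not reach akkoma until that container is restarted. Consider `restartUnits = [ "container@pleroma.service" ];` on each entry, or factor the three into a single `let`-bound attrset so the options stay in sync. Also decide deliberately whether root-only 0400 is readable by whatever performs the `_secret` substitution inside the container; if it runs unprivileged, a `mode`/`group` the container user can map to is needed here.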
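Review bot: `hostPath = "/run/secrets/akkoma"` is resolved once, when the container starts; if `/run/secrets` is a symlink into a per-generation directory, as sops-nix sets it up, the container keeps whichever generation was current at that moment, and re-activating the host with changed secrets leaves the mount pointing at stale files that sops-nix may already have cleaned up. A comment on the mount recording this, e.g. `# snapshot of the host's sops secrets taken at container start; restart the container after rotating them`, would spare the next rotation some confusion. `isReadOnly = true` is the right choice. The `containers.pleroma` attribute set continues outside the hunk.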
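Review bot: The old `/secret/secret_key_base`, `/secret/signing_salt` and `/secret/joken_default_signer` files are only dereferenced by this change, not removed, so a copy of the live Phoenix key material stays wherever that `/secret` directory lives (host or container state) with whatever permissions it had; shred them once the sops-backed paths are confirmed working, and consider rotating `secret_key_base` at the same time since it has existed outside sops until now. Since the new files arrive via a read-only bind mount with sops-nix's default root:root 0400, also verify that the process doing the `_secret` substitution inside the container has the privilege to read `/sops/keyBase` and friends; if it does not, the secrets need a `mode`/`owner` that a container user can map to. The `"Pleroma.Web.Endpoint"` set and the enclosing `config` attribute set extend beyond the hunk.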
@@ -14,7 +14,7 @@ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 loginAccounts = { "hello@stuebinm.eu" = { - hashedPasswordFile = "/var/mailstate/hello-password"; + hashedPasswordFile = "/run/secrets/mail/hashedPassword"; aliases = ["postmaster@stuebinm.eu" "abuse@stuebinm.eu"]; }; }; -- cgit v1.2.3
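Review bot: Pointing `hashedPasswordFile` at `/run/secrets/mail/hashedPassword` leaves the previous `/var/mailstate/hello-password` on disk, so the password hash for hello@stuebinm.eu exists in two places until the old file is deleted; remove it after the first successful rebuild and check nothing else under `/var/mailstate` still refers to it. Under sops-nix defaults the new file is root-owned 0400, which is presumably fine here because the mailserver module builds the dovecot passwd file from it in a root-privileged pre-start step, but confirm that rather than assume it. Adding `restartUnits = [ "dovecot2.service" ];` to the `"mail/hashedPassword"` secret would let a rotated hash take effect without a manual restart. `loginAccounts` closes inside the hunk; the `mailserver` set continues outside it.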