treewide: replace <secrets> with sops.secrets

2configs/bgt/download.binaergewitter.de.nix

@@ -56,9 +56,10 @@ in {
   systemd.services.nginx.serviceConfig.ReadWritePaths = [
     "/var/spool/nginx/logs/"
   ];
+  sops.secrets."lego-binaergewitter" = {};
   security.acme.certs."download.binaergewitter.de" = {
     dnsProvider = "cloudflare";
-    credentialsFile = toString <secrets/lego-binaergewitter>;
+    credentialsFile = config.sops.secrets."lego-binaergewitter".path;
     webroot = lib.mkForce null;
   };
 

2configs/bgt/hidden_service.nix

@@ -6,12 +6,12 @@ let
   srvdir = "/var/lib/tor/onion/";
 in
   {
-  sops.secrets."bgt_cyberwar_hidden_service/private_key" = {
+  sops.secrets."${name}/private_key" = {
     path = "${srvdir}/${name}/private_key";
     owner = "tor";
     restartUnits = [ "tor.service" ];
   };
-  sops.secrets."bgt_cyberwar_hidden_service/hostname" = {
+  sops.secrets."${name}/hostname" = {
     path = "${srvdir}/${name}/hostname";
     owner = "tor";
     restartUnits = [ "tor.service" ];

2configs/binary-cache/server.nix

@@ -1,12 +1,13 @@
 { config, lib, pkgs, ...}:
 
 {
+  sops.secrets."nix-serve.key" = {};
   # generate private key with:
   # nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub
   services.nix-serve = {
     enable = true;
     port = 5001;
-    secretKeyFile = toString <secrets> + "/nix-serve.key";
+    secretKeyFile = config.sops.secrets."nix-serve.key".path;
   };
 
   services.nginx = {

2configs/nginx/dl.euer.krebsco.de.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 
 {
+  sops.secrets."dl.euer.krebsco.de-auth" = {};
+  sops.secrets."dl.gum-auth" = {};
   users.groups.download.members = [ "nginx" ];
   services.nginx = {
     enable = lib.mkDefault true;
@@ -11,13 +13,13 @@
         extraConfig = "autoindex on;";
         forceSSL = true;
         enableACME = true;
-        basicAuth = import <secrets/dl.euer.krebsco.de-auth.nix>;
+        basicAuthFile = config.sops.secrets."dl.euer.krebsco.de-auth".path;
     };
     virtualHosts."dl.gum.r" = {
         serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ];
         root = config.makefu.dl-dir;
         extraConfig = "autoindex on;";
-        basicAuth = import <secrets/dl.gum-auth.nix>;
+        basicAuthFile = config.sops.secrets."dl.gum-auth".path;
     };
   };
 }

2configs/nginx/euer.wiki.nix

@@ -2,7 +2,6 @@
 
 with pkgs.stockholm.lib;
 let
-  sec = toString <secrets>;
   ext-dom = "wiki.euer.krebsco.de";
 
   user = config.services.nginx.user;
@@ -18,9 +17,10 @@ let
   #  user1 = pass1
   #  userN = passN
   # afterwards put /var/www/<ext-dom>/user1.html as tiddlywiki
-  tw-pass-file = "${sec}/tw-pass.ini";
+  tw-pass-file = config.sops.secrets."tw-pass.ini".path;
 
 in {
+  sops.secrets."tw-pass.ini" = {};
   state = [ base-dir ];
   # hotfix for broken wiki after reboot
   systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ];

2configs/nix-community/mediawiki-matrix-bot.nix

@@ -1,8 +1,12 @@
-{ pkgs, ... }:
-let
-  seccfg = toString <secrets/mediawikibot-config.json>;
-  statecfg = "/var/lib/mediawiki-matrix-bot/config.json";
-in {
+{ pkgs, config, ... }:
+
+{
+  sops.secrets."mediawikibot-config.json" = {
+    mode = "0440";
+    group = config.users.groups.mediawiki.name;
+  };
+  users.groups.mediawiki = {};
+
   systemd.services.mediawiki-matrix-bot = {
     description = "Mediawiki Matrix Bot";
     after = [ "network-online.target" ];
@@ -12,11 +16,9 @@ in {
       RestartSec = "60s";
       DynamicUser = true;
       StateDirectory = "mediawiki-matrix-bot";
-      PermissionsStartOnly = true;
-      ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" ''
-        install -D  -m644 ${seccfg} ${statecfg}
-      '';
-      ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}";
+      SupplementaryGroups = [ config.users.groups.mediawiki.name ];
+
+      ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${config.sops.secrets."mediawikibot-config.json".path}";
       PrivateTmp = true;
     };
   };

2configs/torrent/rtorrent.nix

@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:
 
 let
-  basicAuth = import <torrent-secrets/auth.nix>;
   peer-port = 51412;
   web-port = 8112;
   daemon-port = 58846;
@@ -30,14 +29,13 @@ in {
   };
 
   #security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL;
-
+  sops.secrets."torrent-auth" = {
+    owner = "nginx";
+  };
   services.nginx = {
     enable = true;
     virtualHosts."torrent.${config.krebs.build.host.name}.r" = {
-      # TODO
-      inherit basicAuth;
-      #enableACME = true;
-      #addSSL = true;
+      basicAuthFile = config.sops.secrets."torrent-auth".path;
       root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets";
       locations."/api".extraConfig = ''
         proxy_pass       http://localhost:${toString web-port};

2configs/wireguard/server.nix

@@ -7,6 +7,9 @@ in { # wireguard server
 
   # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
   # conf.all.proxy_arp =1
+
+  sops.secrets."wireguard.key" = {};
+
   networking.firewall = {
     allowedUDPPorts = [ 51820 ];
   };
@@ -20,7 +23,7 @@ in { # wireguard server
   networking.wireguard.interfaces.wg0 = {
     ips = [ "10.244.0.1/24" ];
     listenPort = 51820;
-    privateKeyFile = (toString <secrets>) + "/wireguard.key";
+    privateKeyFile = config.sops.secrets."wireguard.key".path;
     # allowedIPsAsRoutes = true;
     postSetup = ''
         ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE