phantom: migrate secrets to sops

2026-02-15 03:47:47 -03:00 · 2026-02-15 03:47:47 -03:00 · 3be05b100b
commit 3be05b100b
parent 5f57fb269a
11 changed files with 24 additions and 102 deletions
--- a/hosts/phantom/invidious.nix
+++ b/hosts/phantom/invidious.nix
@ -23,7 +23,7 @@
    #     "visitor_data": "...",
    #     "po_token": "..."
    # }
-    extraSettingsFile = config.age.secrets.phantom-invidious-settings.path;
+    extraSettingsFile = config.sops.secrets."invidious/settings.json".path;
    settings = {
      force_resolve = "ipv6";
      db = {
@ -33,8 +33,7 @@
    };
  };

-  age.secrets.phantom-invidious-settings = {
-    file = ../../secrets/phantom-invidious-settings.age;
+  sops.secrets."invidious/settings.json" = {
    mode = "666";
  };
 }
--- a/hosts/phantom/mastodon.nix
+++ b/hosts/phantom/mastodon.nix
@ -14,15 +14,14 @@
      host = "lelgenio.com";
      fromAddress = "noreply@social.lelgenio.com";
      user = "noreply@social.lelgenio.com";
-      passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path;
+      passwordFile = config.sops.secrets."mastodon/smtp-password".path;
    };
    streamingProcesses = 2;
    extraConfig.SINGLE_USER_MODE = "true";
    mediaAutoRemove.olderThanDays = 5;
  };

-  age.secrets.phantom-mastodon-mailer-password = {
-    file = ../../secrets/phantom-mastodon-mailer-password.age;
+  sops.secrets."mastodon/smtp-password" = {
    mode = "400";
    owner = "mastodon";
  };
--- a/hosts/phantom/nextcloud.nix
+++ b/hosts/phantom/nextcloud.nix
@ -11,7 +11,7 @@
    https = true;
    config = {
      dbtype = "sqlite"; # TODO: move to single postgres db
-      adminpassFile = config.age.secrets.phantom-nextcloud.path;
+      adminpassFile = config.sops.secrets."nextcloud/default-password".path;
    };
  };

@ -20,12 +20,9 @@
    enableACME = true;
  };

-  age = {
-    secrets.phantom-nextcloud = {
-      file = ../../secrets/phantom-nextcloud.age;
-      mode = "400";
-      owner = "nextcloud";
-      group = "nextcloud";
-    };
+  sops.secrets."nextcloud/default-password" = {
+    mode = "400";
+    owner = "nextcloud";
+    group = "nextcloud";
  };
 }
--- a/hosts/phantom/writefreely.nix
+++ b/hosts/phantom/writefreely.nix
@ -12,19 +12,16 @@
    nginx.forceSSL = true;
    host = "blog.lelgenio.com";
    admin.name = "lelgenio";
-    admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path;
+    admin.initialPasswordFile = config.sops.secrets."writefreely/password".path;
    settings.app = {
      site_name = "Leo's blog";
      single_user = true;
    };
  };

-  age = {
-    secrets.phantom-writefreely = {
-      file = ../../secrets/phantom-writefreely.age;
-      mode = "400";
-      owner = "writefreely";
-      group = "writefreely";
-    };
+  sops.secrets."writefreely/password" = {
+    mode = "400";
+    owner = "writefreely";
+    group = "writefreely";
  };
 }