Add mastodon active record encryption secrets

config/hosts/mastodon/mastodon.nix

@@ -46,6 +46,9 @@ in
       fromAddress = "Nekoverse <nyareply@nekover.se>";
     };
     streamingProcesses = 3;
+    activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
+    activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
+    activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
     extraConfig = {
       SMTP_TLS = "true";
       ES_PRESET = "single_node_cluster";

config/hosts/mastodon/secrets.nix

@@ -41,5 +41,29 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
+    "mastodon-active-record-encryption-primary-key.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "mastodon-active-record-encryption-key-derivation-salt.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "mastodon-active-record-encryption-deterministic-key.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
   };
 }

hosts.nix

@@ -65,6 +65,7 @@ in
       environment = "proxmox";
     };
     mastodon = {
+      hostNixpkgs = nixpkgs-unstable;
       site = "vs";
       environment = "proxmox";
     };