From 5d1fc8bbc337d7f25a3b430caae31397e6b46382 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 03:10:06 +0200
Subject: [PATCH] Migrate keycloak to sops-nix
---
 config/hosts/keycloak/keycloak.nix | 9 ++++++++-
 config/hosts/keycloak/secrets.nix | 13 -------------
 config/hosts/keycloak/secrets.yaml | 25 +++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 14 deletions(-)
 delete mode 100644 config/hosts/keycloak/secrets.nix
 create mode 100644 config/hosts/keycloak/secrets.yaml
diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix
index 2ae957b..a069fd1 100644
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@@ -10,6 +10,13 @@
 http-host = "127.0.0.1";
 http-port = 8080;
 };
- database.passwordFile = "/secrets/keycloak-database-password.secret";
+ database.passwordFile = "/run/secrets/keycloak-database-password";
+ };
+
+ sops.secrets."keycloak-database-password" = {
+ mode = "0440";
+ owner = "root";
+ group = "systemd-network";
+ restartUnits = [ "keycloak.service" ];
 };
 }
diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix
deleted file mode 100644
index 984e9ad..0000000
--- a/config/hosts/keycloak/secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "keycloak-database-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ];
- destDir = "/secrets";
- user = "root";
- group = "systemd-network";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/keycloak/secrets.yaml b/config/hosts/keycloak/secrets.yaml
new file mode 100644
index 0000000..a84ab28
--- /dev/null
+++ b/config/hosts/keycloak/secrets.yaml
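Review bot: The new `sops.secrets."keycloak-database-password"` block makes the database password readable by group `systemd-network`, carried over from the deleted deployment.keys entry, yet nothing here ties that group to Keycloak — systemd-networkd's account gaining read access to an IdP database credential is a needless widening of who can read the secret. If the NixOS keycloak module passes `database.passwordFile` to the unit through systemd `LoadCredential` (read by root before the service drops to its own user, which I believe recent releases do — confirm against the module in the pinned nixpkgs), `mode = "0400"; owner = "root";` with no `group` line is sufficient; if the unit reads the file itself, owner/group should be the account keycloak.service runs as, not systemd-network. Separately, `database.passwordFile = config.sops.secrets."keycloak-database-password".path;` would track sops-nix's configured secret directory instead of hard-coding `/run/secrets/…` (assuming `config` is among the module arguments, which sit above this hunk). The `services.keycloak` attribute set that this hunk closes begins before the hunk.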
@@ -0,0 +1,25 @@
+keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL
+ VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD
+ L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D
+ RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M
+ BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4
+ WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2
+ ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI
+ LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9
+ aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd
+ lastmodified: "2026-05-17T01:07:49Z"
+ mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0