From 6282e3fed97a37fbd5219d3f0c6627b77d91c0f7 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 24 May 2026 01:18:37 +0200
Subject: [PATCH] Migrate searx to sops-nix
---
config/hosts/searx/searx.nix | 9 ++++++++-
config/hosts/searx/secrets.nix | 11 -----------
config/hosts/searx/secrets.yaml | 25 +++++++++++++++++++++++++
3 files changed, 33 insertions(+), 12 deletions(-)
delete mode 100644 config/hosts/searx/secrets.nix
create mode 100644 config/hosts/searx/secrets.yaml
diff --git a/config/hosts/searx/searx.nix b/config/hosts/searx/searx.nix
index cdb9940..29a645e 100644
--- a/config/hosts/searx/searx.nix
+++ b/config/hosts/searx/searx.nix
@@ -24,6 +24,13 @@
 ui.static_use_hash = true;
 enabled_plugins = [ "Hash plugin" "Self Informations" "Tracker URL remover" "Ahmia blacklist" ];
 };
- environmentFile = "/secrets/searx-secret-key.secret";
+ environmentFile = "/run/secrets/searx-secret-key";
+ };
+
+ sops.secrets."searx-secret-key" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "searx.service" ];
 };
 }
diff --git a/config/hosts/searx/secrets.nix b/config/hosts/searx/secrets.nix
deleted file mode 100644
index 38231fc..0000000
--- a/config/hosts/searx/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys."searx-secret-key.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "searx/secret-key" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
-}
diff --git a/config/hosts/searx/secrets.yaml b/config/hosts/searx/secrets.yaml
new file mode 100644
index 0000000..70c5b8f
--- /dev/null
+++ b/config/hosts/searx/secrets.yaml
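Review bot: In the searx.nix hunk, `environmentFile = "/run/secrets/searx-secret-key";` hard-codes the location sops-nix uses by default, so renaming the secret or overriding its `path` would leave the service pointing at a file that no longer exists. Referencing the declaration keeps the two in sync: `environmentFile = config.sops.secrets."searx-secret-key".path;` (the module's argument list is outside the hunk, so whether `config` is already bound cannot be seen here). `mode = "0440"` also grants group read although owner and group are both `root`; if the file is only consumed as a systemd environment file, `mode = "0400";` would be enough. The copy previously uploaded to `/secrets/searx-secret-key.secret` is presumably not removed by dropping `deployment.keys`, so it is worth deleting from the host once the new unit is confirmed working.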
@@ -0,0 +1,25 @@ +searx-secret-key: ENC[AES256_GCM,data:FH/TfmvtaDIwVCDf69EJBgUljeUFGEzBBF2nUNPxZL5HKh4zPR5peVW1vld2OSNWd3UD72H+/F/7TArcV3nEJgqNc/rU9BXsUeS4tvsrZqlI,iv:p5Rdz8clGb8mBF8mVqSjYhDPXrsIVM4KC2WcXwAs8O4=,tag:C/wZoqqF+mcYRGjVUSLjhQ==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWVN5bnY5OTZlT3MwVFZR + YjhTR3Z6Q3QrRDVHN0pvVDl4ZTJXMHNLVEdBCjZHcW9uWStQUXBBcWRrZHlhbjlx + blhGOWRRS0UzSVFTQmJSWUZrQ3kwZlUKLS0tIFBLcDROOU1aU05hVFR0NGJWY0xY + Q2VmY0lHUmhKSGtWT01NN2t6amVVMzQKgpe5zffX6Pc1GDJ8zA7ipa257zG5ZRho + rLdQBJkA+N4crKj12lPLYf5fd4sowfFMTfsdyuxcZUD7Wwq8SO7aQA== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTmhNeUdMRnpWQ0JoWmRJ + Uk5ubUF3K3l2eDUzYnB4ZXQvRUJ5dnJmOXd3CnlhUEJHK0NvNVA5dWp0eGV5VWR1 + ZzV6S3hneiszZU4vaEg0R2laOU1XbTAKLS0tIDU2ZkFWcXl5TE9Sd1AxVjZ1Rzlq + UUFXZEQ2cDlsS2hnTVVlNWxDK3VyeWMKMvH2PBlKpyHt4WVp9BLJwAGm2h8QPMa1 + LCxybdE3+Gs6uQboKX6uo5pMXMQPOedyJZFBDhdu74BOd46u0rcMoQ== + -----END AGE ENCRYPTED FILE----- + recipient: age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn + lastmodified: "2026-05-23T23:16:55Z" + mac: ENC[AES256_GCM,data:yx+gxeRcl89iokWwH+a+t/OVtOUZUN3Sws/85o9hymtefBxNLqX7GGTMZfa/nQloD4avevWTU71TkYZWRZZj/qlW2B29BSPoIfadbba5rgJHu5D/ij4XrYY14wK3SwMTKpwkjhSBiFOFZLml0zADPWaJH0F6QCTSshUsFQapAW8=,iv:vZt/ejbutG+1UuIU+mQIVXbsl0TQhE+nrulvP0rIVpI=,tag:iSSbw67/A8oMknEzcoOgXw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0