From 74f35e704c076e77561f927c9fffee88a1e2c579 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 02:53:13 +0200
Subject: [PATCH] Migrate forgejo to sops-nix

---
config/hosts/forgejo/forgejo.nix | 9 ++++++++-
config/hosts/forgejo/secrets.nix | 13 -------------
config/hosts/forgejo/secrets.yaml | 25 +++++++++++++++++++++++++
3 files changed, 33 insertions(+), 14 deletions(-)
delete mode 100644 config/hosts/forgejo/secrets.nix
create mode 100644 config/hosts/forgejo/secrets.yaml

diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
index 2b2aea8..21e9269 100644
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@@ -61,6 +61,13 @@
 HOST = "redis+socket:///run/redis-forgejo/redis.sock";
 };
 };
- secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
+ secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password";
+ };
+
+ sops.secrets."forgejo-mailer-password" = {
+ mode = "0440";
+ owner = "forgejo";
+ group = "forgejo";
+ restartUnits = [ "forgejo.service" ];
 };
 }
diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix
deleted file mode 100644
index 5c23295..0000000
--- a/config/hosts/forgejo/secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "forgejo-mailer-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ];
- destDir = "/secrets";
- user = "forgejo";
- group = "forgejo";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/forgejo/secrets.yaml b/config/hosts/forgejo/secrets.yaml
new file mode 100644
index 0000000..e4a1309
--- /dev/null
+++ b/config/hosts/forgejo/secrets.yaml
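Review bot: The new `secrets.mailer.PASSWD` line hard-codes `/run/secrets/forgejo-mailer-password` instead of taking the path from the sops-nix option declared a few lines below it, so the two can drift if the secret later gets an explicit `path` or the secrets mount point changes; `secrets.mailer.PASSWD = config.sops.secrets."forgejo-mailer-password".path;` keeps them tied together (this needs `config` among the module's arguments, which the hunk does not show). The `sops.secrets."forgejo-mailer-password"` entry also names no `sopsFile`, so it only resolves if `sops.defaultSopsFile` points at the new `secrets.yaml` somewhere outside this hunk — worth confirming, since evaluation fails otherwise. The migration stops provisioning `/secrets/forgejo-mailer-password.secret`, but nothing in the change removes the copy that earlier deployments left on the host, so a plaintext copy of the mailer password may linger there until deleted by hand; a one-off cleanup, or at least a note in the commit message, would close that. The enclosing `services.forgejo` attribute set starts outside the hunk.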
@@ -0,0 +1,25 @@
+forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3
+ bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q
+ WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1
+ a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC
+ m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL
+ aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2
+ eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw
+ N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs
+ fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk
+ lastmodified: "2026-05-17T00:50:59Z"
+ mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0