From 755d92bb96760702b38d364a067e3eaf0fe5b518 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Tue, 29 Oct 2024 16:22:12 +0100
Subject: [PATCH] Add mastodon active record encryption secrets

---
 config/hosts/mastodon/mastodon.nix | 3 +++
 config/hosts/mastodon/secrets.nix | 24 ++++++++++++++++++++++++
 hosts.nix | 1 +
 3 files changed, 28 insertions(+)

diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 4bd22c2..b895735 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -46,6 +46,9 @@ in
 fromAddress = "Nekoverse ";
 };
 streamingProcesses = 3;
+ activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
+ activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
+ activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
 extraConfig = {
 SMTP_TLS = "true";
 ES_PRESET = "single_node_cluster";
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index f1f9457..950498d 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
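Review bot: The three new `activeRecordEncryption*File` options are wired up without any note on how the key material was produced or that it is unrecoverable once data has been encrypted with it — if the primary key or the key-derivation salt is lost or silently changed in `pass`, every Active Record encrypted column in the Mastodon database becomes unreadable, and a database backup without these three files is useless. A short comment above the three lines would save the next operator: `# Generated once with Rails' db:encryption:init; the three values must be distinct, and must never be rotated or lost after first use — keep them in the same backup scope as the database.` I am inferring the Rails generation path from the option names; confirm it matches how the values in `pass` were actually created. The enclosing `services.mastodon` attrset begins and ends outside this hunk.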
@@ -41,5 +41,29 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
+ "mastodon-active-record-encryption-primary-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
+ destDir = "/secrets";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mastodon-active-record-encryption-key-derivation-salt.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
+ destDir = "/secrets";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ "mastodon-active-record-encryption-deterministic-key.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
+ destDir = "/secrets";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
 };
 }
diff --git a/hosts.nix b/hosts.nix
index 5de4e6f..363f377 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -65,6 +65,7 @@ in
 environment = "proxmox";
 };
 mastodon = {
+ hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
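Review bot: The three added entries are the same eight-line block repeated with only the `pass` path and attribute name changed, which is exactly the shape where a later edit to one of them (say, tightening `permissions` or moving `destDir`) drifts away from the other two. A small helper taking the secret's short name would make the three entries one line each and keep owner, mode and upload phase in a single place; the existing entries visible at the top of the hunk use the same shape and could be converted too. I cannot see where `keyCommandEnv` is bound, so the helper is written assuming it is available in the same `let` scope. The enclosing secrets attrset begins outside this hunk.
```nix
# One secret pulled from `pass mastodon/<name>`, owned by the mastodon user,
# group-readable only, and placed before activation so the service sees it.
mastodonSecret = name: {
  keyCommand = keyCommandEnv ++ [ "pass" "mastodon/${name}" ];
  destDir = "/secrets";
  user = "mastodon";
  group = "mastodon";
  permissions = "0640";
  uploadAt = "pre-activation";
};
# … unchanged: existing secret entries …
"mastodon-active-record-encryption-primary-key.secret" = mastodonSecret "active-record-encryption-primary-key";
"mastodon-active-record-encryption-key-derivation-salt.secret" = mastodonSecret "active-record-encryption-key-derivation-salt";
"mastodon-active-record-encryption-deterministic-key.secret" = mastodonSecret "active-record-encryption-deterministic-key";
```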
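Review bot: `hostNixpkgs = nixpkgs-unstable;` moves the whole mastodon host — not just the Mastodon package — onto a moving nixpkgs channel with no comment saying why or when it can be reverted. The commit title suggests the reason is that the `activeRecordEncryption*File` options only exist in unstable, but that is my inference; please record it inline, e.g. `hostNixpkgs = nixpkgs-unstable; # mastodon.activeRecordEncryption*File options are not in the stable channel yet; revert once they are`. If only the Mastodon module is needed, consider pulling that package or module from unstable through an overlay instead, so the rest of the host (kernel, PostgreSQL, reverse proxy) keeps following the pinned stable input. The enclosing hosts attrset begins outside this hunk.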