From 8784537a380c6faa1bb4a30365797079aa849244 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 03:25:55 +0200
Subject: [PATCH] Migrate lifeline to sops-nix

---
 config/hosts/lifeline/configuration.nix | 18 +++++++++++++++--
 config/hosts/lifeline/secrets.nix | 21 --------------------
 config/hosts/lifeline/secrets.yaml | 26 +++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 23 deletions(-)
 delete mode 100644 config/hosts/lifeline/secrets.nix
 create mode 100644 config/hosts/lifeline/secrets.yaml

diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix
index 500c407..788c3fc 100644
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@@ -26,7 +26,7 @@
           {
             name = "mail-2";
             publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
-            presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
+            presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk";
             allowedIPs = [ "172.18.50.2/32" ];
           }
         ];
@@ -38,7 +38,7 @@
           ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
           ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE
         '';
-        privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
+        privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey";
       };
     };
     nat = {
@@ -62,5 +62,19 @@
 
   services.prometheus.exporters.node.enable = false;
 
+  sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "wireguard-wg0.service" ];
+  };
+
+  sops.secrets."wireguard-lifeline-wg0-privatekey" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "wireguard-wg0.service" ];
+  };
+
   system.stateVersion = "23.05";
 }
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
deleted file mode 100644
index f2b6e23..0000000
--- a/config/hosts/lifeline/secrets.nix
+++ /dev/null
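Review bot: The new `presharedKeyFile` string (and `privateKeyFile` in the following hunk) hard-codes `/run/secrets/<name>`, which duplicates sops-nix's default secret location instead of referencing the declared secret; if the secret is renamed or its `path`/default symlink location changes, the WireGuard unit fails at runtime rather than at evaluation. Prefer `presharedKeyFile = config.sops.secrets."wireguard-lifeline-mail-2-lifeline-psk".path;` and `privateKeyFile = config.sops.secrets."wireguard-lifeline-wg0-privatekey".path;`, which also makes the unit's dependency on the secret explicit in the module graph. This assumes `config` is among the module's function arguments; the module header is outside the hunk, so confirm before applying.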
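Review bot: `mode = "0440"` with `owner`/`group` set to root grants group-read on a WireGuard private key and PSK that only root needs — the NixOS wireguard units run as root, and sops-nix's default mode is already `0400`, so the explicit widening is unexplained; change both declarations to `mode = "0400";` (or drop `mode`, `owner` and `group` and rely on the defaults). Nothing in this hunk points sops-nix at the new `secrets.yaml` or at the host's decryption key: unless `sops.defaultSopsFile` and `sops.age.sshKeyPaths`/`sops.age.keyFile` are set in a shared module, add `sops.defaultSopsFile = ./secrets.yaml;` here, otherwise the build will fail on the first secret lookup. Deleting `deployment.keys` also does not remove the plaintext `/secrets/*.secret` files already deployed to the host; they should be shredded after the first successful sops-nix activation so the key material does not remain on disk unencrypted.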
@@ -1,21 +0,0 @@
-{ keyCommandEnv, ... }:
-{
-  deployment.keys = {
-    "wireguard-lifeline-wg0-privatekey.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
-      destDir = "/secrets";
-      user = "root";
-      group = "root";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "wireguard-lifeline-mail-2-lifeline-psk.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
-      destDir = "/secrets";
-      user = "root";
-      group = "root";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-  };
-}
diff --git a/config/hosts/lifeline/secrets.yaml b/config/hosts/lifeline/secrets.yaml
new file mode 100644
index 0000000..01b2010
--- /dev/null
+++ b/config/hosts/lifeline/secrets.yaml
@@ -0,0 +1,26 @@ +wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str] +wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz + YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM + bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz + ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa + Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp + WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG + MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr + SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C + XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw== + -----END AGE ENCRYPTED FILE----- + recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua + lastmodified: "2026-05-17T01:24:39Z" + mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0