From a28f7a5848b95dc08a96eaa38511963aef5ca722 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 01:17:20 +0200
Subject: [PATCH] Migrate coturn to sops-nix

---
 .sops.yaml | 6 ++++++
 config/hosts/coturn/coturn.nix | 9 ++++++++-
 config/hosts/coturn/default.nix | 1 +
 config/hosts/coturn/secrets.nix | 11 -----------
 config/hosts/coturn/secrets.yaml | 25 +++++++++++++++++++++++++
 config/hosts/coturn/sops.nix | 6 ++++++
 6 files changed, 46 insertions(+), 12 deletions(-)
 delete mode 100644 config/hosts/coturn/secrets.nix
 create mode 100644 config/hosts/coturn/secrets.yaml
 create mode 100644 config/hosts/coturn/sops.nix

diff --git a/.sops.yaml b/.sops.yaml
index 76cda7e..a0912e8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,13 @@
 keys:
 - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
 - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
 creation_rules:
+ - path_regex: config/hosts/coturn/.*
+ key_groups:
+ - age:
+ - *admin_age_fi
+ - *host_age_coturn
 - path_regex: config/hosts/ikiwiki/.*
 key_groups:
 - age:
diff --git a/config/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix
index 719c872..0b266ba 100644
--- a/config/hosts/coturn/coturn.nix
+++ b/config/hosts/coturn/coturn.nix
@@ -5,7 +5,7 @@
 min-port = 49200;
 max-port = 49500;
 use-auth-secret = true;
- static-auth-secret-file = "/secrets/static-auth-secret.secret";
+ static-auth-secret-file = "/run/secrets/static-auth-secret";
 realm = "turn.nekover.se";
 cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem";
 pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem";
@@ -42,4 +42,11 @@
 total-quota=1200
 '';
 };
+
+ sops.secrets."static-auth-secret" = {
+ mode = "0440";
+ owner = "turnserver";
+ group = "turnserver";
+ restartUnits = [ "coturn.service" ];
+ };
 }
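Review bot: The new creation rule's `path_regex: config/hosts/coturn/.*` is unanchored, so sops matches it as a substring anywhere in a path rather than only under that directory; this mirrors the existing ikiwiki rule, so it is a consistency point rather than a defect in this hunk alone. Anchoring both rules, e.g. `path_regex: ^config/hosts/coturn/`, keeps this recipient set from being applied to an unrelated file whose path happens to contain the same fragment. The single key group holding both `admin_age_fi` and `host_age_coturn` means either key alone can decrypt, which is presumably the intended operator-plus-host model; a short comment on the rule saying so would spare the next reader from wondering whether a threshold was meant.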
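Review bot: `static-auth-secret-file = "/run/secrets/static-auth-secret";` hard-codes sops-nix's default secret location instead of reading it from the module, so it silently goes stale if the secret's `path` or the global symlink directory is ever changed; `config` is already in scope on the neighbouring `cert`/`pkey` lines. Use `static-auth-secret-file = config.sops.secrets."static-auth-secret".path;` so the option declaration and the file path stay linked. The old file under `/secrets` that this line used to point at is no longer managed after this commit; whether a copy of it remains on the host after deploy is not visible here and is worth confirming so no stale copy of the secret lingers outside sops-nix's control. The enclosing attribute set starts and ends outside this hunk.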
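Review bot: The `sops.secrets."static-auth-secret"` entry sets no `sopsFile`, so it resolves through `sops.defaultSopsFile`, which this commit defines in a separate module (`sops.nix`) and wires in via `default.nix`; a reader of this file alone cannot see where the key comes from or that its name must match the top-level key in `secrets.yaml`. A one-line comment such as `# key "static-auth-secret" in ./secrets.yaml; sops.defaultSopsFile is set in sops.nix` would make that link explicit. `mode = "0440"` with `owner`/`group` set to `turnserver` is tighter than the previous `0640` and is enough for a file coturn only reads, and `restartUnits` is the right choice over a reload assuming coturn reads the secret file only at startup.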
diff --git a/config/hosts/coturn/default.nix b/config/hosts/coturn/default.nix
index bc32a3d..36644a0 100644
--- a/config/hosts/coturn/default.nix
+++ b/config/hosts/coturn/default.nix
@@ -4,5 +4,6 @@
 ./configuration.nix
 ./acme.nix
 ./coturn.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix
deleted file mode 100644
index 48fd211..0000000
--- a/config/hosts/coturn/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ keyCommandEnv,... }:
-{
- deployment.keys."static-auth-secret.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
- destDir = "/secrets";
- user = "turnserver";
- group = "turnserver";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
-}
diff --git a/config/hosts/coturn/secrets.yaml b/config/hosts/coturn/secrets.yaml
new file mode 100644
index 0000000..d90c1c5
--- /dev/null
+++ b/config/hosts/coturn/secrets.yaml
@@ -0,0 +1,25 @@
+static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ
+ ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS
+ S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda
+ S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS
+ 04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT
+ MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi
+ a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ
+ YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv
+ NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l
+ lastmodified: "2026-05-16T23:13:15Z"
+ mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0
diff --git a/config/hosts/coturn/sops.nix b/config/hosts/coturn/sops.nix
new file mode 100644
index 0000000..78dc2c8
--- /dev/null
+++ b/config/hosts/coturn/sops.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
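Review bot: `sops.nix` sets only `defaultSopsFile`, so which private key the host uses to decrypt `secrets.yaml` is left to sops-nix's defaults (when neither `sops.age.keyFile` nor `sops.age.sshKeyPaths` is set it derives an age identity from the host's SSH ed25519 host key), and nothing in this commit shows that the `host_age_coturn` recipient is that derived key. Making the key source explicit, e.g. `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, or at least a comment stating that the recipient is derived from the host key, would make the decryption path auditable and turn a mismatch into a visible configuration error rather than a failure at activation time. Whether the host key is the intended source is inferred from the recipient naming in `.sops.yaml` and should be confirmed.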