From dc965c33290ef7fca815394bc4acfc9337c0e3a7 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 17 May 2026 18:46:41 +0200
Subject: [PATCH] Migrate mastodon to sops-nix
---
 config/hosts/mastodon/mastodon.nix | 58 ++++++++++++++++++++++++----
 config/hosts/mastodon/secrets.nix | 61 ------------------------------
 2 files changed, 51 insertions(+), 68 deletions(-)
 delete mode 100644 config/hosts/mastodon/secrets.nix
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index 51b3afe..56cdd00 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -61,21 +61,21 @@ in
 enable = true;
 package = pkgs-overlay.mastodon;
 localDomain = "social.nekover.se";
- secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
+ secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base";
 vapidPublicKeyFile = "${vapidPublicKey}";
- vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
+ vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key";
 smtp = {
 authenticate = true;
 host = "mail-1.grzb.de";
 port = 465;
 user = "social@nekover.se";
- passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
+ passwordFile = "/run/secrets/mastodon-email-smtp-pass";
 fromAddress = "Nekoverse ";
 };
 streamingProcesses = 3;
- activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
- activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
- activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
+ activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key";
+ activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt";
+ activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key";
 extraConfig = {
 SMTP_TLS = "true";
 ES_PRESET = "single_node_cluster";
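Review bot: The seven secret locations in this hunk are hard-coded as `/run/secrets/<name>` strings rather than taken from the option sops-nix exposes for each declared secret, so they silently desync from the actual file if the secrets directory or a per-secret `path` is ever changed; e.g. `secretKeyBaseFile = config.sops.secrets."mastodon-secret-key-base".path;` (likewise for the other `*File` options here and the `extraEnvFiles` entry in the next hunk). This assumes `config` is among the module's arguments, which is outside the hunk. The enclosing `services.mastodon` attribute set begins before this hunk.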
@@ -94,8 +94,52 @@ in
 AUTHORIZED_FETCH = "true";
 };
 extraEnvFiles = [
- "/secrets/mastodon-keycloak-client-secret.secret"
+ "/run/secrets/mastodon-keycloak-client-secret"
 ];
 elasticsearch.host = "127.0.0.1";
 };
+
+ sops.secrets."mastodon-secret-key-base" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-vapid-private-key" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-email-smtp-pass" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-active-record-encryption-primary-key" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-active-record-encryption-deterministic-key" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
+ sops.secrets."mastodon-keycloak-client-secret" = {
+ mode = "0440";
+ owner = "mastodon";
+ group = "mastodon";
+ restartUnits = [ "mastodon-web.service" ];
+ };
 }
+
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
deleted file mode 100644
index 88413c7..0000000
--- a/config/hosts/mastodon/secrets.nix
+++ /dev/null
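Review bot: Every `restartUnits` list here names only `mastodon-web.service`, but the secret key base, VAPID key, SMTP password and Active Record encryption keys are also consumed by the sidekiq and streaming units the NixOS mastodon module starts (this host sets `streamingProcesses = 3` in the previous hunk), so rotating a secret would leave those processes on the old value until a manual restart, and for the encryption keys the web and worker processes would then disagree on how to decrypt rows. Consider listing those units as well, e.g. `restartUnits = [ "mastodon-web.service" "mastodon-sidekiq-all.service" ] ++ map (i: "mastodon-streaming-${toString i}.service") (lib.range 1 3);`, adjusting the sidekiq unit name to your sidekiqProcesses layout and assuming `lib` is a module argument. Since all seven entries are byte-identical, generating them with `lib.genAttrs [ "mastodon-secret-key-base" … ] (_: { mode = "0440"; owner = "mastodon"; group = "mastodon"; restartUnits = …; })` would keep the unit list and permissions in one place. Separately, nothing in this change removes the old plaintext copies under `/secrets/` that the deleted secrets.nix used to deploy to the host, so confirm they are cleaned up out of band.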
@@ -1,61 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "mastodon-secret-key-base.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-vapid-private-key.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-email-smtp-pass.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-keycloak-client-secret.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-active-record-encryption-primary-key.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-active-record-encryption-key-derivation-salt.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mastodon-active-record-encryption-deterministic-key.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
- destDir = "/secrets";
- user = "mastodon";
- group = "mastodon";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}