Migrate metrics to sops-nix

config/hosts/metrics/grafana.nix

@@ -11,14 +11,14 @@
         cookie_secure = true;
         cookie_samesite = "strict";
         admin_user = "yuri";
-        admin_password = "$__file{/secrets/metrics-grafana-admin-password.secret}";
+        admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}";
         admin_email = "yuri@nekover.se";
       };
       smtp = {
         enabled = true;
         host = "mail.grzb.de:465";
         user = "grafana";
-        password = "$__file{/secrets/metrics-grafana-smtp-password.secret}";
+        password = "$__file{/run/secrets/metrics-grafana-smtp-password}";
         from_address = "grafana@robot.grzb.de";
         from_name = "Grafana";
         startTLS_policy = "NoStartTLS";
@@ -33,4 +33,17 @@
       }
     ];
   };
+
+  sops.secrets."metrics-grafana-admin-password" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."metrics-grafana-smtp-password" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
 }

config/hosts/metrics/secrets.nix

@@ -1,21 +0,0 @@
-{ keyCommandEnv, ... }:
-{
-  deployment.keys = {
-    "metrics-grafana-admin-password.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "metrics-grafana-smtp-password.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-  };
-}

config/hosts/metrics/secrets.yaml

@@ -0,0 +1,26 @@
+metrics-grafana-admin-password: ENC[AES256_GCM,data:vk5KwDxDvTtI/vycl+2XItCFadUQL7rDHZ+0e3WAXynkHq/gmP0Q4VBBjQQNnFwxumF/dIj+CxEqEDdCL6HpSqEOZm/SJCfBARSCxyNCXoYiI/0+NTlUdfhscrDVleLJcMNrBxmxKt3cnDotPWS8rwF5oA1A79OW6+eZm1RC8hA=,iv:JtV0/vZIIzIF+WtD9KRPmyfLI4sMSe7ff5KHG7PEXjY=,tag:A1RgqOOd6M2m1ueXWPxw2w==,type:str]
+metrics-grafana-smtp-password: ENC[AES256_GCM,data:ledR3mYQaQndiXgWJSZCqwrar1d5LvnwfdAb0EYI40M=,iv:T6yV0KKz5MK8pLWQoO0xi/ZAdhpFgNvER17X5ZfCCe0=,tag:16lt0z4Gn4Gcc54ssF0W5w==,type:str]
+sops:
+  age:
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqVWd2NHNWTElaTk42R1Qx
+        bmZxYnhoT3NqQ0I5ZWVsS0N4eHdWMDhRU0hFCmhlQ1hrZ3R5REt2ODV0dTA4VWl0
+        R0dtNWIydzhCUmVMYk85d0ZETk8wQkEKLS0tIElFbXRhYWprVER4ZGZocTNzcGNv
+        RHN2MWJVTXFEZnhKeXNQdUlnQ0ZiYmMKXicuiR0ZlDNb4EX49y3NmAOk7onTcDEV
+        Ohe+Enl0dM+dMfCdcojIkdTln74KZ+h6yxVr5jDU3EnDZVZpczY5wQ==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bkFiY0x1TUFGYnExWnYz
+        QldDOW1oaWVEUDMvbUN2TmwxZVZEOVpZbW5JCjlnYklSSjV1OExObDl1QUhoZFls
+        V3cyVVBkYWwyT0lpTlVnb1kxTG9IM0UKLS0tIENGak1HaFZYT2ZCL0hleUVVUDZu
+        MTI5ZkhUK0RZdGhSYVFZMDNHaS9QaFEKyptwQi4pYw0zZ2F9LvwX4F18UUdjqVrz
+        aB4hZkakAI94qVz3JvIVlslWzsDtIKoBTobl3dBNFId7M8TQwwZUvg==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n
+  lastmodified: "2026-05-23T22:14:10Z"
+  mac: ENC[AES256_GCM,data:w1pNlY6g/PxQcpY/0Jt02TL5oZ0gwB5fYIzd99PgJTU0X76tmvlAF1i58SubnyR6TWiO0Q4TYJcqgeKHHvWYkYtQZzV4MGc0UwY1+Ipw3q38fRTHqVNbiaCorYbWBMXUnewE4eXictnFfq+vIfFeWktoGws/NTrZEIQ4lY+NSiE=,iv:vP7vujgXGRSr/adBJu1SATryPbqF3Obcg885EZahMTg=,tag:HuRqc8wS1+geWmJMdRWNSA==,type:str]
+  unencrypted_suffix: _unencrypted
+  version: 3.13.0