From f4265bbb5df10753bd36594dc238ab0e1ade4705 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sun, 24 May 2026 01:24:38 +0200 Subject: [PATCH] Migrate torrent to sops-nix --- config/hosts/torrent/configuration.nix | 8 +++++++- config/hosts/torrent/secrets.nix | 13 ------------- config/hosts/torrent/secrets.yaml | 25 +++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 14 deletions(-) delete mode 100644 config/hosts/torrent/secrets.nix create mode 100644 config/hosts/torrent/secrets.yaml diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix index 83dbdab..e673884 100644 --- a/config/hosts/torrent/configuration.nix +++ b/config/hosts/torrent/configuration.nix @@ -15,7 +15,7 @@ fsType = "cifs"; options = [ "username=torrent" - "credentials=/secrets/torrent-samba-credentials.secret" + "credentials=/run/secrets/torrent-samba-credentials" "iocharset=utf8" "vers=3.1.1" "uid=torrent" @@ -25,5 +25,11 @@ }; }; + sops.secrets."torrent-samba-credentials" = { + mode = "0440"; + owner = "root"; + group = "root"; + }; + system.stateVersion = "24.11"; } diff --git a/config/hosts/torrent/secrets.nix b/config/hosts/torrent/secrets.nix deleted file mode 100644 index 289778a..0000000 --- a/config/hosts/torrent/secrets.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "torrent-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "torrent/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/torrent/secrets.yaml b/config/hosts/torrent/secrets.yaml new file mode 100644 index 0000000..021916b --- /dev/null +++ b/config/hosts/torrent/secrets.yaml 
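Review bot: Pointing the mount at `credentials=/run/secrets/torrent-samba-credentials` leaves the previously deployed copy unhandled. The removed secrets.nix uploaded the same credentials to `/secrets/torrent-samba-credentials.secret` (`destDir = "/secrets"`), and nothing in this commit removes that file from the host. If `/secrets` is on persistent storage, which seems likely since it is not under `/run`, a plaintext copy of the Samba password stays on disk after the migration. Delete it once the new mount is confirmed working, for example with `systemd.tmpfiles.rules = [ "r /secrets/torrent-samba-credentials.secret" ];` or a one-off cleanup. The `options` list starts and ends outside this hunk.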
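Review bot: `mode = "0440"` in the new `sops.secrets."torrent-samba-credentials"` block makes the credentials file group-readable, although owner and group are both `root` and the only consumer visible here is the CIFS mount, which is performed as root. sops-nix already defaults to mode `0400` with root ownership, so the explicit attributes loosen the default rather than tighten it. `mode = "0400";` is sufficient, or drop the three attributes and keep `sops.secrets."torrent-samba-credentials" = { };`. The hunk does not show where `secrets.yaml` is selected (`sops.defaultSopsFile` or a per-secret `sopsFile`), so that presumably comes from a shared module. A one-line comment above the block naming the backing file would help.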
@@ -0,0 +1,25 @@ +torrent-samba-credentials: ENC[AES256_GCM,data:dPK2pePHoH+bOvE1NsQ5N6/UncaLCTqpTvQEI0lmYBxCpaI6F14+JwwTYDzqxuNAgLDRDdRINoLQWdkMR8Cwk1AzRWObE6BKHA==,iv:cEImJtn9N3O8RJUYe77BbuDAMbLAzqWu3WVbcM5B6k8=,tag:MXPRfjvqViNa0uvJvH449Q==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSE44bFdlQlArMUdwTDdD + TVdCdWF6QkVCTzFxRWd0T2xYSWJUWTdEY25rCnRhd0t6OVVpbzNQTDVwNHRybmMy + ZlYwdTRpVnFmTG1VbVlnT1ZtSHpMeFEKLS0tIGZNRDU0SFpMS0cvY3JOSnpLR2FK + TG1pZGpGRXA3bTc4NDQrWkFLVUxIS1EKrm9NENbpt/moVGrBhVLSOzFtBtLKoOJT + A87C8H4SHQ1W61X4Chz+eQdCRCqVUWUXvyOgJsC1cwECjXR177zQ3w== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTlpSQlFZOFZqZ3BTR3Fj + WEV3TTBIYjZaSTd0MVl2V2owbS9VRS81bTI0CkJKQVBtcnhmZ2tKaThocTM2Q29O + NHJCczNSY01EeDNZQTdjUjI5cHFnRnMKLS0tIDlUKzkyUHdGbDlhekY4N3NMRTNm + c2tmVHBQTWprSVE0eEJGajNPcFJCWTQKPopTbKZuLVxipgl9S4wMzYyjFj9T0Euq + t8Yw2jG8s09EeKq2slwBUqev0JpIptwItT/yiuWNQgu70V9Cd7uZhA== + -----END AGE ENCRYPTED FILE----- + recipient: age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c + lastmodified: "2026-05-23T23:24:28Z" + mac: ENC[AES256_GCM,data:3dwyQ1ZBoL/Pq8gqyBhGSLy3HHYCLtP75ezkJQR8ndY8n9yHtkfuR96H6+OkskASReDpFo4HfuYOLSiZZlli4pokYCrdtCbm53kE92L2n5jXWDXur/EIwjHfRe2rsPyvKbhe4zLB8GPQYMsxzHN0iYbO+6/TmPGTzi26iZvLlrc=,iv:Gf5oWQ7foRy1mb41X9+jYXS+20mSJBXWbuFtZP6FRmk=,tag:jigFUiga1zHJ+xLE4ObZTQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0