Migrate metrics-nekomesh to sops-nix

config/hosts/metrics-nekomesh/grafana.nix

@@ -11,15 +11,15 @@
         cookie_secure = true;
         cookie_samesite = "strict";
         admin_user = "admin";
-        admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
+        admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}";
         admin_email = "fi@nekover.se";
-        secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";
+        secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";
       };
       smtp = {
         enabled = true;
         host = "mail.grzb.de:465";
         user = "nekomesh@grzb.de";
-        password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
+        password = "$__file{/run/secrets/mail-nekomesh-nekover-se}";
         from_address = "nyareply@nekover.se";
         from_name = "Nekomesh";
         startTLS_policy = "NoStartTLS";
@@ -29,7 +29,7 @@
         name = "Nekoverse ID";
         allow_sign_up = true;
         client_id = "nekomesh";
-        client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
+        client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}";
         scopes = "openid email profile offline_access roles";
         email_attribute_path = "email";
         login_attribute_path = "preferred_username";
@@ -52,4 +52,29 @@
       }
     ];
   };
+
+  sops.secrets."metrics-nekomesh-grafana-admin-password" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."metrics-nekomesh-grafana-secret-key" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
+  sops.secrets."mail-nekomesh-nekover-se" = {
+    mode = "0440";
+    owner = "grafana";
+    group = "grafana";
+    restartUnits = [ "grafana.service" ];
+  };
 }

config/hosts/metrics-nekomesh/secrets.nix

@@ -1,37 +0,0 @@
-{ keyCommandEnv, ... }:
-{
-  deployment.keys = {
-    "metrics-nekomesh-grafana-admin-password.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "metrics-nekomesh-grafana-secret-key.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mail-nekomesh-nekover-se.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
-      destDir = "/secrets";
-      user = "grafana";
-      group = "grafana";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-  };
-}

config/hosts/metrics-nekomesh/secrets.yaml

@@ -0,0 +1,28 @@
+metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str]
+metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str]
+metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str]
+mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str]
+sops:
+  age:
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW
+        RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq
+        WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl
+        TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO
+        PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+    - enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm
+        M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi
+        WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4
+        TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo
+        auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A==
+        -----END AGE ENCRYPTED FILE-----
+      recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
+  lastmodified: "2026-05-23T22:38:11Z"
+  mac: ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str]
+  unencrypted_suffix: _unencrypted
+  version: 3.13.0