From b5d6055f36d8a0fb050342b4cb316652ccb022b8 Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 24 May 2026 01:09:56 +0200
Subject: [PATCH] Migrate nextcloud to sops-nix

---
 config/hosts/nextcloud/nextcloud.nix | 15 +++++++++++++--
 config/hosts/nextcloud/secrets.nix | 21 ---------------------
 config/hosts/nextcloud/secrets.yaml | 26 ++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 23 deletions(-)
 delete mode 100644 config/hosts/nextcloud/secrets.nix
 create mode 100644 config/hosts/nextcloud/secrets.yaml

diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index f27c9a6..7c13bd4 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -7,7 +7,7 @@
 https = true;
 config = {
 dbtype = "pgsql";
- adminpassFile = "/secrets/nextcloud-adminpass.secret";
+ adminpassFile = "/run/secrets/nextcloud-adminpass";
 };
 database.createLocally = true;
 configureRedis = true;
@@ -30,7 +30,7 @@
 default_phone_region = "DE";
 };
 # Only contains mail_smtppassword
- secretFile = "/secrets/nextcloud-secretfile.secret";
+ secretFile = "/run/secrets/nextcloud-secretfile";
 phpOptions = {
 # The amount of memory for interned strings in Mbytes
 "opcache.interned_strings_buffer" = "64";
@@ -50,4 +50,15 @@
 '';
 };
 };
+
+ sops.secrets."nextcloud-adminpass" = {
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ sops.secrets."nextcloud-secretfile" = {
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
 }
diff --git a/config/hosts/nextcloud/secrets.nix b/config/hosts/nextcloud/secrets.nix
deleted file mode 100644
index b344d78..0000000
--- a/config/hosts/nextcloud/secrets.nix
+++ /dev/null
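Review bot: Both `adminpassFile` (first hunk) and `secretFile` (second hunk of the same file) hard-code the `/run/secrets/<name>` location that sops-nix uses by default, so the consumer and the `sops.secrets` declaration can silently drift apart if a secret later gets an explicit `path` or the default symlink location changes. Referencing the declared option keeps them coupled: `adminpassFile = config.sops.secrets."nextcloud-adminpass".path;` and `secretFile = config.sops.secrets."nextcloud-secretfile".path;`. This assumes `config` is in the module's argument set; the module header is outside the hunk.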
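Review bot: The two `sops.secrets` entries added at the end of nextcloud.nix are identical apart from their names, so the mode/owner/group triple is now maintained in two places; `sops.secrets = lib.genAttrs [ "nextcloud-adminpass" "nextcloud-secretfile" ] (_: { mode = "0440"; owner = "nextcloud"; group = "nextcloud"; });` states it once (assuming `lib` is in scope, which is outside the hunk). Neither entry sets `sopsFile`, so both presumably rely on `sops.defaultSopsFile` pointing at the new secrets.yaml; a comment such as `# Both secrets live in secrets.yaml (sops.defaultSopsFile)` would make that dependency visible. The removed deployment.keys entries were pushed pre-activation on each deploy, whereas with sops-nix a rotated secret is only picked up when the consuming unit restarts, so consider `restartUnits = [ "nextcloud-setup.service" ];` on each entry if rotation without a manual restart matters.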
@@ -1,21 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "nextcloud-adminpass.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
- destDir = "/secrets";
- user = "nextcloud";
- group = "nextcloud";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "nextcloud-secretfile.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
- destDir = "/secrets";
- user = "nextcloud";
- group = "nextcloud";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/nextcloud/secrets.yaml b/config/hosts/nextcloud/secrets.yaml
new file mode 100644
index 0000000..c92b6c0
--- /dev/null
+++ b/config/hosts/nextcloud/secrets.yaml
@@ -0,0 +1,26 @@ +nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str] +nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str] +sops: + age: + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC + SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a + cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS + eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l + E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ== + -----END AGE ENCRYPTED FILE----- + recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 + - enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK + bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp + VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr + TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0 + YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw== + -----END AGE ENCRYPTED FILE----- + recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu + lastmodified: "2026-05-23T23:09:29Z" + mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.13.0