Migrate mastodon to sops-nix

2026-05-17 18:46:41 +02:00 · 2026-05-17 18:46:41 +02:00 · dc965c3329
commit dc965c3329
parent 88ce33c504
2 changed files with 51 additions and 68 deletions
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@ -61,21 +61,21 @@ in
    enable = true;
    package = pkgs-overlay.mastodon;
    localDomain = "social.nekover.se";
-    secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
+    secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base";
    vapidPublicKeyFile = "${vapidPublicKey}";
-    vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
+    vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key";
    smtp = {
      authenticate = true;
      host = "mail-1.grzb.de";
      port = 465;
      user = "social@nekover.se";
-      passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
+      passwordFile = "/run/secrets/mastodon-email-smtp-pass";
      fromAddress = "Nekoverse <nyareply@nekover.se>";
    };
    streamingProcesses = 3;
-    activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
-    activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
-    activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
+    activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key";
+    activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt";
+    activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key";
    extraConfig = {
      SMTP_TLS = "true";
      ES_PRESET = "single_node_cluster";
@ -94,8 +94,52 @@ in
      AUTHORIZED_FETCH = "true";
    };
    extraEnvFiles = [
-      "/secrets/mastodon-keycloak-client-secret.secret"
+      "/run/secrets/mastodon-keycloak-client-secret"
    ];
    elasticsearch.host = "127.0.0.1";
  };
+
+  sops.secrets."mastodon-secret-key-base" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-vapid-private-key" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-email-smtp-pass" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-active-record-encryption-primary-key" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-active-record-encryption-deterministic-key" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
+  sops.secrets."mastodon-keycloak-client-secret" = {
+    mode = "0440";
+    owner = "mastodon";
+    group = "mastodon";
+    restartUnits = [ "mastodon-web.service" ];
+  };
 }
+
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@ -1,61 +0,0 @@
-{ keyCommandEnv, ... }:
-{
-  deployment.keys = {
-    "mastodon-secret-key-base.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-vapid-private-key.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-email-smtp-pass.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-keycloak-client-secret.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-active-record-encryption-primary-key.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-active-record-encryption-key-derivation-salt.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "mastodon-active-record-encryption-deterministic-key.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
-      destDir = "/secrets";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-  };
-}