Serives: Use sops for service secrets (heidi, kopia)

system/services/0_TEMPLATE.nix

@@ -4,6 +4,11 @@
   pkgs,
   ...
 }: {
+  # If we need to pass secrets to containers we can't use plain env variables.
+  sops.templates."TEMPLATE_secrets.env".content = ''
+    SECRET=${config.sops.placeholder.SECRET}
+  '';
+
   virtualisation.oci-containers.containers.TEMPLATE = {
     image = "TEMPLATE";
     autoStart = true;
@@ -14,7 +19,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -31,9 +36,13 @@
       # NVIDIA_DRIVER_CAPABILITIES = "all";
     };
 
+    environmentFiles = [
+      config.sops.templates."TEMPLATE_secrets.env".path
+    ];
+
     extraOptions = [
-      # "--gpus=all"
       "--net=behind-nginx"
+      # "--gpus=all"
     ];
   };
 }

system/services/adguard.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];

system/services/authelia.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [

system/services/formula10.nix

@@ -8,15 +8,6 @@
     image = "gitea.vps.chriphost.de/christoph/formula10:latest";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [];
 
     ports = [

system/services/formula11.nix

@@ -8,15 +8,6 @@
     image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [
       # "pihole"
     ];
@@ -41,15 +32,6 @@
     image = "gitea.vps.chriphost.de/christoph/formula11:latest";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [
       "formula11_pocketbase"
     ];

system/services/gitea-runner.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];

system/services/gitea.nix

@@ -29,7 +29,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -61,7 +61,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [

system/services/heidi.nix

@@ -4,19 +4,15 @@
   pkgs,
   ...
 }: {
+  # If we need to pass secrets to containers we can't use plain env variables.
+  sops.templates."heidi_secrets.env".content = ''
+    DISCORD_TOKEN=${config.sops.placeholder.heidi-discord-token}
+  '';
+
   virtualisation.oci-containers.containers.heidi = {
     image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [];
 
     ports = [];
@@ -28,12 +24,13 @@
     ];
 
     environment = {
-      # TODO: I can't do this because readFile obviously doesn't
-      #       read at runtime but at buildtime, duh...
-      DISCORD_TOKEN = builtins.readFile config.age.secrets.heidi-discord-token.path;
       DOCKER = "True";
     };
 
+    environmentFiles = [
+      config.sops.templates."heidi_secrets.env".path
+    ];
+
     extraOptions = [
       "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
       "--net=behind-nginx"

system/services/immich.nix

@@ -8,15 +8,6 @@
     image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [];
 
     ports = [
@@ -48,7 +39,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -70,15 +61,6 @@
     image = "ghcr.io/imagegenius/immich:latest";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [
       "immich-database"
       "immich-redis"

system/services/jellyfin.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [

system/services/kopia.nix

@@ -4,6 +4,11 @@
   pkgs,
   ...
 }: {
+  # If we need to pass secrets to containers we can't use plain env variables.
+  sops.templates."kopia_secrets.env".content = ''
+    KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
+  '';
+
   virtualisation.oci-containers.containers.kopia = {
     image = "kopia/kopia:latest";
     autoStart = true;
@@ -14,7 +19,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -65,9 +70,12 @@
     environment = {
       TZ = "Europe/Berlin";
       USER = "christoph";
-      KOPIA_PASSWORD = builtins.readFile config.age.secrets.kopia-user-password.path;
     };
 
+    environmentFiles = [
+      config.sops.templates."kopia_secrets.env".path
+    ];
+
     entrypoint = "/bin/kopia";
 
     cmd = [
@@ -76,8 +84,8 @@
       "--disable-csrf-token-checks"
       "--insecure"
       "--address=0.0.0.0:51515"
-      "--server-username=${builtins.readFile config.age.secrets.kopia-server-username.path}"
+      "--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})"
-      "--server-password=${builtins.readFile config.age.secrets.kopia-server-password.path}"
+      "--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})"
     ];
 
     extraOptions = [

system/services/nextcloud.nix

@@ -36,7 +36,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -70,7 +70,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -100,7 +100,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [

system/services/nginx-proxy-manager.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [

system/services/paperless.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -42,7 +42,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];
@@ -68,15 +68,6 @@
     image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
     autoStart = true;
 
-    # login = {
-    #   # Uses DockerHub by default
-    #   # registry = "";
-    #
-    #   # DockerHub Credentials
-    #   username = "christoph.urlacher@protonmail.com";
-    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
-    # };
-
     dependsOn = [
       "paperless-redis"
       "paperless-postgres"

system/services/portainer.nix

@@ -38,7 +38,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [];

system/services/whats-up-docker.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-password.path}";
     };
 
     dependsOn = [